When the first home assistants were announced, I was excited. A device I could wake up with a simple hotword that would answer my questions, set reminders, turn on the TV, and dim the lights, all without me having to get off the couch, sounded fantastic. Amazon's Echo and Echo Dot, Google's Home, and a myriad others, most recently the Home Mini, have invaded our kitchens, living rooms, and bedrooms. Heck, I put one in the bathroom.

Without fail, every time a new listening device comes to market, some tinfoil hat-wearer points out how perfect they would be as modern-day Trojan horses for any of the three-letter acronym organizations - NSA, CIA, FBI - you name it. Manufacturers, on their part, assure us their devices are perfectly safe and only listen when prompted. We brush the concerns off and move on with our lives, but not before granting our smart pineapples (did you know "pineapple" is the codename for Google Home?) access to the smart rice maker, smart vacuum, and smart toothbrush.

I didn't give too much thought to these privacy concerns because they all sounded theoretical and unlikely. My four Google Homes and three Echos sat quietly on their respective desks and counters, and only turned on when one of three things happened:

I called out a hotword (Alexa for Echos and Hey or OK Google for Homes). A video I was watching or podcast I was listening to did this (I'm looking at you, Marques!) They heard a noise or word that they thought sounded like a hotword but in reality was not. This happened once or twice every few days.

That is until last week, when a 4th case came along - 24/7 recording, transmission to Google's servers, and storing on them of pretty much everything going on around my Home Mini, which I had just received at the Made by Google October 4th launch event.

Before I describe exactly what happened and how I discovered this pretty incredible violation of privacy, I'd like to point out that it ended up being a hardware defect in my Home Mini as well as an unspecified small number of others. Google never intended for it to happen and has reacted incredibly swiftly to rectify the situation. Before I describe exactly what happened and how I discovered this pretty incredible violation of privacy, I'd like to point out that it ended up being a hardware defect in my Home Mini as well as an unspecified small number of others. Google never intended for it to happen and has reacted incredibly swiftly to rectify the situation.

So what happened?

Wednesday, October 4th

I went to the Google launch event in San Francisco that I'm sure many of you watched closely. In addition to the two new Pixels, the Pixelbook, Pixel Buds, and Google Clips, Google introduced the Home Mini, a tiny $50 version of the Home we'd expected for several months. Everyone in attendance got to take one home, and having run out of rooms to put it in, I stuck mine in the bathroom. Before you go raising your eyebrows, this is a room I spend a considerable amount of time in, listening to podcasts, music, and asking Google random questions when I get ready for the day in the morning.

Several days passed without me noticing anything wrong. In the meantime, as it turns out, the Mini was behaving very differently from all the other Homes and Echos in my home - it was waking up thousands of times a day, recording, then sending those recordings to Google. All of this was done quietly, with only the four lights on the unit I wasn't looking at flashing on and then off.

In the meantime, Android Police, along with numerous other publications, gave the Mini glowing reviews. Their units were fine. Mine, however, was not (#artemsluck as usual).

Friday, October 6th

I turned on a TV located not too far from the Mini and attempted to watch a show. I say "attempted" because during the first 10 minutes, the Mini turned itself on several times a minute, listened to whatever was on the TV, and attempted to respond, usually by saying it did not understand. At some point, it even somehow managed to take over my Spotify stream that was playing in the office and switched it to the bathroom:

At this point, I was ready to chuck the Mini at a wall and yell at David for not noticing the very obvious sensitivity issue that was dialed up past 11 all the way to 111.

Having freshly discovered the day prior that Google's My Activity portal on the web contained an Assistant-specific section, I opened it up, and my jaw dropped. I saw thousands of items, each with a Play button and a timestamp, all attributed to the cryptically named com.google.android.apps.chirp/mushroom/prod and Assistant. See for yourself:

At this point, I remembered chirp was the codename for the Google Home ecosystem and realized mushroom likely referred to the Mini, since the regular Home is pineapple. After listening to a dozen audio clips that looked something like this...

... I went back to the bathroom to take a closer look at the mischievous Mini. Was I grossly misunderstanding how Assistant works or was there something seriously wrong?

Yes, everything you tell your Assistant is recorded and stored on Google's servers unless you explicitly Yes, everything you tell your Assistant is recorded and stored on Google's servers unless you explicitly disable it in My Activity , which will adversely affect the accuracy of recognition.

I turned on a nearby TV and started recording. Here's what I saw:

Just to clarify, the audio is not coming out of the speaker next to the Home Mini, but from a TV speaker a few feet away.

As you can see, the Home Mini quietly turns on, flashes its lights, then shuts off after recording every sound. When the volume increases, it actually attempts to respond to random queries. I was even able to get it to turn on just by knocking on the wall.

Friday, October 6th - 4:22pm

At this point, I realized the seriousness of the situation and contacted Google PR. I described the issue, added "urgent" to the subject, and sent it off, not expecting a response until Monday at best.

Hi, Please forward this to the Google Home team for a response. We are working on a story and will publish in the next day or so. I just discovered the issue and based on my understanding, it's quite a serious violation of privacy, specific to the Google Home Mini. Could you please confirm that the Mini's codename is "mushroom"? Here's an example screenshot from the Google My Activity page, filtered by Assistant. As you can see, there are thousands of triggers that record, transmit, and save the audio snippets on Google's servers. All of them say they were triggered by a hotword. It's obviously not true. I also noticed the Home Mini is extremely sensitive to nearby sounds (TV, speech, etc.) and has a lot of false positives, including ones that result in an audible response (usually that it didn't understand what was asked). <SNIPPED IMAGE> Now here's the kicker - based on Google My Activity, the onslaught of thousands of transmitted and saved Assistant-related audio queries started on the day the Home Mini was set up (October 4). The mention of "com.google.android.apps.chirp/mushroom/prod" does not appear before then either, all pointing to the Home Mini being the culprit and not the larger Homes, Android TVs, or phones. Needless to say, if a listening device records almost every minute of every day and stores it remotely, we're talking about a huge privacy violation. Does Google have a comment about this? Thank you. Sincerely,

Artem

Friday, October 6th - 4:32pm

To my surprise, the first reply came in 10 minutes later. They were looking into it. I replied with a few more details.

Friday, October 6th - 5:58pm

Google assured me that this was the first time they've heard of this issue and were really interested in swapping out my unit to examine it.

Friday, October 6th - 7:00pm

Google PR was on the way to my house to pick it up. Mind you, we're talking about a Friday night here. That's dedication! I wasn't home at the time, but by 9pm, the exchange was made. In fact, I was left with two replacement Google Home Minis for my trouble. I'm on to you, Google! (/s)

An engineer was driving up to Oakland to examine it that very night. It was clear how seriously they were treating the situation.

Saturday, October 7th

The next day, Google sent me its initial assessment that I will quote here:

We have learned of an issue impacting a small number of Google Home Minis that could cause the touch mechanism to behave incorrectly. We are rolling out a software update today that should address the issue. If you're having any additional issues, please feel free to contact Google Support at 1-855-971-9121.

I asked for some clarifications and gave them more time.

Sunday, October 8th

Further clarifications arrived. The Google Home Mini supports hotword activation through a long press on the touch panel. This method allows people to activate the Google Assistant without saying the hotword. On a very small number of Google Home Mini devices, Google is seeing the touch panel register “phantom” touch events.

In response, the updated software disables the long press to activate the Google Assistant feature. Once the Google Home Mini devices receive the updated software, all long press events (real or phantom) will be ignored and Google Assistant will not be invoked accidentally.

The company also let me know that they're in the process of building a long-term fix, whatever it may be. It's too early to say if they're going to be able to deal with "phantom" touch events entirely in software or if a recall for affected units will be in order.

Monday, October 9

I followed up with some more questions.

Tuesday, October 10

The firmware I was originally running was 1.28.99351. Google says the new firmware is 1.28.100122, and the rollout has already been completed.

You can also see that the online Home Mini documentation has been updated to reflect the above:

Conclusion

So there you have it. Don't be surprised that the long-press to activate Assistant functionality, described in many reviews, isn't working. My Google Home Mini was inadvertently spying on me 24/7 due to a hardware flaw. Google nerfed all Home Minis by disabling the long-press in response, and is now looking into a long-term solution.

I'd like to once again commend the company's reaction to my report and the speed at which they issued the OTA that dealt with the problem right away, giving them time to look for a proper fix.