Your Home Assistant Notifications Aren't as Private as You Think

Home Assistant markets itself as a privacy‑first smart‑home platform, yet its default notification pathway relies on Google’s Firebase Cloud Messaging. While SSL protects data in transit, the payload remains readable on Google’s servers, a detail that many users overlook. This exposure is not limited to Android; iOS notifications also route through FCM because Home Assistant cannot directly interface with Apple’s push service. For organizations deploying Home Assistant at scale, the potential for metadata leakage—such as alarm status or occupancy information—poses compliance and reputational risks.

To mitigate these concerns, Home Assistant offers a “local push” mode that uses a WebSocket connection over the home LAN. By configuring the companion app to use the internal URL and restricting connections to trusted SSIDs, notifications stay within the private network, eliminating cloud exposure. However, this method only works when devices are on the home Wi‑Fi, limiting its usefulness for remote alerts. For users who need secure, off‑site notifications, the Signal Messenger integration provides end‑to‑end encryption from the Home Assistant instance to the recipient’s phone, ensuring that sensitive alerts remain confidential regardless of network location.

The broader implication is a reminder that even privacy‑focused platforms can inherit third‑party data handling practices. Consumers and IT teams should audit notification content, adopt ambiguous phrasing for non‑critical alerts, and prioritize encrypted delivery channels. By balancing convenience with security—leveraging local push for routine updates and Signal for high‑risk messages—users can retain the flexibility of Home Assistant without compromising their privacy expectations.