True, but if they claimed they didn't have some sort of access, and then it turned out that they actually did, then there's a much stronger legal case to be made.
Right now they're hiding behind the non-specific language of the EULA.
If it was only log data, I think it would be easy for them to say so. Can we get an official Hubitat person in here? I'm not sure what tag/keyword to use to draw their attention...
As @thebearmay @marktheknife have said, the existance of a means to connect to your hub for support is well known within this forum community. That's not even a big portion of Hubitat users though. There's no hiding of this capability, it's quite openly mentioned... such as "PM me your hub ID and I'll see if there's something amiss" Words to that effect are spoken most days I'd say, and certainly in the aftermath of a new release.
The greater portion of this particular topic came up before, roughly around the beginning of the year, as a guess. I imagine those that didn't read that will want to express a view here, but I haven't seen anything news worthy so far and don't expect to, honestly.
When people start to make legal threats, I know I have to break out the popcorn.
What damages do you suggest you’ve incurred?
Either way, like others have mentioned it’s not a secret and it has been come up often in threads, staff mentioning they will collect backend logs.
It is incredibly unlikely the tool provides a remote shell to the hub and the suggestion that it could somehow for lateral movement is similarly unlikely. I think you are much more at risk with your daily driver systems than you are with this specialized device.
I’m of the opinion that a lot of the risks people bring up around IoT devices are overhyped. I don’t closely follow the IoT security realm, but I’m not familiar with any instances of consumer IoT devices (apart from externally facing home routers) being used as a jumping off point.
Makes you wonder if Google, Amazon, Philips Hue, Logitech, Sonos, Apple, Microsoft, your cable box provider, NAS box vendor, smart thermostat vendor, smart TV vendor, streaming media box vendor, etc… have access to their devices on your home networks as well, eh? 
My point is that we all probably have devices on our home networks that are potential security risks from the vendors that support them. Not saying Hubitat doesn’t have an opportunity for improvement in this regard, but just thinking out loud about how trusting we are in general. Definitely makes me think about further segregation on my home LAN.
My point in bringing up the legal aspect was simply that Hubitat making a statement is worth something in itself, even if we never get a 3rd party code audit. It's no different than any company making a specific claim- if shown to be untrue, then it may be actionable.
I never said I have personally already incurred some form of damages. Nevertheless, it is entirely possible someone has, or will. I think it's pretty obvious how this could happen (disgruntled employee, outside hacker), and what the potential costs could be (theft, assault, destruction of property, stalking/harassment, etc).
Given that we don't know exactly what they can or can't do (besides "they can definitely access log data"), I think it would be wise to keep poking at this until they offer a more complete explanation.
Distrust of how those companies collect, use, and share data on their consumers is a big reason why I opted for Hubitat and have avoided things like Google Home and Alexa. I haven't plugged every leak, but as the saying goes "a journey of a thousand miles begins with a single step". 
I've never dealt with Hubitat support, so this was news to me... I'm unhappy to find I'm leaking more data to them than I realized. I wish the product would let me control this better.
As a point of clarification: is the log data actively pushed to Hubitat servers (streamed real time, or maybe uploaded in batches?), or does Hubitat have to go fetch it from your hub?
I suspect it's the latter, but am curious if anyone knows for sure (based on past interactions with support, packet captures, etc).
NO one likes a company that boasts 'we see your not secure cuz we're looking at your device'. Hubitat is egregious in this regard.
My hub (+ hue/NR etc) is on its own vlan which can't reach my main network so I'm safe there. It's pretty easy to secure the rest, just disable internet access to the hub and rely on a VPN to access dashboards. Open access when you need the guys to take a look and then shut it down after.
Of all those, if Apple and Microsoft were spying on us via IOS/MacOS or windows then I'd suggest that we're doomed anyway. Better revert to pen and paper at that point 
.
My Amplifi mesh system is the same. User cannot get to logs but Ubiquiti staff can! I was also surprised by Reolink staff member accessing one of my passworded cameras, without needing to ask me for the password, when I contacted them with a problem with it! But I think there is actually a way to disable that with the Reolink system.
Any rules based router (eg edgerouters) can easily be set to block out anything. I imagine the Amplimesh can't do this as it's a tradeoff between security and convenience/user friendliness.
Disappearing ink as well? I would also guess that all involved have a cellular device? Enough said!
So does the fact that all your lights are out and you're car isn't in the driveway and I just watched you leave...
The way that works is the main reason I chose to go UniFi and run my own controller in a container.
Synology and Qnap, and other tech, also has remote access capability, but it has to be enabled by the user, and it creates a local log of its use and all actions taken.
If hubitat added that, it would be sufficient. It’s not about, why can you access my stuff, but about why can you do it without asking, and without my control and without any logs I can see.
I am not concerned re this really as long as it’s limited to accessing logs / diagnostic features only. It’s an important and welcome support feature and I accept Hubitat’s inference that it is logs plus maybe key stats like memory info only. I do wonder if they might have API access too though ?? Fairly sure they don’t have shell access as during an incident I had a while back they said they had no way to diagnose further, something they would have wanted to help with. Maybe a clarification from Hubitat would re-assure on just what access they do have and I’d be very accepting of that.
It would be much better though for the user to have to manually enable such access for a short period of time like many other devices implement. One for a future update , maybe a little higher on the todo list now than it was.
Hubitat has literally never said that to anyone ever. Literally. Never.
Hubitat devices have showed up on multiple internet accessible lists (Shodan, et al), and then they made people aware of that, but that is nothing like what you said.
Exactly. And the power company knows every time you aren't home too based on the smart meters they have installed in most areas... Better cut off your power and go off the grid!
(that was sarcasm for those not inclined)
All this said, I would like it if Hubitat made it more clear in the TOS (that no one reads) (EDIT: It is in the TOS) and install screens (that some small % of users read) what remote connectivity is present and data sent to Hubitat, and make a user opt in/out for it. But it isn't something I'm losing sleep over.
I can't speak for the utility companies where other's might live, but no, ours does not have any way to determine that other than "current consumption rate is," and the access to that data is audited by the specific government agency.
We're way off topic; there's a big difference between someone camping in front of a house to case it, and a company with which we have chosen to engage acting in bad faith.
I say bad faith because the access should first and foremost be documented and made public, and not "sure the people in the forums here always knew." But also, it is not opt-in or user manageable, the use of it is not logged in any way. Formal security AAA tenets aside, this is not a stretch - the company that installed my HVAC system isn't allowed to just walk in to check on it whenever they feel like it.
I'm not advocating they stop offering support; I'm advocating they offer support in a responsible and correct manner. For all those people who are like "well I'm not worried," that's fine - you can enjoy your product as is. There are others who think this needs fixing and just because you don't care about it, doesn't make it a non-issue.
Something like 80% of the US households have smart power meters now. Utilities use that to forecast power demand on a more regional basis, shift loads, and adjust how/where they purchase supplemental power from. And there is no opt in/out - you want power, you get a smart meter.
But anyway, yes, you are right - that is somewhat off topic.
It is documented and public in Terms of Service . It's just that most of us don't read the details of any company's TOS. I only went looking for this situation in TOS as a result of this thread.
I'm sorry - where exactly does that say "Hubitat will have remote access to your hub and your logs at any time without your consent and without your knowledge or control?"
That exact exchange took place between me and Bruce in the chat log shared in the post (see first message).
Leaving aside completely that TOS aren't universally enforceable for the exact reason you've stated. It has been recognized that shrink wrap licenses are onerous, cumbersome and unintelligible to most people. It's also not an excuse - "oh we wrote a blanket statement so now we can just do whatever."
Again, we're straying off topic. TOS and other products being bad in no way detracts from having a constructive conversation about how this company can improve their product.
Download the Hubitat app
