– Two individuals who used California’s state public health COVID-19 contact tracing app have filed a lawsuit against its developer, Google, claiming the tool exposes user data and violated their privacy, among other allegations.
The Google-Apple Exposure Notification (GAEN) System was developed by the tech giants to support governments and public health agencies control the spread of the coronavirus. The tech leans on proximity data gathered from Bluetooth functions of mobile devices and alerts individuals of potential exposure.
At the time of the announcement in April 2020, Google provided a detailed plan of its privacy policies that included a requirement of explicit user consent, along with a list of frequently asked questions to reiterate the companies’ privacy policies.
Those policies included ensuring the generation of tracking keys linked to the user’s device were randomized, instead of mathematically pulling the data from the user’s private key. The tech companies also pledged to disable the service once the pandemic had been contained.
The announcement was met with a host of concerns from a range of privacy stakeholders, particularly around user consent and the heavy reliance on APIs. The National Association of Attorneys General (NAAG) stressed that the apps may not sufficiently protect the personal information of consumers.
READ MORE: AGS Urge Apple, Google to Ensure Privacy of COVID-19 Contact Tracing
The lawsuit, filed in the US District Court of Northern California in San Jose, alleges the app confirmed those concerns.
“Because Google’s implementation of GAEN allows this sensitive contact tracing data to be placed on a device’s system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants’ private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19,” according to the lawsuit.
Specifically, the lawsuit alleges that the app’s use of “rolling proximity identifiers” on devices’ Bluetooth radio is recorded by Google’s GMS records, which “unwittingly expose[d] not only their information to numerous third parties, but also information from unsuspecting GAEN users on other devices (including non-Android devices, such as iPhones) who come within range of them.”
Further, the identifiers are maintained along other device identifiers and stored to mobile device system logs, it’s then available to third parties that have access to those logs. And as the exposed information is personally identifiable, the information can be used to trace the identifier back to user identities, locations, and other identifiers.
“For those who have reported testing positive, it enables third parties to link that diagnosis back to the particular patient, defeating the purported anonymity Google claims for its service,” the lawsuit claims.
READ MORE: New COVID-19 Spear-Phishing, Spoofing Attacks Mimic Google, WHO
“Even if GAEN does not log COVID-19 diagnoses to the system logs directly, a positive COVID-19 test result can be inferred from the RPIs that are written to the system logs, because, as discussed supra, the Key associated with a positive diagnosis is made publicly available,” it continues. “Anyone can access the publicly-disclosed Key and identify which RPIs were generated by a device belonging to a COVID-19 infected individual.”
The lawsuit further claims that Google was informed of the GAEN flaw in February 2021, which caused the alleged data breach. However, the public has not been informed that “their private personal and medical information exposed to third parties.”
The individuals also claimed that Google indirectly confirmed the existence of the flaw outlined in the lawsuit, when it began addressing a security flaw through a software update.
The lawsuit claims the tech giant violated the California Confidentiality of Medical Information Act, as well as common law and privacy rights, and seeks to obtain a mandatory public injunction that would require Google to remediate the alleged issue.
The individuals are also seeking alleged damages and restitution, along with a nationwide class-action for Android users who downloaded or activated a contact tracing app built on Google’s GAEN—roughly 28 million individuals.
READ MORE: Sens. Flag Privacy, Security Concerns Over Google COVID-19 Screening Site
As previously explained to HealthITSecurity.com by Kelvin Coleman, executive director, National Cybersecurity Alliance (NCSA), the lack of a federal privacy in the US has fueled privacy concerns. But the tech giants implemented key security requirements, likely built on compliance with privacy regulations.
“Google and Apple have already taken a good first set of steps to better ensure privacy by barring the use of location data tracking in their contact tracing API,” Coleman said, at the time. “Other government agencies or private sector developers should ideally follow the same example.”
“They should also be transparent in communicating to users the vulnerabilities surrounding Bluetooth functionality, why enabling it on devices should be done on as needed basis, the importance of using encryption measures and enabling MFA for any apps that use or collect personally identifiable information.”