Law360 (April 28, 2021, 10:03 PM EDT) -- A COVID-19 contact tracing tool co-created by Google is exposing unwitting Android users' sensitive personal information to dozens of third parties due to a "security flaw" that enables diagnoses to be linked to specific individuals, according to a proposed class action filed in California federal court Tuesday.
Plaintiffs Jonathan Diaz and Lewis Bornmann claim that Google LLC has violated the California Confidentiality of Medical Information Act as well as their common law and constitutional privacy rights through its implementation of the COVID-19 exposure notification system that the tech giant developed along with Apple Inc.
The Google-Apple Exposure Notification System, which the companies rolled out last May, is designed to assist governments across the globe with tracking the spread of COVID-19 through smartphone apps that alert users who come in close contact with someone who tested positive for the novel coronavirus.
However, while the companies have assured those who choose to use the tool that their personal data will be safeguarded and their identities would remain anonymous, Google has failed to live up to this pledge by allowing sensitive contact tracing data to be placed on Android devices' system logs, therefore allowing "dozens or even hundreds of third parties" to access this data and tie it to specific individuals, according to the new complaint.
"Users trusting that GAEN would not disseminate personal information was critical to attracting sufficiently broad participation for the apps to play a meaningful role in the public health authorities' COVID-19 responses," the complaint alleged. "For devices running Google's Android operating system, Google designed GAEN in a manner that rendered these representations false."
Rather than tracking individuals' precise movements and location, the voluntary GAEN system uses Bluetooth technology to determine when iPhone and Android device users have come in close proximity with someone who has reported a positive COVID-19 test result and to directly notify those individuals of potential exposure.
The apps are designed to generate secure personal device identifiers, which change periodically as they are broadcast to other devices and should only be traceable to the device user with a "key" held by the public health authorities.
However, the way Google has implemented the system undermines these protections, since the tech giant permits the sensitive contact tracing data transmitted by the apps to be stored on a device's system logs, according to the complaint. This enables the scores of third parties that have access to these logs to "easily associate" what's supposed to be untraceable data to the device owner's identity, "effectively creating an alternative 'key' of their own," the complaint alleged.
"For those who have reported testing positive, it enables third parties to link that diagnosis back to the particular patient, defeating the purported anonymity Google claims for its service," the plaintiffs asserted.
The complaint claimed that Google was "informed of the security flaw in its implementation of GAEN" in February, but that "to date, Google has failed to inform the public that participants in GAEN have had their private personal and medical information exposed to third parties, who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs."
The plaintiffs seek to represent a nationwide class of Android users who downloaded or activated a contact tracing app incorporating the Google-Apple Exposure Notification System on their mobile device as well as a separate subclass comprised of California residents.
More than 28 million people across the U.S. have downloaded contact tracing apps that use GAEN or activated exposure notifications on their mobile devices, according to the complaint. California's version of the app, known as CA Notify, has been downloaded to 1 million Android devices and roughly 8.5 million Apple devices, the complaint added.
In response to the new lawsuit, a Google spokesperson noted that the exposure notification system uses "privacy preserving technology" to help public health authorities manage the spread of COVID-19 and that neither Google, Apple, nor other users can see individuals' identity and that all matching happens on users' devices.
"We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some preinstalled applications for debugging purposes," spokesperson José Castañeda said in a statement provided to Law360. "We reviewed the issue, considered mitigations, updated the code, and are ensuring the fix is rolled out to users."
"These Bluetooth identifiers do not reveal a user's location or provide any other identifying information and we have no indication that they were used inappropriately, nor that any app was even aware of this," he added.
The Android users are represented by Michael W. Sobol, Melissa Gardner, Ian Bensberg, Nicholas Diamand and Douglas Cuthbertson of Lieff Cabraser Heimann & Bernstein LLP.
Counsel information for Google was not immediately available.
The case is Diaz et al. v. Google LLC, case number 5:21-cv-03080, in the U.S. District Court for the Northern District of California.
--Editing by Daniel King.
Update: This article has been updated to include a comment from Google.
For a reprint of this article, please contact firstname.lastname@example.org.