The private personal and medical information of Android users who have participated in the Google-Apple Exposure Notification System (GAEN) to assist in state and local authorities’ COVID-19 contact tracing efforts has been exposed to “dozens or even hundreds of third parties” due to a “security flaw,” a proposed class action against Google alleges.
The 29-page lawsuit says that although Google has “unequivocally” assured that it “completely safeguards the sensitive information necessarily involved with COVID-19 contact tracing,” the company’s implementation of GAEN, released to the public last May, has allowed “personally identifiable” contact tracing data to be placed on a device’s system logs, which can be accessed by myriad third parties.
Per the case, Google, despite being informed of the GAEN “security flaw” earlier this year, has yet to inform the public that some contact tracing participants’ personal information has been exposed to third parties with access to Android system logs. According to the suit, more than 28 million people have downloaded contact tracing apps that use the GAEN framework.
More specifically, the complaint relays that the GAEN contact tracing system uses signals called “rolling proximity identifiers” that are broadcast through the Bluetooth radio on mobile devices. Rolling proximity identifiers provide information about proximate encounters with nearby contact tracing program participants. Google’s apps and APIs record both outgoing and incoming data on each device’s system log, such that Android users running Google’s software “unwittingly expose not only their information to numerous third parties, but also information from unsuspecting GAEN users on other devices,” including iPhones, within range of them, the lawsuit says.
According to the suit, Google and Apple’s contact tracing apps themselves generate ostensibly secure personal device identifiers that change periodically as they’re broadcast to other devices, and that should be traceable to a device user only with a “key” held by the public health authorities. In storage, however, these identifiers are maintained alongside other identifiers called MAC addresses, which, when written to a mobile device’s system log, become available to third parties with access to the logs, the lawsuit says.
“They, alone or in concert, can use the MAC addresses to trace the identifiers back to individual identities, locations, and other identifying attributes, effectively creating an alternative ‘key’ of their own,” the suit alleges.
For individuals who have tested positive for COVID-19, this “key” enables third parties to link that diagnosis back to the particular patient, “defeating the purported anonymity Google claims for its service,” the complaint asserts.
According to the complaint, Google was informed in February 2021 of the apparent GAEN security flaw that caused the data breach at issue in the lawsuit, yet has not informed those whose information was allegedly exposed without authorization.
The complaint alleges violations of the California Confidentiality of Medical Information Act.
The lawsuit looks to represent all natural persons in the United States who downloaded or activated a contact tracing app incorporating the Google-Apple Exposure Notification System on their mobile device.