Google sued over alleged privacy invasions via COVID-19 contact-tracing system
Users alleging that Google exposed their personal data via its COVID-19 exposure-notification system with Apple have sued Google in federal court for invasion of privacy.
Last year, Googlepartnered with Apple to create a Bluetooth-based system in their phones to help track people’s interactions with coronavirus-infected users. The opt-in system was intended to assist public health agencies and others doing COVID contact tracing.
Two Californians proposing the class action lawsuit have claimed that any information from a user’s anonymous positive report of coronavirus using Google’s system can be inferred from “rolling proximity identifiers” that were supposed to be untraceable.
“The hundreds of applications (and the sophisticated technology companies behind them) with access to system logs can easily associate the data that [Google–AppleExposure Notification System] logs to the device owner’s identity,” read the lawsuit. “Device manufacturers, network providers, and application developers commonly already have identifying information about the owners of devices with their apps, or else they have permissions to access information like the phone number associated with a device.”
Asked about the lawsuit, Google spokesperson Jose Castaneda said Google is aware of a problem that it is fixing.
“With the Exposure Notification system neither Google, Apple, nor other users can see your identity and all of the Exposure Notification matching happens on your device,” said Mr. Castañeda in an email. “We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. We reviewed the issue, considered mitigations, updated the code, and are ensuring the fix is rolled out to users. These Bluetooth identifiers do not reveal a user’s location or provide any other identifying information and we have no indication that they were used inappropriately — nor that any app was even aware of this.”
The lawsuit comes amid reports that privacy analysis company AppCensus disclosed an issue in the exposure notification system to Google in February 2021. After seeing no resolution from Google in 60 days, wrote AppCensus’ Joel Reardon on the company’s blog, the company decided to publish their findings regarding the alleged vulnerability on Tuesday.