Plaintiffs Allege Google’s COVID-19 Contact Tracing System Exposes Personal Information

On Wednesday, two individuals filed a class-action complaint in the Northern District of California against Google LLC relating to its purported failure to safeguard sensitive information in its COVID-19 contact-tracing system.

According to the complaint, Google “co-created the Google-Apple Exposure Notification System (‘GAEN’) to assist state and local authorities deploying apps for mobile devices that conduct COVID-19 ‘contact-tracing,’ and implements GAEN in Android smartphones via Google Mobile Services, a collection of Google apps and APIs (‘GMS’).” The plaintiffs noted that while Google assures that it safeguards the sensitive information needed for COVID-19 contact tracing, “because Google’s implementation of GAEN allows this sensitive contact tracing data to be placed on a device’s system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants’ private personal and medical information associated with contact tracing.”

The plaintiffs claimed that the GAEN system utilizes rolling proximity-identifier signals that are broadcast through Bluetooth on mobile devices, which “other mobile devices detect and record, thereby providing information about proximate encounters with nearby participants.” Additionally, Google’s GMS records incoming and outgoing data on a device’s system log, meaning Android devices running Google’s software “unwittingly expose not only their information to numerous third-parties, but also information from unsuspecting GAEN users on other devices … who come within range of them.”

The plaintiffs alleged that this exposed information is personally identifiable, while the contact-tracing apps create “ostensibly-secure personal device identifiers, which change periodically as they are broadcast to other devices, and should be traceable” to health authority devices with the key. However, the complaint continued, “these identifiers are maintained alongside other device identifiers known as MAC addresses,” which when written on a system’s logs become available to third parties. The MAC addresses can purportedly be used to “trace the identifiers back to individual identities, locations, and other identifying attributes, effectively creating an alternative ‘key’ of their own.”

The plaintiffs added that in February 2021, Google was informed of the alleged security flaw in GAEN, which caused the breach of this information. However, the plaintiffs contended that Google has not informed GAEN participants that their medical and private information was accessed by third parties, “who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs.”

The class consists of “All natural persons in the United States who downloaded or activated a contact tracing app incorporating the Google-Apple Exposure Notification System on their mobile device.” There is also a California subclass.

The claims for relief are invasion of privacy via the public disclosure of private facts and intrusion upon seclusion; violation of the California Constitution; and violation of the California Confidentiality of Medical Information Act.

The plaintiffs seek for this action to be maintained as a class action and for the plaintiffs and their counsel to represent the class; declaratory, equitable, and injunctive relief; an award for damages, costs, and fees, and pre- and post-judgment interest; and other relief.

The plaintiffs are represented by Lieff Cabraser Heimann & Bernstein LLP.