Google COVID-19 Contact-Tracing Tool Exposes Data: Lawsuit
Complaint Alleges 'Exposure Notification System' Allows Third-Party Access to Personal Info
A lawsuit seeking class-action status alleges that a security flaw in a Google COVID-19 contact-tracing tool is "unwittingly" exposing personal and medical information of millions of users to third parties through device system logs.
But Google says it reviewed the issue, updated the code and is ensuring the fix is rolled out to users.
The two plaintiffs filing the lawsuit, who both downloaded California state public health contact-tracing apps that incorporate the Google-Apple Exposure Notification, or GAEN, system, allege invasion of privacy as well as violations of the California Confidentiality of Medical Information Act.
The plaintiffs "seek to represent a nationwide class of Android users who downloaded or activated a contact-tracing app incorporating the Google-Apple Exposure Notification system on their mobile devices" and also a separate subclass of California residents.
Public health authorities in California and 26 other states and territories have released contact-tracing apps that use GAEN, the lawsuit states. More than 28 million people in the U.S. have downloaded contact-tracing apps from those jurisdictions, according to the lawsuit.
Google and Apple co-created the GAEN system to assist state and local authorities deploying apps for mobile devices that conduct COVID-19 contact tracing, the complaint notes. GAEN is implemented in Android smartphones via Google Mobile Services, or GMS, a collection of Google apps and application programming interfaces.
"Google unequivocally assures that it completely safeguards the sensitive information necessarily involved with COVID-19 contact tracing," the lawsuit states. "However, because Google’s implementation of GAEN allows this sensitive contact-tracing data to be placed on a device’s system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants’ private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19," the lawsuit alleges.
Rolling Proximity Identifiers
The GAEN contact-tracing system uses signals called “rolling proximity identifiers,” or RPIs, broadcast through the Bluetooth radio on mobile devices that other mobile devices can detect and record, thereby providing information about proximate encounters with nearby participants, the lawsuit explains.
"Google’s GMS records both this outgoing and incoming data on each device’s system log, such that Android device users running Google’s software unwittingly expose not only their information to numerous third parties, but also information from unsuspecting GAEN users on other devices, including non-Android devices, such as iPhones, who come within range of them," the lawsuit states. It claims the exposed information is personally identifiable.
"The contact-tracing apps themselves generate ostensibly-secure personal device identifiers, which change periodically as they are broadcast to other devices, and should be traceable to the device user only with a 'key' held by the public health authorities," the lawsuit says. "But in storage, these identifiers are maintained alongside other device identifiers known as MAC addresses." When this stored data is written to mobile device system logs, it becomes available to third parties with access to the logs, the lawsuit alleges.
Third parties can use the MAC addresses "to trace the identifiers back to individual identities, location, and other identifying attributes, effectively creating an alternative 'key' of their own," according to the lawsuit. "For those who have reported testing positive, it enables third parties to link that diagnosis back to the particular patient, defeating the purported anonymity Google claims for its service."
Third-Party Access Risk
App users on other devices are also identifiable, the lawsuit contends.
"The hundreds of third parties with applications that access the system logs can associate the data from other devices that GAEN logs to the owners of those other devices and can link their RPIs and identities to specific locations," the complaint says.
"This is because GAEN writes the RPIs received by Android devices to the system logs together with, and directly associated with, the randomized MAC address broadcast by the originating device. Because GAEN logs the randomized MAC addresses and the corresponding RPIs together, the data are formally linked in any collection of the logs."
No aspect of GAEN’s functionality requires any of this data to be written to the system logs, the lawsuit alleges, stating: "There is no reasonable way for app users to avoid having their personal medical information exposed by the security vulnerabilities that Google designed for GAEN."
By exposing users' data to third-party entities, "Google allowed that information to escape unfettered into cyberspace, thereby making it available to a number of people so substantial that it is substantially certain to become knowledge readily accessible to the public," according to the complaint.
The lawsuit also contends that Google became aware by mid-February that contact-tracing information had been written to GMS system logs and thus became exposed to any entity having access to those logs.
"To date, Google has failed to inform the general public or provide widespread notice to GAEN participants of this data security flaw," the lawsuit alleges.
"In or about the third week of April 2021, Google indirectly confirmed the existence of the security flaw by acknowledging that in late March 2021, it began to address the security flaw by rolling out patch fixes," the lawsuit states. "Google continues to keep the general public uninformed about the security flaw, and as a result the extent and efficacy of any supposed fixes are unknown to plaintiffs."
In a statement provided to Information Security Media Group, Google says its exposure notifications use "privacy-preserving technology to help public health authorities manage the spread of COVID-19 and save lives. With the exposure notification system neither Google, Apple, nor other users can see your identity and all of the exposure notification matching happens on your device."
The statement notes, however, that Google was "notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. We reviewed the issue, considered mitigations, updated the code, and are ensuring the fix is rolled out to users.
"These Bluetooth identifiers do not reveal a user’s location or provide any other identifying information, and we have no indication that they were used inappropriately - nor that any app was even aware of this."
Besides seeking damages, the lawsuit is asking the court to order Google to stop including or copying personal and medical information to the system logs on Android devices and cease allowing "unauthorized parties" access to that information.
The lawsuit also asks the court to order Google to destroy all personal and medical information acquired, created, or otherwise obtained from device system logs.