Google Sued for Exposing Information in COVID-19 Contact-Tracing App

Google is being sued for allegedly exposing users' information on its COVID-19 contact-tracing app.

A proposed class-action suit is asking a federal court to order the tech giant to fix an alleged security threat on the Google-Apple Exposure Notification System (GAEN) used across nearly 40 countries and in dozens of U.S. states.

In a complaint filed Wednesday in the U.S. District Court for the Northern District of California, attorneys for the plaintiffs asserted that dozens of third parties potentially had access to the system's stored data, including personally identifiable information and coronavirus exposure results.

"Google has exposed GAEN participants' private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19," the filing states.

"Users trusting that GAEN would not disseminate personal information was critical to attracting sufficiently broad participation for the Apps to play a meaningful role in the public health authorities' COVID-19 responses," the complaint contended. "There is no reasonable way for App users to avoid having their personal medical information exposed by the security vulnerabilities that Google designed for GAEN."

According to the plaintiffs, Google had been informed of the security flaw that caused the alleged breach back in February 2021 but the company failed to inform users.

"To date, Google has failed to inform the public that participants in GAEN have had their private personal and medical information exposed to third parties, who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs," the complaint reads.

Google Lawsuit Security Breach COVID-19 Data
California plaintiffs have filed a lawsuit against Google alleging that personal information was exposed through the company's contact-tracing app. Eduardo Munoz Alvazrez/VIEWpress

Google spokesperson José Castañeda told Newsweek that the company was notified of a problem that granted temporary access to preinstalled applications and that Google is working on fixing it.

"We reviewed the issue, considered mitigations, updated the code and are ensuring the fix is rolled out to users," Castañeda wrote in an email. "These Bluetooth identifiers do not reveal a user's location or provide any other identifying information, and we have no indication that they were used inappropriately—nor that any app was even aware of this."

But the plaintiffs allege that more than 100 applications that have permission for the GAEN system logs are able to "easily associate" the data with the users' identity. The filing states that because of this, if a mobile device came within Bluetooth range of a third party, the "user's ostensibly anonymous report of a positive COVID-19 diagnosis can be inferred from [rolling proximity identifiers] that were supposed to be untraceable."

The users from California contend that Google violated the state's Confidentiality of Medical Information Act and common law and constitutional privacy rights. They are seeking an injunction that would destroy the information obtained and ban Google from including contact-tracing information on its system logs.

Newsweek reached out to Google for further comment but did not hear back before publication.