In April 2020, due to the unprecedented times caused by the coronavirus pandemic, Google and Apple partnered up to create a COVID-19 tracking feature for their respective platforms. The new tech was designed to warn users if they come into contact with anyone infected with the virus.
However, now, Google is being sued by its users alleging that the search engine giant exposed their personal data via its COVID-19 exposure-notification system with Apple. The case has been filed in the federal court for invasion of privacy.
Two individuals from California who have proposed the action lawsuit claim that any information from a user’s anonymous positive report of coronavirus using Google’s system can be inferred from “rolling proximity identifiers” that were supposed to be untraceable.
The documentation reads,
The hundreds of applications (and the sophisticated technology companies behind them) with access to system logs can easily associate the data that [Google-Apple Exposure Notification System] logs to the device owner’s identity. Device manufacturers, network providers, and application developers commonly already have identifying information about the owners of devices with their apps, or else they have permissions to access information like the phone number associated with a device.
When asked about the lawsuit, Google spokesperson Jose Castaneda said Google is aware of a problem that it is fixing. He wrote in an email,
With the Exposure Notification system neither Google, Apple, nor other users can see your identity and all of the Exposure Notification matching happens on your device. We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. We reviewed the issue, considered mitigations, updated the code, and are ensuring the fix is rolled out to users. These Bluetooth identifiers do not reveal a user’s location or provide any other identifying information and we have no indication that they were used inappropriately — nor that any app was even aware of this.
The lawsuit comes after the privacy analysis company AppCensus disclosed the issue to Google in February 2021 but no action was taken.