Google sued over security flaw in COVID-19 contact tracing technology


Google is being sued over a security flaw in its COVID-19 contact tracing technology that allegedly exposed Android users’ data to third-party apps. 

The lawsuit was filed in California federal court on Wednesday and alleges that dozens of third parties may have been able to access personal and medical details of Android users as a result of the flaw. 

Dozens of US states started using the Exposure Notifications System technology, which was rolled out by Google and Apple last year, to enable public health authorities to use smartphones to help with COVID-19 contact tracing.

The technology, known as Google-Apple Exposure Notifications System (GAENS), acted as a framework or platform for public health authorities to build their contact tracing apps.

It uses Bluetooth technology to alert users if they have come into contact with someone who has tested positive to COVID-19.  

Dozens of states started using the technology, including California, New York, Michigan, Virginia, Utah and Pennsylvania.

The lawsuit says more than 28 million people in the US downloaded contact tracing apps that used GAEN. 

The complaint is being brought by two Android users, Jonathan Diaz and Lewis Bornmann, and is a potential class action lawsuit.

It argues that Google had given assurances that it ‘completely safeguards’ sensitive information involved with contact tracing.

‘However, because Google’s implementation of GAEN allows this sensitive contact tracing data to be placed on a device’s system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants’ private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19,’ the lawsuit says.   

The complaint says Google became aware of the security flaw that caused a data breach in February but has failed to inform the public.   

GAEN TECHNOLOGY AT THE HEART OF LAWSUIT: How it works

The contact tracing apps that use GAEN are designed to run on both Google’s Android and Apple’s iPhone systems.

It works by allowing a user to activate contact tracing on their device. For Android users in particular, it required users to download the app specific to their state’s health department.

To activate, GAEN generates a unique key for each user. The app then uses that key to generate a ‘rolling proximity identifier key’, which subsequently creates a ‘rolling proximity identifier’.

The user’s phone then broadcasts that identifier over Bluetooth to other users’ phones within range.

If a user receives a positive COVID-19 test, the public health department gives permission for the GAEN system to recognize their identifier as an at-risk user.

The app can then essentially notify other users who have been in close proximity. 
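The key chain and matching step described above, as an added example (not code from the article, Google or Apple). It follows the published Exposure Notification cryptography specification, which derives the identifier key with HKDF-SHA256 and each identifier with AES-128 over a 10-minute interval number; the sample key and interval numbers are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// deriveRPIK is HKDF-SHA256(key, salt=NULL, info="EN-RPIK"); 16 bytes need one expand block.
func deriveRPIK(tek []byte) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // NULL salt = 32 zero bytes
	ext.Write(tek)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append([]byte("EN-RPIK"), 0x01))
	return exp.Sum(nil)[:16]
}

// deriveRPI encrypts one padded block for a 10-minute interval number (ENIN).
func deriveRPI(rpik []byte, enin uint32) []byte {
	block, err := aes.NewCipher(rpik)
	if err != nil {
		panic(err) // only reachable if rpik is not a valid AES key length
	}
	padded := make([]byte, 16) // "EN-RPI" || 6 zero bytes || ENIN (little-endian)
	copy(padded, "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], enin)
	rpi := make([]byte, 16)
	block.Encrypt(rpi, padded)
	return rpi
}

// matchExposure re-derives a published key's identifiers for n intervals and checks them against those heard.
func matchExposure(tek []byte, start, n uint32, observed map[string]bool) bool {
	rpik := deriveRPIK(tek)
	for i := uint32(0); i < n; i++ {
		if observed[string(deriveRPI(rpik, start+i))] {
			return true
		}
	}
	return false
}

func main() {
	tek := []byte("0123456789abcdef") // constructed sample key, not real data
	heard := map[string]bool{string(deriveRPI(deriveRPIK(tek), 2650005)): true}
	fmt.Println(matchExposure(tek, 2650000, 144, heard))
}
```

Because anyone holding a published key can recompute its identifiers this way, a stored copy of an identifier stays linkable to that key.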

‘To date, Google has failed to inform the public that participants in GAEN have had their private personal and medical information exposed to third parties, who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs,’ the lawsuit claims. 

Google publicly said in February that it was having an issue with some Android apps developed using its Exposure Notifications System.

The company later released a statement saying it had rolled out a fix for the issues.     

According to the lawsuit, the flaw in the system meant that some users had their personal and medical information exposed.

The lawsuit is demanding that Google fix the security flaw and pay damages and restitution.  
