Plaintiffs Jonathan Diaz and Lewis Bornmann filed the class-action lawsuit on Tuesday, April 27, in California federal court. The pair argued that Google's implementation of the technology, known as the Google-Apple Exposure Notifications (GAEN) system, violated the California Confidentiality of Medical Information Act as well as the state's common law and constitutional privacy rights.
The two tech giants rolled out the system last year to assist public health authorities in tracking the spread of COVID-19. GAEN serves as a framework on which authorities build their own contact tracing apps.
It works by generating unique identifiers for each Android or Apple device and transmitting them via Bluetooth to other nearby devices. Apps built on the system can then notify users if they came into close contact with a user who later tested positive for the virus.
Google said it had put protections in place to safeguard sensitive data. In particular, it said that the device identifiers change periodically as they are broadcast to other devices and should be traceable to a user only with a "key" held by public health authorities.
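To make the mechanism described above concrete, here is a simplified model of the exchange. This is an added illustration, not Google's, Apple's or any health authority's code: the key size, the 15-minute rotation period and the HMAC-based derivation are simplifying assumptions rather than the published GAEN specification.

```python
"""Simplified GAEN-style exposure notification (added illustration, not
the real protocol): a per-device daily key, rotating identifiers derived
from it, identifiers heard over Bluetooth, and matching done on-device
once the key of a user who tested positive is published."""
import hashlib
import hmac
import secrets

ROTATION_SECONDS = 15 * 60   # assumed rotation period of the broadcast identifier
DAY_SECONDS = 24 * 60 * 60


def new_daily_key() -> bytes:
    """Random key that never leaves the device unless the user reports positive."""
    return secrets.token_bytes(16)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval; unlinkable without the key."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def interval_for(timestamp: int) -> int:
    return timestamp // ROTATION_SECONDS


class Device:
    def __init__(self) -> None:
        self.daily_key = new_daily_key()
        self.observed: set = set()   # identifiers heard over Bluetooth, kept in app storage only

    def broadcast(self, timestamp: int) -> bytes:
        return rolling_identifier(self.daily_key, interval_for(timestamp))

    def hear(self, identifier: bytes) -> None:
        self.observed.add(identifier)

    def exposed_to(self, published_key: bytes, day_start: int) -> bool:
        """Matching runs locally: re-derive the day's identifiers and compare."""
        first, last = interval_for(day_start), interval_for(day_start + DAY_SECONDS)
        return any(rolling_identifier(published_key, i) in self.observed
                   for i in range(first, last))


def simulate(contact: bool) -> bool:
    """Constructed scenario: Alice later tests positive; Bob is flagged only if they met."""
    alice, bob = Device(), Device()
    day_start = 1_700_000_000 - (1_700_000_000 % DAY_SECONDS)
    if contact:
        bob.hear(alice.broadcast(day_start + 3600))   # one Bluetooth sighting, an hour into the day
    return bob.exposed_to(alice.daily_key, day_start)   # Alice's key published by the health authority
```

The identifiers are meant to exist only in the app's own storage; the complaint below concerns their appearance in system logs that other applications could read.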
But the suit claimed that the tech giant undermined these protections by allowing Android users' personal and medical information to be written to a device's system logs, which dozens to hundreds of third parties could access.
The case also argued that Google did not notify affected users even after it became aware of the vulnerability.
"To date, Google has failed to inform the public that participants in GAEN have had their private personal and medical information exposed to third parties, who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs," the suit read.
Apple was not named in the suit and there was no indication that Apple users' personal information could be exposed.
Dozens of states have adopted the technology, including California, New York, Michigan, Virginia, Utah and Pennsylvania. According to the lawsuit, more than 28 million people in the United States downloaded contact tracing apps that use GAEN. California's version of the app, called CA Notify, was installed on a million Android devices and around 8.5 million Apple devices.
The plaintiffs sought to represent a nationwide class of Android users who activated a contact tracing app that uses GAEN, as well as a separate subclass of California residents. In their suit, the pair demanded that Google fix the security flaw and pay damages.
Google spokesperson Jose Castaneda said in response to the lawsuit that GAEN uses "privacy preserving technology" and that neither Google, Apple nor other users can use the system to identify individuals. He added that the matching happens only on devices.
"These Bluetooth identifiers do not reveal a user's location or provide any other identifying information and we have no indication that they were used inappropriately, nor that any app was even aware of this," Castaneda told Law360.
But the spokesperson also said that the tech giant was patching an issue: "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some preinstalled applications for debugging purposes … We reviewed the issue, considered mitigations, updated the code and are ensuring the fix is rolled out to users."