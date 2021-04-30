



Jessica Davis

April 30, 2021 - Two individuals who used California's public health COVID-19 contact tracing app have sued the developer, Google, over the tool's alleged disclosure of user data and infringement of privacy.

The Google-Apple Exposure Notification (GAEN) system was developed by the two technology giants to help governments and public health agencies control the spread of the coronavirus. The technology relies on proximity data collected through the Bluetooth capabilities of mobile devices to alert individuals to potential exposure.

When the system was announced in April 2020, Google provided a detailed outline of its privacy policy, including the requirement for explicit user consent, and a list of frequently asked questions reiterating the company's privacy policy.

These policies included generating the tracing keys tied to a user's device randomly, rather than deriving them mathematically from the user's private key. The tech company also promised to disable the service once the pandemic was contained.

The announcement raised many concerns among privacy stakeholders, especially with regard to user consent and the heavy reliance on APIs. The National Association of Attorneys General (NAAG) emphasized that the app may not adequately protect consumers' personal information.

A lawsuit filed in the Federal District Court for Northern California in San Jose alleges that the app confirmed these concerns.

“Google’s GAEN implementation puts this sensitive contact tracing data in the device’s system logs and gives dozens or hundreds of third parties access to these system logs, so Google has released personal and medical information about GAEN participants related to contact tracing, including notifications of potential exposure to COVID-19 sent to Android device users,” according to the lawsuit.

Specifically, the lawsuit alleges that the app's “rolling proximity identifiers” (RPIs), used on the device's Bluetooth radio, were recorded by Google's GMS, making that information available to a large number of third parties, along with information from unprotected GAEN users on other devices within range (including non-Android devices such as the iPhone).

In addition, the identifiers are kept alongside other device identifiers and stored in the mobile device's system logs, making them available to third parties who have access to those logs. The exposed information is also personally identifiable and can be used to link it to users' identities, locations, and other identifiers.

“For those who report a positive test result, a third party can associate the diagnosis with a particular patient and defeat the anonymity Google claims about the service,” the lawsuit alleges.

“Even if GAEN does not record the COVID-19 diagnosis directly in the system log, the positive COVID-19 test result can be inferred from the RPI written in the system log. This is because, as explained above, the keys associated with positive diagnoses are publicly available.” “Anyone can access the public keys to identify the RPI generated by a device belonging to an individual infected with COVID-19.”

The lawsuit further alleges that Google was informed of the GAEN flaw in February 2021 and that it caused the alleged data breach. However, the general public has not been informed that “their personal information and medical information are disclosed to third parties.”

The individuals also claimed that when Google began addressing the security flaws through software updates, it indirectly confirmed the existence of the flaws outlined in the lawsuit.

The lawsuit alleges that the tech giant violated the California Medical Information Confidentiality Act, common law, and privacy rights, and seeks a mandatory public injunction requiring Google to remediate the alleged problems.

The individuals are also seeking damages, in addition to a nationwide class action covering the Android users (approximately 28 million) who have downloaded or activated a contact tracing app built on Google's GAEN.

As Kelvin Coleman, Executive Director of the National Cyber Security Alliance (NCSA), previously explained to HealthITSecurity.com, the lack of federal privacy regulation in the United States fuels privacy concerns. However, the tech giant has implemented key security requirements that may have been built on compliance with privacy regulations.

“Google and Apple have already taken a good first set of steps to ensure privacy by banning the use of location data tracking in the contact tracing API,” Coleman said at the time. “Other government and private sector developers should ideally follow the same example.”

“You also need to be transparent with your users about the vulnerabilities surrounding Bluetooth capabilities, why they should be enabled on devices as needed, the importance of using cryptographic means, and the importance of enabling MFA in apps that use or collect personally identifiable information.”

