On April 27, 2021, a class action lawsuit was filed against Google, Inc. (“Google”) alleging that the Google-Apple Exposure Notification System (“GAEN”) – the company’s COVID-19 contact tracking app – contained a flaw that may allow third parties to access user medical information. Google had promised users of GAEN that their medical information would be held in the utmost privacy. The company explained that “the list of people you’ve been in contact with doesn’t leave your phone unless you choose to share it,” implying the data was safe from unauthorized third-party access. Further, Google promised that data collected was all anonymized such that even if third parties could access the data, the information could not be linked to a particular individual.
However, even though GAEN does not log COVID-19 diagnoses to system logs directly, rolling proximity identifiers (RPIs) are stored alongside MAC addresses in the system logs. The combination of these identifiers can be used to trace the information back to individual identities, locations, and other identifying attributes, and these system logs are accessible by third parties for various purposes. In fact, studies have found that more than 400 preinstalled apps on phones built by Samsung, Motorola, Huawei, and other companies have permission to read system logs, typically for crash reports and analytic purposes. Thus, availability of this information in system logs appears to contradict Google’s assurances.
Researchers from the privacy analysis firm AppCensus discovered the weakness in the GAEN information storage system that allowed other apps to access GAEN user information earlier this year. AppCensus alerted Google to the problem in February 2021, but Google did not take action at the time. Fortunately, there is no widely published evidence that third party apps have actually gathered user data from the system logs, and Google asserts that it is now rolling out a patch to address the weakness in the app’s programming.
This case adds an extra consideration for companies beyond just the data with which the company’s app is intended to interact. A finding against Google could encourage companies to design their apps with downstream data flow in mind. In particular, for sensitive data, companies should be aware of what other information is being stored alongside the data collected by their apps and which parties may have access. App developers should consider prompt adjustments if a potential weakness in privacy measures is brought to their attention.