On April 27, 2021, class claims were filed in federal court in the Northern District of California against tech giant Google LLC (“Google”) alleging that the COVID-19 contact tracing technology the company co-created with Apple has exposed users’ private personal and medical information. The suit claims that the sensitive data was retrievable by numerous third parties, and also by other contact tracing app users who were within a certain proximity of a fellow user.
In the complaint, named plaintiffs Jonathan Diaz and Lewis Bornmann described how the technology known as Google-Apple Exposure Notification System (“GAEN”) was created, according to the defendant, to assist public health authorities fight COVID-19. Contact tracing apps that use GAEN operate by first requiring a user activate contact tracing on their device; for Android users this required the download of a state-offered public health app. Apple users, conversely, only had to activate GAEN on their phones directly in the device settings without having to download and install a separate contact tracing app.
As part of the activation process, GAEN generates a unique, random sequence of characters called a Temporary Exposure Key (“Key”) for the user, which updates once every 24-hours after installation. GAEN then uses the Key to generate a different, unique random-seeming, sequence of characters called a rolling proximity identifier (“RPI”). Once all these steps are completed, users’ phones broadcast the RPI over its Bluetooth radio to other users’ phones within range, whose devices then receive and record the broadcasted incoming RPI.
In theory, the information transmitted should only be traceable to the device holder with a unique Key held by the public health authorities. However, the RPI is stored alongside other device identifier’s known as MAC addresses, which become available via the device system logs and can allow third parties to identify users using the MAC addresses, thus refuting Google’s claim that the app is anonymous. The plaintiffs argue that Google became aware of the design flaw in GAEN in February 2021, but failed to inform the public that private personal and medical information was allegedly exposed.
The plaintiffs are seeking to represent a national class made up of all persons in the U.S. who downloaded or activated a contact tracing app incorporating the Google-Apple Exposure Notification System on their mobile device. Additionally, the plaintiffs are seeking to represent a California sub-class. The suit brings causes of action for invasion of Privacy: Public Disclosure of Private Facts, Invasion of Privacy: Intrusion Upon Seclusion, violation of the California Constitution and violation of the California Confidentiality of Medical Information Act.
The case is: Diaz et al. v. Google LLC, Case No.: 5:21-cv-03080, in the U.S. District Court for the Northern District of California.
Counsel Financial provides working capital credit lines exclusively for the plaintiffs' bar in all states except California, where credit lines are issued by California Attorney Lending.