This article has been saved to your Favorites!

Google Calls COVID Tracing App Security Flaw 'Hypothetical'

By Craig Clough · 2021-06-30 17:27:10 -0400

Lamenting that "no good deed goes unpunished," Google asked a California federal judge Wednesday to toss a proposed class action claiming that a free COVID-19 contact tracing tool the company co-created exposed unwitting Android users' sensitive personal information, saying the users only allege a "hypothetical" exposure based on speculation.

Google told the court the two lead plaintiffs lack standing to bring the suit because they do not allege their sensitive information was ever accessed through the Exposure Notification system, and that they failed to state claims for which relief can be granted because there is no allegation of any public disclosure of their information.

"Over the past year, the EN system has been used by millions of users and dozens of public health authorities around the world," Google said in its motion to dismiss the complaint. "Google and Apple made the technology available free of charge. Apparently no good deed goes unpunished."

The company added, "In other words, this is a case about a hypothetical and exceedingly unlikely risk of harm. Plaintiffs' complaint is noticeably devoid of factual allegations showing that an individual's use of the EN system was ever used to identify an individual, and the explanations for how that might be possible are convoluted and highly theoretical."

Plaintiffs Jonathan Diaz and Lewis Bornmann claim in their April lawsuit that Google LLC violated the California Confidentiality of Medical Information Act as well as their common law and constitutional privacy rights through its implementation of the COVID-19 exposure notification system that the tech giant developed along with Apple Inc.

The Google-Apple Exposure Notification System, which the companies rolled out last May, is designed to assist governments across the globe with tracking the spread of COVID-19 through smartphone apps that alert users who come in close contact with someone who tested positive for the coronavirus.

However, while the companies have assured those who choose to use the tool that their personal data will be safeguarded and their identities would remain anonymous, Google has failed to live up to this pledge by allowing sensitive contact tracing data to be placed on Android devices' system logs, therefore allowing "dozens or even hundreds of third parties" to access this data and tie it to specific individuals, according to the complaint.

The plaintiffs seek to represent a nationwide class of Android users who downloaded or activated a contact tracing app incorporating the Google-Apple Exposure Notification System on their mobile device as well as a separate subclass comprised of California residents.

Google said in its motion that Diaz and Bornmann lack standing because they do not allege any third party actually accessed their information, only that it theoretically could have happened.

Among the cases Google cited to support a lack of standing is the Eastern District of California's 2015 ruling in Leidos" data-unique-id="581899">Fernandez v. Leidos, which held that "[i]f no one has viewed your private information (or is about to view it imminently), then your privacy has not been violated."

Google also pointed to the Northern District of California's 2018 ruling in Williams v. Facebook Inc. , which held that in order to establish Article III standing in a privacy claim under California law, plaintiffs must allege their information was not only collected but also wrongfully disclosed.

According to Google's motion, the plaintiffs failed to state a claim for public disclosure of private facts, and cited the Northern District of California's 2014 ruling in Opperman v. Path Inc., in which the court dismissed a claim alleging plaintiffs' phone address books were transmitted in an unencrypted manner.

The Opperman ruling held that "[w]hile plaintiffs alleged that their information could have been intercepted by third parties, they do not allege that any interception occurred, nor do they allege that it was 'substantially certain' that their address books would become 'public knowledge.'"

Google added that in "the instant case, plaintiffs have alleged even fewer facts that could lead to an inference of public disclosure 'at large' of 'private facts."

Counsel for the parties did not immediately respond to requests for comment. 

The Android users are represented by Michael W. Sobol, Melissa Gardner, Ian Bensberg, Nicholas Diamand and Douglas Cuthbertson of Lieff Cabraser Heimann & Bernstein LLP.

Google LLC is represented by Benedict Y. Hur, Simona Agnolucci, Eduardo E. Santacana and Tiffany Lin of Willkie Farr & Gallagher LLP.

The case is Diaz et al. v. Google LLC, case number 5:21-cv-03080, in the U.S. District Court for the Northern District of California.

--Additional reporting by Allison Grande. Editing by Andrew Cohen.

For a reprint of this article, please contact reprints@law360.com.