LIEFF CABRASER HEIMANN & BERNSTEIN, LLP
Michael W. Sobol (SBN 194857)
Melissa Gardner (SBN 289096)
Ian Bensberg (pro hac vice pending)
275 Battery Street, 29th Floor
San Francisco, CA 94111-3339
(415) 956-1000
LIEFF CABRASER HEIMANN & BERNSTEIN, LLP
Nicholas Diamand (pro hac vice pending)
ndiamand@lchb.com
Douglas Cuthbertson (pro hac vice pending)
dcuthbertson@lchb.com
250 Hudson Street, 8th Floor
New York, NY 10013
Telephone: 212.355.9500
Facsimile: 212.355.9592
Attorneys for Plaintiffs and the Proposed Class

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

JONATHAN DIAZ and LEWIS BORNMANN, on behalf of themselves and all others similarly situated,

Plaintiffs,

v.

GOOGLE LLC,

Defendant.

Case No.: 5:21-cv-3080

COMPLAINT

CLASS ACTION

DEMAND FOR JURY TRIAL

Case 5:21-cv-03080 Document 1 Filed 04/27/21 Page 2 of 29

TABLE OF CONTENTS

I. INTRODUCTION
II. PARTIES
III. JURISDICTION
IV. INTRADISTRICT ASSIGNMENT
V. GOOGLE’S CONDUCT
  A. Background: The COVID-19 Pandemic
  B. Google’s Exposure Notification System
  C. How GAEN Works
  D. GAEN is Supposed to Ensure User Anonymity
  E. Google’s Implementation of GAEN Exposes COVID-19 Tracing Data
  F. The Exposed COVID-19 Tracing Data is Personally Identifiable
  G. Millions of App Users Are Affected by the GAEN Security Breach
  H. Google Refuses to Satisfactorily Address this Vulnerability
VI. THE NAMED PLAINTIFFS’ EXPERIENCES
  A. Plaintiff Lewis Bornmann
  B. Plaintiff Jonathan Diaz
VII. CLASS ACTION ALLEGATIONS
VIII. CLAIMS FOR RELIEF
  FIRST CLAIM FOR RELIEF: Invasion of Privacy: Public Disclosure of Private Facts
  SECOND CLAIM FOR RELIEF: Invasion of Privacy: Intrusion Upon Seclusion
  THIRD CLAIM FOR RELIEF: California Constitution, Article 1, § 1
  FOURTH CLAIM FOR RELIEF: California Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56 et seq.
IX. PRAYER FOR RELIEF
X. DEMAND FOR JURY TRIAL

I. INTRODUCTION

Defendant Google LLC (“Google”) co-created the Google-Apple Exposure Notification System (“GAEN”) to assist state and local authorities deploying apps for mobile devices that conduct COVID-19 “contact-tracing,” and implements GAEN in Android smartphones via Google Mobile Services, a collection of Google apps and APIs (“GMS”). Google unequivocally assures that it completely safeguards the sensitive information necessarily involved with COVID-19 contact tracing. However, because Google’s implementation of GAEN allows this sensitive contact tracing data to be placed on a device’s system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants’ private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19.

The GAEN contact tracing system uses signals called “rolling proximity identifiers” broadcast through the Bluetooth radio on mobile devices that other mobile devices can detect and record, thereby providing information about proximate encounters with nearby participants. Google’s GMS records both this outgoing and incoming data on each device’s system log, such that Android device users running Google’s software unwittingly expose not only their information to numerous third parties, but also information from unsuspecting GAEN users on other devices (including non-Android devices, such as iPhones) who come within range of them.

The exposed information is personally identifiable. The contact tracing apps themselves generate ostensibly-secure personal device identifiers, which change periodically as they are broadcast to other devices, and should be traceable to the device user only with a “key” held by the public health authorities. But in storage, these identifiers are maintained alongside other device identifiers known as MAC addresses. When this stored data is written to mobile device system logs, it becomes available to third parties with access to the logs. They, alone or in concert, can use the MAC addresses to trace the identifiers back to individual identities, locations, and other identifying attributes, effectively creating an alternative “key” of their own. For those who have reported testing positive, it enables third parties to link that diagnosis back to the particular patient, defeating the purported anonymity Google claims for its service.

In February 2021, Google was informed of the security flaw in its implementation of GAEN that caused the data breach alleged herein. To date, Google has failed to inform the public that participants in GAEN have had their private personal and medical information exposed to third parties, who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs.

Accordingly, Plaintiffs Jonathan Diaz and Lewis Bornmann, on behalf of themselves and all others similarly situated, bring this action pursuant to the California Confidentiality of Medical Information Act and their common law and constitutional privacy rights to obtain a mandatory public injunction requiring Google to remediate the security flaw in its implementation of the GAEN system, and for, inter alia, damages and restitution.

II. PARTIES

1. Plaintiff Jonathan Diaz is a citizen and resident of Alameda County, California.

2. Plaintiff Lewis Bornmann is a citizen and resident of Solano County, California.

3. Defendant Google LLC (“Google”) is a Delaware Limited Liability Company based at 1600 Amphitheatre Way, Mountain View, California, whose sole member is XXVI Holdings Inc. XXVI Holdings Inc. is a corporation incorporated in Delaware with its principal office in California.

III. JURISDICTION

4. Under 28 U.S.C. § 1332(d), the Court has subject matter jurisdiction of Plaintiffs’ state law claims because the amount in controversy exceeds $5,000,000, exclusive of interest and costs, and at least one class member is a citizen of a state that is neither Delaware nor California.

IV. INTRADISTRICT ASSIGNMENT

5. Pursuant to Civil L.R. 3-2(c), assignment to the San Jose Division of this District is proper because a substantial part of the conduct which gives rise to Plaintiffs’ claims occurred in Santa Clara County. Google developed, markets, and deploys its products throughout the United States, including in Santa Clara County. Additionally, Google is headquartered in Mountain View, California, which is located within Santa Clara County.

V. GOOGLE’S CONDUCT

A. Background: The COVID-19 Pandemic

6. In December 2019, a new strain of coronavirus known as SARS-CoV-2 appeared in China.

7. SARS-CoV-2 causes a highly infectious disease known as COVID-19.

8. COVID-19 spread swiftly across the globe. The World Health Organization declared it a global health emergency on January 20, 2020.

9. One potentially effective tool used by public health authorities to control the spread of infectious diseases like COVID-19 is called contact tracing.

10. In general, contact tracing means identifying everyone who has come into contact with an infected person to notify them they may have been infected, observe them for signs of infection, and isolate and treat them if they are infected.

11. The contact tracing protocol issued for COVID-19 by the U.S. Centers for Disease Control and Prevention provides that such notifications should be issued to anyone who has been within 6 feet of an infected person for at least 15 minutes within the past 14 days.1

B. Google’s Exposure Notification System

12. In 2020, Google and Apple Inc. developed a system for digital contact tracing using smartphones called the Google-Apple Exposure Notification System (“GAEN”).

13. In May 2020, Google implemented GAEN and made it available to public health authorities worldwide.2

14. GAEN acts as a framework or platform on which a public health authority can build a mobile contact tracing application (“Contact Tracing App” or “App”) for use in its jurisdiction.3

1 Ctrs. for Disease Control & Prevention, Contact Tracing for COVID-19, https://www.cdc.gov/coronavirus/2019-ncov/php/contact-tracing/contact-tracing-plan/contact-tracing.html (Feb. 25, 2021).
2 David Burke, An Update on Exposure Notifications, Google (July 31, 2020), https://blog.google/inside-google/company-announcements/update-exposure-notifications.
3 Google, Exposure Notifications, https://www.google.com/covid19/exposurenotifications (last visited Apr. 27, 2021).

15. Google advertises its implementation of GAEN as “[u]sing technology to help public health authorities fight COVID-19.”4

16. In the United States, public health authorities in Alabama, Arizona, California, Colorado, Connecticut, Delaware, the District of Columbia, Guam, Hawai’i, Louisiana, Maryland, Michigan, Minnesota, Nevada, New Jersey, New York, North Carolina, Oregon, Pennsylvania, Puerto Rico, South Carolina, North Dakota, Wyoming, Utah, Virginia, Washington, and Wisconsin have released Contact Tracing Apps that use GAEN.5

17. In the United States, more than 28 million people, residents of each jurisdiction above, have downloaded Contact Tracing Apps that use GAEN or activated exposure notifications on their mobile devices.6

18. California’s Contact Tracing App is called CA Notify and was developed by the California Department of Technology.7

19. Users of Apple devices in California may activate the functionality of CA Notify on their phones without having to download the App.8

20. CA Notify has been downloaded to about 9.5 million mobile devices.9

21. CA Notify has been downloaded to about 8.5 million Apple devices.10

4 Id.
5 Mishaal Rahman, Here Are the Countries Using Google and Apple’s COVID-19 Contact Tracing API, XDA (Feb. 25, 2021, 2:27 PM), https://www.xda-developers.com/google-apple-covid-19-contact-tracing-exposure-notifications-api-app-list-countries.
6 Lindsey Van Ness, For States’ COVID-19 Contact Tracing Apps, Privacy Tops Utility, Government Technology (Mar. 22, 2021), https://www.govtech.com/health/For-States-COVID-19-Contact-Tracing-Apps-Privacy-Tops-Utility.html.
7 Cal., California Can Stop the Spread, https://canotify.ca.gov/ (last visited Apr. 27, 2021); Cal. Dep’t of Technology, CA Notify, https://play.google.com/store/apps/details?id=gov.ca.covid19.exposurenotifications (Apr. 5, 2021).
8 Jason Pohl & Dale Kasler, Did You Get a COVID-19 Warning from California’s Phone App? Why You Probably Didn’t, The Sacramento Bee, https://www.sacbee.com/news/coronavirus/article249875513.html (Mar. 15, 2021, 3:56 PM).
9 Id.
10 Id. (“about nine times as many people have enrolled in CA Notify on an iPhone”).

22. CA Notify has been downloaded to about 1 million Android devices.11

C. How GAEN Works

23. Contact Tracing Apps that use GAEN work on both devices running Google’s Android operating system and devices running Apple’s iOS operating system.

24. On both operating systems, contact tracing that uses GAEN works as follows: First, a user activates contact tracing on their device. For Android users, this requires the download of an App offered by their state public health authority. Since fall 2020 it has been possible for users of Apple devices in participating jurisdictions to activate GAEN on their phones directly from the device settings, without having to download and install a freestanding Contact Tracing App.12

25. Second, as part of the activation process, GAEN generates a unique, random-seeming sequence of characters called a Temporary Exposure Key (“Key”) for the user.13

26. A new Key is generated once every 24 hours after installation.14

27. Third, the App uses the Key to generate a “rolling proximity identifier key,” which then generates a different, unique, random-seeming sequence of characters called a “rolling proximity identifier” (RPI).15

11 Id.
12 Russell Brandom, Apple and Google Announce New Automatic App System to Track COVID Exposures, The Verge (Sept. 1, 2020, 12:00 PM), https://www.theverge.com/2020/9/1/21410281/apple-google-coronavirus-exposure-notification-contact-tracing-app-system; Google, Use the COVID-19 Exposure Notifications System on Your Android Phone, https://support.google.com/android/answer/9888358 (last visited Apr. 27, 2021) (“To use the system, you need to download an official app from your region’s government public health authority.”).
13 Apple & Google, Exposure Notification: Cryptography Specification 6 (Apr. 23, 2020), https://blog.google/documents/69/Exposure_Notification_-_Cryptography_Specification_v1.2.1.pdf [hereinafter Cryptography Specification].
14 Apple & Google, Exposure Notification: Bluetooth Specification 3 (Apr. 23, 2020), https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf [hereinafter Bluetooth Specification].
15 Cryptography Specification, supra note 13, at 6–7.

28. As the user goes about her day, her phone broadcasts the RPI over its Bluetooth radio to other users’ phones within range, whose devices receive and record the broadcasted incoming RPI.16

29. The App generates a new RPI for the user’s phone every 15 or 20 minutes.17

30. The App records all the RPIs it broadcasts.18

31. As the user goes about her day, her phone broadcasts the identifier known as a MAC address (typically, a unique string of characters meant to identify a device on a network) in the course of transmitting her RPIs over its Bluetooth radio to other users’ phones within range, whose devices record the RPIs but also incidentally record the MAC address and associate the MAC address with the RPI.19

32. In general, because Bluetooth transmissions include the transmitting device’s MAC address, Bluetooth device MAC addresses are randomized before broadcast, including with GAEN, in an effort to prevent a history of the broadcasts by a specific device from being compiled over time.20

33. Fourth, the user’s phone receives any RPIs and randomized MAC addresses being broadcast by other users’ phones within Bluetooth range,21 which on information and belief, is approximately 30 feet.

16 Apple & Google, Privacy-Safe Contact Tracing Using Bluetooth Low Energy 2, https://blog.google/documents/57/Overview_of_COVID-19_Contact_Tracing_Using_BLE.pdf (last visited Apr. 27, 2021) [hereinafter Overview]; Bluetooth Specification, supra note 14, at 5; Apple & Google, Exposure Notifications: Frequently Asked Questions 3 (Sept. 2020), https://static.googleusercontent.com/media/www.google.com/en//covid19/exposurenotifications/pdfs/Exposure-Notification-FAQ-v1.2.pdf [hereinafter FAQ].
17 Bluetooth Specification, supra note 14, at 3, 8; Overview, supra note 16, at 2.
18 FAQ, supra note 16, at 3–4; Bluetooth Specification, supra note 14, at 5.
19 Cryptography Specification, supra note 13, at 5; Bluetooth Specification, supra note 14, at 5.
20 Cryptography Specification, supra note 13, at 5; Bluetooth Specification, supra note 14, at 5.
21 FAQ, supra note 16, at 3–4; Bluetooth Specification, supra note 14, at 6.

34. The App records all RPIs and MAC addresses the user receives, as well as the user’s distance from any RPI’s source (that is, from another user’s phone), based on the signal strength of the Bluetooth transmission.22

35. Fifth, if a GAEN user receives a positive COVID-19 diagnosis, with approval from the local public health authority, the GAEN system will recognize that user’s RPIs as coming from an at-risk user.23

36. The at-risk users’ Keys, which in and of themselves contain no personal information, are marked as exposed and published for anyone to access, by the public health authority.24

37. Sixth, the App periodically compares the list of exposed Keys to the list of RPIs the user has come into contact with.25

38. Anyone in possession of a Key can calculate which RPIs were generated by it and thereby associate these RPIs with one source known to be a device belonging to a COVID-19 infected individual.26

39. If the App determines that the user has come into contact with one or more RPIs generated by an exposed Key, the user is alerted that she has potentially been exposed to the coronavirus.27

40. Where GAEN’s functionality can be activated without downloading a freestanding App, its inputs and outputs are handled by the device’s native software. When GAEN is activated in this way, it otherwise functions in the same way as when it is App-activated.

22 FAQ, supra note 16, at 7; Bluetooth Specification, supra note 14, at 6.
23 FAQ, supra note 16, at 3–4, 8.
24 Bluetooth Specification, supra note 14, at 3; Cryptography Specification, supra note 13, at 8; FAQ, supra note 16, at 5.
25 FAQ, supra note 16, at 4.
26 Bluetooth Specification, supra note 14, at 8 (“A user’s Rolling Proximity Identifier changes on average every 15 minutes, and needs the Temporary Exposure Key to be correlated to a contact.”).
27 FAQ, supra note 16, at 4.

D. GAEN is Supposed to Ensure User Anonymity

41. Through the GAEN system, in theory, the list of RPIs that a user’s mobile device sees over time need never leave the device, and users learn from a health authority the set of RPIs that were broadcast by at-risk users, but the identity of those users, and what other users may have also received a broadcast from an at-risk user should remain anonymous. Google represents that GAEN does not share a user’s identity; that only public health authorities can use GAEN; and that RPIs never leave a user’s phone.28

42. Maintaining user privacy and anonymity is important for the Apps. Users trusting that GAEN would not disseminate personal information was critical to attracting sufficiently broad participation for the Apps to play a meaningful role in the public health authorities’ COVID-19 responses.29

43. Accordingly, Google has represented GAEN’s privacy protections as follows:

a. “Doesn’t collect personally identifiable information”30

b. “List of people you’ve been in contact with never leaves your phone”31

c. “People who test positive are not identified to other users, Google or Apple”32

d. “All of the Exposure Notification matching happens on your device.”33

28 Burke, supra note 2; Overview, supra note 16, at 1.
29 Pohl & Kasler, supra note 8 (“It appears the people most at risk of spreading the disease are not going through the steps that would send an alert. … [T]he app appears to have so far fallen victim to worries about privacy and the pervasiveness of surveillance technology.”); Andrew Sheeler, This App Uses Bluetooth to Tell You If You Have Been Exposed to COVID-19 in California, The Sacramento Bee, https://www.sacbee.com/news/politics-government/capitol-alert/article247671555.html (Dec. 7, 2020, 5:39 PM) (“‘We value privacy, California has long been a leader in terms of advancing the cause and we don’t want to do anything to set that cause back,’ Newsom said.”).
30 Overview, supra note 16, at 1.
31 Id.
32 Id.
33 Google, supra note 3.

44. Relying on Google’s representations, news media have reported about GAEN as follows:

a. “Apple and Google say they will create software allowing phones to broadcast unique cryptographically generated codes via Bluetooth. The codes won’t include identifying information or location data, and the cryptography is designed to make it impossible to tie the codes to a particular person.”34

b. “Bluetooth-based Covid-19 contact-tracing schemes are designed to upload no data from most users.”35

c. “Apple and Google emphasize that all of the … privacy protections … . No location data is shared and the system does not share your identity with other users, Apple, or Google. All matching is done on-device and users have full control over whether they want to report a positive test.”36

45. For devices running Google’s Android operating system, Google designed GAEN in a manner that rendered these representations false.

E. Google’s Implementation of GAEN Exposes COVID-19 Tracing Data

46. Every Android device hosts a “log file” or “system log”: a file for logging important device metrics and events that occur during operation.

47. Smartphone system log files enable application developers, device manufacturers, and/or network providers to obtain necessary data for later analysis, such as to evaluate the stability and reliability of a given application, connection, or device. As such, the system logs exist to transmit information in the logs from the phone to be received by the entities with permission to access the logs.

34 Sidney Fussell & Will Knight, The Apple–Google Contact Tracing Plan Won’t Stop Covid Alone, Wired (Apr. 14, 2020, 3:04 PM), https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone.
35 Andy Greenberg, Does Covid-19 Contact Tracing Pose a Privacy Risk? Your Questions, Answered, Wired (Apr. 17, 2020, 7:00 AM), https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses.
36 Chance Miller, Apple Releases iOS 13.7 with New Built-in COVID-19 Exposure Notifications Express System, 9 to 5 Mac (Sept. 1, 2020, 1:00 AM), https://9to5mac.com/2020/09/01/covid-19-exposure-ios-13-7-built-in.

48. On smartphones running Google’s Android operating system, certain applications “pre-installed” on the device (included with the device purchase) are automatically granted permission to access the system logs, called “READ_LOGS” permission.

49. There are hundreds of such applications.

50. Applications with READ_LOGS permission include applications developed by Google (the operating system developer), such as the Android Game Optimizing Service; applications developed by Samsung and Motorola (device manufacturers), such as Samsung’s “MyGalaxy” music and video streaming service; and applications developed by AT&T, Verizon, or T-Mobile (mobile network operators), such as Verizon’s account management app “MyVerizon.”37

51. On information and belief, more than one hundred different applications or services that hold READ_LOGS permission and contain code for executing a command to view the system logs can be installed on Android devices.

52. In addition, advertising partners affiliated with entities that have READ_LOGS permissions and third-party software have READ_LOGS permissions in spite of public pronouncements by Google that third parties should not have READ_LOGS permissions.

53. Smartphone system log files may be transmitted to application developers, device manufacturers, and network providers with READ_LOGS permissions in the ordinary course of the phones’ operation.38 Google at times accesses, or has accessed, system log files for upload which contain COVID-19 contact tracing information.

37 With respect to pre-installed applications generally, see Julien Gamba et al., An Analysis of Pre-installed Android Software 4–5, 41st IEEE Symposium on Security and Privacy (May 7, 2019), available at https://arxiv.org/pdf/1905.02713.pdf.
38 Google, Privacy Security Best Practices, https://source.android.com/security/best-practices/privacy (Sept. 1, 2020) (“Logging data increases the risk of exposure of that data and reduces system performance. Multiple public security incidents have occurred as a result of logging sensitive user data.”).

54. Device manufacturer Samsung acknowledges that it collects:

    information about … your device, including MAC address, IP address, log information, device model, hardware model, IMEI number, serial number, subscription information, device settings, connections to other devices, mobile network operator, web browser characteristics, app usage information, sales code, access code, current software version, MNC, subscription information and randomized, non-persistent and resettable device identifiers, such as Personalized Service ID (or PSID), and advertising IDs, including Google Ad ID[.]39

55. A Samsung-manufactured Android device may have 150 or more pre-installed applications or services that hold READ_LOGS permission and contain code for executing a command to view the system logs.

56. A Motorola-manufactured Android device may have 60 or more pre-installed applications or services that hold READ_LOGS permission and contain code for executing a command to view the system logs.

57. Mobile network operator Verizon acknowledges that “[s]ome Verizon wireless devices include system applications we provide to … collect information about network and device conditions including location, battery life and applications on the device.”40

58. Mobile network operator T-Mobile acknowledges that it “automatically” collects

    [d]evice and service performance and diagnostic information, including reports from your device about signal strength, speeds, app and service performance, dropped calls, call and data failures, geolocation information, and device data like battery strength and serial number and similar device identifiers, settings, language preferences, and software versions[.]41

59. System log files may also routinely be transmitted to third parties with READ_LOGS permissions.

39 Samsung, Samsung Privacy Policy for the U.S., https://www.samsung.com/us/account/privacy-policy (Jan. 1, 2021).
40 Verizon, Let’s Take a Look at the Full Verizon Privacy Policy, https://www.verizon.com/about/privacy/full-privacy-policy (Apr. 2021).
41 T-Mobile, T-Mobile Privacy Notice, https://www.t-mobile.com/privacy-center/our-practices/privacy-policy (Feb. 23, 2021).

60. Android devices treat the entities with READ_LOGS permission as privileged first parties with respect to device users, as indicated by Google’s public explanation that READ_LOGS permissions are “[n]ot for use by third-party applications, because Log entries can contain the user’s private information.”42

61. As Google recognizes, because “logs are a shared resource and are available to an application with the READ_LOGS permission,” “inappropriate logging of user information could inadvertently leak user data to other applications.”43

62. In the mobile application development industry, it is a recognized best practice to log no more than necessary to ensure the application’s stability and reliability.44

63. In the mobile application development industry, it is a recognized best practice never to log sensitive or personally identifiable information unless the application’s basic functionality requires it.45

64. Google recognizes and promotes these practices.46

65. Google implements GAEN for Android smartphones via its Google Mobile Services, which is a collection of Google apps and APIs (“GMS”). Google’s GMS instructs, or has instructed, the GAEN system to log every RPI broadcasted and received by the user’s phone to the system logs.

66. GAEN logs every COVID-19 exposure notification received by a user to the system logs.

67. On information and belief, GAEN logs every user’s input, and failure to input, positive COVID-19 diagnoses to the system logs.
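
Paragraphs 61 through 67 describe rolling identifiers, MAC addresses and health events being written to a log that other applications can read. The following Python sketch is an added illustration, not part of the complaint and not Google's code: it audits a log excerpt for that pattern, marks lines where an identifier and a MAC address appear together, and redacts them. The log lines, tag names and field names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in logcat "threadtime" layout. Tags, field names and
# values are hypothetical; they do not reproduce real GMS log output.
SAMPLE_LOG = """\
04-27 09:15:02.101  1234  1301 D ExampleScanner: seen rpi=5f3a9c0e7b2d4418a6c1e0f9d2b7a345 mac=4A:1B:9C:22:0F:E1 rssi=-61
04-27 09:15:02.480  1234  1301 I ExampleScanner: scan window closed, 1 sighting
04-27 09:25:10.007  1234  1288 D ExampleAdvertiser: broadcasting rpi=0c77e1a2b3c4d5e6f708192a3b4c5d6e
04-27 21:40:55.912  1234  1410 I ExampleNotifier: possible exposure notification shown to user
04-27 21:41:03.330   987  1002 W WifiService: link 7E:02:A4:10:33:9B lost
"""

# Fields: date time, pid, tid, level, tag, message.
LINE_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+): (.*)$"
)
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# 32 hex characters = 16 bytes, the length of a rolling proximity identifier.
ID128_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")
HEALTH_RE = re.compile(r"\b(exposure|diagnosis|positive)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    tag: str
    kinds: frozenset
    linkable: bool  # identifier and MAC address on the same line


def split_line(line):
    """Return (prefix, tag, message); an unparsed line is treated as all message."""
    m = LINE_RE.match(line)
    if not m:
        return "", "?", line
    return line[: m.start(6)], m.group(5).strip(), m.group(6)


def classify(message):
    """Name the kinds of sensitive content present in one log message."""
    kinds = set()
    if ID128_RE.search(message):
        kinds.add("id128")
    if MAC_RE.search(message):
        kinds.add("mac")
    if HEALTH_RE.search(message):
        kinds.add("health")
    return frozenset(kinds)


def audit(log_text):
    """List every line that carries an identifier, a MAC address or a health event."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        _, tag, message = split_line(line)
        kinds = classify(message)
        if kinds:
            findings.append(Finding(line_no, tag, kinds, {"id128", "mac"} <= kinds))
    return findings


def redact(log_text):
    """Mask identifiers and MAC addresses; drop the body of health-event lines."""
    out = []
    for line in log_text.splitlines():
        prefix, _, message = split_line(line)
        if HEALTH_RE.search(message):
            message = "<health event redacted>"
        else:
            message = MAC_RE.sub("<mac>", ID128_RE.sub("<id128>", message))
        out.append(prefix + message)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        flag = "LINKABLE" if f.linkable else "flagged"
        print(f"line {f.line_no} [{f.tag}] {flag}: {', '.join(sorted(f.kinds))}")
    print(redact(SAMPLE_LOG), end="")
```
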

42 Google, Manifest.permission, https://developer.android.com/reference/android/Manifest.permission#READ_LOGS (Apr. 21, 2021).
43 Google, Security Tips, https://developer.android.com/training/articles/security-tips (Aug. 7, 202