Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 1 of 38

LIEFF CABRASER HEIMANN & BERNSTEIN, LLP
Michael W. Sobol (SBN 194857)
Melissa Gardner (SBN 289096)
Ian Bensberg (pro hac vice pending)
275 Battery Street, 29th Floor
San Francisco, CA 94111-3339
(415) 956-1000

LIEFF CABRASER HEIMANN & BERNSTEIN, LLP
Nicholas Diamand (pro hac vice pending)
ndiamand@lchb.com
Douglas Cuthbertson (admitted pro hac vice)
dcuthbertson@lchb.com
250 Hudson Street, 8th Floor
New York, NY 10013
Telephone: 212.355.9500
Facsimile: 212.355.9592

Attorneys for Plaintiffs and the Proposed Class

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

JONATHAN DIAZ and LEWIS BORNMANN, on behalf of themselves and all others similarly situated,

Plaintiffs,

v.

GOOGLE LLC,

Defendant.

Case No. 5:21-cv-03080-NC

AMENDED COMPLAINT

CLASS ACTION

DEMAND FOR JURY TRIAL

`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC

TABLE OF CONTENTS

I. INTRODUCTION
II. PARTIES
III. JURISDICTION
IV. INTRADISTRICT ASSIGNMENT
V. GOOGLE’S CONDUCT
    A. Background: The COVID-19 Pandemic
    B. Google’s Exposure Notification System
    C. How GAEN Works
    D. Google Represents to the World That GAEN-Driven Contact Tracing Is Anonymous
    E. Google’s Implementation of GAEN Exposes COVID-19 Tracing Data via Google’s System Logs
    F. Google Has Been Collecting COVID-19 Tracing Data Along with Other Personally Identifiable Information from Devices’ System Logs
    G. The Exposed COVID-19 Tracing Data is Personally Identifiable
    H. Millions of App Users Are Affected by the GAEN Security Breach
    I. Google Refuses to Satisfactorily Address This Vulnerability
VI. THE NAMED PLAINTIFFS’ EXPERIENCES
    A. Plaintiff Lewis Bornmann
    B. Plaintiff Jonathan Diaz
VII. CLASS ACTION ALLEGATIONS
VIII. CLAIMS FOR RELIEF
    FIRST CLAIM FOR RELIEF Invasion of Privacy: Public Disclosure of Private Facts
    SECOND CLAIM FOR RELIEF Invasion of Privacy: Intrusion Upon Seclusion
    THIRD CLAIM FOR RELIEF California Constitution, Article 1, § 1
    FOURTH CLAIM FOR RELIEF California Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56 et seq.
IX. PRAYER FOR RELIEF
X. DEMAND FOR JURY TRIAL

I. INTRODUCTION

Defendant Google LLC (“Google”) co-created the Google-Apple Exposure Notification System (“GAEN”) to assist state and local authorities deploying apps for mobile devices that conduct COVID-19 “contact-tracing,” and implements GAEN in Android smartphones via Google Play Services (GPS), an application package developed by Google. Google unequivocally assures that it completely safeguards the sensitive information necessarily involved with COVID-19 contact tracing, including that your identity, your health information, and other personal information would be inaccessible to others, including Google. However, Google’s implementation of GAEN means that sensitive contact tracing data and personally identifying information is placed on a device’s system logs, accessed by dozens or even hundreds of third parties, and collected and used by these third parties for their own purposes, including by Google itself. As a result, Google has exposed and transmitted GAEN participants’ private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19.

The GAEN contact tracing system uses signals called “rolling proximity identifiers” broadcast through the Bluetooth radio on mobile devices that other mobile devices can detect and record, thereby providing information about proximate encounters with nearby participants. Google’s GPS records both this outgoing and incoming data on each device’s system log, such that Android device users running Google’s software unwittingly expose and transmit not only their information to numerous third parties, but also information from unsuspecting GAEN users on other devices (including non-Android devices, such as iPhones) who come within range of them.

The exposed information is personally identifiable. The contact tracing apps themselves generate ostensibly-secure personal device identifiers, which change periodically as they are broadcast to other devices, and should be traceable to the device user only with a “key” held by the public health authorities. But in storage, these identifiers are maintained alongside other device identifiers known as MAC addresses, and in at least some cases, alongside yet other personal identifiers including the IP address of the wireless network, telephone number, and the App user’s email address. When this stored data is written to mobile device system logs, it becomes available to third parties with access to the logs. They, alone or in concert, can use the MAC addresses and other identifiers to trace the log files back to individual identities, locations, and other identifying attributes, effectively creating an alternative “key” of their own. For those who have reported testing positive, it enables third parties, as well as Google itself, to link that diagnosis back to the particular patient, defeating the purported anonymity Google claims for its service.

In February 2021, Google was informed of the security flaw in its implementation of GAEN that caused the data breach alleged herein. To date, Google has failed to inform the public that GAEN participants’ private personal and medical information has left their devices and been exposed to and collected by third parties, as well as by Google itself, who in the ordinary course of business access the system logs and collect and read the sensitive information contained therein.

Accordingly, Plaintiffs Jonathan Diaz and Lewis Bornmann, on behalf of themselves and all others similarly situated, bring this action pursuant to the California Confidentiality of Medical Information Act and their common law and constitutional privacy rights to obtain a mandatory public injunction requiring Google to remediate the security flaw in its implementation and maintenance of the GAEN system, and for, inter alia, damages and restitution.

II. PARTIES

1. Plaintiff Jonathan Diaz is a citizen and resident of Alameda County, California.

2. Plaintiff Lewis Bornmann is a citizen and resident of Solano County, California.

3. Defendant Google LLC (“Google”) is a Delaware limited liability company based at 1600 Amphitheatre Way, Mountain View, California, whose sole member is XXVI Holdings Inc. XXVI Holdings Inc. is a corporation incorporated in Delaware with its principal office in California.

III. JURISDICTION

4. Under 28 U.S.C. § 1332(d), the Court has subject matter jurisdiction of Plaintiffs’ state law claims because the amount in controversy exceeds $5,000,000, exclusive of interest and costs, and at least one class member is a citizen of a state that is neither Delaware nor California.

IV. INTRADISTRICT ASSIGNMENT

5. Pursuant to Civil L.R. 3-2(c), assignment to the San Jose Division of this District is proper because a substantial part of the conduct which gives rise to Plaintiffs’ claims occurred in Santa Clara County. Google developed, markets, and deploys its products throughout the United States, including in Santa Clara County. Additionally, Google is headquartered in Mountain View, California, which is located within Santa Clara County.

V. GOOGLE’S CONDUCT

A. Background: The COVID-19 Pandemic

6. In December 2019, a new strain of coronavirus known as SARS-CoV-2 appeared in China.

7. SARS-CoV-2 causes a highly infectious disease known as COVID-19.

8. COVID-19 spread swiftly across the globe. The World Health Organization declared it a global health emergency on January 20, 2020.

9. One potentially effective tool used by public health authorities to control the spread of infectious diseases like COVID-19 is called contact tracing.

10. In general, contact tracing means identifying everyone who has come into contact with an infected person to notify them they may have been infected, observe them for signs of infection, and isolate and treat them if they are infected.

11. The contact tracing protocol issued for COVID-19 by the U.S. Centers for Disease Control and Prevention provides that such notifications should be issued to anyone who has been within 6 feet of an infected person for at least 15 minutes within the past 14 days.1

1 Ctrs. for Disease Control & Prevention, Contact Tracing for COVID-19 https://www.cdc.gov/coronavirus/2019-ncov/php/contact-tracing/contact-tracing-plan/contact-tracing.html (Feb. 25, 2021).

B. Google’s Exposure Notification System

12. In 2020, Google and Apple Inc. developed a system for digital contact tracing using smartphones called the Google-Apple Exposure Notification System (“GAEN”).

13. In May 2020, Google implemented GAEN and made it available to public health authorities worldwide.2

14. GAEN acts as a framework or platform on which a public health authority can build a mobile contact tracing application (“Contact Tracing App” or “App”) for use in its jurisdiction.3

15. GAEN and the Apps for which it acts as a framework are designed and intended for use by individuals on their mobile devices and could not function without these users’ participation.

16. While certain public health authorities developed Contact Tracing Apps for their respective jurisdictions, the apps could only function on devices running Google’s Android operating system because Google itself implemented GAEN on each user’s device through updates to an application package designed by Google called Google Play Services (GPS).4

17. Google has advertised its implementation of GAEN as “[u]sing technology to help public health authorities fight COVID-19.”5

18. In the United States, public health authorities in Alabama, Arizona, California, Colorado, Connecticut, Delaware, the District of Columbia, Guam, Hawai’i, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Puerto Rico, South Carolina, Utah, Virginia, Washington, Wisconsin, and Wyoming have released Contact Tracing Apps that use GAEN.6

2 David Burke, An Update on Exposure Notifications, Google (July 31, 2020), https://blog.google/inside-google/company-announcements/update-exposure-notifications.
3 Google, Exposure Notifications (April 27, 2021) [hereinafter April 27 Exposure Notifications], https://www.google.com/covid19/exposurenotifications [https://web.archive.org/web/20210427082102/https://www.google.com/covid19/exposurenotifications/].
4 The original complaint referenced “Google Mobile Services” instead of “Google Play Services,” both of which are used to support functionality on Android devices. While Plaintiffs cannot rule out that Google Mobile Services is involved in GAEN, Google’s own documentation suggests that “Google Play Services” was used to introduce and maintain the GAEN system on Android devices. See Google, Use the COVID-19 Exposure Notifications System on your Android phone, “How your phone got the update,” https://support.google.com/googleplay/answer/9888358 (last visited July 19, 2021).
5 April 27 Exposure Notifications, supra note 3.

19. In the United States, more than 28 million people, residents of each jurisdiction above, have downloaded Contact Tracing Apps that use GAEN or activated exposure notifications on their mobile devices.7

20. California’s Contact Tracing App is called CA Notify and was developed by the California Department of Technology.8

21. Users of Apple devices in California may activate the functionality of CA Notify on their phones without having to download the App.9

22. CA Notify has been downloaded to or activated on about 9.5 million mobile devices.10

23. CA Notify has been downloaded to or activated on about 8.5 million Apple devices.11

6 Matthew Sholtz, COVID Tracing App Roundup (Apr. 1, 2021), https://www.androidpolice.com/2021/01/02/covid-tracing-apps-ens-android; Mishaal Rahman, Here Are the Countries Using Google and Apple’s COVID-19 Contact Tracing API, XDA (Feb. 25, 2021, 2:27 PM), https://www.xda-developers.com/google-apple-covid-19-contact-tracing-exposure-notifications-api-app-list-countries.
7 Lindsey Van Ness, For States’ COVID-19 Contact Tracing Apps, Privacy Tops Utility, Government Technology (Mar. 22, 2021), https://www.govtech.com/health/For-States-COVID-19-Contact-Tracing-Apps-Privacy-Tops-Utility.html.
8 Cal., California Can Stop the Spread, https://canotify.ca.gov/ (last visited July 19, 2021); Cal. Dep’t of Technology, CA Notify, https://play.google.com/store/apps/details?id=gov.ca.covid19.exposurenotifications (last visited July 19, 2021).
9 Jason Pohl & Dale Kasler, Did You Get a COVID-19 Warning from California’s Phone App? Why You Probably Didn’t, The Sacramento Bee, https://www.sacbee.com/news/coronavirus/article249875513.html (Mar. 15, 2021, 3:56 PM).
10 Id.
11 Id. (“about nine times as many people have enrolled in CA Notify on an iPhone”).

24. CA Notify has been downloaded to about 1 million Android devices.12

C. How GAEN Works

25. Contact Tracing Apps that use GAEN work on both devices running Google’s Android operating system and devices running Apple’s iOS operating system.

26. On both operating systems, contact tracing that uses GAEN works as follows: First, a user activates contact tracing on their device. For Android users, this requires the download of an App offered by their state public health authority. Since fall 2020 it has been possible for users of Apple devices in participating jurisdictions to activate GAEN on their phones directly from the device settings, without having to download and install a freestanding Contact Tracing App.13

27. Second, as part of the activation process, GAEN generates a unique, random-seeming sequence of characters called a Temporary Exposure Key (“Key”) for the user.14

28. A new Key is generated once every 24 hours after installation.15

29. Third, the App uses the Key to generate a “rolling proximity identifier key,” which then generates a different, unique, random-seeming sequence of characters called a “rolling proximity identifier” (RPI).16

12 Id.
13 Russell Brandom, Apple and Google Announce New Automatic App System to Track COVID Exposures, The Verge (Sept. 1, 2020, 12:00 PM), https://www.theverge.com/2020/9/1/21410281/apple-google-coronavirus-exposure-notification-contact-tracing-app-system; Google, Use the COVID-19 Exposure Notifications System on Your Android Phone, https://support.google.com/android/answer/9888358 (last visited July 19, 2021) (“To use the system, you need to download an official app from your region’s government public health authority.”).
14 Apple & Google, Exposure Notification: Cryptography Specification 6 (Apr. 23, 2020), https://blog.google/documents/69/Exposure_Notification_-_Cryptography_Specification_v1.2.1.pdf [hereinafter Cryptography Specification].
15 Apple & Google, Exposure Notification: Bluetooth Specification 3 (Apr. 23, 2020), https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf [hereinafter Bluetooth Specification].
16 Cryptography Specification, supra note 14, at 6–7.

30. As the user goes about her day, her phone broadcasts the RPI over its Bluetooth radio to other users’ phones within range, whose devices receive and record the broadcasted incoming RPI.17

31. The App generates a new RPI for the user’s phone every 15 or 20 minutes.18

32. The App records all the RPIs it broadcasts.19

33. As the user goes about her day, her phone also broadcasts the identifier known as a MAC address (typically, a unique string of characters meant to identify a device on a network) when transmitting her RPIs over its Bluetooth radio to other users’ phones within range, whose devices record the RPIs but also record the MAC address and associate the MAC address with the RPI.20

34. In general, because Bluetooth transmissions include the transmitting device’s MAC address, Bluetooth device MAC addresses are randomized before broadcast, including with GAEN, in an effort to prevent a history of the broadcasts by a specific device from being compiled over time.21

35. Fourth, the user’s phone receives any RPIs and randomized MAC addresses being broadcast by other users’ phones within Bluetooth range,22 which on information and belief, is approximately 30 feet.

17 Apple & Google, Privacy-Safe Contact Tracing Using Bluetooth Low Energy 2, https://blog.google/documents/57/Overview_of_COVID-19_Contact_Tracing_Using_BLE.pdf (last visited July 20, 2021) [hereinafter Overview]; Bluetooth Specification, supra note 15, at 5; Apple & Google, Exposure Notifications: Frequently Asked Questions 3 (Sept. 2020), https://static.googleusercontent.com/media/www.google.com/en//covid19/exposurenotifications/pdfs/Exposure-Notification-FAQ-v1.2.pdf [hereinafter FAQ].
18 Bluetooth Specification, supra note 15, at 3, 8; Overview, supra note 17, at 2.
19 FAQ, supra note 17, at 3–4; Bluetooth Specification, supra note 15, at 5.
20 Cryptography Specification, supra note 14, at 5; Bluetooth Specification, supra note 15, at 5.
21 Cryptography Specification, supra note 14, at 5; Bluetooth Specification, supra note 15, at 5.
22 FAQ, supra note 17, at 3–4; Bluetooth Specification, supra note 15, at 6.

36. The App records all RPIs and MAC addresses the user receives, as well as the user’s distance from any RPI’s source (that is, from another user’s phone), based on the signal strength of the Bluetooth transmission.23

37. Fifth, if a GAEN user receives a positive COVID-19 diagnosis from a medical professional, with approval from the local public health authority, the user inputs her positive diagnosis and the GAEN system will recognize that user’s RPIs as coming from an at-risk user.24

38. In CA Notify, for example, the user sees the following screens when she elects to “Share [her] COVID-19 test result” and inputs a positive diagnosis:

39. The at-risk users’ Keys, which in and of themselves contain no personal information, are marked as exposed and published for anyone to access, by the public health authority.25

23 FAQ, supra note 17, at 7; Bluetooth Specification, supra note 15, at 6.
24 FAQ, supra note 17, at 3–4, 8.
25 Bluetooth Specification, supra note 15, at 3; Cryptography Specification, supra note 14, at 8; FAQ, supra note 17, at 5.

40. Sixth, the App periodically compares the list of exposed Keys to the list of RPIs the user has come into contact with.26

41. Anyone in possession of a Key can calculate which RPIs were generated by it and thereby associate these RPIs with one source known to be a device belonging to a COVID-19 infected individual.27

42. If the App determines that the user has come into contact with one or more RPIs generated by an exposed Key, the user is alerted that she has potentially been exposed to the coronavirus.28

43. Where GAEN’s functionality can be activated without downloading a freestanding App, its inputs and outputs are handled by the device’s native software. When GAEN is activated in this way, it otherwise functions in the same way as when it is App-activated.
`
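The derivation in paragraph 29 and the matching in paragraphs 40 through 42, written out as an added example; it is not part of the complaint and is not Google's or Apple's code. The labels "EN-RPIK" and "EN-RPI", the 10-minute interval numbering and the 144 intervals per Key follow the cited Cryptography Specification; the type names, function names and sample keys are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// From the cited Cryptography Specification: an interval number counts
// 10-minute units of Unix time, and one Key covers 144 of them (24 hours).
const rollingPeriod = 144

// TEK is a Temporary Exposure Key plus the first interval it is valid for.
type TEK struct {
	Key   [16]byte
	Start uint32
}

// Sighting is one RPI a phone received over Bluetooth (illustrative type).
type Sighting struct {
	RPI      [16]byte
	Interval uint32
	RSSI     int // signal strength, used to estimate distance
}

// hkdf16 is HKDF-SHA256 (RFC 5869) with no salt, truncated to 16 bytes.
func hkdf16(ikm []byte, info string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(info))
	expand.Write([]byte{0x01}) // first and only output block
	return expand.Sum(nil)[:16]
}

// DeriveRPI computes the rolling proximity identifier for one interval:
// RPIK = HKDF(Key, "EN-RPIK"); RPI = AES-128(RPIK, "EN-RPI" || 0^6 || interval).
func DeriveRPI(t TEK, interval uint32) [16]byte {
	block, err := aes.NewCipher(hkdf16(t.Key[:], "EN-RPIK"))
	if err != nil {
		panic(err) // unreachable: the derived key is always 16 bytes
	}
	var padded, rpi [16]byte
	copy(padded[:], "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], interval)
	block.Encrypt(rpi[:], padded[:])
	return rpi
}

// MatchExposures regenerates every RPI of each published Key and returns the
// sightings produced by one of them. Nothing leaves the device to do this.
func MatchExposures(published []TEK, seen []Sighting) []Sighting {
	index := make(map[[16]byte]Sighting, len(seen))
	for _, s := range seen {
		index[s.RPI] = s
	}
	var hits []Sighting
	for _, t := range published {
		for i := uint32(0); i < rollingPeriod; i++ {
			if s, ok := index[DeriveRPI(t, t.Start+i)]; ok {
				hits = append(hits, s)
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample data: two broadcasters, only one later reports positive.
	positive := TEK{Key: [16]byte{1, 2, 3, 4}, Start: 2700000}
	healthy := TEK{Key: [16]byte{9, 9, 9, 9}, Start: 2700000}
	seen := []Sighting{
		{DeriveRPI(positive, 2700005), 2700005, -58},
		{DeriveRPI(healthy, 2700005), 2700005, -71},
	}
	for _, h := range MatchExposures([]TEK{positive}, seen) {
		fmt.Printf("exposure at interval %d, RSSI %d dBm, RPI %x\n", h.Interval, h.RSSI, h.RPI)
	}
}
```

Because the RPI is a deterministic function of the Key and the interval, any stored copy of a received RPI can be tested against a Key after that Key is published, which is the property paragraph 41 describes.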

D. Google Represents to the World That GAEN-Driven Contact Tracing Is Anonymous

44. According to Google, the list of RPIs that a GAEN user’s mobile device sees over time need never leave the device, and while users may learn from a health authority the set of RPIs that were broadcast by at-risk users, the identities of those users and other users who may have also received a broadcast from an at-risk user remain anonymous. Google represents that GAEN does not share a user’s identity; that only public health authorities can use GAEN; and that RPIs never leave a user’s phone.29

45. For example, on its website30 Google represents the following:

26 FAQ, supra note 17, at 4.
27 Bluetooth Specification, supra note 15, at 8 (“A user’s Rolling Proximity Identifier changes on average every 15 minutes, and needs the Temporary Exposure Key to be correlated to a contact.”).
28 FAQ, supra note 17, at 4.
29 Burke, supra note 2; Overview, supra note 17, at 1.
30 Google, Exposure Notifications, https://www.google.com/covid19/exposurenotifications (last visited July 20, 2021) [hereinafter July 20 Exposure Notifications].

46. Maintaining user privacy and anonymity is important for the Apps. Users trusting that GAEN would not disseminate personal information was critical to attracting sufficiently broad participation for the Apps to play a meaningful role in the public health authorities’ COVID-19 responses.31

47. Accordingly, Google has represented GAEN’s privacy protections as follows:

a. “Doesn’t collect personally identifiable information”32

31 Pohl & Kasler, supra note 8 (“It appears the people most at risk of spreading the disease are not going through the steps that would send an alert. … [T]he app appears to have so far fallen victim to worries about privacy and the pervasiveness of surveillance technology.”); Andrew Sheeler, This App Uses Bluetooth to Tell You If You Have Been Exposed to COVID-19 in California, The Sacramento Bee, https://www.sacbee.com/news/politics-government/capitol-alert/article247671555.html (Dec. 7, 2020, 5:39 PM) (“‘We value privacy, California has long been a leader in terms of advancing the cause and we don’t want to do anything to set that cause back,’ Newsom said.”).
32 Overview, supra note 17, at 1. Google has revised this document since Plaintiffs filed their original complaint. Clicking “Learn more” under “Overview of COVID-19 Exposure Notifications” on Google’s current “Exposure Notifications” page, July 20 Exposure Notifications, supra note 30, now links to a revised document at a different web address. In place of Overview’s statement that GAEN “[d]oesn’t collect personally identifiable information,” this revised document provides that GAEN “[d]oesn’t collect or use location data from your phone.” Apple & Google, COVID-19 Exposure Notification Using Bluetooth Low Energy 1, https://blog.google/documents/66/Overview_of_COVID-19_Contact_Tracing_Using_BLE_1.pdf (last visited July 20, 2021) [hereinafter Revised Overview]. Even Revised Overview’s title has omitted the privacy promise contained in Overview’s full title, Privacy-Safe Contact Tracing Using Bluetooth Low Energy.

b. “List of people you’ve been in contact with never leaves your phone”33

c. “People who test positive are not identified to other users, Google or Apple”34

d. “All of the Exposure Notification matching happens on your device.”35

48. Relying on Google’s representations, news media have reported about GAEN as follows:

a. “Apple and Google say they will create software allowing phones to broadcast unique cryptographically generated codes via Bluetooth. The codes won’t include identifying information or location data, and the cryptography is designed to make it impossible to tie the codes to a particular person.”36

b. “Bluetooth-based Covid-19 contact-tracing schemes are designed to upload no data from most users.”37

c. “Apple and Google emphasize … privacy protections … . No location data is shared and the system does not share your identity with other users, Apple, or Google. All matching is done on-device and users have full control over whether they want to report a positive test.”38

33 Overview, supra note 17, at 1. This promise too has been omitted from Revised Overview, which provides in its place that “Bluetooth beacons and keys don’t reveal user identity or location.” Revised Overview, supra note 32, at 1.
34 Id.
35 April 27 Exposure Notifications, supra note 3. This “Exposure Notifications” webpage that Google displayed to the public prior to April 27, 2021, when Plaintiffs filed their original complaint, also stated as follows: “Designed to Protect your Privacy. We understand that the success of this approach depends on people feeling confident that their private information is protected. The Exposure Notifications System was built with your privacy and security central to the design.” Id. This language does not appear on the webpage as of July 19, 2021. Compare April 27 Exposure Notifications, supra note 3, with July 20 Exposure Notifications, supra note 30.
36 Sidney Fussell & Will Knight, The Apple–Google Contact Tracing Plan Won’t Stop Covid Alone, Wired (Apr. 14, 2020, 3:04 PM), https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone.
37 Andy Greenberg, Does Covid-19 Contact Tracing Pose a Privacy Risk? Your Questions, Answered, Wired (Apr. 17, 2020, 7:00 AM), https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses.
38 Chance Miller, Apple Releases iOS 13.7 with New Built-in COVID-19 Exposure Notifications

49. For devices running Google’s Android operating system, Google designed GAEN in a manner that rendered these representations knowingly false.

E. Google’s Implementation of GAEN Exposes COVID-19 Tracing Data via Google’s System Logs

50. Every Android device hosts a “log file” or “system log”: a file for logging important device metrics and events that occur during operation.

51. Smartphone system log files enable application and operating system developers, device manufacturers (called “original equipment manufacturers” or “OEMs”), and mobile network providers to obtain necessary data for later analysis, such as to evaluate the stability and reliability of a given application, connection, or device. As such, the system logs exist to transmit information in the logs from the phone to be received by the entities with permission to access the logs.

52. On smartphones running Google’s Android operating system, certain applications “pre-installed” on the device (that is, included on the device at the time of sale) are automatically granted permission to access the system logs, called “READ_LOGS” permission.

53. There are hundreds of such applications.

54. Applications with READ_LOGS permission include applications developed by Google (the operating system developer), such as Google Play Services; applications developed by Samsung and Motorola (device manufacturers), such as Samsung’s “MyGalaxy” music and video streaming service; and applications developed by AT&T, Verizon, or T-Mobile (mobile network providers), such as Verizon’s account management app “MyVerizon.”39

55. On information and belief, more than one hundred different applications or services that hold READ_LOGS permission and contain code for executing a command to view

Express System, 9 to 5 Mac (Sept. 1, 2020, 1:00 AM), https://9to5mac.com/2020/09/01/covid-19-exposure-ios-13-7-