throbber
1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`
`
`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 1 of 38
`
`
`
`LIEFF CABRASER HEIMANN & BERNSTEIN, LLP
`Michael W. Sobol (SBN 194857)
`Melissa Gardner (SBN 289096)
`Ian Bensberg (pro hac vice pending)
`275 Battery Street, 29th Floor
`San Francisco, CA 94111-3339
`(415) 956-1000
`
`LIEFF CABRASER HEIMANN & BERNSTEIN, LLP
`Nicholas Diamand (pro hac vice pending)
`ndiamand@lchb.com
`Douglas Cuthbertson (admitted pro hac vice)
`dcuthbertson@lchb.com
`250 Hudson Street, 8th Floor
`New York, NY 10013
`Telephone: 212.355.9500
`Facsimile: 212.355.9592
`
`Attorneys for Plaintiffs and the Proposed Class
`
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN JOSE DIVISION
`
`JONATHAN DIAZ and LEWIS
`BORNMANN, on behalf of themselves
`and all others similarly situated,
`
`
`
`
`
`GOOGLE LLC,
`
`
`
`
`
`
`Defendant.
`
`Plaintiffs,
`
`
`
`v.
`
`Case No. 5:21-cv-03080-NC
`
`
`AMENDED COMPLAINT
`
`CLASS ACTION
`
`DEMAND FOR JURY TRIAL
`
`
`
`
`
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 2 of 38
`
`TABLE OF CONTENTS
`
`
`Page
`
`
`
`I.
`II.
`III.
`IV.
`V.
`
`INTRODUCTION ............................................................................................................. 1
`PARTIES ........................................................................................................................... 2
`JURISDICTION ................................................................................................................. 3
`INTRADISTRICT ASSIGNMENT ................................................................................... 3
`GOOGLE’S CONDUCT ................................................................................................... 3
`A. Background: The COVID-19 Pandemic ................................................................... 3
`B. Google’s Exposure Notification System ................................................................... 4
`C. How GAEN Works ................................................................................................... 6
`D. Google Represents to the World That GAEN-Driven Contact Tracing Is
`Anonymous ............................................................................................................... 9
`E. Google’s Implementation of GAEN Exposes COVID-19 Tracing Data via
`Google’s System Logs ............................................................................................ 12
`F. Google Has Been Collecting COVID-19 Tracing Data Along with Other
`Personally Identifiable Information from Devices’ System Logs........................... 18
`G. The Exposed COVID-19 Tracing Data is Personally Identifiable .......................... 19
`H. Millions of App Users Are Affected by the GAEN Security Breach ..................... 21
`I.
`Google Refuses to Satisfactorily Address This Vulnerability ................................ 22
`THE NAMED PLAINTIFFS’ EXPERIENCES .............................................................. 23
`A. Plaintiff Lewis Bornmann ....................................................................................... 23
`B.
`Plaintiff Jonathan Diaz ............................................................................................ 24
`VII. CLASS ACTION ALLEGATIONS ................................................................................ 25
`VIII. CLAIMS FOR RELIEF ................................................................................................... 27
`FIRST CLAIM FOR RELIEF Invasion of Privacy: Public Disclosure of Private
`Facts ..................................................................................................................... 27
`SECOND CLAIM FOR RELIEF Invasion of Privacy: Intrusion Upon Seclusion ......... 29
`THIRD CLAIM FOR RELIEF California Constitution, Article 1, § 1 ........................... 30
`FOURTH CLAIM FOR RELIEF California Confidentiality of Medical
`Information Act, Cal. Civ. Code §§ 56 et seq. ..................................................... 31
`PRAYER FOR RELIEF ................................................................................................... 35
`DEMAND FOR JURY TRIAL ........................................................................................ 36
`
`VI.
`
`IX.
`X.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`- i -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 3 of 38
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`I.
`
`INTRODUCTION
`Defendant Google LLC (“Google”) co-created the Google-Apple Exposure Notification
`System (“GAEN”) to assist state and local authorities deploying apps for mobile devices that
`conduct COVID-19 “contact-tracing,” and implements GAEN in Android smartphones via
`Google Play Services (GPS), an application package developed by Google. Google
`unequivocally assures that it completely safeguards the sensitive information necessarily involved
`with COVID-19 contact tracing, including that your identity, your health information, and other
`personal information would be inaccessible to others, including Google. However, Google’s
`implementation of GAEN means that sensitive contact tracing data and personally identifying
`information is placed on a device’s system logs, accessed by dozens or even hundreds of third
`parties, and collected and used by these third parties for their own purposes, including by Google
`itself. As a result, Google has exposed and transmitted GAEN participants’ private personal and
`medical information associated with contact tracing, including notifications to Android device
`users of their potential exposure to COVID-19.
`The GAEN contact tracing system uses signals called “rolling proximity identifiers”
`broadcast through the Bluetooth radio on mobile devices that other mobile devices can detect and
`record, thereby providing information about proximate encounters with nearby participants.
`Google’s GPS records both this outgoing and incoming data on each device’s system log, such
`that Android device users running Google’s software unwittingly expose and transmit not only
`their information to numerous third parties, but also information from unsuspecting GAEN users
`on other devices (including non-Android devices, such as iPhones) who come within range of
`them.
`
`The exposed information is personally identifiable. The contact tracing apps themselves
`generate ostensibly-secure personal device identifiers, which change periodically as they are
`broadcast to other devices, and should be traceable to the device user only with a “key” held by
`the public health authorities. But in storage, these identifiers are maintained alongside other
`device identifiers known as MAC addresses, and in at least some cases, alongside yet other
`personal identifiers including the IP address of the wireless network, telephone number, and the
`
`
`
`
`
`
`- 1 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 4 of 38
`
`
`
`App user’s email address. When this stored data is written to mobile device system logs, it
`becomes available to third parties with access to the logs. They, alone or in concert, can use the
`MAC addresses and other identifiers to trace the log files back to individual identities, locations,
`and other identifying attributes, effectively creating an alternative “key” of their own. For those
`who have reported testing positive, it enables third parties, as well as Google itself, to link that
`diagnosis back to the particular patient, defeating the purported anonymity Google claims for its
`service.
`In February 2021, Google was informed of the security flaw in its implementation of
`GAEN that caused the data breach alleged herein. To date, Google has failed to inform the public
`that GAEN participants’ private personal and medical information has left their devices and been
`exposed to and collected by third parties, as well as by Google itself, who in the ordinary course
`of business access the system logs and collect and read the sensitive information contained
`therein.
`Accordingly, Plaintiffs Jonathan Diaz and Lewis Bornmann, on behalf of themselves and
`all others similarly situated, bring this action pursuant to the California Confidentiality of Medical
`Information Act and their common law and constitutional privacy rights to obtain a mandatory
`public injunction requiring Google to remediate the security flaw in its implementation and
`maintenance of the GAEN system, and for, inter alia, damages and restitution.
`PARTIES
`II.
`Plaintiff Jonathan Diaz is a citizen and resident of Alameda County, California.
`1.
`2.
`Plaintiff Lewis Bornmann is a citizen and resident of Solano County, California.
`3.
`Defendant Google LLC (“Google”) is a Delaware limited liability company based
`at 1600 Amphitheatre Way, Mountain View, California, whose sole member is XXVI Holdings
`Inc. XXVI Holdings Inc. is a corporation incorporated in Delaware with its principal office in
`California.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`- 2 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 5 of 38
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`III.
`
`JURISDICTION
`Under 28 U.S.C. § 1332(d), the Court has subject matter jurisdiction of Plaintiffs’
`4.
`state law claims because the amount in controversy exceeds $5,000,000, exclusive of interest and
`costs, and at least one class member is a citizen of a state that is neither Delaware nor California.
`INTRADISTRICT ASSIGNMENT
`IV.
`Pursuant to Civil L.R. 3-2(c), assignment to the San Jose Division of this District
`5.
`is proper because a substantial part of the conduct which gives rise to Plaintiffs’ claims occurred
`in Santa Clara County. Google developed, markets, and deploys its products throughout the
`United States, including in Santa Clara County. Additionally, Google is headquartered in
`Mountain View, California, which is located within Santa Clara County.
`GOOGLE’S CONDUCT
`V.
`
`Background: The COVID-19 Pandemic
`In December 2019, a new strain of coronavirus known as SARS-CoV-2 appeared
`
`A.
`6.
`in China.
`SARS-CoV-2 causes a highly infectious disease known as COVID-19.
`7.
`COVID-19 spread swiftly across the globe. The World Health Organization
`8.
`declared it a global health emergency on January 20, 2020.
`One potentially effective tool used by public health authorities to control the
`9.
`spread of infectious diseases like COVID-19 is called contact tracing.
`In general, contact tracing means identifying everyone who has come into contact
`10.
`with an infected person to notify them they may have been infected, observe them for signs of
`infection, and isolate and treat them if they are infected.
`The contact tracing protocol issued for COVID-19 by the U.S. Centers for Disease
`11.
`Control and Prevention provides that such notifications should be issued to anyone who has been
`within 6 feet of an infected person for at least 15 minutes within the past 14 days.1
`
`
`1 Ctrs. for Disease Control & Prevention, Contact Tracing for COVID-19
`https://www.cdc.gov/coronavirus/2019-ncov/php/contact-tracing/contact-tracing-plan/contact-
`tracing.html (Feb. 25, 2021).
`
`
`
`
`
`
`- 3 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 6 of 38
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`Google’s Exposure Notification System
`B.
`In 2020, Google and Apple Inc. developed a system for digital contact tracing
`12.
`using smartphones called the Google-Apple Exposure Notification System (“GAEN”).
`In May 2020, Google implemented GAEN and made it available to public health
`13.
`authorities worldwide.2
`GAEN acts as a framework or platform on which a public health authority can
`14.
`build a mobile contact tracing application (“Contact Tracing App” or “App”) for use in its
`jurisdiction.3
`GAEN and the Apps for which it acts as a framework are designed and intended
`15.
`for use by individuals on their mobile devices and could not function without these users’
`participation.
`16. While certain public health authorities developed Contact Tracing Apps for their
`respective jurisdictions, the apps could only function on devices running Google’s Android
`operating system because Google itself implemented GAEN on each user’s device through
`updates to an application package designed by Google called Google Play Services (GPS).4
`Google has advertised its implementation of GAEN as “[u]sing technology to help
`17.
`public health authorities fight COVID-19.”5
`In the United States, public health authorities in Alabama, Arizona, California,
`18.
`Colorado, Connecticut, Delaware, the District of Columbia, Guam, Hawai’i, Louisiana,
`
`
`2 David Burke, An Update on Exposure Notifications, Google (July 31, 2020),
`https://blog.google/inside-google/company-announcements/update-exposure-notifications.
`3 Google, Exposure Notifications (April 27, 2021) [hereinafter April 27 Exposure Notifications],
`https://www.google.com/covid19/exposurenotifications
`[https://web.archive.org/web/20210427082102/https://www.google.com/covid19/exposurenotific
`ations/].
`4 The original complaint referenced “Google Mobile Services” instead of “Google Play Services,”
`both of which are used to support functionality on Android devices. While Plaintiffs cannot rule
`out that Google Mobile Services is involved in GAEN, Google’s own documentation suggests
`that “Google Play Services” was used to introduce and maintain the GAEN system on Android
`devices. See Google, Use the COVID-19 Exposure Notifications System on your Android phone,
`“How your phone got the update,” https://support.google.com/googleplay/answer/9888358 (last
`visited July 19, 2021).
`5 April 27 Exposure Notifications, supra note 3.
`
`
`
`
`
`
`- 4 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 7 of 38
`
`
`
`Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New Mexico, New York,
`North Carolina, North Dakota, Oregon, Pennsylvania, Puerto Rico, South Carolina, Utah,
`Virginia, Washington, Wisconsin, and Wyoming have released Contact Tracing Apps that use
`GAEN.6
`In the United States, more than 28 million people, residents of each jurisdiction
`19.
`above, have downloaded Contact Tracing Apps that use GAEN or activated exposure
`notifications on their mobile devices.7
`California’s Contact Tracing App is called CA Notify and was developed by the
`20.
`California Department of Technology.8
`Users of Apple devices in California may activate the functionality of CA Notify
`21.
`on their phones without having to download the App.9
`CA Notify has been downloaded to or activated on about 9.5 million mobile
`22.
`devices.10
`23.
`devices.11
`
`CA Notify has been downloaded to or activated on about 8.5 million Apple
`
`
`6 Matthew Sholtz, COVID Tracing App Roundup (Apr. 1, 2021),
`https://www.androidpolice.com/2021/01/02/covid-tracing-apps-ens-android; Mishaal Rahman,
`Here Are the Countries Using Google and Apple’s COVID-19 Contact Tracing API, XDA (Feb.
`25, 2021, 2:27 PM), https://www.xda-developers.com/google-apple-covid-19-contact-tracing-
`exposure-notifications-api-app-list-countries.
`7 Lindsey Van Ness, For States’ COVID-19 Contact Tracing Apps, Privacy Tops Utility,
`Government Technology (Mar. 22, 2021), https://www.govtech.com/health/For-States-COVID-
`19-Contact-Tracing-Apps-Privacy-Tops-Utility.html.
`8 Cal., California Can Stop the Spread, https://canotify.ca.gov/ (last visited July 19, 2021); Cal.
`Dep’t of Technology, CA Notify,
`https://play.google.com/store/apps/details?id=gov.ca.covid19.exposurenotifications (last visited
`July 19, 2021).
`9 Jason Pohl & Dale Kasler, Did You Get a COVID-19 Warning from California’s Phone App?
`Why You Probably Didn’t, The Sacramento Bee,
`https://www.sacbee.com/news/coronavirus/article249875513.html (Mar. 15, 2021, 3:56 PM).
`10 Id.
`11 Id. (“about nine times as many people have enrolled in CA Notify on an iPhone”).
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`- 5 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 8 of 38
`
`
`
`24.
`
`CA Notify has been downloaded to about 1 million Android devices.12
`
`How GAEN Works
`C.
`Contact Tracing Apps that use GAEN work on both devices running Google’s
`25.
`Android operating system and devices running Apple’s iOS operating system.
`On both operating systems, contact tracing that uses GAEN works as follows:
`26.
`First, a user activates contact tracing on their device. For Android users, this requires the
`download of an App offered by their state public health authority. Since fall 2020 it has been
`possible for users of Apple devices in participating jurisdictions to activate GAEN on their
`phones directly from the device settings, without having to download and install a freestanding
`Contact Tracing App.13
`Second, as part of the activation process, GAEN generates a unique, random-
`27.
`seeming sequence of characters called a Temporary Exposure Key (“Key”) for the user.14
`A new Key is generated once every 24 hours after installation.15
`28.
`29.
`Third, the App uses the Key to generate a “rolling proximity identifier key,” which
`then generates a different, unique, random-seeming sequence of characters called a “rolling
`proximity identifier” (RPI).16
`
`
`12 Id.
`13 Russell Brandom, Apple and Google Announce New Automatic App System to Track COVID
`Exposures, The Verge (Sept. 1, 2020, 12:00 PM),
`https://www.theverge.com/2020/9/1/21410281/apple-google-coronavirus-exposure-notification-
`contact-tracing-app-system; Google, Use the COVID-19 Exposure Notifications System on Your
`Android Phone, https://support.google.com/android/answer/9888358 (last visited July 19, 2021)
`(“To use the system, you need to download an official app from your region’s government public
`health authority.”).
`14 Apple & Google, Exposure Notification: Cryptography Specification 6 (Apr. 23, 2020),
`https://blog.google/documents/69/Exposure_Notification_-
`_Cryptography_Specification_v1.2.1.pdf [hereinafter Cryptography Specification].
`15 Apple & Google, Exposure Notification: Bluetooth Specification 3 (Apr. 23, 2020),
`https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf
`[hereinafter Bluetooth Specification].
`16 Cryptography Specification, supra note 14, at 6–7.
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`- 6 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 9 of 38
`
`
`
`As the user goes about her day, her phone broadcasts the RPI over its Bluetooth
`30.
`radio to other users’ phones within range, whose devices receive and record the broadcasted
`incoming RPI.17
`The App generates a new RPI for the user’s phone every 15 or 20 minutes.18
`31.
`The App records all the RPIs it broadcasts.19
`32.
`33.
`As the user goes about her day, her phone also broadcasts the identifier known as a
`MAC address (typically, a unique string of characters meant to identify a device on a network)
`when transmitting her RPIs over its Bluetooth radio to other users’ phones within range, whose
`devices record the RPIs but also record the MAC address and associate the MAC address with the
`RPI.20
`
`In general, because Bluetooth transmissions include the transmitting device’s
`34.
`MAC address, Bluetooth device MAC addresses are randomized before broadcast, including with
`GAEN, in an effort to prevent a history of the broadcasts by a specific device from being
`compiled over time.21
`Fourth, the user’s phone receives any RPIs and randomized MAC addresses being
`35.
`broadcast by other users’ phones within Bluetooth range, 22 which on information and belief, is
`approximately 30 feet.
`
`
`17 Apple & Google, Privacy-Safe Contact Tracing Using Bluetooth Low Energy 2,
`https://blog.google/documents/57/Overview_of_COVID-19_Contact_Tracing_Using_BLE.pdf
`(last visited July 20, 2021) [hereinafter Overview]; Bluetooth Specification, supra note 15, at 5;
`Apple & Google, Exposure Notifications: Frequently Asked Questions 3 (Sept. 2020),
`https://static.googleusercontent.com/media/www.google.com/en//covid19/exposurenotifications/p
`dfs/Exposure-Notification-FAQ-v1.2.pdf [hereinafter FAQ].
`18 Bluetooth Specification, supra note 15, at 3, 8; Overview, supra note 17, at 2.
`19 FAQ, supra note 17, at 3–4; Bluetooth Specification, supra note 15, at 5.
`20 Cryptography Specification, supra note 14, at 5; Bluetooth Specification, supra note 15, at 5.
`21 Cryptography Specification, supra note 14, at 5; Bluetooth Specification, supra note 15, at 5.
`22 FAQ, supra note 17, at 3–4; Bluetooth Specification, supra note 15, at 6.
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`- 7 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 10 of 38
`
`
`
`The App records all RPIs and MAC addresses the user receives, as well as the
`36.
`user’s distance from any RPI’s source (that is, from another user’s phone), based on the signal
`strength of the Bluetooth transmission.23
`Fifth, if a GAEN user receives a positive COVID-19 diagnosis from a medical
`37.
`professional, with approval from the local public health authority, the user inputs her positive
`diagnosis and the GAEN system will recognize that user’s RPIs as coming from an at-risk user.24
`In CA Notify, for example, the user sees the following screens when she elects to
`38.
`“Share [her] COVID-19 test result” and inputs a positive diagnosis:
`
`The at-risk users’ Keys, which in and of themselves contain no personal
`39.
`information, are marked as exposed and published for anyone to access, by the public health
`authority.25
`
`
`23 FAQ, supra note 17, at 7; Bluetooth Specification, supra note 15, at 6.
`24 FAQ, supra note 17, at 3–4, 8.
`25 Bluetooth Specification, supra note 15, at 3; Cryptography Specification, supra note 14, at 8;
`FAQ, supra note 17, at 5.
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`- 8 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 11 of 38
`
`
`
`Sixth, the App periodically compares the list of exposed Keys to the list of RPIs
`40.
`the user has come into contact with.26
`Anyone in possession of a Key can calculate which RPIs were generated by it and
`41.
`thereby associate these RPIs with one source known to be a device belonging to a COVID-19
`infected individual.27
`If the App determines that the user has come into contact with one or more RPIs
`42.
`generated by an exposed Key, the user is alerted that she has potentially been exposed to the
`coronavirus.28
`43. Where GAEN’s functionality can be activated without downloading a freestanding
`App, its inputs and outputs are handled by the device’s native software. When GAEN is activated
`in this way, it otherwise functions in the same way as when it is App-activated.
`
`D.
`
`Google Represents to the World That GAEN-Driven Contact Tracing Is
`Anonymous
`According to Google, the list of RPIs that a GAEN user’s mobile device sees over
`44.
`time need never leave the device, and while users may learn from a health authority the set of
`RPIs that were broadcast by at-risk users, the identities of those users and other users who may
`have also received a broadcast from an at-risk user remain anonymous. Google represents that
`GAEN does not share a user’s identity; that only public health authorities can use GAEN; and
`that RPIs never leave a user’s phone.29
`For example, on its website30 Google represents the following:
`45.
`
`
`26 FAQ, supra note 17, at 4.
`27 Bluetooth Specification, supra note 15, at 8 (“A user’s Rolling Proximity Identifier changes on
`average every 15 minutes, and needs the Temporary Exposure Key to be correlated to a
`contact.”).
`28 FAQ, supra note 17, at 4.
`29 Burke, supra note 2; Overview, supra note 17, at 1.
`30 Google, Exposure Notifications, https://www.google.com/covid19/exposurenotifications (last
`visited July 20, 2021) [hereinafter July 20 Exposure Notifications].
`- 9 -
`
`
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 12 of 38
`
`
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`46. Maintaining user privacy and anonymity is important for the Apps. Users trusting
`that GAEN would not disseminate personal information was critical to attracting sufficiently
`broad participation for the Apps to play a meaningful role in the public health authorities’
`COVID-19 responses.31
`Accordingly, Google has represented GAEN’s privacy protections as follows:
`47.
`“Doesn’t collect personally identifiable information”32
`a.
`
`31 Pohl & Kasler, supra note 8 (“It appears the people most at risk of spreading the disease are not
`going through the steps that would send an alert. … [T]he app appears to have so far fallen victim
`to worries about privacy and the pervasiveness of surveillance technology.”); Andrew Sheeler,
`This App Uses Bluetooth to Tell You If You Have Been Exposed to COVID-19 in California, The
`Sacramento Bee, https://www.sacbee.com/news/politics-government/capitol-
`alert/article247671555.html (Dec. 7, 2020, 5:39 PM) (“‘We value privacy, California has long
`been a leader in terms of advancing the cause and we don’t want to do anything to set that cause
`back,’ Newsom said.”).
`32 Overview, supra note 17, at 1. Google has revised this document since Plaintiffs filed their
`original complaint. Clicking “Learn more” under “Overview of COVID-19 Exposure
`Notifications” on Google’s current “Exposure Notifications” page, July 20 Exposure
`Notifications, supra note 30, now links to a revised document at a different web address. In place
`of Overview’s statement that GAEN “[d]oesn’t collect personally identifiable information,” this
`revised document provides that GAEN “[d]oesn’t collect or use location data from your phone.”
`Apple & Google, COVID-19 Exposure Notification Using Bluetooth Low Energy 1,
`https://blog.google/documents/66/Overview_of_COVID-19_Contact_Tracing_Using_BLE_1.pdf
`(last visited July 20, 2021) [hereinafter Revised Overview]. Even Revised Overview’s title has
`omitted the privacy promise contained in Overview’s full title, Privacy-Safe Contact Tracing
`Using Bluetooth Low Energy.
`
`
`
`
`
`
`- 10 -
`
`AMENDED COMPLAINT
`CASE NO. 5:21-CV-03080-NC
`
`

`

`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 13 of 38
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`b.
`c.
`
`“List of people you’ve been in contact with never leaves your phone”33
`“People who test positive are not identified to other users, Google or
`
`“All of the Exposure Notification matching happens on your device.”35
`d.
`Relying on Google’s representations, news media have reported about GAEN as
`
`Apple”34
`
`48.
`follows:
`
`“Apple and Google say they will create software allowing phones to
`a.
`broadcast unique cryptographically generated codes via Bluetooth. The codes won’t include
`identifying information or location data, and the cryptography is designed to make it impossible
`to tie the codes to a particular person.”36
`“Bluetooth-based Covid-19 contact-tracing schemes are designed to upload
`b.
`no data from most users.”37
`“Apple and Google emphasize … privacy protections … . No location data
`c.
`is shared and the system does not share your identity with other users, Apple, or Google. All
`matching is done on-device and users have full control over whether they want to report a
`positive test.”38
`
`33 Overview, supra note 17, at 1. This promise too has been omitted from Revised Overview,
`which provides in its place that “Bluetooth beacons and keys don’t reveal user identity or
`location.” Revised Overview, supra note 32, at 1.
`34 Id.
`35 April 27 Exposure Notifications, supra note 3. This “Exposure Notifications” webpage that
`Google displayed to the public prior to April 27, 2021, when Plaintiffs filed their original
`complaint, also stated as follows: “Designed to Protect your Privacy. We understand that the
`success of this approach depends on people feeling confident that their private information is
`protected. The Exposure Notifications System was built with your privacy and security central to
`the design.” Id. This language does not appear on the webpage as of July 19, 2021. Compare
`April 27 Exposure Notifications, supra note 3, with July 20 Exposure Notifications, supra note 30.
`36 Sidney Fussell & Will Knight, The Apple–Google Contact Tracing Plan Won’t Stop Covid
`Alone, Wired (Apr. 14, 2020, 3:04 PM), https://www.wired.com/story/apple-google-contact-
`tracing-wont-stop-covid-alone.
`37 Andy Greenberg, Does Covid-19 Contact Tracing Pose a Privacy Risk? Your Questions,
`Answered, Wired (Apr. 17, 2020, 7:00 AM), https://www.wired.com/story/apple-google-contact-
`tracing-strengths-weaknesses.
`38 Chance Miller, Apple Releases iOS 13.7 with New Built-in COVID-19 Exposure Notifications
`AMENDED COMPLAINT
`- 11 -
`
`CASE NO. 5:21-CV-03080-NC
`
`
`
`
`
`
`

`

`
`
`Case 5:21-cv-03080-NC Document 25 Filed 07/20/21 Page 14 of 38
`
`
`
`For devices running Google’s Android operating system, Google designed GAEN
`49.
`in a manner that rendered these representations knowingly false.
`
`E.
`
`Google’s Implementation of GAEN Exposes COVID-19 Tracing Data via
`Google’s System Logs
`Every Android device hosts a “log file” or “system log”: a file for logging
`50.
`important device metrics and events that occur during operation.
`Smartphone system log files enable application and operating system developers,
`51.
`device manufacturers (called “original equipment manufacturers” or “OEMs”), and mobile
`network providers to obtain necessary data for later analysis, such as to evaluate the stability and
`reliability of a given application, connection, or device. As such, the system logs exist to transmit
`information in the logs from the phone to be received by the entities with permission to access the
`logs.
`
`On smartphones running Google’s Android operating system, certain applications
`52.
`“pre-installed” on the device (that is, included on the device at the time of sale) are automatically
`granted permission to access the system logs, called “READ_LOGS” permission.
`There are hundreds of such of applications.
`53.
`54.
`Applications with READ_LOGS permission include applications developed by
`Google (the operating system developer), such as Google Play Services; applications developed
`by Samsung and Motorola (device manufacturers), such as Samsung’s “MyGalaxy” music and
`video streaming service; and applications developed by AT&T, Verizon, or T-Mobile (mobile
`network providers), such as Verizon’s account management app “MyVerizon.”39
`On information and belief, more than one hundred different applications or
`55.
`services that hold READ_LOGS permission and contain code for executing a command to view
`
`
`Express System, 9 to 5 Mac (Sept. 1, 2020, 1:00 AM), https://9to5mac.com/2020/09/01/covid-19-
`exposure-ios-13-7-

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket