Attorneys for Google have called for a would-be class action lawsuit linked to its COVID-19 tracking software to be thrown out on grounds that any alleged data breaches are both "theoretical" and "hypothetical".
In 2020, Google and Apple developed a system for digital contact tracing using smartphones. At the time, both companies said that the Google-Apple Exposure Notification System (GAEN) was created because of a "shared sense of responsibility to help governments and our global community fight this pandemic through contact tracing."
Fast-forward to April 2021, and lawyers acting on behalf of lead plaintiffs Jonathan Diaz and Lewis Bornmann filed a complaint with the Northern District Court of California alleging that, despite assurances, GAEN exposes information that is "personally identifiable".
The company's legal team retorted this week [PDF] that not only were the claims "hypothetical," the plaintiffs themselves lacked standing to bring the suit.
Apparently no good deed goes unpunished. Plaintiffs Jonathan Diaz and Lewis Bornmann do not allege that any bad actor has accessed, viewed, disclosed, or used their information as a result of the EN system; they instead merely allege it is theoretically possible that someone could.
In the original April complaint [PDF], the plaintiffs claimed: "Because Google's implementation of GAEN allows this sensitive contact tracing data to be placed on a device's system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants' private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19."
Those behind the action – a large chunk of which is devoted to its underlying technical details – alleged that Google was informed of the so-called "security flaw".
The complaint added: "To date, Google has failed to inform the public that participants in GAEN have had their private personal and medical information exposed to third parties, who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs."
The motion from Google's lawyers this week asked for the whole case to be thrown out [PDF].
The Mountain View firm maintained that the Exposure Notification (EN) system "was developed with robust privacy protections in place [and is used by] millions of users and dozens of public health authorities around the world... free of charge."
Zeroing in on what appears to be the heart of the case, its lawyers added: "[T]his is a case about a hypothetical and exceedingly unlikely risk of harm.... [The] Plaintiffs' Complaint is noticeably devoid of factual allegations showing that an individual's use of the EN system was ever used to identify an individual, and the explanations for how that might be possible are convoluted and highly theoretical."
Stating that the case "consists of allegations that never rise beyond the level of mere speculation," Google called for the case to be dismissed.
The case is expected back in court for a formal hearing in August.