Google lawyers dismiss sueball over 'security flaw' in contact-tracing software as 'theoretical' and 'hypothetical'

'Complaint is noticeably devoid of factual allegations'


Attorneys for Google have called for a would-be class action lawsuit linked to its COVID-19 tracking software to be thrown out on grounds that any alleged data breaches are both "theoretical" and "hypothetical".

In 2020, Google and Apple developed a system for digital contact tracing using smartphones. At the time, both companies said that the Google-Apple Exposure Notification System (GAEN) was created because of a "shared sense of responsibility to help governments and our global community fight this pandemic through contact tracing."

Fast-forward to April 2021, and lawyers acting on behalf of lead plaintiffs Jonathan Diaz and Lewis Bornmann filed a complaint with the Northern District Court of California alleging that, despite assurances, GAEN exposes information that is "personally identifiable".

The company's legal team retorted this week [PDF] that not only were the claims "hypothetical," the plaintiffs themselves lacked standing to bring the suit.

Apparently no good deed goes unpunished. Plaintiffs Jonathan Diaz and Lewis Bornmann do not allege that any bad actor has accessed, viewed, disclosed, or used their information as a result of the EN system; they instead merely allege it is theoretically possible that someone could.

In the original April complaint [PDF], the plaintiffs claimed: "Because Google's implementation of GAEN allows this sensitive contact tracing data to be placed on a device's system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants' private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19."

Those behind the action – a large chunk of which is devoted to the technical details that underpin it – alleged that Google was informed of the so-called "security flaw".

The complaint added: "To date, Google has failed to inform the public that participants in GAEN have had their private personal and medical information exposed to third parties, who in the ordinary course of business may access the system logs from time to time, or that Google itself may access these logs."

The motion from Google's lawyers this week sought for the whole case to be thrown out [PDF].

The Mountain View firm maintained that the Exposure Notification (EN) system "was developed with robust privacy protections in place [and is used by] millions of users and dozens of public health authorities around the world... free of charge."

Zeroing in on what appears to be the heart of the case, its lawyers added: "[T]his is a case about a hypothetical and exceedingly unlikely risk of harm.... [The] Plaintiffs' Complaint is noticeably devoid of factual allegations showing that an individual's use of the EN system was ever used to identify an individual, and the explanations for how that might be possible are convoluted and highly theoretical."

Stating that the case "consists of allegations that never rise beyond the level of mere speculation," Google called for the case to be dismissed.

The case is expected back in court for a formal hearing in August. ®

