Sens. Flag Privacy, Security Concerns Over Google COVID-19 Screening Site

March 19, 2020 - A group of Democratic Senators are raising concerns about the potential Google COVID-19 screening website over possible privacy and cybersecurity risks, after the Trump Administration announced Google would be providing a testing site on March 13.

Led by Sen. Bob Menendez, D-New Jersey, the group also includes Sens. Sherrod Brown, D-Ohio, Cory Booker, D-New Jersey, Kamala Harris, D-California, and Richard Blumenthal, D-Connecticut. The Senators wrote letters to to Vice President Mike Pence, who is leading the Coronavirus response, and Google CEO Sundar Pichai.

Alphabet reported it’s collaborating with California on a pilot website for the San Francisco Bay Area on March 15. Pence and Pinchai have been asked to detail the privacy and security measures they’ve taken to address potential threats to consumer privacy posed by the planned COVID-19 test screening website.

As the Department of Health and Human Services has recently noted, third-party apps chosen by consumers are not covered under HIPAA regulations. But given current investigations into Google and its partnership with Ascension, the announcement raised red flags among researchers and Congress.

“We appreciate the Administration’s efforts to utilize technology to disseminate up-to-date information about COVID-19 and to assist Americans in determining whether they need to be tested,” the Senators wrote.

READ MORE: Senators Press Ascension on Data Sharing Agreement with Google

“We are concerned that the Administration and any third-party participant in such a venture has not appropriately accounted for the clear privacy and cybersecurity vulnerabilities in deploying and effectuating such a system,” they added.

The project raises a wide range of privacy concerns, including whether individuals will be required to sign waivers forfeiting their privacy and personal data in order to even access the questionnaire, the senators stressed.

The Senators also want to know whether the third-party vendor responsible for launching and maintaining the site will be banned from using the data received through the site for commercial services.

For example, a limited screening site went up on Sunday night, and users soon pointed out on Twitter that language contained in the privacy policy outlines that it would be collecting information to sell ads to third parties.

Google’s Project Baseline coronavirus screening website appears to be one huge data mining operation to collect your health information for commercial purposes. It does not appear to follow HIPAA privacy laws. No wonder Trump was pushing this so hard. This is dystopian. pic.twitter.com/qPafFsd5BZ

— Eugene Gu, MD (@eugenegu) March 16, 2020

The two letters sent to Pence and Google’s Pinchai ask dozens of questions about the project.

READ MORE: DHS Urges VPN Cybersecurity Best Practices in Light of COVID-19

To start, Pence is asked whether the Administration entered into agreements with private companies to launch and maintain a website for identifying clinics and providing individuals with a questionnaire to determine if they should tested. If so, Pence is asked to name the company and when the contract was formalized.

Pence must also explain whether Google is the company selected for the project, and how the Administration analyzed Google’s efforts to protect any personal health data acquired by Ascension as part of their Project Nightingale.

The Senators also ask whether users will be required to have a Google account to access the site, and whether those without one will still be granted access. Pence is also asked whether individuals will need to waive their privacy rights to access the data, and what those forfeited rights will entail, along with whether consumers will have the ability to access and monitor their data on the site.

The Senators are also digging into the planned cybersecurity safeguards and data retention policies, as well as verifying whether the site will be HIPAA compliant. Pence must detail when the site will officials launch, as well as who is tasked with monitoring the vendor’s compliance with the signed agreement and whether the Department of Homeland Security Cybersecurity and Infrastructure Security Agency would support the cybersecurity posture of the site.

Lastly, the Senators asked how testing clinics will be identified and approved to be added to the website.

Google was asked to explain similar concerns, in addition to other questions, including a repeated inquiry into how it’s protecting patient privacy through its partnership with Ascension. Google is also asked for when the site will launch nationwide.

“If Google and its subsidiaries fail to establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination,” the Senators wrote.

Google and Pence are being asked to provide answers to the inquiry no later than March 30.