Privacy Issues with New COVID-19 Screening Program

Laura Bednar


To contain the outbreak of COVID-19 and to help people discover if they may be qualified for testing, the company Verily decided to expand its “Project Baseline” research initiative to include COVID-19. While this initiative was created with the intent to facilitate screening and testing for the virus, there are some underlying problems that can violate people’s privacy. The platform requires users to use an existing Gmail address or create a Google account to join the testing program. Verily’s privacy policy does not cover Google data, leaving users’ personally identifiable information (PII) in the hands of yet another tech giant that has been publicly exposed for past privacy issues.

How the Testing Program Works

The Project Baseline website states that the two main areas of focus in the program are helping people with concerns about COVID-19 to potentially get tested for free and enabling public health officials to target testing efforts. To qualify for the screening process, people must be at least 18 years old, be willing to sign a public health authorization form and lab consent, and drive to a testing site location. The current testing locations are in cities in California, Delaware, Idaho, Michigan, New Jersey, New York, Ohio, Pennsylvania, and Virginia.

The process begins after creating a Google account or connecting an existing account to the program. Users then complete authorization forms and sign consent forms that will release medical information to healthcare professionals, clinical laboratories, and public health authorities for purposes related to testing.

A user will then share information about their current health and any symptoms they may have in a screener test. Based on this information and testing appointment availability, the program will tell the user if they qualify for free testing and where they can get it done. Following the testing, the user will be informed via email or phone when their results are available.

What the Privacy Policy Is Really Saying

Verily is a sister company to Google, and stated on their website that they ask users to link or create a Google account for authentication purposes and for Verily to securely contact the user during the screening and testing process. The site claims that the data of people who use the Baseline COVID-19 Program is stored separately and not directly linked to a Google account.

However, Verily also states that their Baseline COVID-19 Program uses “Google infrastructure, security services, data storage, website hosting, and other support functions to safely store and protect the data collected on the COVID-19 Program website.”

The privacy policy on projectbaseline.com then goes on to say that Verily may share your information with certain service providers who are performing services on their behalf, including Google. In the policy, it is stated that Google’s access to data is “strictly limited to the purpose of providing such services (those listed in the quote above) to Verily. Your data collected through the Services will never be joined with your data stored in Google products without your explicit permission.”

Privacy Concerns with Personal Medical Data

Although the Project Baseline website offers a “use a non-Google email” option when beginning the screening process, that option requires that a Google account be created and linked with the existing address.

Even if the data collected is not stored with your data in other Google products, the fact that Verily uses Google infrastructure such as data storage to “store and protect data collected on the COVID-19 Program website” means that Google may still, in fact, be able to access your PII and medical information. The fact that they offer no option to participate without a Google account is concerning. While the screening process may require a way to authenticate users, there are other methods than forcing a Google account. In the midst of a pandemic, people should not be forced to create new accounts, especially one with as pervasive a reach as Google’s.

The privacy policy clearly states that it may use your test results and other information to communicate test results, improve the testing program for public health purposes, and alert public health authorities of the success of the program. With the entire operation being tied to a research project, that is not a surprise.

Organizations such as Rite Aid, the California Department of Public Health, and California All are partners in this program but are not the initiators. Current news coverage indicates to consumers that the testing program is operated by a trusted healthcare facility or company rather than a project developed to obtain data on the pandemic and those affected.

Safety During a Worldwide Emergency

Washing your hands and staying isolated from other people are not the only precautions that people must take during this COVID-19 outbreak. While increasing the amount of testing for this virus is a positive step towards reaching a new level of normal for nations around the globe, there needs to be a proper way to do it.

Data security needs to be upheld, and people need to access testing and screening with no strings attached. Secure Data takes data security seriously, and we offer a variety of services and products to retrieve your files from a damaged device, identify and end cybercrime, and protect your data using hardware-encrypted devices. Learn more about our data security efforts by calling 1-800-388-1266.