Google, other companies get your data if you used Verily’s coronavirus site

Verily doesn’t share your data with Google without explicit permission. Except you need to give permission to use the COVID-19 screener. 

James Martin/CNET

The rollout of a coronavirus testing website by a sister company of Google has been marred by confusion and limitations. Now, privacy concerns are circling the service. 

The site, designed by Verily, the life sciences arm of Google parent Alphabet, was first made public Friday at a White House press conference by President Donald Trump, who said the search giant was working with the US government to provide preliminary screening and information about coronavirus testing. 

Verily’s online screening test was developed so people could determine if they should be tested for COVID-19, the disease caused by the novel coronavirus, based on their symptoms. The website is launching despite a shortage of coronavirus test kits and as authorities advise the public to avoid swamping emergency rooms. 

The service also requires visitors to have a Google account to use the tech giant’s platform as a health resource. Visitors who don’t have a Google account will be required to create one in order to use the service.

A Google account is required for authentication, as well as contacting people during the screening and testing process, a Verily representative said. The representative didn’t say why Verily specifically needs a Google account to accomplish these tasks.

That requirement is raising privacy concerns for experts wary of Google’s data collection empire. It also brings up criticisms of Google using a public health crisis like the coronavirus outbreak to gather health data on people. 

“COVID-19 testing is a vital public necessity right now — a core imperative for slowing this disease,” said Jake Snow, a technology and civil rights attorney with the American Civil Liberties Union of Northern California. “Access to critical testing should not depend on creating an account and sharing information with what is, essentially, an advertising company.”

A Verily FAQ notes that data collected through the screening service is only linked to a person’s Google account with explicit permission. You give that consent by using the COVID-19 screening service, locking privacy-conscious people out of the health resource. 

“Authorization is required to collect, use and share information and must be provided before screening begins,” a Verily spokeswoman said in a statement. “The services the Baseline COVID-19 Program is providing inherently require the limited and responsible sharing of information with other groups.”

The statement gave examples, such as sharing medical information with companies performing the physical coronavirus tests. On Verily’s FAQ, the company noted that with that permission, data could still be shared with “certain service providers,” including Google.

Requiring consent to data policies in exchange for a technology service is considered “forced consent” by privacy regulators in the European Union. In 2018, Facebook, Instagram, WhatsApp and Google’s Android faced four complaints over “forced consent,” with each alleging the tech giants simply cut off access to the service if a user didn’t give permission for data collection.

In 2019, French regulators fined Google $57 million for violating the EU’s General Data Protection Regulation over the forced consent concerns. 

“What’s most chilling is that most states have no prohibition on this sort of coercion, forcing people to sign away their privacy to access vital government services,” said Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project. “If profit-driven companies are going to play a central role in our response to the COVID-19 pandemic, we must take steps to ensure that they are serving the public, not just their bottom line.”

Verily said that it complies with applicable laws and regulations. This potential forced consent with Verily could violate GDPR, but Verily noted that the coronavirus screening isn’t intended for residents protected by Europe’s sweeping data privacy law.

“The Baseline COVID-19 Program is currently only intended for people in the US, specifically the Bay Area pilot launch,” a spokeswoman said. “GDPR, however, is focused on personal data from EU data subjects.” 

The California Consumer Privacy Act, which went into effect on Jan. 1, doesn’t directly address forced consent.  

When you give permission to Verily to conduct the COVID-19 screener, it also allows the company to share that data with third parties, including Salesforce. Verily said that this was so its customer service team could contact people “with emails or calls as appropriate.” 

The company didn’t verify what other third parties have access to that data.

“This is how privacy invasions have the potential to disproportionately harm the vulnerable,” Snow said. “Google should release this tool without those limits, so testing can proceed as quickly as possible.”

Verily said sharing data from its screening process was “fundamental to the coordination of services,” and third parties include the California Department of Health and the clinical laboratory that’s running the tests. 

The company added that the third-party access to data was limited and had technical security measures to prevent unauthorized access. Still, sharing that data for any purposes beyond what’s necessary to perform a coronavirus screening opens up privacy concerns. 

“I think the more entities you’re sharing sensitive health information with, the more vectors there are for both abuse and screw-ups,” said Lindsey Barrett, a staff attorney at Georgetown Law’s Institute for Public Representation Communications and Technology Clinic.