WASHINGTON, D.C. – U.S. Senator Bob Menendez (D-N.J.), a senior member of the Senate Finance Committee that sets national health policy, led a group of colleagues in sending separate letters to the Trump Administration and the tech giant Google raising concerns over privacy and cybersecurity vulnerabilities involving a third-party coronavirus (COVID-19) testing website announced last week by President Trump and coronavirus response coordinator Dr. Deborah Birx.

“[W]e are concerned that the Administration and any third-party participant in such a venture has not appropriately accounted for the clear privacy and cybersecurity vulnerabilities in deploying and effectuating such a system,” the senators wrote to Vice President Mike Pence, Head of the White House Coronavirus Task Force. “There are myriad privacy concerns about such an endeavor, including: whether people will be required to sign waivers forfeiting their privacy and personal data in order to access the questionnaire; whether the private company responsible for launching and maintaining the website will be prohibited from using data received through the website for commercial purposes; and whether the private company will be prohibited from selling any data collected through the website to a third-party.”

“[R]ecent data breaches affecting all types of companies, including Quest Diagnostics LabCorp, Equifax, and Capital One, among many others, have left millions of Americans susceptible to identity theft and various forms of fraudulent activity”, the senators wrote to Google CEO Sundar Pichai. “To state the obvious, the information Americans enter on this website will be highly valuable to potential hackers, foreign state and nonstate actors with nefarious intent, and other criminal enterprises.”

“We are concerned that neither the Administration nor Google has fully contemplated the range of threats to Americans’ personally identifiable information,” the senators wrote to both Vice President Pence and Pichai.

Furthermore, the group of senators expressed concerns about data privacy in regards to Google’s “Project Nightingale,” an initiative with Ascension Health that grants the tech giant access to millions of Americans' personal health data. In addition, they requested information on who in the Administration is in charge of monitoring this arrangement and ensuring private information is protected and whether anyone interested in doing the online screening would be required to have a Google email account (Gmail.com) to access the website.

As of today, there is no clear timeline on the date when the coronavirus information website will be available as Google pushed back the launch originally scheduled for Monday, March 16.

Joining Sen. Menendez in sending the letter were Sens. Sherrod Brown (D-Ohio), Cory Booker (D-N.J.), Kamala Harris (D-Calif.) and Richard Blumenthal (D-Conn.).

The full text of the letter to Vice President Pence can be found here and the full letter to Google can be found below and downloaded here.

Dear Mr. Pichai:

We write to express our concern and obtain information about recent announcement of the Administration’s plan to work with Google to launch a virus screening website for COVID-19. On Friday, March 13, 2020, during a White House press conference, President Trump and coronavirus response coordinator Dr. Deborah Birx announced that Google would be developing a website to help Americans access testing clinics and determine whether they should be tested. On Sunday, March 15, 2020, Alphabet announced it is collaborating with California to launch a pilot of a COVID-19 testing website in the San Francisco Bay Area. We appreciate the Administration’s efforts to utilize Google’s technology to disseminate up-to-date information about COVID-19 and to assist Americans in determining whether they need to be tested. However, we are concerned that neither the Administration nor Google has assessed what privacy and cybersecurity vulnerabilities may arise in developing and deploying such a system.

There are numerous privacy concerns about such an endeavor, including: whether people will be required to sign waivers forfeiting their privacy and personal data in order to access the questionnaire; whether Google or any of its subsidiaries will be prohibited from using data received through the website for commercial purposes; and whether Google and any of its subsidiaries will be prohibited from selling any data collected through the website to a third-party. This applies not just to COVID-19 status information but all other personally identifiable information shared through the website for the purposes of evaluating symptoms and identifying testing centers. If Google and its subsidiaries fail to establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination.

Moreover, recent data breaches affecting all types of companies, including Quest Diagnostics and LabCorp, Equifax, and Capital One, among many others, have left millions of Americans susceptible to identity theft and various forms of fraudulent activity. To state the obvious, the information Americans enter on this website will be highly valuable to potential hackers, foreign state and nonstate actors with nefarious intent, and other criminal enterprises. We are concerned that neither the Administration nor Google has fully contemplated the range of threats to Americans’ personally identifiable information.

In addition to privacy and cybersecurity concerns, we have questions about who will be responsible for the website and when it will be launched. On Friday, the Administration announced the website would be developed with Google, however later that day, Google tweeted a statement suggesting the project was much farther from launching than what was indicated by the President. Google’s life science affiliate, Verily, said they are “in the early stages of development, and planning to roll testing out in the Bay Area, with the hope of expanding more broadly over time.” As of Monday, March 16, however, Google announced even further delays in the availability of its COVID-19 information website stating the company wants to take a little more time to fill out the sites features, which according to reports, it didn't start working on until last week. Also, news reports indicate it is unlikely that Google’s site will be able to deliver the comprehensive, national screening features previously mentioned by the White House. If Google is indeed the company responsible for launching and maintaining the website, we have specific concerns in light of the company’s “Project Nightingale” initiative with Ascension Health which grants it access to millions of American’s personal health data.

To address these concerns please provide answers to the following questions no later than March 30, 2020. We appreciate your efforts to protect Americans and we look forward to your response.

1. Has Google or any of its subsidiaries entered into any agreements with the Administration to launch and maintain a website to identify testing clinics and provide a questionnaire for Americans to determine with they should be tested? If yes, when was the agreement formalized?

a. Please provide the specific terms of the agreement.

2. Please describe Google’s efforts to protect personal health data acquired from Ascension Health as part of the “Project Nightingale” initiative.

3. Will Google require individuals to use a Google account to use the website? Will individuals without a Google account be able to use the website?

4. When will the website launch?

5. When will the website be available nationally?

6. Will users of the website be required to sign a waiver forfeiting their privacy and personal data, other than for public health purposes, in order to access the questionnaire? If yes, please provide the terms of such a waiver.

7. Will individuals who use the website be able to access and monitor their data?

8. Will Google be prohibited from using data collected on the website for commercial purposes?

9. Will Google be prohibited from selling the data collected on the website to third parties?

10. What specific cybersecurity safeguards will be utilized to ensure the security of the data entered on the website?

11. What are the specific data retention policies regarding any and all information entered into the website by individuals?

12. Will the website and any user entered data protection and use policies be HIPAA compliant?

13. What role, if any, would the Cybersecurity and Infrastructure Security Agency have in supporting the cybersecurity posture of the website?

14. How will testing clinics be identified and approved to be added to the website?

Sincerely,

###