Verily, the life sciences arm of Google parent Alphabet, has indicated it plans to keep a requirement that visitors to its coronavirus screening website use a Google account to sign in, a decision that has drawn scrutiny since the .
The website allows people to take a screener survey to see if they should go to testing stations for COVID-19. The tool, which is currently open only to people in a handful of California counties, is hosted through Verily’s Project Baseline, an initiative to advance clinical research.
But in order to take the screener, people must use a Google account. If they don’t have one, they are prompted to create one. Verily said it needs to rely on Google accounts for security and authentication reasons. The explanation came in an April 10 response to a group of Democratic senators, who last month wrote a letter to Verily grilling the company over privacy concerns related to the website.
“Given that Google Account provides best in class authentication and that quickly developing alternative methods of authentication runs the risk of being less secure for participants, currently Verily cannot make this a priority as we don’t have the mechanism at hand to provide a different, equally secure method for authentication in the Baseline COVID-19 Program,” Verily wrote in a response to the letter viewed by CNET.
In the response, written by Verily CEO Andy Conrad, the company also committed to not using data from the website for “commercial purposes.” Verily also said more than 7,000 people have been tested for COVID-19 after completing the website’s screener.
Verily also acknowledged the website isn’t covered under the Health Insurance Portability and Accountability Act, or HIPAA, the federal law regulating the security and privacy of certain medical information.
“With respect to its Baseline COVID-19 Program, Verily is not acting as a covered entity or a business associate as defined by HIPAA,” the letter says. “As the program expands, we will continue to prioritize the protection of individual health data. However, in the future if we engage in a program where we do become a covered entity or we are required to sign a BAA [Business Associate Agreement] we will take all the appropriate steps to ensure compliance with HIPAA.”
Reached for comment, Verily pointed to a blog post similar to the response letter that was posted to the Baseline website late Tuesday.
The response letter comes as tech giants have tried to use their resources and engineering chops to contribute to the coronavirus response. Google and Apple last week announced a major project to use their massive operating systems to let public health authorities build tools for contact tracing, which would use people’s phones to warn them if they’ve been in contact with someone who’s tested positive for COVID-19.
But even as the tech giants try to help, they’re still haunted by past privacy controversies. The letter from senators is a follow-up to another missive by the same group from March 18 about data concerns. The senator’s letter is signed by Robert Menendez of New Jersey, Kamala Harris of California, Richard Blumenthal of Connecticut, Sherrod Brown of Ohio, and Cory Booker of New Jersey.
On Wednesday, Menendez praised Google’s commitment to not use data from the website commercially, but criticized the company’s decision to not provide alternative forms of authentication.
“I remain concerned that the company cannot quantify the number of people who were denied the opportunity to participate in its pilot COVID-19 screening program in California simply because they didn’t have a Google account,” Menendez said in a statement. “Most concerning, they seem to not have a plan to fix this. If Verily is seriously considering expanding these sites to other states –or nationally—my hope is that they address this question and provide an alternate authentication method to ensure that anyone interested in accessing a testing site can use the program.”