One week after Alphabet’s Verily launched its COVID-19 screening website, several unanswered questions remain about how exactly the project will collect, use, and retain people’s medical information.
Verily, a healthcare data subsidiary of Google's parent company Alphabet, has until now operated its Project Baseline as a way to connect potential participants with clinical research. Now, after a confused roll-out, Verily’s Baseline COVID-19 Pilot Program screening and testing website allows users to fill out a multi-question survey about their symptoms and, if they are eligible, directs them to testing locations in a few counties in California.
After a letter from Congress and multiple blog posts, press statements, and not one but two FAQs from Verily, users still do not have enough information about how using this service will affect their medical privacy. So, we have a few questions of our own.
Why does using the site require a Google account?
While the United States is in dire need of more testing, individuals’ access to this critical health service should not hinge on whether or not they have created an account and shared information with the world’s biggest advertising company.
But you can’t use the Verily screening website without a Google account: users must either log into their existing Google account, or create a new one, before filling out the screening survey. Verily representatives have claimed this is necessary to authenticate users and contact them during the screening and testing process. However, Verily has not explained why a Google account is uniquely suited to identifying patients, or why the project cannot use other less invasive forms of identification.
What will Verily do with your information?
Verily assures users that the medical information they input as part of the screening service will not be linked with their Google account data without “separate or explicit” consent. However, the screening website’s FAQ page says that information may be shared with “certain service providers engaged to perform services on behalf of Verily,” which includes—you guessed it—Google.
Who is Verily sharing data with?
The information you choose to provide during the screening process or testing process may also be shared with the healthcare professionals at the specimen collection sites, the clinical laboratory that processes specimens, the California Department of Public Health, and potentially other federal, state, and local health authorities, as requested or mandated for public health purposes.
While Verily has been clearer about the healthcare professionals and labs it partners with, it does not detail what “other federal, state, and local health authorities” include. What is Verily’s relationship with the U.S. government? Would ICE, for example, have access to user data under any circumstances? The only thing that's clear here is that Verily is lumping federal, state, and local public health agencies into one undifferentiated mass, and that is unacceptable.
Verily also fails to provide more information about its relationship with the California Department of Public Health. Is there a written Memorandum of Understanding that lays out how data will flow between Verily and state health authorities?
Does using this service opt you in to Verily’s Project Baseline?
In addition to Project Baseline, where the COVID-19 screening site is hosted, Verily has its Baseline Platform, Baseline Registry, and Baseline Community.
After completing the screening survey on the website, users are asked if they would like to participate in Verily’s Baseline Community, which spokespeople have told the press will “enable you to participate in creating new knowledge that is critically important to the health of all of us in the face of the COVID-19 pandemic.” Statements go on to say that participation in Baseline Community is “completely voluntary,” and imply that users’ information is shared with California public health authorities regardless.
It’s unclear how these various Verily services intersect with the screening website, and how those relationships may or may not change in the future. Concerns about such internal relationships are especially critical given Google’s healthcare ambitions and previous scrutiny in this area.