Fourteen Days After Original Launch
The criteria for eligibility has changed quite a bit.
Now it is called: Baseline COVID-19 Testing Program
It is "in collaboration with the California Department of Public Health
with input from the federal program."
Q. Is Verily exploiting people desperate for income during the COVID-19 crisis,
by offering monetary incentives to participate in their studies?
Q. What is the probability of actually being selected and paid for participation,
after Verily harvests highly sensitive personal information?
Note: One additional question is whether or not this program complies with CDC guidelines regarding who should get tested, and related ethical questions about privileged access to COVID-19 testing.
The following screenshots show the current process and outcome using a fake identity
which is partially composed of real data from a variety of sources to enable tracking of personal information.
The following 30 screenshots of cookies provide documented evidence for future investigation.
While this isn't the most efficient way to collect this information,
it's included here to show why it's necessary for evaluating the extent of data-sharing with third-parties.
Fevermap.net is an initiative I heard about on a myData.org webcast via Twitter.
This is included for future research cases to correlate tracking cookies and other links
between separate COVID-19 projects.
Back to the COVID-19 screening process:
First step is to create a Google account.
Because I registered for Project Baseline previously using my existing gmail account,
in this Iteration #3, I created a new account because during Iteration #2,
I was not able to complete the screening when I logged in to my existing account.
Yes, you can log into this account to verify this...
This email can also be monitored using HaveIbeenPawnd and Google alerts on pastebin, so be careful:)
In previous iterations I did not publish my personal information; only the empty webforms.
In this iteration, I am providing some of my personal information - only what is discoverable in public records
such as my birthdate, for the purpose of leaving breadcrumbs that link my identity with this fake identity.
Other clues are of course, my ip address, device, browser, cookies, and much more.
While a phone number is optional, I chose to include one because it was required to qualify for studies on Project Baseline.
I needed a verifiable phone number that wasn't mine, so I used the telephone number for Sutter Health's Privacy Office.
Sutter Health is one of my providers and I have spoken to their Privacy Officer in the past, but I have not notified them or asked their permission.
I chose "Not now". But I can also do it later.
The point is "anyone can do this" and we might ask ourselves if Verily & Google should have any responsibility to properly authenticate users.
More cookies to compare, if further in-depth research is conducted.
Back to the screening process...
Now I need to provide an address for my fake identity,
so I decided to use the local city jail...
Here we finally get to screening questions to qualify for the testing...
Just lucky I chose the city jail address...
...even though it doesn't ask if I live there!
My fake identity qualifies for the testing ... based on fake answers.
I'm beginning to lose count of how many consents I'm signing...
Not included in these screenshots are my captures of the PWN privacy policy and TOS...
which I compare against the other copies from previous iterations and future iterations...
It's not a scam if the appointment is real...which I am NOT going to test.
Another cookie check...
Most people going through this process would not be aware they have a profile on Verily's Project Baseline.
Let's check the email notification...
The attached instructions is not an attachment, but a link to GoogleDrive:
https://drive.google.com/file/d/1ArKs4VpWplG-oc8UYR3d5vpC2HVkA2j9/preview
It includes the first mention of what form of photo ID is acceptable.
Q. What if an undocumented resident turned up for an appointment?
Regrettably, there is no contact number or email I can call if I need to change or cancel my appointment.
A wasted appointment for someone who really needs it. Shame on me, Ethics Officer!
I did some research to find out if the test sites are actually legit. Why are these not more well-known?
I'm not finding these sites anywhere else, and I neglected to check with the California Department of Public Health.
Here's what I DID find... and it raises questions about privileged access to testing:
