when relevant content is
added and updated.
In response to incidents such as the Federal Bureau of Investigation (FBI) using material in a genetic database to track down a murder subject, the major genetic testing firms are pledging that they will follow certain best practices before doing so in the future. But don’t cheer just yet.
“Under the new guidelines, the companies said they would obtain consumers’ ‘separate express consent’ before turning over their individual genetic information to businesses and other third parties, including insurers,” write Tony Romm and Drew Harwell in the Washington Post. “They also said they would disclose the number of law-enforcement requests they receive each year.”
Well, that’s nice, except for a few things.
- The agreement doesn’t cover GEDMatch, the open source database used by law enforcement to track down the alleged “Golden State Killer.”
- How long is it going to take before insurers offer either carrots – “We’ll give you this sort of price break to give us access!” – or sticks – “We won’t insure you unless you give us access”?
- What happens when law enforcement puts gag orders on these firms forbidding them to release information about law enforcement requests or releases of information? In other words, how long will it be before we see a “warrant canary” on genetic database sites?
- At this point, it’s something the companies are doing only out of the goodness of their hearts—and their concern that people will stop using their services if they are afraid the information could get out. “Adherence to the rules is voluntary,” Romm and Harwell write. “While the policy offers users of participating sites added new protections at a time of great ‘uncertainty,’ it doesn’t have the force of law, said Justin Brookman, the director of consumer privacy and technology policy at Consumers Union.”
- Having once submitted your data, it’s not at all clear that you can delete it from the databases. “Customers of these DNA testing services would gain some limited rights to have their biological data deleted, but they may not be able to withdraw data that was already in use by researchers,” note Romm and Harwell.
This is all happening at the same time that the genetic database companies are finding new ones to monetize the data. 23andMe recently announced it had struck a research deal with GlaxoSmithKline for $300 million, Romm and Harwell write. “As part of that pact, GlaxoSmithKline can access ‘de-identified’ genetic data about 23andMe users — provided they’ve previously given their consent — so that the firm can ‘gather insights and discover novel drug targets driving disease progression,’ the company said.”
That’s fine – noble, even – except that studies have demonstrated that the so-called “de-identified” data can actually be “re-identified” pretty easily. And under the guidelines, the genetic database testing companies don’t need to inform their users about these efforts, Romm and Harwell write. (And other genetic databases for research may also be subject to police search and not subject to these guidelines, writes Natalie Ram in Slate.)
Another nuance – the genetic databases suffer from a “lack of diversity,” and concern about privacy, particularly from law enforcement, could keep ethnically diverse individuals from submitting their material to the databases, writes Eric Rosenbaum for CNBC. 23andMe has noted that the genetic testing industry remains challenged by a lack of diversity, and to the extent that poverty is intertwined with the criminal justice system, a focus on using these databases to identify criminals will create unease or distrust, especially among historically targeted populations, he writes. In addition, when companies are sold or go out of business, as in Sports Authority or Radio Shack, the new owner may not hold to the same provisions, he notes.
As many as 12 million Americans – 1 in 25 – have had their genetics tested by one of the companies as of 2017, according to MIT Technology Review.
The guidelines themselves are a pretty interesting read, with some fascinating circumlocutions. For example, genetic information is important because, in the document’s words, “It may contain unexpected information or information of which the full impact may not be understood at the time of collection.” In other words, you may unexpectedly find out that your daddy isn’t your daddy or that you were adopted. Not to mention, “It may have cultural significance for groups or individuals,” and that could have any number of meanings.
There’s another offhand sentence in the Washington Post story that’s pretty ominous: “Companies, meanwhile, would have to ensure the person submitting DNA data is the actual owner of that data.” Uh, yeah. You mean they don’t do that now? There’s all sorts of interesting possibilities around that. You think Facebook stalking is bad? How about someone sending off some hair or spit from a prospective partner or job applicant? Or let’s get into science fiction and imagine bounty hunters on the prowl for people with – or without – certain genetic conditions. Remember those “I woke up without a kidney” urban legends?
Social media companies have been reporting the number of law enforcement requests they get, on a semiannual basis, for several years. Genetic testing database companies are also planning to do this, with Ancestry saying it had received 34 requests, 31 of which it had fulfilled, and 23andme saying it had received five requests, none of which it had fulfilled. If the social media companies are any indication, these numbers should zoom up over time.