The Privacy Hazard in High Tech Heritage
DNA kits like 23andMe, Helix and AncestryDNA topped holiday gift guides again this past year. Kits range in the market from $60 to $200, and they’re meant to help consumers understand family history, genealogy and can even connect unknown family members. Collecting genetic data can also have broader impacts in healthcare and justice for law enforcement. We’ve seen this play out in the arrest of the suspected Golden State Killer Joseph James DeAngelo as a result of DNA from an ancestry website.
However, companies compensate for low product cost through investors, who can have potentially unsavory intentions. While these products can explore how DNA impacts your health, lead to innovations in the healthcare system and solve more crimes, the amassed information and third parties involved also lend themselves to privacy concerns.
Putting your family history in someone else’s hands
Profit and business will always impact companies no matter the company vision and goals. Recently, GlaxoSmithKline (GSK) invested $300 million in 23andMe. While both companies insist that this partnership will only further the availability of beneficial medications, it is important to note that consumers who shared their genetic data with 23andMe before the investment will still be impacted. Consumers who do not consent to sharing their identity will be anonymized, but the rest of their genetic information will be available to GSK.
But, if you dig into the details, it becomes clear that genetic information shared with DNA testing companies can never be truly anonymized, and in using these services consumers risk losing control of the data they provide. With an opt-in status that is unclear, consumers are left unsure of who is using their data – and for what. When you look at data privacy scandals like Cambridge Analytica, the problem was that privacy related data collected by a first party was then shared with a third party. This is where the control was lost – and once actors in the field are driven by profit through services delivered to third parties, they run the risk of deprioritizing data privacy.
Direct to consumer products like AncestryDNA and 23andMe do not have to abide by the same regulations such as the Health Insurance Portability and Accountability Act (HIPAA), to which doctors are bound. And at times it’s in the best interest of the government that this genetic information be shared. FamilyTreeDNA gave the FBI access to its database of more than 1 million users' data that allowed agents to test DNA samples from crime scenes against customers' genetic information. In future incidents, the government could hypothetically subpoena these companies for access to DNA. It’s also important to note that individuals do not need to be the first party granter of their DNA to be found in a system. If a family member, even down to your third cousin, conducts a DNA test kit, the privacy of your DNA is also at risk. Furthermore, Scientists are now able to identify unique mutations in an anonymous sample of DNA to pinpoint its owner.
The fact that this data shares information about an individual’s family member takes this case to beyond “personal”. We need to find a way to better control “personal data once removed” with DNA.
How to protect DNA data for beneficial use cases
Despite potential risks, it’s clear that there are advantages to collecting such a vast amount of genetic data. Leaps can be made in healthcare discoveries, killers can be brought to justice, and families can be reunited. It’s all a question of how to ensure the data is only used for good.
Consumers should be able to trust the companies they share their genetic information with and use the platforms for their original intent: to connect users with their genealogic history and family members. Similar to Facebook as it relates to social data and trust, DNA testing companies are facing a huge trust challenge when it comes to growth. From addressing risk for the future of their business to ultimately reaping the full benefits that the DNA data can bring to both the economy and society. In order to regain public trust, DNA testing companies must implement regulations on data sharing and privacy.
Additionally, there is a strong need for regulation in this space. In healthcare, regulations such as HIPAA have established very strong rules for data protection that demands providers anonymize and scrub out any obvious characteristics before medical companies can share and eventually sell a patient’s data. Unfortunately, with DNA specific regulations in their infancy, this data does not fall within HIPAA regulations. This raises a large number of questions given the increase in consumer interest (AncestryDNA alone sold about 1.5 million kits), and dropping the cost of at home kits as demand continues to grow.
The Future of DNA Kits
Genetic testing kits provide benefits from family background and healthcare innovation to the justice system, but privacy regulations in the field are lax and allow data to be shared without consumer consent. Companies are influenced by investors and profit, and this impacts their decisions on how to use the data they’ve collected. Whether or not the government decides to implement more stringent regulations is yet to be seen, but in the meantime companies should employ data governance to protect the personal data they amass.