Every day we take risks. We get into a car and drive knowing we could get into a crash or we walk down a street knowing we could get hit by a bus. We use our credit cards for shopping, both online and in-person, and we simply assume that these companies will securely handle our credit card information in the age of data breaches. Most of the time we don’t think about these risks. We’ve learned through experience that odds are we won’t get into a car accident every time we drive. However, there are other, more serious, risks we fail to realize or even take into consideration before making a life decision. One of those choices in life is intrinsically tied to us from the moment we are conceived to our inevitable and hopefully peaceful death: Who to give our DNA information to.
Smerconish.com Survey Question on March 15th, 2021
Are discoveries from home DNA tests worth the privacy risks? (Percentage of 7,129 votes)
Millions of people have spit into a tube and sent their DNA to various private corporations in exchange for a deeper look into their family history and more insight into possible health risks that your genetic code may reveal. It’s exciting to find a long-lost family or a relative and can be a relief to know that a propensity for cancer doesn’t run in the family. However, most don’t realize the risks associated with giving away what is uniquely yours to a for-profit corporation.
The goal of this article isn’t to prevent anyone from sending away their DNA for any reason they see fit. It’s purely to help everyone make an informed decision about an irreversible decision in their life.
We Live In The Era Of The Hacker
Corporations are declaring data breaches left and right. If the end of 2020 and beginning of 2021 has shown us anything, in terms of technology, it’s that we’re living in the era of the data breach. At the end of 2020 SolarWinds, a provider of IT management software to massive corporations, was breached by Russian hackers, which forced many Fortune 500 companies and even the major departments of the U.S. government to declare data breaches. DNA companies, too, are not immune from data breaches. In 2018 MyHeritage DNA suffered a massive data breach that exposed the personally identifiable information for 92 million of their users. Fortunately, MyHeritage claims that while a treasure trove of information was stolen, their DNA database was not taken in the cyber heist. In 2019, DNA testing company Vitagene exposed genealogical data on thousands of its members.
Illegally obtaining a person’s DNA can have some disastrous consequences. Imagine if that data falls into the hands of a health insurance provider who is able to review the DNA and then increase their premiums based on what they find (more on this in a future point), or having the DNA of a population fall into the hands of an adversarial government that could use that data in some manner. In the era of genetic engineering with technologies like CRISPR, losing control of your DNA could have some seriously negative consequences.
Corporations That Have Your DNA May Be Purchased Or Give Your DNA To Other Entities
Imagine giving your biological footprint away to a DNA testing company for the purpose of finding family around the world, only to have that DNA company enter into an agreement with a massive pharmaceutical company to use your DNA for study.
That is exactly what happened between 23andMe and GlaxoSmithKline. In 2018, GlaxoSmithKline purchased a $300 million stake in 23andMe and entered into a partnership to share DNA for testing. Overwhelmingly, most people do not read the fine print when they sign up for virtually anything online; however, in this case, the more recreational users of companies like 23andMe either didn’t realize or didn’t understand that their data could be used in this manner.
Furthermore, the concept of your genetic information being shared between companies only exacerbates the previously stated risk of hacking. If the DNA data in question was also copied into a different infrastructure with a different set of security controls, it could be extremely vulnerable. 23andMe also recently went public which means that anyone can purchase a stake in a company that has DNA information on millions of people. Imagine Amazon, Facebook, or an adversarial government bent on dominating the bio-medical field purchasing a controlling interest in one of the largest DNA sites on the planet.
Many US Privacy Laws Are Antiquated Or Not Comprehensive and DNA Privacy Is No Different.
When it comes to privacy laws, the federal government of the United States is years behind other governments and even some of their own states! For example, because many of the privacy laws surrounding location privacy were essentially written in the Reagan era, for years law enforcement could use companies like LocationSmart to access the GPS location of a person’s smartphone in real-time without needing a warrant. HIPAA, the US federal law for health patient privacy, does not cover Direct-to-Consumer products like home paternity tests, fitness trackers, health apps, and DNA testing companies.
The Genetic Information Nondiscrimination Act (GINA) passed in 2008 under the Obama Administration as an attempt to modernize DNA privacy laws has many loopholes that fall short of allowing for total privacy. GINA only applies to health insurance and employment and there was even an attempt to weaken those restrictions in 2017. Furthermore, if an insurance company somehow gains access to DNA via another means, they could indirectly match a person’s DNA to their profile to circumvent the law. This is happening right now. Life Insurance companies do not fall under GINA and have the right to ask for direct-to-consumer genetic testing results which also means they can decline coverage if the person refuses.
You’re Not The Sole Owner of Your DNA. You Own It With Your Family
Even if you’re not partaking in the DNA ancestry aspects of these various companies, your genetically related relatives are. When your cousin sends in his or her DNA to one of these facilities, a part of your DNA goes with it. While this doesn’t identify you directly since you do not have the same parents, you are indeed related, which could get you into trouble. The most glaring example of this is the Golden State Killer. Using a website called GEDmatch, designed for DNA matching, law enforcement was able to run the Golden State Killer’s DNA through that service and find a match to a relative of his, thus allowing the police to narrow in on the culprit.
While no one will deny that finding and locking up a serial killer is a good thing, this situation brings to light issues that both the public and the law must deal with. Essentially we have no right to be forgotten with this kind of data since we are tied to our family. Your family members may have given you no choice but to always be known simply by accident of birth and that is a serious issue that must be addressed.
Until the public has the following general protections, millions of citizens who have already taken this step are potentially in jeopardy:
- Enforce strict data security laws that ensure our DNA data is constantly behind layers of strong encryption, which is tested and confirmed regularly by third-party audits.
- Create consent laws that corporations must adhere to when they enter into agreements with other organizations. For example, when 23andMe partnered with GlaxoSmithKline, all 23andMe users should have been given the right to refuse to have their data used, seen, or transferred to the new entity. Also, if another third party requests DNA information, such as a life insurance company, the user should be informed and given the ability to decline.
- Create and enforce the Right to be Forgotten for all citizens that extends to DNA. Essentially, if you choose to be forgotten, it would be illegal for a DNA matching service to link you to your relatives or for you to be identified in any way with them genetically.
- Guarantee that all of the above is enforced by penalty of forfeiture and destruction of all DNA data for repeated violations, which would be tantamount to putting the company out of business.
With all of this being said, I get it. I, too, really want to have my own DNA run so I can find those long-lost relatives in faraway lands, but the cost of privacy and the consequences of signing my DNA rights away to a private corporation are too steep a cost. You may now consider yourself informed.
______________________________________________________________________________________________________________________
Nick Espinosa
Nick is the founder and CEO of Security Fanatics, the Cybersecurity/Cyberwarfare division of BSSi2 dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations. As a member of the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as their Center for Cyber and Information Security, the Official Spokesperson for the COVID-19 Cyber Threat Coalition and a board member of Bits N’ Bytes Cybersecurity Education as well as Strategic Cybersecurity Advisor for the Private Directors Association, Nick helped to create an NSA certified curriculum that will help the Cybersecurity/Cyberwarfare community to keep defending our government, people and corporations from Cyber threats globally. In 2017 Nick was accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives, and is a regular contributor of articles which are published on forbes.com as well as smerconish.com.
______________________________________________________________________________________________________________________