Practical privacy and simple cybersecurity.
TheNewOil.org

The Privacy of DNA

How insatiable curiosity created an immutable treasure trove of data privacy nightmares, and you've paid for it

While chatting with another privacy enthusiast on the web lately, the topic of DNA testing came up. This person pointed out how very little information exists in a consolidated, easy-to-understand format online for privacy enthusiasts and how this person had to go do their own research so they could discuss the matter with their own family. Given both my interest in true crime and the fact that my own family has performed these tests in the past (though not me personally), I suddenly realized how surprised I was that I had never before tackled this subject. So, with the help of 21x this week I'm going to attempt to dig into this subject.

DNA Testing

I'm sure that if you're reading this, you're familiar with DNA testing, but just in case you're not or you need a refresher, it presents most often in the form of services like 23AndMe or Ancestry.com who offer an inexpensive, at-home DNA collection service (usually something along the lines of spitting in a tube and mailing it in) and in return you get told about your ancestry such as what countries your ancestors may have come from. Some services even offer to identify potential long-lost family members and help put you in touch.

Don't get me wrong, DNA testing has some incredible promise. Full disclosure: Alzheimer's runs in my family and that keeps me up at night. As a child I watched my grandfather deteriorate into a helpless heap who could remember nothing, do nothing. He drooled on himself and got fed by the nurses. I am all in favor of technology that will help me avoid that fate, and I would love to know if I'm at an elevated risk so I can get treatment early. Additionally, I am in favor of using this same technology to help identify victims, find criminals, and help families get closure and justice. But we have to realize that, as with all modern technology, this is a double-edged sword. We can't let mainstream articles of rainbows and butterflies lull us into a false sense of security by painting utopian pictures of early cancer detection and crime prevention.

Not to mention that the reach of consumer grade DNA testing can be incredibly narrow. A person has about three billion base pairs that would need to be analysed to get the full picture of individual's genome; this cannot be done for $100. Instead, your average at-home DNA test sequences only between half a million and one million base pairs. Plenty to identify you, or offer some very limited health insights while at the same time not really giving you a full picture of your genome which would be useful to your doctor.

The Risks

DNA testing carries great benefits, and with it great potential for abuse. For example, in my own life, what happens if I get tested and a health insurance company declines coverage because I'm at risk for Alzheimers? What if they raise my premiums to an unrealistic level? Many countries are still engaged in aggressive, overt racial discrimination, most notably China with their treatment of Uighar Muslims. Imagine how DNA mapping could be used to refine this process. People who would normally not be at risk – maybe people who have left the ethnic community or don't look like they could belong to the said community – would suddenly be proven to have roots and now be targeted. Imagine how this technology could be use to discriminate against transgender people.

The Problems

I think that genetic privacy is not such a widely covered topic because it has no easy technological solutions. As much as we say that privacy is a human right – and it is – so is the right to waive that privacy if you want. I have the right to not put my entire life on display via Facebook or YouTube, but I also have the right to do that if I want. While long term solutions to privacy concerns will always be fundamentally economic and political, there is some comfort in the fact that if you don't want your phone provider reading your text messages, there's something concrete you can do to implement effective controls. DNA is not so black and white. I can strong-arm companies into respecting my privacy by simply opting out, by using encrypted communication and not using their services in some cases. With DNA, I don't have that option. I have to give up some of that privacy in order to get a medical test. In fact, most newborns are tested within minutes of birth for any major problems because many problems can be fixed or treated if caught right away. But rarely discussed is what happens to that blood sample afterwards. Some states require the sample to be destroyed at the request of the parents, but parents often don't know they have that right, or even that the sample is kept. The same can be kept for decades and is often sold or used in research. In time it could even be upcycled into criminal databases for faster criminal identification.

A bigger problem that rarely gets discussed, I think, is the fact that DNA is not one-to-one. In other words, think of Joseph DeAngelo, the Golden State Killer. DeAngelo evaded detection for decades – his last crime was in 1986 – and he was only captured in 2018 after members of his family submitted a DNA test. Family member DNA is so similar to each other that it got flagged and made police investigate the family more closely, at which point they were able to narrow it down and positively identify DeAngelo as their suspect. He would later confess. In this context, DNA is essentially like metadata: if you have enough of it, you don't need the content. If enough of my family members submit DNA tests, my DNA is virtually unneeded. The picture is complete enough to paint in the missing pieces. Or, have you ever considered how the the 4th amendment rights interact with DNA? The law enforcement compared DeAngelo's DNA with the data found on the public DNA sharing website called GEDmatch. As the DNA the Golden State Killer shares with his family is also his, does that fall under the idea that an individual should not be subject to unreasonable searches? Is shared DNA considered to be part of 'persons, houses, papers, and effects'? Even if you fall on the side of 'they do not', it is inarguable that these issues should be tackled through the democratic legislative process.

Ultimately, where do my rights begin and my family members' rights end? If my mother chooses to get a 23AndMe test, that's her right. But what about my right to not have my DNA obtained by third party researchers? Or insurance companies? Police? Private individuals can already buy your geolocation from your phone provider, should they be able to buy your DNA?

This all factors back into the classic “nothing to hide” argument, the idea that if I'm not doing anything wrong I shouldn't be worried about putting my life on display, but the problem is so much deeper. I don't mind that DeAngelo got caught. In fact, I'm sad it didn't happen sooner. The man was a monster and he got to live a long and privileged life. Catching him at this point is a formality. There was a time where IMSI catchers were only used by highest levels of law enforcement, now every police department has one they got off eBay.

We can pass laws requiring health companies not to discriminate based on DNA tests, or requiring research companies to get consent and disclose how the DNA is used, but how often are companies caught violating these laws? The fines are always laughably pathetic, often less than 1% of a company's annual revenue, even to the point where many privacy invading companies simply see this as a cost of doing business. That shouldn't stop us from passing these laws, but clearly we can't rely on them solely as a solution.

The Solutions?

So what is the solution? We don't know, and that's one reason this topic is so rarely tackled by privacy advocates. I can't stop my family from taking a DNA test. I can ask them not to and explain why, but I can't force them. And honestly, I didn't even know my entire family had done them until years after the fact. Some 26 million Americans have taken an ancestry tests so far, and one estimate says that if the growth trend holds, 100 million Americans will have had the test done within next 10 years. If you consider that sometimes even a distant cousin's DNA can reveal meaningful information about you, 100 million Americans being on file is essentially covering the entire country. And, not to sound like a broken record, but that's great for utopian reasons: catching bad guys, catching diseases while still treatable, and even curing some of them. But if surveillance capitalism has taught us one thing, it's that abuse in the name of profit will always be inevitable. It won't be long before the same data used to cure some disease will be used to disqualify health insurance applicants for the incurable ones. Or that someone will try to argue that your DNA makes you more prone to being a criminal, bringing back ghosts of social Darwinist policies we thought we had left in the cinders of the Second World War. Or declare you unfit for some type of job. The discrimination is real, and it will happen. Just this month Toyota announced their intention to track driver data and sell it to insurance brokers. But you can change your car, you can adjust your driving pattern, you can chose not to drive Toyota. DNA is immutable. This stuff happens, it's not as tin-foil-hat as it sounds.

Next steps

So, what can we actually do? My suggestions are as follows:

  1. Speak to, at least, your immediate family and let the know how you feel about issues of genetic privacy. Be on the lookout for ancestry-related conversations or DNA testing commercials and voice your concerns where appropriate. What's more, educate them on these issues. Genetics are complicated, and the pull of insight into our ancestry is strong. Make sure that if they do make these choices on your behalf, they cannot claim ignorance as to gravity of their decisions.

  2. Take steps to minimize what is already out there. Most DNA testing companies allow the customer to request destruction of the existing biological sample. Remember, only a tiny sliver of your DNA is routinely tested, do not allow the technology to advance enough where your already sent sample can be re-tested to violate your privacy further. If your child, or even yourself, were tested as a baby, inquire into what happened to those samples and the results. Do they sit in some storage room somewhere? Inquire if you can request to have them destroyed.

  3. Urge the user to delete the existing DNA service account and data. If you are subject to a jurisdiction with strong privacy laws, such as California or the EU, use these laws to compel companies into destroying your data, if the person who had the test done agrees. If they do not, voice your concerns.

  4. Support organizations which support these causes and champion these issues. I know, pickings are slim in terms of political representation on these issues, but do not let your silence be taken as complicity.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...