The scandal involving Facebook data and its use by Cambridge Analytica and other companies has a lot of people thinking about data privacy. It is important to note that the Facebook scandal was not a data breach; it was a feature of the business model and the sharing of the data was not a violation of their policies at the time. Coming on the heels of the Equifax breach, where the data of nearly half of all Americans was exposed, as well as the upcoming enforcement of the General Data Protection Rules (GDPR) by the European Union which is going to have a wide reach into non-EU businesses, conversations around data privacy and your rights to your data have spread far beyond their typical boundaries.
I’ve examined issues around data privacy and data security in several previous posts, including:
- Facebook Polls are a Jackpot for Scammers (Cybersecurity Researcher Brian Krebs later wrote a very similar piece covering those random Facebook questions that ask for similar information, which I have to admit did have me doing a bit of cybersecurity geeking out.)
- When Security is an Afterthought
- Stay in Control of Your Cybersecurity
- Are Users Your Weakest Link?
As you can see, data security, data privacy and general data management are an interest of mine and something I regularly follow. So I’d like to extend the topic into another area where the data privacy conversation does not seem to be reaching, but definitely should be: Genetic Testing for Recreational Purposes.
Personal Genomics and the Data Privacy Question
Whenever I walk into almost any chain pharmacy or chain retailer, I pass end caps filled with boxes from the personal genomics company 23andMe. It's sold with a very alluring concept: just pick up the box, provide a DNA sample, send it off to the company and get a report telling you where your ancestors came from on the globe. Of course there are some issues with this concept, starting with the fact that the tests can only show you where concentrations of your genetic code are present in the world today, not where your ancestors came from. Why? Because we do not have historical DNA data from even 50 years ago, let alone from the prior centuries when our ancestors were alive, to serve as the basis for that comparison.
But for a privacy-minded person like me, those tests present a bigger threat: what happens to the data once the genetic testing company has it?
Just like with the Facebook data scandal, where a part of the blame does rest on the users who gave authorization to the app to access all of the data because they clicked through the box that told them exactly what information the app was going to collect, anyone who is even thinking about having their genetics tested for recreational purposes like this really needs to read the Terms of Service carefully. These companies are not simply testing your genetic code, giving you the results, and then throwing your data away. Just like with Facebook, they are keeping it for future use, and if you are going to give away your genetic information, you should be very comfortable with where that information could end up.
Note: I am not a lawyer, nor am I offering anything that should be construed as legal advice. I am simply providing my analysis and interpretation of these documents as provided on each company’s website, which are freely available for anyone to read and interpret. I encourage you to read the documents yourself and draw your own conclusions.
For instance, Ancestry.com offers a personal genomics testing service similar to the kind you can buy in the stores. Let’s take a look at the Terms and Conditions of using the service to see what we are allowing Ancestry.com and its genetic testing vendors to do with our genomes once they have them.
- According to the Requirements for Using the DNA Services, users “…acquire no rights in any research or commercial products developed by us or our collaborators and will receive no compensation related to any such research or product development…”. In layman’s terms, this means that Ancestry, as well as anyone else they decide to give your data to, can use your data to create any kind of research or product they want, and you have absolutely no say in that. Not only does this mean that you can’t receive any monetary benefits from being a part of the development of a commercial product or new miracle drug, this also means that if one of their vendors uses your DNA to research and create unsavory things like genetic-targeted weapons or if society ever takes a major turn and we start rounding up people with certain genetic features in a eugenics-like throwback, there is nowhere you can hide.
- According to the AncestryDNA Informed Consent Documentation, those who authorize Ancestry to use their data for research purposes grant that right not only to Ancestry, but also to Collaborators (defined as “academic institutions as well as non-profit and for-profit businesses or government agencies”) AND to Collaborator Partners, who are basically anyone else the Collaborators choose to work with. Here is an important thing to remember: Even if you are completely comfortable with Ancestry’s Terms and Conditions and Data Use policies, these Collaborators and Collaborator Vendors may or may not be bound by the same policy. I could find no information indicating whether other participants in the Ancestry Human Diversity Project would be bound by the same rules, or the enforcement mechanisms for it.
What about the off-the-shelf model provided by 23andMe? It has some of the same issues as noted above, including a Waiver of Property Rights indicating that, as a condition of using the service, you retain no rights to your data or the data from your genome and its further use. Interestingly, if you read the Terms of Service, it gives the following warning:
Genetic Information you share with others could be used against your interests. You should be careful about sharing your Genetic Information with others. Currently, very few businesses or insurance companies request genetic information, but this could change in the future. While the Genetic Information Nondiscrimination Act was signed into law in the United States in 2008, its protection against discrimination by employers and health insurance companies for employment and coverage issues has not been clearly established. In addition, GINA does not cover life, long-term care, or disability insurance providers. Some, but not all, states and other jurisdictions have laws that protect individuals with regard to their Genetic Information. You may want to consult a lawyer to understand the extent of legal protection of your Genetic Information before you share it with anybody.
Furthermore, Genetic Information that you choose to share with your physician or other health care provider may become part of your medical record and through that route be accessible to other health care providers and/or insurance companies in the future. Genetic Information that you share with family, friends or employers may be used against your interests. Even if you share Genetic Information that has no or limited meaning today, that information could have greater meaning in the future as new discoveries are made. If you are asked by an insurance company whether you have learned Genetic Information about health conditions and you do not disclose this to them, this may be considered to be fraud.
23andMe Terms of Service as accessed and in force on 4/22/2018
This is a good warning against sharing your genome or any data from your genome with others. You may want to consider that before you purchase your DNA testing kit and share your genes and data with them.