Computers, Privacy & the Constitution

Genealogical Tracing and DNA Database Privacy

-- RochishaTogare - 16 Apr 2022


Despite how new genetic testing is as a field, DNA-based tests are key to ensuring the proper attribution of evidence in criminal cases, to confirming one’s identity (as the government would like us to believe, a simple measure for ensuring the safety of the citizenry), and to medical procedures that ensure the health of patients through both mild checkups and acute illnesses.

However, a company came around in 2012 that changed the “access” to this technology. In exchange for a quick and easy oral swab, Ancestry, a for-profit genealogical testing firm, offered a “new affordable” home-testing kit combining “state-of-the-art DNA science with the world’s largest online family history resource and a broad global database of DNA samples.” With these few lines, genealogical tracing became a consumer product that anyone could engage in for fun to understand their ancestral background.

What the company failed to mention was that this data was not simply received and tested, the results sent to the user, and the data then magically erased to ensure the user’s privacy. How could it be, when the service relies on more users offering data for past and future samples to be tested against? How else can one “find distant cousins who may hold the keys to exciting family history discoveries?”

Facing the Implications of Database-Driven Technology

The craze for DNA ancestry and genealogical testing saw a climax in 2018. There were more DNA tests purchased in 2018 than in all previous years combined, as more services like 23andMe and MyHeritage cropped up to take advantage of the market.

Then in April 2018, California law enforcement announced that they had used a genealogical database, one very much like the databases used by the genealogy tracing companies above, to identify the Golden State Killer. It was received incredibly positively, as a similar database helped release an innocent man from prison. Cynthia “CeCe” Moore, the major player in bringing the truth of the case to light, had made a career of using DNA databases and information provided on home-testing kits, including individuals’ names and email addresses, to track criminals through ancestral matches.

But soon after, GEDMatch and other DNA sites had to backtrack when consumers asked how Cynthia and other experts had gained access to this data. The site itself had begun to warn users that police were using the database, and it was quickly uncovered that large sites like FamilyTreeDNA (two million+ users) had been helping the F.B.I. without telling anyone. Then started the flood of opt-out options.

Policy Reactions

Undeniably, our founding fathers, and the changes made to the Constitution thereafter concerning the facade of privacy our documents provide, failed to foretell the creation of genetic tracing. Even HIPAA, enacted in 1996, was created before scientists of the Human Genome Project were able to fully reveal the first draft of our genetic code in 2003.

Some states did take measures into their own hands, albeit slowly, since the rise of issues in 2018. California signed into law the Genetic Information Privacy Act, which restricts the distribution of data gleaned from home testing kits, requiring individual consent before the data is used in specific ways.

Broadly summarized, the requirements are these: First, the bill features an opt-in to data distribution rather than an opt-out. Once opted in, users must have a reasonable means to cancel their consent. Second, companies cannot bury such consent clauses in long reams of text that users are unlikely to read. Lastly, users must be given a “clear and easy way” to delete their DNA data from the company’s database permanently and to further close their accounts.

Continuing Challenges and Considerations

Despite all the state action, law enforcement has hardly been known to care about what lines they cross in the pursuit of their justice. Several times, law enforcement has been proven to ignore the terms of the site that restrict use by such entities and to upload fake profiles in order to get the information they are after. It’s easy to take a DNA sample from a crime scene, drop it into a testing kit, label it with some fake information, and wait for results.

Except in the most severe of cases, it’s a wonder why people are so quick to hand over such fundamentally private information in the first place. A person may be curious about their genetic history and ancestral background, but DNA is the very next step of privacy, one that we would think people would refuse to trade to unknown entities and, ultimately, the government.

What is ultimately needed is to educate individuals more on the choice they are making, not just by simply saying “please indicate whether third-parties and governments may use your data,” but by informing consumers as to the permanence of such information once it’s out in the world. As with anything on the internet, deleting information doesn’t mean that information is truly deleted. Traces of that data, at the very least, will forever be online even with attempts to “wipe” such data. DNA, even more so, inherently connects people with one another, and you cannot simply erase such connections once they’re brought to light.

What happened in the Cambridge Analytica case, with people sharing friends’ lists with a third party without those friends’ knowledge or consent, is ultimately what DNA testing is on a far more intimate level. People fail to recognize that even one individual in a family offering up their DNA information undeniably reveals the information of every other member of the family, their participation in such home-testing kits or even consent notwithstanding. At the very least, testing may reveal information people are not ready to reveal, and it robs other individuals of their right to privacy.

The very nature of genetic genealogical testing robs individuals of choice and ultimately privacy.

This is an accurate summary of some factual background, accompanied by the rhetoric of danger. This too is not inaccurate. To improve the draft is to go beyond the announcement of danger to some purpose, to give the reader some remedies to consider or actions to take.

You do not point out the particular forms of externality that result for the relatives of those who decide to give away genetic information. One of my first cousins compromised the genetic privacy of his lineage for generations out of curiosity about possible lost relatives. But this might be a predicate for regulatory intervention, as the concept of "family privacy," to break down the "my genes are my property" conception.

Overall, then, you want to sharply curtail the background material that is known to all, and to concentrate on the new ideas you can bring to bear.


r3 - 01 May 2022 - 16:30:04 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.