Law in the Internet Society

DNA Privacy: Pressing Concern and Political Rallying Point

-- By CharlesRice - DRAFT 3


Your DNA is the most fundamental information about who you are. More than that, it's fundamental information about who all of your family members are too. With the genetic data of one family member it’s possible to make inferences about the genetics of blood relatives. This includes those living, dead, and yet unborn.

The security of our genetic data, and the uses to which it can legally be subjected, has taken on practical importance in the context of 1) a global economy increasingly fueled by personal data and 2) the emergence of companies that offer low-cost, direct-to-consumer (DTC) genetic tests.

Absent safeguards on the acquisition and use of this information, there are both immediate and long-term risks to equality, freedom, and human agency. As our ability to discern useful insights from expanding indexes of genetic information improves, it’s imperative that we address DNA privacy. Moreover, proximate concerns around the use of genetic data present an opportunity to bootstrap political focus to address broader privacy issues.

DTC Genetic Testing Companies

While their meteoric rise has been hard to track perfectly, estimates suggest that DTC genetic testing companies had tested more than 26 million people as of 2019. Their business model is fundamentally reliant on exploiting the genetic data they collect. In the long term, DTC companies expect that there will be future, profitable uses for this data (i.e. developing new drugs).

In the short term, however, the main revenue stream comes from the sale of genetic data to third parties. While all of the data sold must be “de-identified” to remove names, it’s not clear this is effective; DNA is intrinsically identifying. Once you’ve agreed, it is impossible to pull your data from use in current or completed studies conducted by third-party buyers of your data. DNA testing firms are already lobbying for further erosions of genetic privacy.

Disturbingly (if unsurprisingly), very few customers understand what they’ve given away when they purchase an at-home genetic test. In 2016, only a third of the 86 existing DTC genetic companies provided sufficient explanations to customers on privacy and the permitted uses of their genetic information.

Immediate Threats

Even if you haven’t shared your DNA results online, it’s likely a family member has, and with this information, it is possible to make inferences about your DNA. As a result, we are rapidly approaching a universal DNA database. Studies suggest that 60% of white Americans could be identified from an anonymous DNA sample through reference to public genealogy databases, and that this number will rise to 90% in only a few years. Nearly everyone’s genetic information is (or soon will be) available and at risk of being misused.

Widespread access to libraries of DNA data, created in part by DTC genetic companies but also by national health ministries, has already led to high-profile criminal arrests. The Golden State Killer was identified in 2018 when DNA found at a crime scene was matched to a relative’s DTC results uploaded to a public genealogy website. In 2015, Sweden used a national DNA database to identify the assassin of their Foreign Minister Anna Lindh a decade after her death. These capabilities should prompt chilling questions around law enforcement and civil rights. China, for example, is using DNA information as a tool of control in their ongoing campaign of suppression against Muslim Uighurs.

As genetic discrimination becomes technically feasible, it could transform access to employment, healthcare, and other opportunities. Congress hoped that the Genetic Information Nondiscrimination Act of 2008 (GINA) would be the “first civil rights bill of the new century of the life sciences.” While GINA does offer some protections (you can’t be denied employment or health insurance because a DNA test shows you face an increased risk of cancer), it also leaves gaping holes (you likely can be denied employment or health insurance because a family member took a DNA test showing an increased risk of cancer; life and disability insurance are not covered at all).

For now, there are legal and scientific barriers to cloning and DNA experimentation; once sequenced, however, DNA information can be stored indefinitely. The diffusion of gene-editing technology also means that nearly anyone can “hack DNA.” CRISPR offers a mail-order gene-editing kit for only $169. This combination should raise dystopian shivers. We can officially start worrying about someone cloning us in their basement someday.

Henrietta Lacks' story suggests that gaps in the protection of our genetic data will be exploited. We’ll have to hope that safeguards are improved upon rather than weakened over time. This will not be achieved without proactive change; experts have described the current U.S. legal regime as imposing “no limitations” on future uses of DNA data.

Bootstrapping Political Will

The DNA privacy movement should be tied to the broader data privacy rights agenda to catalyze a paradigmatic change in the treatment of personal data and individual sovereignty over their most sensitive information. Doing so would amplify consumer education, empowerment, and political action.

The threats posed by inadequate DNA privacy have driven changes in individual decision making in a way that the risks of sharing more “mundane” data from phones, computers, and other connected devices have not. DTC genetic testing companies have seen a significant slowdown in new tests amidst fears around genetic privacy. This consumer demand has spawned genetic testing companies with business models that grant participants sole ownership and control of their data and enable them to sell that data anonymously. This should offer lessons for Americans who feel helpless in controlling their data privacy: the decisions of informed consumers can motivate change.

There appears to be an appetite for political agreement on genetic data protections, but these conversations should be linked to larger legislative gaps around health and data privacy. The main law protecting health data (HIPAA) is recognized as being outdated and obsolete in the face of modern technology. Its replacement should link health and genetic data to comprehensive privacy reform in the spirit of the GDPR.


r5 - 07 Jan 2021 - 21:23:39 - CharlesRice