Who knew something as simple as some spit would change the technological landscape in 2018? Yet that is precisely what companies like 23andMe, which launched its DNA testing service in 2006, have been banking on. Over 12 million people have sent their spit off to testing companies like Ancestry.com, 23andMe, MyHeritage, FamilyTreeDNA, and the other 40-plus DNA testing companies. It seems the Age of Genomics is here. Whether it’s a utopian Golden Age of the future or a dystopian Dark Age remains to be seen.
The proof is in the saliva
The steps are simple: order a kit from a DNA testing company, use the spit kit to collect your saliva, send the barcoded tube back to the company in its pre-paid package, and then discover – who you are, where you come from, and, perhaps, who you’re meant to be. For $199 – the current price for the recommended kit from 23andMe – consumers get ancestry reports and genetic health risk reports. It’s an enticing prospect.
But DNA testing companies aren’t making their profits off the kits they sell to consumers. Instead, they are collecting millions of DNA samples that include personal health information (PHI) and turning around to sell it to research and pharmaceutical companies.
“The companies offering these tests largely make their money not from doing the tests, but from selling the genetic information to other companies interested in having access to large genetic databases,” says Professor Sheldon Krimsky of Tufts University.
23andMe stands to make $300 million on its recent deal giving exclusive access to its DNA database to GlaxoSmithKline (GSK), a massive biopharmaceutical company in the UK.
For many consumers, this came as an unpleasant surprise. What at first appeared to be a fun and scientific way to learn more about yourself – at one time 23andMe’s website stated their goal was to bring “you personal insight into ancestry, genealogy, and inherited traits” – quickly evolved into health risk profiles, drawing rebuke from the FDA in 2013. (The FDA has since withdrawn its complaint, and 23andMe now sells genetic health risk kits.) The real risk that even the FDA is missing isn’t that your DNA will be misused to give poor medical advice; it’s that the company is collecting your data to create a profitable database that it can then sell.
As Charles Seife pointed out in his Scientific American article “23andMe Is Terrifying, But Not For The Reasons The FDA Thinks” back in 2013, “The Personal Genome Service isn’t primarily intended to be a medical device. It is a mechanism meant to be a front end for a massive information-gathering operation against an unwitting public.” Seife goes on to use the example of Google, your local friendly search engine that became the largest indexed database of information in the world, raking in $10 billion annually by providing your personal preferences to advertisers and corporations.
Turns out, the data lurking in your DNA is more valuable than you thought. But to whom? The contenders: consumers, DNA testing companies, and the community. 23andMe argues the latter; your DNA benefits the community by helping find cures faster. In the 23andMe and GSK deal announcement, 23andMe’s CEO Anne Wojcicki said, “By working with GSK, we believe we will accelerate the development of breakthroughs.”
Today, 23andMe’s core values state, “We are a mission-driven company with big dreams of using data to revolutionize health, wellness and research. We want to improve healthcare. We want to prevent disease. We want to give individuals control over their health data. We want to dramatically accelerate the pace of research. We want to develop better drugs smarter and faster.”
That’s all well and good; however, when these drugs do finally come to market, the question remains whether consumers – the same people who donated their DNA to “science” – will see the price of drugs drop in return for their contributions.
Does PHI protection even matter?
“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all,” writes Robert Post, a leading legal scholar, in the Georgetown Law Journal in 2001.
On the other hand, when this question was posed to a colleague, he answered, “Meh. My data’s already out there. Who cares.”
Aye, there’s the rub. Privacy is complex, and with less and less of it in our daily lives, perhaps we no longer see its value. But your PHI is valuable – and not just to the vaults of genetic testing companies. Illegal entities value the immutable nature of your medical records. Unlike your credit card, which can be cancelled and replaced, or even your social security number, which – though it will be a hassle – can be newly administered, the PHI in your medical record can’t be replaced. A medical record on the darknet – the non-indexed collection of markets where hackers, criminals, and privacy advocates linger – sells for between 10 and 50 times as much as a credit card number.
This is precisely why HIPAA, the Health Insurance Portability and Accountability Act, was signed into law by President Bill Clinton in 1996. It protects PHI from being shared by healthcare organizations. It also enforces standards of security that “apply to any health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions”. Hospitals, clinical call centers, billing and payment entities, and other healthcare enterprises must follow these rules.
The Genetic Information Nondiscrimination Act (GINA), passed in 2008, solidified these standards around genetic discrimination. Employers and health insurance companies can’t request your genetic results or use results to discriminate against offering you a policy.
But 23andMe does not provide insurance, nor is it a healthcare organization, even though it markets health risk kits. It is a direct-to-consumer private company; therefore, HIPAA and GINA don’t apply. Genetic testing companies have no legal obligation to act in consumers’ best interests. Nor do the laws protect consumers. Long-term care insurers – those who sell life insurance policies or disability insurance – can’t use your genetic information to sell you health insurance, but they can use genetic tests to decide whether to offer you an insurance policy. During initial qualifying interviews, long-term care insurers can ask if you have undergone genetic testing, and you are obligated to disclose it. The 1997 science fiction film Gattaca might have been ahead of its time – but only just.
De-identification, pseudonymization, re-identification, and federal laws
Then there’s the risk of the data used in research being connected back to an individual. In 23andMe’s privacy statement, they claim that “Registration Information is stripped from Sensitive Information, including genetic and phenotypic data. This data is then assigned a random ID so the person who provided the data cannot reasonably be identified.” The keyword there? “Reasonably”. De-identification and pseudonymization, as these processes are called, cannot reasonably be considered secure.
In 2017, multiple studies, including Boris Lubarsky’s ‘Re-Identification of “Anonymized” Data’, showed that DNA cannot be fully anonymized, simply because it is individual to every person (excepting identical twins). But the research isn’t new; in 2013 – the same year the FDA addressed concerns with 23andMe’s data privacy – Science published a report by Professor Melissa Gymrek titled ‘Identifying Personal Genomes by Surname Inference’. In it, Gymrek and her co-authors describe an easy methodology for recovering surnames “from personal genomes by profiling short tandem repeats on the Y chromosome”. Not something your average hacker can likely do, but a multi-billion pharmaceutical company? Perhaps.
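The limit of "strip the registration information and assign a random ID" can be measured before any data leaves the building. The following is an added illustration, not part of the original article and not any company's code: a data steward's uniqueness check (k-anonymity) run over constructed records. The field names, repeat counts, and helper functions are assumptions made for the example.

```python
import secrets
from collections import Counter

# Constructed sample: registration info plus repeat counts at four
# Y-chromosome STR markers. All values are made up for illustration.
RECORDS = [
    {"name": "Person A", "email": "a@example.org", "DYS19": 14, "DYS390": 24, "DYS391": 11, "DYS393": 13},
    {"name": "Person B", "email": "b@example.org", "DYS19": 14, "DYS390": 24, "DYS391": 11, "DYS393": 13},
    {"name": "Person C", "email": "c@example.org", "DYS19": 14, "DYS390": 23, "DYS391": 10, "DYS393": 13},
    {"name": "Person D", "email": "d@example.org", "DYS19": 15, "DYS390": 24, "DYS391": 10, "DYS393": 12},
    {"name": "Person E", "email": "e@example.org", "DYS19": 15, "DYS390": 25, "DYS391": 11, "DYS393": 13},
    {"name": "Person F", "email": "f@example.org", "DYS19": 14, "DYS390": 22, "DYS391": 10, "DYS393": 14},
]
REGISTRATION_FIELDS = ("name", "email")

def pseudonymize(records):
    """Strip registration fields and assign a random ID to each record."""
    rows = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in REGISTRATION_FIELDS}
        row["id"] = secrets.token_hex(8)  # random, unlinkable to the name
        rows.append(row)
    return rows

def profile(row):
    """The genetic fields that survive pseudonymization, as a hashable key."""
    return tuple(sorted((k, v) for k, v in row.items() if k != "id"))

def k_anonymity_report(rows):
    """Return (k, unique_fraction): the smallest group of rows sharing one
    profile, and the share of rows whose profile matches no other row."""
    counts = Counter(profile(r) for r in rows)
    unique = sum(1 for r in rows if counts[profile(r)] == 1)
    return min(counts.values()), unique / len(rows)

def generalize(rows, keep):
    """Mitigation sketch: release only the markers in `keep`."""
    return [{k: v for k, v in r.items() if k == "id" or k in keep} for r in rows]

if __name__ == "__main__":
    rows = pseudonymize(RECORDS)
    print("all markers:", k_anonymity_report(rows))
    print("one marker: ", k_anonymity_report(generalize(rows, {"DYS19"})))
```

With all four markers released, most rows are the only one with their profile even though no name or email remains; releasing a single marker raises k but discards most of the research value, which is the trade-off the rest of this section turns on.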
The National Institutes of Health (NIH) recognizes the risks; in its overview of the National Human Genome Research Institute, the NIH points out that your DNA can never be fully anonymized and that balance is needed.
“People have a right to keep their medical information, and that of their dependents, private. Yet medical records are a rich source of research data, and it is in the interest of medical research, and thus everyone’s health and well-being, that scientists have access to large numbers of participants and quantities of data. How do we strike the proper balance between scientific progress and patient privacy? Federal laws, like the Common Rule and the Health Insurance Portability and Accountability Act (HIPAA) aim to strike that delicate balance.”
Since HIPAA and GINA don’t apply to DNA testing companies, though, and people giving DNA samples to these companies are considered consumers, not patients, the federal laws can’t help.
23andMe and consumer consent
Of course, according to 23andMe and other DNA testing services, you have nothing to worry about. A 23andMe spokesperson, who spoke to Gizmodo regarding recent headlines, said, “23andMe implements various physical, technical, and administrative security measures to protect all 23andMe customer data, including de-identification.” And, as DNA testing companies are quick to point out, consumers can easily opt out of any genomic sharing and research.
Presently, 23andMe is forging ahead. Last year, the FDA approved the company’s plan to sell consumers tests that identify up to ten different diseases and conditions that have genetic links, and as recently as this March it gained the go-ahead to inform consumers about breast cancer risks.