I will be waiting until I can analyze my DNA myself, without handing it over to a company that is going to do whatever it wants to with it. We are not yet able to fully appreciate how valuable DNA is, and yet everyone seems delighted to pay companies to take it from them.
Perhaps they will be less delighted when they are convicted of a crime based off of a false positive, have their DNA shared with Facebook to Improve Their User Experience ™, or have their DNA made public after yet another security breach where it is left on an unsecured server.
Remember that your DNA is very valuable, literally. Those who have noticed recent progress in genomics should realize how valuable it would be to a competent advertising company, allowing them to profile and predict users with significantly higher personal accuracy, even if all they are doing is performing basic GWASs (https://en.wikipedia.org/wiki/Genome-wide_association_study).
People can get your DNA without your consent already, as your DNA gets onto every object you touch. The most valuable part about sending stuff to a DNA company is your consent, especially considering that sequencing costs have a super-moore's law like cost reduction. Once they have your consent they can share it, sell it, rent it, to recruiters for ad targeting, insurances, etc etc. Without consent they'd get onto dubious legal territory, if e.g. Amazon took gene samples from refunds. But maybe it'll just become part of their TOS, you not being able to opt out unless you don't want to refund your stuff to Amazon.
Not sure if the ability to sequence DNA yourself is really beneficial to privacy, after all that allows people to sequence the DNA of many people around them.
It would be nice to have better special regulations specifically concerned with DNA usage and collection, just as we do for health information like HIPAA, just as we should for facial recognition as well.
HIPAA does not explicitly call out genetic/genomic information as one of the oft-cited 18 elements of protected information [1]. However, genetic/genomic information is considered to fall under the 18th element, and HHS states that it must be treated as PHI [2,3]. In fact, HIPAA is very broad in its definition of PHI:
"The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." [4]
Finally, it's worth pointing out that some states (e.g, WA) have enacted their own legislation that specifically calls out genetic testing and data as PHI [5]. In addition, there is the GINA act, which provides some protections as well [6]
Counterargument: Consented mass datasets of DNA annotated with useful data (e.g. health records) are valuable. Your DNA by itself is pretty much worthless. There's a reason you pay 23andme to sequence it rather than them paying you.
Your DNA by itself IS informative to you; there are plenty of public SNP databases you can use for making useful comparisons. The basic "what ethnicity are you?" result that is the bread-and-butter of these companies can be ascertained by comparison with the 1000 Genomes database, which has detailed information on haplogroups.
You can probably also get raw SNP calls from a genotyping service. Human SNP genotyping costs about $300 a sample at-cost and can maybe be had for less. Few of these resources are commercialized for the general public, but they are certainly accessible if you just want the raw data.
In other words, the add-on from 23andMe is mostly convenience - they spare you the effort of having to locate these services and engage with them, and they spare you the effort of having to do your own informatic analysis.
I didn't say it wasn't useful to you. I said it wasn't valuable to others by itself. (At least to anywhere near the extent that people seem to imagine.)
It basically doesn't matter if you share your DNA or not-- if your siblings or extended family share their DNA, then a malicious actor knows almost as much about you as they want to. This is how Osama bin Laden was found, as well as the golden state killer [1].
Maybe justified in those cases, but if it's abuse you're worried about, nothing but extremely stringent laws have a hope of protecting you. Probably not even that.
I learned recently that the state of California collects DNA and blood samples from every newborn, post-1983, and stores it long-term somewhere. It's made available to law enforcement and researchers through some process or other.
You cannot opt-out but you can request that the samples be destroyed. They'll even send you a letter assuring you that it's been destroyed. How kind of them.
FWIW, 23andMe will actually delete your data if you send in a GDPR deletion request. I worked there, and half the company put in a 1-2 month effort into making sure deletions worked correctly, including residual data.
How do GDPR rights work for non citizens? (Ex: in America even non-citizens have constitutional rights while visiting. (This had to be decided at the SC level after some Italian immigrants were roughed up in the 20s and it was argued that's ok since they weren't citizens)
Can I book a vacation to Amsterdam, then demand deletion while on EU soil?
> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
As I understand it, because 23andMe also provides its service within the EU, the GDPR applies.
If they solely offered their service in the US, it's more tricky. Just being in the EU does not _necessarily_ mean the GDPR applies. Consider the following two examples[1]:
> A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist's personal data via the app by the U.S. company is not subject to the GDPR.
BUT:
> An app developer established in Canada with no establishment in the Union monitors the behaviour of data subject in the Union and is therefore subject to the GDPR, as per Article 3(2)b. The developer uses a processor established in the US for the app optimisation and maintenance purposes.
> In relation to this processing, the Canadian controller has the duty to only use appropriate processors and to ensure that its obligations under the GDPR are reflected in the contract or legal act governing the relation with its processor in the US, pursuant to Article 28.
Are there examples you can think of who will not? Generally speaking, I've found almost everyone after implementing data deletion for GDPR compliance allows its use globally. Mostly because the only thing they invite for refusing is more legislation compelling them to do it, and potentially making other demands as well.
> 23andMe chooses to use all practical legal and administrative resources to resist requests from law enforcement, and we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access.
> Contents of communications and any data relating to the DNA of an Ancestry user will be released only pursuant to a valid search warrant from a government agency with proper jurisdiction.
The purpose of Ancestry (and FamilyTreeDNA) is ancestry research. You don't go to Ancestry to get your DNA tested for diseases. You go there for ancestry research.
Yes, one purpose of the service is sharing with people who have similar DNA to you (not just police officers conducting dragnet searches). And it's not the "entire purpose" either, much of the ancestry data is available for you to view even if you don't use the sharing features.
> As specified in FamilyTreeDNA's Terms of Service, law enforcement can only receive information not already accessible to the standard user by providing FamilyTreeDNA with valid legal process such as a subpoena or a search warrant.
> Additionally, FamilyTreeDNA customers have the option to opt out of law enforcement matching entirely. If customers do opt out, they can still see their family matches but are excluded from being seen by law enforcement.
This does not make sense to me. I know that DNA can be taken physically from an individual with a warrant, so ostensibly that would hold with FamilyTree as well.
So: if one opts out, what is one opting out of? FamilyTree can't be suggesting that they'll withhold evidence because a customer opted out, can they?
"law enforcement can only receive information not already accessible to the standard user" = LE asking FTDNA for your DNA specifically
"law enforcement matching" = LE uploading suspect DNA to the service and looking for family members, who they will then contact for further investigation of relatives, which does not require a warrant.
due to a recent policy change, LE is obligated to identify itself as such before performing the latter type of search. you can ask FTDNA to exclude your information when a LE account looks for family matches.
Are you suggesting they’d voluntarily delete your data?
Opt out, to me, just means that they’ll share your data if issued a subpoena. However, I don’t know if you could get a subpoena to search the entire DNA database of a company.
I'm suggesting they could delete your data (as well as many other companies), and the possibility is deliberately not mentioned, so they can pretend to respect your privacy by requiring a warrant.
You traditionally can't get a warrant to get the DNA of the cousin of a suspect in a crime. With a centralized DNA registry you can get partial matches. So perhaps those are opt-out?
I personally feel that the next great privacy scandal is going to come from one of these DNA companies being hacked, or abused by law enforcement, etc. And we all will have seen it coming.
The issue, of course, is that unlike Facebook you can't just delete your DNA.
I don't think there is a huge difference with Facebook. You cannot delete your face (well, you can, but at a huge cost, with facial surgery).
So when your photos are leaked, you can't do much about it, deleting your Facebook account won't help here.
> “If FamilyTreeDNA can help prevent violent crimes, save lives, or bring closure to families, then we feel the company has a moral responsibility to do so.”
The FBI (and a variety of other organizations) can and will use the information for any and all purposes imaginable, and a number that are unimaginable.
As a family member of someone who sends in a FamilyTreeDNA kit, you're powerless to opt out. An implicit, traceable link to your own DNA suddenly enters the system against your will, and you have no recourse. Suddenly you become part of this this experiment in mass surveillance.
The people of rich democracies are way too trusting of their governments and don't read enough history. Saying that this service will be used to " help prevent violent crimes, save lives, or bring closure to families" is naive at best and something monstrous at worst.
Some uses are easy to predict. Genocide, for example. Others, no so much.
- Imagine a Bird-type gig economy in which thousands of cash-strapped people are hired (possibly by FamilyTreeDNA under contract from the FBI) to swab public places and objects for DNA, while the company compiles the results into a massive internet of DNA things. Now imagine that database being linked to a face-recognition system using public cameras.
- Imagine being turned down for a job because someone happened to get a peek at your FamilyTReeDNA profile and noticed a marker for mental illness.
- Imagine being sent to prison because some jackass politician starts believing in criminal DNA markers and you fit the bill.
I'll give credit to Bennett Greenspan for this. He knows how to wrap a massive invasion of privacy in the sweet-smelling blanket of saving us all from the criminal boogeyman.
Gattaca was prescient. It was a glimpse of what our future will look like if things continue this way unchecked. While those of us paying attention will find it terrifying, the majority won't notice or be bothered by it I fear.
The vast majority have been convinced that the "I've got nothing to hide" defense protects them. It works with surveillance, and it'll work with this too. They've already given up liberty to purchase some temporary security; Franklin would be upset.
Is it temporary safety though? A large enough DNA database might nearly eliminate serial rapists. That's one hell of an immediate (and permanent) benefit to trade off against some theoretical downside.
Well, the data might not eliminate them, rather quickly identify them for "special tasks", like when machiavellian directors intentionally seek bully managers to control their unit with fear. Identifying someone who has certain negative traits might fast-track them to positions of power.
Not sure how that follows, that requires the victims to come forward, be taken serious by the police, and the whole process to progress through the justice system in time for their second crime.
Not to mention the first rape wouldn't be avoided anyway, so it's a quite small security it buys.
How many serial rapists can there be, anyway? Of those, how many of them raped multiple people, instead of the same victim several times, who was too traumatized to go to the police? How many are family members?
The other—less terrifying—lesson of Gattaca was that adversity (by not being dealt a great hand) can lead to drive and innovation that surpasses the naturally gifted.
>Saying that this service will be used to " help prevent violent crimes, save lives, or bring closure to families" is naive at best and something monstrous at worst.
It will because it has been used to do just that.
> Genocide, for example
It's not like humans have had difficulty committing genocide in the past without DNA databases. The Rwandan genocide, for example, was done primarily with machetes and coordinated by radio. Similarly the rest of your hypothetical situations can be done without DNA testing if society wished to act in that manner. I don't see much weight in your scenarios at least compared with actual murderers and rapists going to jail.
I wonder what is the minimum % of people that need to have their DNA sequenced in order for any human to be able to be identified. The police cases mentioned in the past hint that we are already.
thanks. it seems that already (considering only GEDMatch's 850000 samples):
> Its also striking that were already in an era in which familial searches against publicly accessible SNP databases are feasible for a lot of cases, probably the majority
of cases where the suspect has substantial recent ancestry in the US
As a person who worked in a genetics lab for a while, those who are concerned about privacy should do the following: find a smaller lab and tell them from the get go you want all the data, and for them to delete it after sequencing, then find a third party to do the data analysis.
With sequencing at less than 1k these days, you should be able to do it for sub 3k with the analysis while protecting your privacy.
This is the reason not to ever use any of these scummy companies. What next? Should I sign over the rights to my DNA to them too so they can charge me for cell division and reproduction? Monsanto already does this. Fuck these people and their moralistic bullshit. It is our moral responsibility to not use such services if we at all care about privacy, security, and our own well being. Even DNA isn't 100% accurate. Do they think it's our responsibility to go to prison when our DNA is mistakenly matched to a crime scene too? Seriously, fuck these companies.
This isn't really necessary. Make a DNA database of crimnals. That guy who killed a child and left his sperm behind? He is bound to slip up and get arrested for something sooner or later.
No need for the FBI to start fishing for everyone's DNA.
England shows that "criminal" DNA databases expand as much as they can.
Now if you're arrested, not necessarily convicted, you'll have your DNA taken and kept on file for a few years. Note that someone had to take England to the EU court of human rights to get this changed so that people found not guilty, or people not charged, won't have their DNA kept indefinitely.
'Moral responsibility' is a very interesting choice of words given the history of this institution. But, feels like history isn't used for forecasting doom if it causes short-term inconvenience.
I wonder how many men are worried that this sort of matching is going to turn up children they didn't know they had fathered. That situation is a lot more common than cold case serial killers.
Those sort of errors cause all sorts of more serious trouble in another way:
Men finding out they didn’t father children they thought they did.
I worked at a genetics lab, and day one training was that this happened all the time, and that we absolutely must not let people in medical studies know we’d found a mismatch. (In fact, we actively avoided noticing such things.)
Yes, but in this case what would happen would be mothers (or the children) actively searching for the dads, using those forensic genealogy techniques. The key of course is that the dad's DNA is not required to perform the search.
Same. Law enforcement already has plenty of tools to implement totalitarianism, should that be the goal of the political class. If we are in the dark universe where this eventually comes to pass, a DNA database is not going to make much of a difference in one way or another. On the other hand, in the world where we have good leaders, this tool offers a material delta in the finding and convicting of dangerous criminals.
I put the odds of that happening at pretty much 0.
Sometimes it is fun to think about the odds of me getting hit by a meteorite if I leave my underground bunker, but I'm not going to let that dictate my daily life.
Sadly it’s not that simple. You don’t have to use it, but unless you can stop your family as well they will have most of what they need from you that way.
Perhaps they will be less delighted when they are convicted of a crime based off of a false positive, have their DNA shared with Facebook to Improve Their User Experience ™, or have their DNA made public after yet another security breach where it is left on an unsecured server.
Remember that your DNA is very valuable, literally. Those who have noticed recent progress in genomics should realize how valuable it would be to a competent advertising company, allowing them to profile and predict users with significantly higher personal accuracy, even if all they are doing is performing basic GWASs (https://en.wikipedia.org/wiki/Genome-wide_association_study).