In a scene from the dystopian sci-fi novel Hum, the protagonist returns to a public toilet to retrieve her ten-year-old son’s poop, fearing that his DNA might be used to identify her, undermining the painful steps she’s taken to avoid surveillance detection. While we’re not at the point where surveillance cameras can instantly identify a target, DNA analysis is far more advanced, along with the risks of the information getting in the wrong hands.
“In theory, if there’s a mess-up with your credit card or Social Security number, you get a new one, it can be fixed. But there’s absolutely no way to get a new genome.”
Mark Gerstein, professor of biomedical informatics at Yale University
The Good
DNA analysis has been used to determine paternity, unearth “anonymous” sperm donors, find half-siblings, identify criminals, and exonerate those criminally accused. It can be used to assess genetically related health concerns, enabling lifestyle modification to minimize disease risks or deselect candidates for jobs or, theoretically, to reject candidates for insurance based on their propensity for disease. Future applications envision selecting embryos with the highest genetic potential for brains, brawn, or beauty – at the preference of the progeny designer. For most of us, the technology can mine and confirm information about one’s ancestors, whether hidden or revealed through family lore. But it can also design bespoke-genetic therapies and pharmaceutical interventions, which is of significant interest to Big and Little Pharma. In short, DNA analysis has the potential for good and abuse, huge profits, and financial wipe-outs.
Who Am I?
Most of our DNA is identical across the human species. However, regions of variation exist across the genome – the complete set of genetic material (genes) in a cell or organism. By identifying both the commonalities and differences across and between genomes, lots of information can be retrieved.
In 2007, when 23andMe began its direct-to-consumer marketing, the company provided ancestry and health information. The customer provides a saliva sample that is assessed for thousands of common genetic variations single nucleotide polymorphisms (SNPs). This allowed the identification of genetic markers of diseases such as Parkinson's, celiac, and Alzheimer's. The company also provided ancestry, or genealogical DNA data, “magically” unearthing long-buried ancestral secrets and verifying ancestral relationships.
Ethics
“[T]easing out a DNA fingerprint and determining the likelihood of a match between a suspect and a crime scene is a complicated process that relies upon probability ….. Government-administered DNA databases, such as the Combined DNA Index System (CODIS), … help speed the process, but they also bring to light complex ethical issues involving the rights of victims and suspects alike.”
- Karen Norrgard, PhD Nature Education
Along with questions about accuracy, the ethics of DNA-based identification has come under scrutiny. Much of the ethical concerns have been addressed by disclosures, disclaimers, and securing informed consent when the identification request is voluntary. For involuntary or unconsented use of open source databases to identify perpetrators or anonymous gamete donors (who relied on anonymity agreements), the ethics are unclear, even as states can collect and store DNA from arrested persons for future use in criminal prosecution.
The Bad: Instances of Unconsented Use
In one fraught case, Danielle Teuscher contracted not to use efforts, such as 23andMe and Facebook, to identify or contact the sperm donor who fathered her daughter, Zoe. Perhaps unable to resist the lure of the genetic-id technology, Ms. Teucscher located and contacted the presumed donor, shortly thereafter receiving a “cease and desist” letter from the sperm bank. She was warned “not to contact the donor or learn more information about his identity, background or whereabouts" and advised that the sperm bank could "seek $20,000 in liquidated damages" against her. The sperm bank also withdrew "four additional vials of donor's sperm” she had purchased in planning for Zoe’s genetic siblings.
And the Ugly” The Databank Build Up
In 2013, as the FDA and various states clamped down on 23andMe health-related reports, they changed their business model, focusing on building a genetic database that could be mined for research studies by academic researchers or drug companies. By 2024, 23andMe claimed they had genotyped 14 million individuals. To induce use and assuage the concerns of prospective users, they promised privacy and confidentiality even though HIPAA (the ubiquitous privacy rule requiring health care providers to safeguard patient privacy) doesn’t apply to companies like 23andMe, furnishing DNA information.
Last year, about half of 23andMe’s records were hacked, mainly of Ashkenazi Jews and Chinese, by a hacker using the pseudonym “Golem” who offered to sell the names, addresses, and genetic heritage on a dark web forum. That event triggered the stock’s Niagara-like fall, along with a class action suit that cost the company thirty million dollars in settlement. Attorneys representing victims in a class-action lawsuit worried that the ethnicity-specific groupings could amount to a “hit list,” attracting terrorists looking to identify people of Jewish heritage and Chinese intelligence agencies, which have a history of surveilling and intimidating dissidents abroad.
Subsequently, 23andMe upgraded its privacy and security walls. It may not be enough. The company is financially tanking, and concerns are arising regarding the obligations of the data’s next owner.
As to the company’s prospects, Anne Wojcicki, 23andMe’s CEO, has wavered on selling, nevertheless, writing in a filing to the SEC:
“I remain committed to our customers’ privacy and pledge,” meaning the company's rules requiring consent for DNA to be used for research would remain in place, as well as allowing customers to delete their data.”
While 23andMe promises to ask permission before using customer data for commercial or research purposes, that provision doesn’t bind their successor in interest. Even if confidentiality and privacy were part of a future sales agreement, this would not be guaranteed to continue with subsequent purchasers.
According to 23andMe, there doesn’t seem to be a real risk, as all of its genetic data is anonymized, making it impossible to connect the sample to a specific individual. What’s more, 23andMe has, so far, successfully rebuffed the efforts of law enforcement to subpoena company data.
The Obligations of DNA Bank-Successors-in-Interest
The genetic databank is the company’s most valuable asset, and it might be divested even if 23andMe isn’t sold, declared bankrupt, or taken private. However, they appear to have little legal protection. While some customers might find it laudable that their genes are being used for research, others worry about the obligations of the next custodian of their nearest and dearest proteins,
“Those worried about their sensitive DNA information may not realize just how few federal protections exist.”
- Professor Anya Prince, University of Iowa's College of Law
The Atlantic notes, “The company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset.” The clause, found in the fine print, leaves little room for customers to complain. The disclaimer/disclosure portion goes even further, noting:
“If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction, and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
Some say this notification doesn’t satisfy consumer consent requirements, and most consumers don’t contemplate that their DNA data will be sold to other companies.
There may be some limited remedies. Consider the Sears case, where Sears installed spyware onto the computers of users of their “My SHC Community” app. Even though this was disclosed in the privacy notice,
“The FTC concluded that given the significant privacy invasiveness of spyware, burying this fact in the privacy notice was not sufficient and was an unfair practice.”
Daniel J. Solove, Professor, George Washington University Law School
In the event of a sale of DNA data, an “unfairness” action brought by the FTC under the FTC Act could be useful. In Professor Solove’s words, “This would be a bold move for the FTC, but an important one
So, while DNA data has no specific federal safeguards, some states give consumers rights over their genetic information. And remember, customers can always revoke consent.
Those whose DNA resides in the 23andMe databank just might want to consider that option now.
[1] About 80% of 23andMe’s customers have opted to have their genetic data analyzed for medical research. Others might feel ripped off, having paid about $229 for a DNA testing kit and 23andMe monetizing that health data.
