In the modern world it’s easy to take the rapid pace of change for granted.
The steady stream of highly specialized, expensive technologies that are scaled and brought to market as direct-to-consumer products are more than enough to elicit soul-searching among the general population.
And maybe they should. Because in 2019, the general population is very concerned about taking back some of the privacy they so freely gave up in recent years without a second thought. Some of these technologies go deeper into a person’s private life than ever before.
Take DNA testing, for example. Could a technology go any deeper?
Given the comparative infancy of genetics, the recent emergence of home DNA testing kits seems nothing short of miraculous. Indeed, the National Human Genome Research Institute concludes that the cost of DNA sequencing has been reduced by orders of magnitude in only a decade.
The kits promise results that at the least promise a bit of fun—perhaps an unexpected far-flung ancestral connection. At best, test results can be potentially lifesaving, identifying genetic predisposition to a range of medical conditions.
But you don’t have to be Orwell to understand that the decision to allow a profit-driven company to analyze a person’s data at a genetic level represents a new level of privacy threat. It makes the traditional categories of personal data seem tame by comparison.
This is the thought process that my wife and I worked through when a friend suggested that we buy a DNA test kit for our three-and-a-half-year-old son (we’ve also got a pair of six-week-old twins. Sleep is a distant memory—but that’s another story). Our friend had used the test with their family, and had a lot of fun examining the results. No doubt there’s something compelling about seeing, in granular detail, the genealogical makeup of your child. But as someone who thinks about data privacy for a living, this got my gears churning.
Fatherhood challenges you to make responsible decisions for those who can’t understand the full scope of an issue. In a way, it mirrors the responsibility wielded by companies at the vanguard of tech—can they be trusted to use their power in a way that benefits their users? On the question of the DNA test, I decided to do some more digging into the topic and came out with two takeaways: First, I decided I wasn’t comfortable enough with data privacy standards in this area to go forward with the test. Second, I realized that the field of DNA testing showcases a number of data privacy issues that prevail across the technology sector.
My DNA testing deep-dive
I emerged from my deep-dive into the topic skeptical about the effectiveness of current regulation to protect consumers’ genetic information from being exploited in ways they can’t foresee. Most importantly, the data yielded by these kits are not considered or classified as actual medical health data, which is protected by the strict regulations of HIPAA. The only legislation directly concerning this data is called the Genetic Information Non-discrimination Act (also known as GINA), and it has been criticized by privacy experts for its narrow scope. There are some alarming gaps in what GINA does not protect, as we learn from health and wellness reporter Julia Ries:
“GINA does not protect members of the US Military, Indian Health Service, Veterans Administration, federal employees and those who work for a company with fewer than 15 employees … Additionally, GINA does not apply to life insurance, disability or long-term care insurance in most states, meaning that these premiums could very well fluctuate based on your test results.”
What’s more, in many of these companies’ intake process, consumers opt in to allowing their DNA results to be shared with third parties. The wording and scope of this permission varies by provider, but as we know from the history of companies like Facebook, the fluid nature of opt-in consent could mean that a user has their genetic data leveraged in ways that may not have been immediately obvious during the opt-in process—as when companies have
Privacy policy design can be an ambiguous business even with the best intentions, and I think it would be naive of a consumer to believe that DNA testing companies don’t have an incentive to leverage your data in ways that can’t be foreseen.
The only certainty is uncertainty
I see the trajectory of social media as very instructive in the case of DNA testing. Only a few switched-on observers understood the incredible profit potential that lay in Facebook’s accumulation of personal data when the site debuted in the early 2000s. Similarly, it’s just not possible to predict how responsibly these DNA companies will behave in the future. It’s also impossible to predict how robust the security infrastructure of these companies will prove. And it’s impossible to know if they’ll be acquired by someone like an Amazon with intent to match purchase behaviors to the expressions of certain genes. Terrified yet?
In short, even if I refuse to opt into any sharing or reselling permissions, the precious nature of the data in question—literally the very fabric of my children’s bodies—means that I could never rest easy knowing it lived on the servers of a privately-run, profit-seeking enterprise. It’s an issue that exists across the tech sector. In this case, the risks feel particularly pronounced.
So, I decided that my children, like the billions and billions of children that lived on this planet from time immemorial until approximately 2015, will spend their youth completely oblivious to their genetic makeup. They can wait until they’re 18 to find out whether they have distant Polynesian ancestry or slightly elevated risk of rheumatoid arthritis. I think we’ll all sleep better at night.