Your Genome May Have Already Been Hacked
By Norman A. Paradis
On April 25, California law enforcement announced the possible capture of a long-sought serial killer. Shortly after, it was reported that police had used public DNA databases to determine his identity.
This extraordinary event highlights that when you send off a cheek swab to one of the private genome companies, you may sacrifice not just your own privacy but that of your family and your ancestors.
In a time of widespread anxiety over the misuse of social media, Americans should also be concerned over who has access to their genetic information.
For-profit genome testing companies like 23andMe make money, in part, by selling anonymized genomic data. Many people may not realize that re-identifying genomes – that is, identifying an individual from their genetic profile – is a relatively straightforward process. In one study, researchers could re-identify five of 10 people, as well as their families.
Humans share about 99 percent of their DNA bases with one another. The few differences that exist are often sufficient to figure out who’s related to whom.
The genome has been something of a disappointment medically. Physicians generally can’t do much with the information that a given patient has, say, a 3 percent greater risk of dementia. But those data are potentially very useful to insurance companies and employers trying to lower their risk.
The Genetic Information Nondiscrimination Act, a federal law passed in 2008, prevents insurance companies and employers from forcing people to undergo genetic testing. But it doesn’t necessarily prevent bad actors from using dark-web databases and advanced analytics to give themselves a commercial edge.
There have been no reports yet of companies doing this. But we live in an age in which it seems the possible becomes probable on an almost daily basis.
The financial services industry offers a cautionary tale for the customers of the genome industry. Banks are highly regulated and supposed to provide state-of-the-art protection, yet they have been hacked.
Compared to financial institutions, genome companies are lightly regulated. Eventually, one or more of them will be hacked or even caught selling “risk profiling” services to third parties.
With respect to police and prosecutors, the situation is somewhat different. In the end, they must submit their work to the courts. It’s possible that setting up a fake account on an ancestor DNA website, as the California police reportedly did, constitutes unreasonable search and seizure.
Given the large financial rewards and the behaviour of other industries, millions of American families should likely consider their genomic privacy as already compromised. If the genome of one of your relatives is in one of these databases, then essentially so is yours.
In the uncommon circumstance that not one member of a whole family has yet sent off a cheek swab, that family might want to consider opting out of this whole thing until society sorts out risks, benefits and privacy protections.
Most people, however, will have to wait and hope they will not be harmed by a genomic revolution that has provided them with little benefit.
Norman A. Paradis, MD, is a Professor of Medicine at Dartmouth College and the Director of Emergency Medicine Research at Dartmouth Hitchcock Medical Center. He is an emergency physician who works in academic medical research and private sector biomedical device development.