We need to talk about DNA data privacy

With the recent controversy over the harvesting of personal Facebook data, the public is rapidly becoming aware of the threats to their privacy that exist within the apps and services that they use every day.

Individuals are learning exactly what information these companies are storing about them, and the issue of personal data control within free-to-use platforms is firmly in the spotlight.

But while the outrage is understandable and the privacy implications here are profound, it is surprising how little has been mentioned to date about the mass storage of human DNA information — a data source that is growing at a prodigious rate. It seems that few people are giving a second thought to the privacy issues surrounding the storage of this most personal of data.

As many as2 billion genomes are expected to be sequenced by 2025. Companies such as 23andMe and AncestryDNA are accelerating this trend by offering self-testing kits for as little as $79. The massive amount of data this kind of testing produces (as much as 400 GB for a single file) is stored in the centralised databases of companies whose business models revolve around selling it to third parties.

So why are people sleepwalking their way into another data privacy quandary that could have a far more negative impact on their lives than their social media data?

One of the reasons is that people are simply not aware that these companies are selling their data. It is certainly not something that gets advertised as part of their sales pitch to consumers, but the reality is, sales of this data is a major driver of the business model of direct-to-consumer genetic testing companies. Low-priced DNA tests are simply a means of gathering the data.

It may be that mass storage and sharing of this data has not raised an outcry due to existing rules surrounding it.Individuals might take comfort from laws such as the Genetic Information and Nondiscrimination Act (GINA) of 2008, which prohibits health insurers and employers from requiring or using genomic data to make decisions.

Significantly, though, this law does not preclude life insurance providers from requesting access when the genomic data exists. And a 2017 amendment to the bill, which proposes to essentially undermine some of the protection afforded by GINA, was proposed, and should serve as an important reminder that regulations can change, particularly as more information becomes available from DNA, and as that information gathers further momentum to make significant impact to a person’s well-being.

Individuals should also treat public reassurances from DNA-storing companies with caution. Last year, AncestryDNA tweaked a contractual clause to give it “royalty-free, worldwide, sub-licensable, transferable licence to users’ DNA data for purposes including personalised products and services,” but when asked about personal data control by the BBC, it told the news organisation that “customers own their DNA and data and control what we do with it.”

The real question is whether centralised company databases that are enticing targets for hackers can legitimately promise ownership and control for personal data.

These companies demonstrate a worrying complacency about hacking. CEO Anne Wojcicki has said that she questions whether 23andMe’s data is an attractive prize for hackers.

But when you consider the rich data that the company stores, the clearly malicious history of hackers accessing individuals’ personal libraries and the fact that it has been demonstrated how de-identified data can be triangulated with other data to identify individuals, this data privacy time bomb is a very real threat. Whether data is de-identified and aggregated isn’t the point. The storage of it in centralised databases is unnecessarily unsecure.

A better approach would be to embrace existing decentralized data storage solutions.

Blockchain technology, and the combination of decentralized data storage, computational consensus and asymmetric cryptography that it involves, provides an improved solution.

Facebook’s inability to predict that personal data gathered via a Cambridge University academic’s app would be acquired by a public relations organisation to build targeted political ads should serve as a reminder to users of how complex personal data storage and access can be, and that they have an interest in maintaining ownership over their data.

For individuals, the self-sovereign identity solutions that are available today can not only give them control over their data, but also empower them to decide who can access it — something that they don’t have with the current centralized genomic DNA storage model.

About the Author

Dr. Axel Schumacher is the CEO and co-founder of blockchain-enabled genomic data hub Shivom and has more than 20 years’ experience in the genetics field. Shivom’s platform aims to be the largest genomic and healthcare data hub on the planet, allowing the world’s population to have their genomes sequenced and securely stored with the help of blockchain technology.

Related Articles