DNA for sale

Michelle McNamara’s tireless efforts to find the serial murderer and rapist known as the Golden State Killer paid off with the arrest of Joseph James DeAngelo.

Sadly, she didn’t live to see it happen. Her best-selling book I’ll Be Gone in the Dark: One Woman’s Obsessive Search for the Golden State Killer, published after her untimely death in 2016, has been widely credited with solving the case. And now an HBO series is on the way. But there’s more to the story, and it could well impact us all.

In this real life deus ex machina, the unexpected, if not entirely unforeseeable evidence that led directly to the arrest of the 72-year-old Vietnam veteran came by way of a relative’s DNA submitted to a genealogy website. Keep in mind that it was not his DNA, but that of a relative. And if this sounds like a good case to test the Fourth Amendment, I’m inclined to agree with you.

Don’t get me wrong. The Golden State Killer has been apprehended. That’s a development that is beyond words for those affected by his crimes. However, the circumstances of his identification give me pause.

The Fourth Amendment prohibits unlawful search and seizure. While the framers did not draft this part of the Constitution with the Internet in mind, they sure as Hell didn’t anticipate the advent of genealogical data companies that share DNA information with law enforcement. And even if, through some stunning act of clairvoyance, they had managed to foresee so much in the way of innovation, the identification of the Golden State Killer would still beggar the imagination. In fact, if you really consider what happened in the case, it should make your head spin.

The notion that genetic information contributed by a curious family genealogist could get a relative pinched for a crime is a stretch even for digital natives. The reason is this: Beyond the whizbang factor, the use of DNA data in this way may not always be legal.

There Oughta Be a Law

While it may seem like a legal question–and it is one–the solution will most likely come by way of consumer driven private sector innovation. Certain kinds of data gathering and processing, for example, may pose risks to privacy that consumers will no longer tolerate. Facebook’s recent woes are a testament to that fact.

If the way information moved around in the case of the Golden State Killer sounds familiar, then you’re already starting to connect the privacy-consumer-innovation dots.

Facebook’s founder Mark Zuckerberg landed in the hot seat at a Congressional Hearing  because the digital data free-for-all is no longer critic-free. Today, many consumers are becoming more knowledgeable about how their private information is being used (and exploited)–at least in a rudimentary way–and that data is big business. They know information comes from all over the place, and it has great value. Because this knowledge is no longer egghead territory, what companies do with the consumer information that they collect, hold and sell is one of the most pressing issues facing society today.

So, I listened with fascination as Mr. Zuckerberg answered a battery of questions posed by members of Congress (many having absolutely no idea how social platforms work) regarding the exploitation of Facebook’s user base as a motherlode for data mining companies like Cambridge Analytica. Facebook users didn’t see the underbelly of staying connected to friends and family, and it was not general knowledge that any information “shared” on the site (or “liked) would help marketers better understand both them and their connections, both on and off of Facebook.

While the potential identification and conviction of a legitimate monster suspected of 50 rapes and at least 10 murders rightly goes in the Win column, the ramifications of this story and what it means for privacy in a broader sense needs to be discussed.

What Do Companies Do with Your DNA?

Should you be expecting ads on your Facebook touting the best treatment for a cancer you haven’t yet been diagnosed with or local heart specialists? Perhaps. The truth is we have no idea how DNA data is moving around, who’s buying it, and, more broadly, what can be done with it.

The controversy surrounding data brokers like Cambridge Analytica and the wider role of Facebook in the surveillance economy has pulled back the curtain on privacy protection for the general public. Our likes, dislikes, and pictures of places, friends and pets have all been fodder for an enormous and often intrusive information apparatus. It goes without saying that in today’s digital Wild West environment data brokers may not be totally forthcoming about the ways they monetize the genetic information of their users.

The service that helped identify DeAngelo, GEDMatch, is a free and open-source website that by definition shares all information publicly–its Terms and Policy Statement actually states ‘…users participating in this site should expect that their information will be shared with other users.’

While it’s obviously the prerogative of users to be able to share their genetic data, they should not be able to force their entire family to adhere to the same terms and conditions. Considering the obvious privacy concerns caused by Facebook’s tracking of non-Facebook users “for security reasons,” the idea of forcibly sharing access to one’s genetic code has the potential for deeper and more unsettling repercussions. The same relational situation–people not in the system, but related to people who are–played out between the GEDMatch data and the Golden State Killer.

As the technology for genetic testing becomes more sophisticated and less expensive, numerous businesses have rushed in to capitalize on the market. Services including 23andMe, and AncestryDNA have had little to no oversight from regulators, largely leaving the security and privacy of their users up to the services themselves. 23andMe goes to great lengths on its website to assure users of the strict nature of its privacy policy, all of which carry similar echoes from the past:

  • “We want you to decide how your information is used and with whom it is shared.” – Facebook made similar announcements in 20082009201020142017, and 2018, none of which kept Mr. Zuckerberg out of a Congressional witness chair or user data out of the clutches of data miners.
  • “We do use and share aggregate information with third parties in order to perform business development, initiate research, send you marketing emails and improve our services… [a]ggregate information has been stripped of your personal details.” – Data mining companies are able to create “3D pictures” of individuals by aggregating information and “re-identifying” them, including Localblox, which left the re-compiled data of 48 million people on a publicly accessible server.
  • “[S]oftware, hardware and physical security measures to protect the computers where customer data is stored.” – Home Depot, Target, Saks Fifth Avenue, Chipotle, OPM, the DNC, Equifax, eBay, Yahoo, Adobe, Sony, and once again, Facebook all made similar claims before falling victim to significant data breaches.

While I have no desire to single out 23andMe here, I do want to highlight the fact that we’re not just repeating past mistakes, we’re actively exacerbating them.

Mark Zuckerberg and everyone on his team who helped make Facebook what it is today have said that they didn’t expect their platforms to be misused. Whether or not you believe them is a personal matter. When it comes to DNA data, genetic testing companies and consumers alike can’t afford to be naive with data of this importance and permanence. The time is now for sane laws that make sense all around.

Privacy in the digital age was stillborn. It never existed. That needs to change.