Identity theft is a plague on society. It’s bad enough when your credit card or your Social Security number is stolen by hackers.
But at least those personal identifiers can be canceled and reissued. What if it’s your DNA?
23andMe officials on Friday confirmed that private data for some of its users is, in fact, up for sale. The cause of the leak, the officials said, is data scraping, a technique that essentially reassembles large amounts of data by systematically extracting smaller amounts of information available to individual users of a service. Attackers gained unauthorized access to the individual 23andMe accounts, all of which had been configured by the user to opt in to a DNA relative feature that allows them to find potential relatives.
…The data included profile and account ID numbers, display names, gender, birth year, maternal and paternal haplogroups, ancestral heritage results, and data on whether or not each user has opted in to 23andme’s health data. Some of this data is included only when users choose to share it.
Consumer genetics sites like 23andMe have become big business. You send in a DNA sample, and they analyze it and give you information about your ancestry, your distinctive traits, and potential health problems that you have genetic predispositions for. You can also opt in to find relatives who may be in the database. (One of the biggest sites, Ancestry.com, was founded by Mormons whose goal was to identify deceased relatives so they could be posthumously baptized.)
Like AI, this is an area where technology has raced ahead while society is still wrestling with the ethics. We haven’t come to terms with the implications of routine genetic testing.
No more blood secrets
For example, there’s no such thing as a closed adoption anymore. Any adoptee can use these databases to find their biological family, and vice versa. Likewise, anyone from a single-parent household can find their other parent, and anyone conceived by sperm or egg donation can know who their donors were.
This is a huge and underappreciated revolution. For the first time, everyone can have certainty about their paternity and their heritage. Blood ties that were concealed for generations are now illuminated. You can see the story of human history—the flows of migration, conquest and displacement—written in your DNA.
But the dark side of this knowledge is that some people will learn things they might not have wanted to know. Some people will find out that they’re the children of an extramarital affair, or worse, that they were conceived by rape or incest. And because of the relative search, other people can learn this too, whether you wanted them to or not.
Even an affair from generations ago can be seen in the data. It’s stamped for posterity in the DNA of your descendants. For example, genetic studies confirm that Thomas Jefferson fathered children with Sally Hemings, who he enslaved at his Monticello estate. Even further back, Genghis Khan’s Y chromosome is carried by almost 16 million men in Asia today, evidence of his campaign of rape and conquest.
Genetics and capitalism
Once you hand over your DNA to a private company, you give up control over what happens to it. This raises the specter of data leaks and data theft, as in the 23andMe story quoted earlier. It doesn’t appear that people’s actual DNA sequences were leaked on the internet—this time. But given how many other data repositories have been hacked, it’s only a matter of time.
Even if there are no leaks, there’s the matter of what the companies do with your DNA. For example, 23andMe makes money by selling users’ genetic data to medical research companies. They mine this data for correlations, looking for genes that are tied to disease or protective mutations they can mimic with drugs. They claim it’s anonymized, but DNA is the least anonymous thing imaginable. You can reconstruct someone’s sex, their ethnicity, even their appearance.
You might be fine with this. After all, it furthers the cause of science. By contributing your DNA, you’re helping to cure diseases and save lives. You might not even care about being compensated for any treasure troves they find in your genome. But even if you’re that selfless, it’s rational to distrust what else a for-profit business might do with this most personal of information.
In the name of making money, corporations have committed horrifying privacy violations. Who’s to say an ancestry site won’t start selling its users’ DNA to advertisers? Will they start showing me ads for drugs that treat diseases they predict I’m going to develop, based on my genetic profile? (It’s already happening.)
Although I love science and I’m intrigued by the possibility of finding out more about myself, I’ve never submitted my DNA to a genetics company, for just this reason.
My DNA is the most personal and intimate information about me that exists. It might reveal facts about my health or my body that I’d rather keep private. It could allow strangers to predict whether I’m susceptible to alcoholism, or dyslexia, or schizophrenia. I don’t want to give up control of that information, not without better legal protection for who can see it and what can be done with it.
Worse, this doesn’t line up neatly with the classical economic paradigm of rational individuals making choices for themselves—because genetic analysis casts a privacy shadow. Even if you don’t submit your DNA, your relatives might. And their DNA reveals information about yours, whether you want it to or not.
A genetic caste system?
The murky ethics of DNA testing come into sharp relief in the story of how police caught Joseph James DeAngelo Jr., better known as the Golden State Killer. He committed a spree of home invasions, rapes and murders in California in the 1970s and 80s, but evaded capture for decades.
They had a suspect’s DNA from a rape kit, but no leads. So, the FBI—rather than getting a search warrant or a subpoena—set up fake profiles with several consumer ancestry companies, posing as the person they sought, uploading his DNA, and claiming to be interested in finding relatives.
What prosecutors did not disclose is that genetic material from the rape kit was first sent to FamilyTreeDNA, which created a DNA profile and allowed law enforcement to set up a fake account to search for matching customers. When that produced only distant leads, a civilian geneticist working with investigators uploaded the forensic profile to MyHeritage. It was the MyHeritage search that identified the close relative who helped break the case.
…A summary of the investigation written by the Ventura County district attorney’s office notes that this search violated MyHeritage’s privacy policies.
You could argue that this is a blessing. Genetic databases were used to identify a suspect in the University of Idaho murders in 2022. They’ve helped catch criminals in numerous cold cases, not just the Golden State Killer case. It’s a more precise and less biased way of identifying a person than eyewitness testimony, or even fingerprints.
On the other hand, you don’t have to be a hardcore civil libertarian to worry about abuses of power. The U.S. has a dark history of eugenics, sterilizing people without their consent because they were minorities, or immigrants, or poor, or simply undesirable.
If the government had everyone’s DNA, it’s all too plausible that this evil could return as a new caste system with a scientific veneer. If an ethnonationalist party wins power again, we could end up in a dystopia where people with the “right” DNA get privileged access to education, jobs and health care, while a genetically defined underclass is forced into subordination.
Between the risks of unfettered capitalism and unchecked government power, we shouldn’t be in a rush to hand over our DNA to unknown parties. We should slow down and think carefully before we give up that much of ourselves. We’ve already given away much of our privacy, but it’s not too late to reclaim it with better regulation.
Still, there’s an argument that the benefits of disclosure outweigh the risks in at least some cases. We already expect politicians to release their tax returns, under the theory that we should know who’s bankrolling them and who might be in a position to influence them. As an extension of that principle, I can imagine a future where office-seekers have to make their genomes public.
What if a candidate is susceptible to early dementia, or some other disease that might cut their life short or compromise their decision-making? Voters undeniably have an interest in knowing that information, but do they have a right to know it?
Our DNA is the deepest refuge of our selves, the sanctum sanctorum of our privacy. If we should be able to keep anything private, it’s this. On the other hand, the more we’re able to tell about people from their genes, the stronger the public-interest case is for disclosure. Whatever we choose, this is too momentous a decision to leave in the hands of profit-seeking private parties. We need a democratic consensus, backed by law, about what we should keep confidential and what should be revealed.
I have to come down on the side of more genetic testing.
On the one hand, I’m not at all worried about finding out things I don’t want to know; but that could be because of my personal situation. I was adopted when I was just three months old, and I can’t remember a time when I didn’t know that; so my parents must have told me as soon as I was able to understand the concept. (And my parents are those who took care of me when I needed them. I’m very clear about that.)
I also can’t imagine having any secrets about my health. Anyone can see me walking around with a walker. I’m currently undergoing radiation and chemotherapy for lung cancer; and I’ve blogged about it. Facts are facts.
And even if I did want to keep some data about me hidden, I wouldn’t be able to. The astronomer and author, David Brin, has argued repeatedly (an early example) that keeping secrets is bound to fail because the folks who are looking at us will always be one step ahead. Instead, he argues for “sousveillance”, looking back at the elites. (How much would we have known about, e.g., the murder of George Floyd without the cell phone cameras recording the incident?) This seems in line with your speculation that, maybe some day, candidates for political office will be expected to make their DNA public.
Your post might have actually moved me to submit my DNA to one of the testing companies. 😎
Our concept of privacy developed in the relatively recent past. We used to know much more about our neighbors and coworkers and we didn’t know much about anyone else. Imagine the community of a hunter-gatherer tribe or a rural village; very little was private. That was the norm for much more of human history than the last 200 years or so of increasingly big cities and easy transportation. That said, I like my privacy and I protect it jealously.
Incidentally, I heard a historical geneticist say that among royals or serfs, and everyone in between, about one in eight children was not born of the parentage expected by history or family tradition.
actually at the moment SSNs can’t be deleted. it would take a fundamental overhaul of systems not likely to happen under current budget circumstances. they can issue a new SSN, which can be helpful in various ways for an ID theft situation, but the old one still exists and could potentially still be used maliciously.
as so many millions of SSNs have been compromised in leak after hack after leak, the best solution will probably be coming up with a new way to ID people definitively, but it’s hard to imagine one that won’t quickly end up the same.
im not an expert and i don’t even disagree with the article, but i think it vastly overstates the importance of genes. in particular the idea that appearance can be reconstructed is wrong. it can give a range of possibilities but the same genes can be expressed very differently, as people have discovered when cloning cats and getting different colors.
Very interesting article. Another possible problem: what would prevent companies from somehow getting their hand on your data and refusing jobs to people who are more likely to get sick, or stuff like that? Or even to decide that they have found a correlation between intelligence and DNA and they will only hire people with “smart” genes. The movie Gattaca comes to mind.
This makes me wonder (belatedly, given that the horses have already fled the barn and closing the door will have little utility for most people right now) if there’s a potential market for a genetic testing service (like 23&Me) which uses only air-gapped instrumentation and computers, and which is audited by one of those psycho-privacy organizations (who believe that privacy is like, the most important thing ever…they’re usually Libertarian, or Libertarian-adjacent) to confirm it has protocols in place to systematically destroy both its clients’ genetic material and the data extracted from same after burning a CD of an individual’s results and shipping it to them via one of the more reputable courier companies. This obviously wouldn’t be a perfect solution, but there is a lot of publicly-available information on the human genome, and a private database of sequences would not be necessary to tell customers quite a lot about themselves. Sure, there would be no ability to find long-lost relatives or whatever, but the important stuff in the genome (according to me) is the health information, and there’s plenty of trivial (but possibly fascinating?) information that could be discovered and shared without storing peoples’ data.
Were those cats calicos? That’s caused by X inactivation patterns that are basically folding in entropy from the environment rather than wholly genetically determined. It’s a bit like fingerprints: even identical twins will have different ones.
But I’m not aware of any gross differences in human appearance that are generated that way, unlike the case with calico cats.
Hard to give up that which one never had.
BTW, I’ve never ever had the urge to pay $ to 23andMe for their primitive testing.
(Thieves can’t steal what ain’t there, can they?)
I’ve never had that urge either, but when my sister did, most of my DNA went out on the web for all to see.