Pages

20 October 2023

Bad genes: 23andMe leak highlights a possible future of genetic discrimination

RAJ ANANTHANPILLAI

23andMe is a terrific concept. In essence, the company takes a sample of your DNA and tells you about your genetic makeup. For some of us, this is the only way to learn about our heritage. Spotty records, diaspora, mistaken family lore and slavery can make tracing one’s roots incredibly difficult by traditional methods.

What 23andMe does is wonderful because your DNA is fixed. Your genes tell a story that supersedes any rumors that you come from a particular country or are descended from so-and-so.

But the very fixed, certain nature of genetics carries with it potential for great trouble.

You can replace your Social Security number, albeit with some hassle, if it is ever compromised. You can cancel your credit card with the click of a button if it is stolen. But your DNA cannot be returned for a new set — you just have what you are given. If bad actors steal or sell your genetic information, there is nothing you can do about it.

This is why 23andMe’s Oct. 6 data leak, although it reads like science fiction, is not an omen of some dark future. It is, rather, an emblem of our dangerous present.

23andMe has a very simple interface with some interesting features. “DNA Relatives” matches you with other members to whom you are related. This could be an effective, thoroughly modern way to connect with long-lost family, or to learn more about your origins.

But the Oct. 6 leak perverted this feature into something alarming. By gaining access to individual accounts through weak and recycled passwords, hackers were able to create an extensive list of people with Ashkenazi heritage. This list was then posted on forums with the names, sex and likely heritage of each member under the title “Ashkenazi DNA Data of Celebrities.”

First and foremost, collecting lists of people based on their ethnic backgrounds is a personal violation with tremendously insidious undertones. If you saw yourself and your extended family on such a list, you would not take it lightly.

In response to this incident, 23andMe released a statement which said, “At 23andMe, we take security seriously. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program.”

I am inclined to believe that they likely do exceed the industry standards. And that is precisely the problem, that it is such a low bar.

I find it troubling because, in 2018, Time reported that 23andMe had sold a $300 million stake in its business to GlaxoSmithKline, allowing the pharmaceutical giant to use users’ genetic data to develop new drugs. So because you wanted to know if your grandmother was telling the truth about your roots, you spat into a cup and paid 23andMe to give your DNA to a drug company to do with it as they please.

Although 23andMe is in the crosshairs of this particular leak, there are many companies in murky waters. Last year, Consumer Reports found that 23andMe and its competitors had decent privacy policies where DNA was involved, but that these businesses “over-collect personal information about you and overshare some of your data with third parties…CR’s privacy experts say it’s unclear why collecting and then sharing much of this data is necessary to provide you the services they offer.”

That last piece is crucial to understanding the current privacy landscape. Why are we sharing so much with companies to begin with?

When you use direct-to-consumer genetic sites like 23andMe today, you feed an ecosystem that will have drastic consequences for you and your children. As it stands, your DNA can be weaponized against you by law enforcement, insurance companies, and big pharma. But this will not be limited to you. Your DNA belongs to your whole family.

Pretend that you are going up against one other candidate for a senior role at a giant corporation. If one of these genealogy companies determines that you are at an outsized risk for a debilitating disease like Parkinson’s and your rival is not, do you think that this corporation won’t take that into account? If it is available information, companies will absolutely use it, thank you for your time, and hire the other candidate.

Insurance companies are not in the business of losing money either. If they gain access to such a thing that on your record, you can trust that they will use it to blackball you or jack up your rates.

In short, the world risks becoming like that of the film Gattaca, where the genetic elite enjoy access while those deemed genetically inferior are marginalized.

The train has left the station for a lot of these issues. That list of people from the 23andMe leak cannot put the genie back in the bottle. If your DNA is on a server for one of these companies, there is a chance that it has already been used as a reference or to help pharmaceutical companies.

Perhaps we can request the company to “return” the sequenced, digitized DNA back to us and certify that they don’t have any more copies of our DNA on their servers, or to provide consumers the option to encrypt and lock their DNA and not release it to anyone without their explicit permission.

There are things they can do now to avoid further damage. The next time a company asks for something like your phone number or SSN, press them as to why they need it. Make it inconvenient for them to mine you for your Personal Identifiable Information (PII). Your PII has concrete value to these places, and they count on people to be passive, to hand it over without any fuss.

Many of 23andMe’s users went to the site as a curiosity. The company went public in June 2021, during COVID. “It’s kind of an ideal time for us,” CEO Anne Wojcicki said at the time. The public was interested in genomics. Many were sitting at home with idle hands. So, out of a potent mix of curiosity and boredom, many probably agreed to 23andMe’s terms without a second thought.

I do not want to shame any individual or group for wanting to learn about their families, but we as a society need to snap out of our fugue state when it comes to privacy.

Using a privacy-preserving, reusable, digitally-verified credential would be a giant step in this direction. With a reusable verified credential, consumers need not provide their personal information, nor do businesses need to collect and store it. What is crucial about this kind of solution is that it does not fundamentally alter the manner in which end users operate online, but it protects them, as well as corporations, from breaches and leaks.

The time to start worrying about this problem was 20 years ago, but we can still affect positive change today. This 23andMe leak is only the beginning; we must do everything possible to protect our identities and DNA while they still belong to us.

No comments:

Post a Comment