23 and Me ... and Facebook


Facebook recently informed 87 million users that Cambridge Analytica, a political consulting firm, harvested their confidential information using it to create targeted ads that may have influenced the outcome 2016 presidential election.

Many users were shocked to learn that Cambridge had access to their data.

Now, Congress is demanding reforms from Facebook and other social media sites. Our lawmakers want social networks to simplify privacy terms and conditions.

But Facebook isn’t the only firm that puts users’ privacy at risk. Some genetic testing companies like Invitae, 23andMe, and AncestryDNA do too – and the consequences of irresponsibly sharing DNA data are far more serious than a social media data breach.

Lawmakers and regulators ought to demand these genetic testing companies clearly inform consumers whether, and how, their data will be shared.

Every year, millions of people undergo genetic testing to help predict health problems or just discover their heritage. Doctors send patients’ blood or saliva samples to lab testing companies like Invitae. Millions of people have bought DNA testing kits from companies like 23andMe and AncestryDNA and submitted their samples through the mail.

After sequencing the DNA samples, genetic testing firms often sell or share the genetic information to third parties. For instance, 23andMe agreed to share its data with biopharmaceutical firm Genentech in exchange for as much as $60 million.

Testing firms seek users’ permission to share the data. But they gloss over the risks. As a result, consumers sign away their rights with little comprehension of the privacy violations and discrimination that could ensue.

Take Invitae. Its privacy policy states that it may use patients’ “de-identified” data for “general research purposes” which may include “research collaborations with third parties” or “commercial collaborations with private companies.”

The problem is that the data isn’t permanently “de-identified.” It can easily be tied back to specific people.

Just ask Harvard Medical School Professor Latanya Sweeney. She recently identified the names of more than 40 percent of participants in a supposedly anonymous DNA study. Sweeney cross-referenced participants’ provided ZIP Codes, birthdays, and genders with public records like voter rolls. She then was able to match people up to their DNA.

Your DNA contains a wealth of sensitive medical information. Imagine what employers might do if they got access to people’s DNA. They easily could exploit this information to discriminate against prospective hires.

If you’re worried about someone stealing your social security number, imagine identity theft on the genetic level.

Genetic privacy is a human right. To protect consumers from such abuses, the U.S. government should increase regulation of genetic testing companies to protect people.

European policymakers have already done so. In late May, the European Union’s online privacy legislation – known as the General Data Protection Regulation – will go into effect. Among other provisions, the new law will require genetic testing companies to delete personal information if users request it.

Some DNA testing companies aren’t waiting for regulators to act. They’re already voluntarily promising to not share any genetic samples, leaving the important privacy decisions in patients’ hands “where they belong.”

Social media platforms like Facebook are failing to secure users’ personal information. Most genetic testing companies are failing too.

It’s time for lawmakers and regulators to impose tougher consumer protections so that we don’t have a Facebook-like crisis involving people’s most sensitive genetic information.

Peter J. Pitts, a former FDA Associate Commissioner, is president of the Center for Medicine in the Public Interest.


No comments on this story | Please log in to comment by clicking here
Please log in or register to add your comment