As privacy problems continue to pile up for DNA databases, Covid-19 introduces a major new risk

Posted on Aug 26, 2020 by Glyn Moody

Two years ago, Privacy News Online warned that the growing number of large-scale DNA databases were likely to become a serious threat to people’s privacy. Sadly, things have not improved since then. The increasing police use of DNA sites to find suspects for serious crimes, as described in that post, led one of the leaders in this sector, GEDmatch, to give its users the right to opt out from having their DNA compared to crime scene material. Except that it turned out to be little more than “smoke and mirrors“, as the The Legal Genealogist site put it. The same year, researchers discovered that information about a person’s DNA could be extracted from the GEDmatch site by anyone, using a variety of simple tricks.

Confidence in GEDmatch was not enhanced when it was announced that it was to be operated by Verogen, a company formed to market next-generation DNA sequencing technology to crime labs. Just this month, it emerged that security breaches of the GEDmatch site had caused user permissions to be reset, making all profiles visible to all users, and the entire DNA database available for police searches, regardless of whether people had opted out from that use.

Although most of the news in this area has concerned GEDmatch, the largest provider of DNA services is Ancestry.com, which has 18 million people in its AncestryDNA network. Scrutiny of the latter is likely to increase following the recently-announced acquisition of the company by Blackstone, for $4.7 billion. David Kestnbaum, a Blackstone senior managing director, said in a statement: “We believe Ancestry has significant runway for further growth as people of all ages and backgrounds become increasingly interested in learning more about their family histories and themselves.” The question is how it will do that, and how well privacy will be protected. In 2018, Blackstone’s Motel 6 hotel chain had to pay out millions of dollars to Hispanic customers to settle a proposed class-action law suit that claimed “it violated their privacy by regularly providing guest lists to U.S. Immigration and Customs Enforcement (ICE) agents.”

Those might be termed “traditional” threats to privacy arising out of the creation of massive DNA databases. But the Covid-19 epidemic is bringing with it a new problem in this area. At the heart of the global response to the new coronavirus lies testing, which allows infected individuals to be identified, and their contacts investigated. The global demand for tests is a huge opportunity for companies that can supply them. One of the leading players here is BGI Group. As its name implies – BGI stands for “Beijing Genomics Institute” – it is a Chinese company, and one of the scientific leaders in the world of genomics. A special report on the company from Reuters explains:

BGI Group, described in one 2015 study as “Goliath” in the fast-growing field of genomics research, is using an opening created by the pandemic to expand its footprint globally. In the past six months, it says it has sold 35 million rapid COVID-19 testing kits to 180 countries and built 58 labs in 18 countries. Some of the equipment has been donated by BGI’s philanthropic arm, promoted by China’s embassies in an extension of China’s virus diplomacy.

The problem is that Covid-19 test kits often collect the DNA of the person being tested. A concern is that BGI Group’s move into testing could allow it to gather genomic information about millions of people. It already does this for the Chinese government in the troubled region of Xinjiang:

BGI has engaged in gene sequencing of Xinjiang residents and has announced it would build a gene bank and a “judicial collaboration” center in Xinjiang, Axios has found, a region where authorities are seeking to build up genetics-based surveillance capabilities targeting ethnic minorities.

The Chinese authorities have a history of illegally obtaining vast amounts of personal information about US citizens, as this blog reported earlier this year. It is quite plausible that BGI Group would try to use its central position in coronavirus testing for covert DNA testing of citizens in other countries. Israel’s largest medical insurance group has already said that it won’t work with the Chinese company because of exactly this concern.

BGI Group is one of three Chinese companies that will be carrying out large-scale Covid-19 testing in Hong Kong. Given the increasingly fraught relations between Hong Kong and mainland China, some people are concerned that the Chinese government will use the testing program as a means of gathering DNA about Hong Kong citizens. The Chief Executive of Hong Kong, Carrie Lam, who generally satisfies Beijing’s wishes, was questioned on this issue. The journalist Xinqi Su reported her response:

Asked about people’s concern of their DNA samples’ security, #CarrieLam smirked and said, “It’s impossible for any one to be interested in these samples and DNA.” Lam said the lab workers won’t know the persons behind the samples and negative samples would be destroyed ASAP in HK

The developments outlined above suggest that many companies and governments will by interested in the DNA that could easily be extracted from these samples at the same time as the Covid-19 tests are conducted. Identifying individuals becomes easier the more DNA data you collect, because of the way people and their DNA are related. Covid-19 testing is a vital tool for combating the pandemic, but it would be naive to assume that there are no associated privacy risks.

Featured image by Governor Tom Wolf.