The Ultimate Privacy Betrayal: Personal DNA Used for Undisclosed Purposes, without Permission
As this blog has reported, one of the biggest threats to privacy is surveillance advertising. It works by tracking everything people do online — which sites they visit, what they do there. It draws its power from aggregating these tiny pieces of seemingly innocuous information to build up a detailed profile of what we do, and thus who we are, at least as far as our online actions are concerned.
If this kind of digital profiling is bad, how much worse, then, is DNA profiling? DNA’s three billion genetic “letters” are the literal program that built us, a biological code that runs in nearly every one of our body’s cells. Not only that, but they contain copy-and-paste elements from our parents’ code too. Through them, our DNA is also bound up with everyone that is related to us: the closer the relation, the more the two biological programs are similar, and the greater the information that one genome contains about the family member’s DNA.
However concerned we are about the threats to our privacy that online tracking represents, we should be far more worried about losing control of our genetic data. One reason is that we cannot change our DNA — at least with current technologies. And even when advanced gene editing becomes available, it seems unlikely that it will be possible to make enough changes to the trillion copies of DNA found throughout the body that we can ever truly break the link between old and new genetic code. Against that background, two recent stories involving DNA are both shocking and an important warning of future problems.
The first involves DNA collected following a woman’s rape. The San Francisco Chronicle has the details:
The San Francisco police crime lab has been entering sexual assault victims’ DNA profiles in a database used to identify suspects in crimes, District Attorney Chesa Boudin said Monday, an allegation that raises legal and ethical questions regarding the privacy rights of victims.
Boudin said his office was made aware of the purported practice last week, after a woman’s DNA collected years ago as part of a rape exam was used to link her to a recent property crime.
An update to the story revealed that the case against the woman involved had been dropped. At the same time, it was still unclear whether there were other cases where DNA collected from sexual assault victims had been used to connect them with unrelated crimes where genetic material had been gathered. The San Francisco District Attorney’s office believes that “one of the police’s DNA databases could include DNA profiles from rape victims collected over several years, and that this database is regularly used to search for matches to DNA found at crime scenes.”
Independently of the abuse of the genetic privacy of the person involved in this particular case, there is a broader point. If there is any suggestion that DNA gathered from victims of rape will be run through other police databases seeking matches for unrelated crimes, people will be even more reluctant to go to the police. Reporting rape is a traumatic experience for someone who may already be suffering Post-Traumatic Stress Disorder (PTSD), and rates of successful prosecution are low. Adding the worry that they might be accused of a crime could make the disadvantages of giving a DNA sample far outweigh the advantages.
The second case of genetic privacy abuse was in the UK. Testing for Covid-19 has used both public and private clinics. The latter have to be approved by the UK government, although the requirements don’t seem to have been particularly stringent. It is now alleged that one of the approved testing providers reserved the right to sell customer DNA gathered during the tests for medical research. According to UK privacy laws, this required consent, which it is claimed was hidden away in a 4,800-word privacy policy. The Information Commissioner’s Office, which is responsible for protecting privacy in the UK, is investigating the case.
Once again, there are some important general issues beyond the specifics. One is the use of extremely long privacy statements that users must accept if they are to make use of a service. Asking customers to read such statements is already a stretch; expecting people to read nearly 5000 words is clearly unreasonable. If important information about the re-use of DNA material is among those 5000 words, it is even more egregious. This shows we need new rules about such documents, requiring them to be short, simple, comprehensible and with the important elements highlighted, not hidden.
Another issue is that the Covid-19 tests were required as part of efforts to bring a pandemic under control. In many situations, they were obligatory, not optional. Taking advantage of that necessity to harvest people’s DNA to be sold for other purposes would be completely unacceptable. As with the DNA collected from a rape victim, if DNA collected in the course of carrying out a Covid-19 test ends up being used for other purposes, this is likely to make people more reluctant to take such tests. Since there is every possibility that there will be future pandemics requiring similar testing, any action that sows suspicion in the minds of the public now is irresponsible in the extreme.
Although these are just two examples of genetic privacy being abused, they are unlikely to remain isolated ones. As DNA sequencing costs continue to fall, the use of DNA for myriad purposes will increase, and the desire to gather as much of it as possible will also grow. If we don’t fight to preserve genomic privacy now, soon it will be too late.
Featured image by OpenStax Anatomy and Physiology.