Do you think it’s a hassle when you have to cancel a lost or stolen credit card? Are you annoyed when your email gets hacked? Does it unnerve you to know your Facebook and Twitter posts are used to target you for advertising? Are you alarmed at the idea of Russian trolls and political activists using psychological-warfare techniques to wage influence campaigns against American voters?
I’m here to say: You ain’t seen nothin’ yet.
Last week, news everywhere buzzed with reports of the Golden State Killer – also known as the East Area Rapist, the Original Night Stalker, and the Diamond Knot Killer – captured more than 20 years after the last of his crimes were committed. Connected to 12 murders and at least 50 rapes, this man terrorized Sacramento County and parts of Southern California from 1976 to 1986.
What broke the case? And why has it caused a new eruption in debates about data privacy?
As they like to say in the old detective novels, the case had grown cold. The suspect left copious amounts of DNA behind at the crime scenes but, although DNA analysis has improved over the years, police could not find a match.
The breakthrough in the case came about because of a combination of two recent technological innovations: the Internet, and the availability of genetic testing for average consumers.
Personal genetic decoding, something that once cost thousands of dollars and weeks of analysis, is now available for $59 and a cheek swab. The two most popular genetic testing companies today are 23andMe and AncestryDNA. Both offer services which provide a complete “autosomal DNA” profile, available for download, as well as detailing ethnic history and susceptibility to disease. They will even match you to relatives you didn’t know you had.
It’s this last ability to do genetic matching that law enforcement took advantage of to finally nab the Golden State Killer.
GEDMatch is a free online utility used to compare autosomal DNA profiles. Although they don’t do genetic testing themselves, members of the site can upload their data from any of the most popular genetic testing companies, and use the site’s powerful matching tools to compare their DNA profile to those of other members of the website. As a free service and one that combines data from multiple genetic testing companies, GEDMatch is the largest public database of its kind. Its tools are so powerful and precise, users can isolate and match specific DNA sequences in order to find relations previously unknown, or trace branches of their family tree back to its genetic origins. GEDMatch is a favorite resource for researchers and genealogists all over the world.
This is the service investigators used to finally track down the Golden State Killer. The suspect hadn’t uploaded his own genetic profile to the database, but distant relatives of his had. Once the investigation could identify individuals related – however distantly – to the suspect, it took only four months to narrow their search down to the one person responsible. Then it was a simple exercise of obtaining a DNA sample from some trash the suspect discarded and matching it to samples from the original crime scenes.
It’s a good thing, right? Another bad guy behind bars. If police had had access to this tool in 1976, they might have prevented 49 rapes and 12 murders.
Right? Not so fast.
There are two notes of warning that I would like to proffer for consideration. The first should be obvious to anyone who has lived through the last two years: any data stored online can be hacked; nothing is safe. And second: for every positive benefit gained from sharing information online, there are evil men and women waiting to use that data for their own nefarious purposes.
We have seen in the past year how Facebook information can be used by political activists, advertisers – and Russians – in ways we are not aware and would not condone. How long until those same people find ways to use our genetic code to their gain and our detriment?
Not long, actually, as they are already doing it.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). This law, meant to make it easier for people to keep their insurance when changing jobs, also included a provision allowing medical companies to share or sell the data of their patients – as long as that data was “anonymized,” or had all identifying information removed first.
This data sharing provision in HIPAA was supposed to help medical researchers who could make use of the data for research purposes, while protecting patient confidentiality. There are two glaring problems with this idea, however. First, they didn’t account for the fact that others, with more profit-minded goals, like marketing and political entities, would also be interested in the data. Second, they also didn’t account for the ingenious ability of data analysts to combine data sets from multiple sources in order to “deanonymize” the data for marketing purposes. And hospitals and insurance companies have not been discriminating about who they sell patient data to.
That same HIPAA data sharing provision also applies to genetic testing companies. Peter Pitts, a former FDA associate commissioner and current president of the Center for Medicine in the Public Interest, writes this in a recent guest column for Forbes magazine: “23andMe has [already] sold access to its database to at least 13 outside pharmaceutical firms. One buyer, Genentech, ponied up a cool $10 million for the genetic profiles of people suffering from Parkinson’s. AncestryDNA, another popular personal genetics company, recently announced a lucrative data-sharing partnership with the biotech company Calico.”
The availability of genetic testing for the average consumer was just a distant dream when HIPAA passed in 1996. The internet was still in its infancy. A lot has changed in the last 22 years, and our laws have not kept up.
“Customers are wrong to think their information is safely locked away,” Pitts concludes. “It’s not; it’s getting sold far and wide.”
There’s another reason to worry about data privacy when considering genetic information. Unlike our social security number or credit history, our genetic information doesn’t belong only to us. We share much of our genetic code with those we are related to. Police tracked down the Golden State Killer by looking at those parts of his DNA which he shared with others. Do we have the right to share our own genetic information when doing so means that, by necessity, we are also sharing information about family members who have not given their consent?
What happens when – not if – GEDMatch, 23andMe, Ancestry DNA or another company that stores genetic information is hacked? If my mother’s genetic code was part of the hack, is my own DNA profile also compromised because we share so much genetic history in common?
These questions need to be asked, but they should have been asked a decade ago. Part of the problem is how ignorant most members of Congress are about modern technological developments like social media or the complexities of online security.
A couple weeks back, I sat and watched Mark Zuckerberg, the founder of Facebook, testify before Congress. After two days, ten hours, and 600 questions, I came away with one conclusion: our representatives in Washington don’t know the first thing about how social media works. How can they legislate something they don’t understand?
I am also afraid there is a current tendency in the United States to try and address individual incidents as they occur, instead of working in a bipartisan way to address the problem as a whole. Unfortunately, this piecemeal approach is like sailing a broken boat that springs one leak after another because its owners don’t want to take the boat out of the water to fix it properly.
We need to step back and take a broader look at the privacy concerns that face us in this new data-landscape we find ourselves in post-Internet. Our representatives in Washington should educate themselves on the technical challenges of storing data online and bring in unbiased experts who will present a consumer-centric perspective on the best way to approach the problem.
We could learn a lot from what the European Union has done with the recently passed General Data Protection Regulation (GDPR) which is set to go into effect later this month. The law sets up standards that apply to user data across the board. It builds-in accountability and responsibility for proper data usage with the establishment of independent supervisory authorities which investigate complaints of data abuses. The new law also clearly stipulates that users maintain ownership of their personal information no matter who is storing that data and it confirms a user’s right to have his data erased at any time. Finally, the GDPR sets forth requirements that companies notify users in a timely manner if their personal information is ever breached or hacked.
The United States, as home to the three biggest data content platforms on the planet – Google, Facebook, and Twitter – should be at the forefront of these discussions about personal privacy. Technology moves too quickly for us to take a “wait and see” approach to consumer data protection. A few weeks ago, we were talking about Facebook data and it was already ten years too late; today it’s our genetic information. It’s time for our representatives in Washington to put our right to personal privacy ahead of corporate profits and partisan bickering.
Where is Ralph Nader when you need him?
Eric Austin lives in China, Maine and writes about technology and community issues. He can be contacted by email at firstname.lastname@example.org.
Responsible journalism is hard work!
It is also expensive!
If you enjoy reading The Town Line and the good news we bring you each week, would you consider a donation to help us continue the work we’re doing?
The Town Line is a 501(c)(3) nonprofit private foundation, and all donations are tax deductible under the Internal Revenue Service code.
To help, please visit our online donation page or mail a check payable to The Town Line, PO Box 89, South China, ME 04358. Your contribution is appreciated!