Wharton's Robert Field and the University of Michigan's Kayte Spector-Bagdady discuss privacy concerns prompted by a possible breakthrough via DNA records in the Golden State Killer case.

The arrest last week in Sacramento, Calif., of a person suspected to be the so-called “Golden State Killer” has triggered new concerns about the privacy risks for individuals who use genetic testing services to trace their ancestry or medical history.

When California investigators last week arrested Joseph James DeAngelo, they were armed with samples of his DNA that they had collected from items he had discarded from his home. The investigators linked that to DNA samples that one of DeAngelo’s relatives had uploaded to the website of GEDMatch, a Florida-based DNA analytics firm. The investigators hit on that trail during routine matches of DNA evidence from crime scenes with DNA samples that people send to genealogical websites to find out more about their ancestry or other aspects of their genetic profiles. Police said they suspect DeAngelo committed over 50 rapes and a dozen murders across California between the mid-1970s and 1986.

While the possible breakthrough in a long-cold case is being lauded as a success, it also highlighted the lack of awareness many who use genetic testing sites may have about how their data can be accessed, and for what purpose. Investigators in the Golden State Killer case were able to construct a family tree of the killer’s relatives using the pool of people who had uploaded their information on GEDMatch and then narrowed their search to identify DeAngelo as their suspect.

Not all genetic testing and genealogy sites allow their DNA samples to be used by police, but the case highlights a need for such companies to make their terms of service more clear and intelligible, says Robert Field, a Wharton lecturer and Drexel University professor of law, and health management and policy. “We might look at the terms of service [getting] translated into English,” he said. “Perhaps we could have standards for making clear the terms of service, which no one can or will read” in their current form.

The existing legal protections for people’s genetic information are not updated frequently enough to keep pace with technological advances, such as those covered by the Human Genome Project, said Kayte Spector-Bagdady, chief of the Research Ethics Service at the University of Michigan Medical School’s Center for Bioethics and Social Sciences in Medicine, and assistant professor in the department of obstetrics and gynecology at the school.

Spector-Bagdady noted that back in the 1990s, genetic tests would typically have been used to look for one or two specific variants, such as the so-called BRCA genes associated with breast cancer. However, now, genetic tests are more elaborate with “whole genome and large exome sequencing,” which use newer technologies to conduct rapid sequencing of large amounts of DNA data, she said. “It’s generating enough data about me that is uniquely identifiable to me; it’s even better than a fingerprint. And we don’t even know what it all means.”

Field and Spector-Bagdady discussed ways to strengthen DNA data privacy laws on the Knowledge at Wharton show on SiriusXM channel 111.

Limited Protections for DNA Data

One question in the debate is whether the DNA data of individuals should be openly available. Some see that as an advantage, because all people currently have to do to get information about their ancestry and DNA is to send a saliva sample to a genetic testing services firm like 23andMe, said Spector-Bagdady. “Everybody can come together and slowly build their family trees together,” she added.

The existing legal protections for use of genetic data are more for health purposes than for ancestry purposes, said Spector-Bagdady. The 2008 Genetic Information Nondiscrimination Act (GINA) prevents employers or health insurers from using an individual’s genetic data to discriminate against them or for other related purposes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects people’s medical records and personal health information.

“The legal protections [for DNA information] are pretty minimal right now,” said Field. The HIPAA and GINA laws provide protections only as they relate to discrimination based on genetic information in employment and insurance plan offerings, and they don’t apply if an individual’s DNA information is leaked, he added. Also, the protection offered by an ancestry services provider’s terms of service is “minimal,” Field said.

Existing laws provide limited protections for people who voluntarily enter into ancestry testing services as opposed to health ones. Also, there haven’t been as many abuses of data in ancestry services, said Spector-Bagdady. People are also warned that their genomic data could be matched with those of others and produce unwanted outcomes, she added.

Unintended Outcomes

For example, a young man who may have donated sperm decades earlier could be identified as a father through the DNA samples other individuals in the family may have uploaded to an ancestry site, Spector-Bagdady said. It is not even necessary for that man to have sent in his own DNA sample, and the matching could occur without his consent, she added.

What is also worrisome about the potential uses of DNA data is that “it doesn’t have to be your own” to help establish links, said Field. “If a cousin of yours decides to donate DNA information, it’s out there,” he added. “There’s nothing you can do about it. You can’t prevent your cousin from doing that, and you probably don’t even know [about] it. That’s a really tough one for the law to address.” Up until now, the assumption was that an individual would have the autonomy to decide who could see his or her genetic information, but that is no longer the case, he noted.

Field pointed to another parallel movement to protect people from knowing their own information. “A lot of people don’t want to know if they have a gene for Alzheimer’s,” he said. “And yet, if a relative has put information into a database, it may circle back to you whether you want it to or not. That’s a whole other dimension to this which people should be aware of.”

Firms that provide DNA analytics services are unlikely to go beyond what is legally required and offer additional protections because “they can make a lot of money” with the DNA information, Field noted. “There are huge marketing opportunities by using that data in ways that aren’t specifically outlawed. So yes, they have every possible incentive to use that data as broadly as possible.” They might supply that information to marketers, pharmaceutical firms and other kinds of product manufacturers, he added. “It is scary that we don’t even know what some of those uses are.”

Spector-Bagdady noted that ancestry services provider 23andMe recently received an enterprise valuation of $1.5 billion. “Of course, that valuation isn’t on the basis of them being able to sell $200 test kits,” she said. “That valuation is on the basis of the data trove that they own with millions of participants, their DNA, and their related health outcomes and health history data, which can be used for research purposes and is also very lucrative for those purposes.”

Making Sense of Terms of Service

Many firms that provide genetics services make it explicit in their terms of service that individuals’ data could be shared with academic researchers, NGOs or private businesses, Spector-Bagdady said. For example, 23andMe requires its customers to sign an “additional research consent” to share their data for research and other purposes, she noted.

However, putting those clauses in the terms of service does not really help in practice, according to Spector-Bagdady. “The crux of the issue is that it doesn’t matter what we disclose, and it doesn’t matter what we put in front of people, because we know from empirical bioethics research that people don’t read [the terms of service], and even if they read it, they don’t understand it,” she said. “When we’re recruiting clinical patients for research protocols, we have an entire conversation about the risks and benefits of research. And at the end, sometimes people don’t even realize that we were talking about research. So it’s very hard not just to disclose and give information, but to achieve understanding.”

If pushed to provide further protections, all that the ancestry services providers have to do is to disclose in their terms of service that there may be other uses of the DNA data, including law enforcement, “which they’ll do,” said Spector-Bagdady. “But whether the consumer reads those terms of service or understands them is not necessarily the company’s problem.”

To Waive or Not to Waive

Spector-Bagdady noted that while law enforcement has been using forensic DNA databases for decades, the assumption was that they contained the information of people who have done “something nefarious or wrong.” “[That] of course isn’t always correct. People end up in these police DNA databases because they’re in the wrong place at the wrong time, or they were related to the wrong person.”

Such situations occur because people who upload their DNA samples, say to an ancestry service, typically waive the privacy rights to their data. “That’s what makes people uncomfortable — there’s no excuse for this privacy waiver of their data,” said Spector-Bagdady.

In fact, the individual waives not just his or her right to privacy, but also that of their entire family, she noted. “We still have yet to resolve in medical ethics how we’re going to require people to fulfill that respect for their family members,” she said.

If required by law, an ancestry service would have to share its DNA database with the police, said Spector-Bagdady. “The police can always get a warrant which supersedes everything,” Field added. “And these [genetic services] companies do warn about that.”

Exercising Caution and Other Remedies

Field also wondered if there are strings attached to people availing themselves of free services. “We’re hearing more and more the phrase that if you’re not paying, you’re the product,” he said. “With Facebook and all of these other sites where we agree to donate our information in return for a very valuable free service, why are they giving it for free? Because they’re making money off of us.” It is important “to make it clear to people that if it’s too good to be true, it’s too good to be true,” he added. Spector-Bagdady noted that with services like those offered by 23andMe, “you are paying and you are the product.”

In exploring solutions to ensure improved privacy protections, Spector-Bagdady suggested approaches that differentiate between the uses of DNA data for academic research and other purposes. Field agreed that “a use-based regulation” would help provide better protection for people’s DNA information.

Field pointed out that such clarity has been achieved with the language used by institutional review boards (IRBs) governing the protections for people participating in medical research projects that are funded with federal grants. However, the IRB protections that apply in federally funded research projects do not extend to research by private companies like 23andMe if they do not use federal funding, Spector-Bagdady noted.

Spector-Bagdady pointed out that laws like HIPAA were structured to regulate data based on the way data came in, as in whether it is collected by a health care professional, an institution or a private business. However, such data is available to those who didn’t collect it in the first place, she said. “I buy it or I rent it,” she said. “We need to be starting to conceptualize how to regulate data usage as opposed to data collection.”

As it happens, people have a choice to prevent others from accessing their DNA data, but that is by withdrawing the samples they may have provided to a genetic testing services provider. “If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded,” GEDMatch cofounder Curtis Rogers stated in an email to technology publication Ars Technica.

In the case of the Golden State Killer, the police’s use of his relative’s DNA data “is perfectly legal and probably will hold up in court,” said Field. It was also well within the terms of service at GEDMatch, he added.

All things considered, the debate circles back to whether it is truly possible to keep DNA information private. “In theory, and in a perfect world, yes, but that’s impossible,” said Field. “I don’t think it’s possible any more than with cell phone records or anything else.”