Genetics Testing and Privacy: Musings
Three news items about genetic data and testing show the changes afoot on this front. And four recent developments on the privacy front show what lies ahead.
The three news stories about genetic data:
(G1) In April this year, the New York Times reported that "The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder". In short, the elusive Golden State Killer, whose crime spree between 1976 and 1986 was linked to 12 murders and 50 rapes, was finally tracked down by the fortuitous combination of finding a well-preserved sample of DNA from one of the crime scenes and finding a near-match from DNA uploaded to the genealogy website GEDMatch by the relatives of the suspect.
(G2) In June this year, the NPR-Truven nationwide poll on genetic testing highlighted that "a solid majority were willing to share genetic test information with doctors, relatives and health care researchers." Again, curiosity about genealogy is a big driver for genetics testing, as is curiosity about health risk factors, more so among seniors. These two needs seem to mitigate privacy concerns, which are present, at least so far: roughly half of the people surveyed expressed concerns about privacy and the confidentiality of data.
(G3) Last week (July 25th), the genetics-testing company 23andMe announced its partnership with drug giant GlaxoSmithKline to "use people’s DNA to develop medical treatments." In short, GSK plans to invest $300 million in 23andMe over a four-year period, and states that "the goal of the collaboration is to gather insights and discover novel drug targets driving disease progression and develop therapies."
Four developments on the privacy (or the lack of privacy) front:
(P1) On May 25th this year, the GDPR went into effect. These regulations from the European Union address data protection and privacy for all individuals within the EU, giving them control, and regulate how data is processed, shared and exported by businesses, with significant penalties for infractions. The personal data covered by these regulations includes all types of identifiable data that are not rendered completely anonymous.
(P2) On June 22nd, the US Supreme Court issued what is considered a landmark ruling in Carpenter v. United States. In short, the 5-4 decision ruled that the government violated the Fourth Amendment to the US Constitution (which prohibits unreasonable searches and seizures) by accessing historical cell phone location records without a search warrant. The majority opinion summed up by Chief Justice Roberts is extremely well written and offers a far sighted view into the motivation for the ruling and the need for extending Fourth Amendment protection. This particular sentence, "A person does not surrender all Fourth Amendment protection by venturing into the public sphere," is exceedingly important for the digital road ahead.
(P3) At the end of June, the State of California passed a landmark privacy bill, considered the first of its kind for the US, reinforcing the "inalienable" right to privacy. These regulations go into effect in California only in 2020 but the directive to businesses regarding the need for consumer data protection is clear now. The Wall Street Journal writes: "California lawmakers gave consumers unprecedented protections for their data and imposed tough restrictions on the tech industry, potentially establishing a privacy template for the rest of the nation. The law, which was rushed through the legislature this week and signed by Gov. Jerry Brown on Thursday, broadens the definition of what constitutes personal information and gives California consumers the right to prohibit the sale of personal data to third parties and opt out of sharing it altogether." The WSJ is acknowledging California's historical role in pioneering regulation that rapidly becomes the nation's template.
(P4) Last Thursday (July 26th), Facebook's stock plunged by $120 billion, wiping out 20% of its value, making it the largest ever stock decline in trading history, reflecting investor concerns about slowing growth and the need for increasing spending on security and privacy. The privacy scandals are starting to take a toll on the social network. This was followed on Friday by a 20% drop in Twitter's stock for similar reasons. Also as these networks purge hundreds of millions of fake accounts, the quality of these networks is increasingly in question.
We can sum up these news items as follows:
- On the genetics front, we see that the need for understanding one's past (genealogy, ancestry) and for understanding one's genetic health profile (risk factors, precision medicine) drives the adoption of genetics testing.
- Marketplaces are forming to tap the demand for genetics testing. Such marketplaces or DNA stores have so far been offered as a private service (DNA analysis or DNA storage or Health Profiling) delivered in exchange for a fee.
- Companies (like GSK) and institutions (like law enforcement) are eager to tap these marketplaces/aggregators of genetic data (e.g. the 5 million samples of DNA available at 23andMe).
- On the privacy front, the governments are acting to reaffirm the right to privacy and the right against unreasonable search and seizure explicitly (as enshrined in the US Constitution, articulated as a human right by the UN, and declared as EU Law).
- The impact of businesses ignoring privacy can be severe, as the stock drops show, and also now that the EU GDPR imposes stiff penalties for infractions (which can go up to 20 million euros or 4% of a company's revenues, whichever is higher).
A Look at the GDPR Principles
The EU's GDPR (General Data Protection Regulation) took effect in May this year. This regulation applies to personal data, held by businesses, that is identifiable or only pseudonymized. To boil it down for the purposes of our discussion, here are the basic principles guiding the regulation as I see them, all quite reasonable:
- Disclosure of Individual rights (to access the personal information collected, to transfer the information somewhere else, to request removal of the information, to lodge a complaint about what's in the information, to withdraw prior consent offered for collecting information)
- Who is processing this information (the company, The Company?, third parties)
- Why is the information being collected?
- Is there a legal basis for the type of information being collected?
- How long will this information be kept? (temporary, legally mandated timeframe, forever, we have no idea!)
- Who is this information being shared with? (GSK? Cambridge Analytica?)
- Will the information be transferred outside the EU?
- What kind of automated processing and logic do you use? (Shallow or Deep Learning?)
This law is far sighted in addressing individual rights and placing them into a cohesive framework. A note of caution, however. With the wide and sweeping mandate of the GDPR or the upcoming California Privacy Law, it's inevitable that a large number of small businesses will be caught up in trying to respond to these requirements, just like the thousands of small fry that end up in a trawler's large nets. These types of laws aimed at the big fish will need to make the openings in their nets wide enough for the small fry to swim through without difficulty. That is, they need to clarify the compliance burden for small businesses so that it is not onerous, particularly since small businesses already find meeting the existing business needs of bookkeeping, taxes, human resources, information technology and so on quite challenging.
A Look at the Carpenter v. United States Ruling
When the US Supreme Court agreed to hear Carpenter v. United States, it was clear that a major constitutional principle would soon be put to the test. In this case, the question was whether the government's search of the defendant's CSLI (Cell Site Location Information) without a warrant was legal. The lower courts (including the Sixth Circuit Court of Appeals) had ruled in the government's favor. It is worthwhile to look at the key points made by Chief Justice Roberts in writing the majority opinion in this landmark ruling, for their implications for privacy and the Fourth Amendment protections in the digital age.
They are as follows:
- The Court reviews the Framers' intent for the Fourth Amendment (the right against unreasonable searches and seizures), highlighting how it was crafted as a "response to the reviled 'general warrants' and 'writs of assistance' of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity."
- The Court highlights that past rulings have made it clear that "technology has enhanced the Government’s capacity to encroach upon areas normally guarded from inquisitive eyes" and have "determined that the Government—absent a warrant—could not capitalize on such new sense-enhancing technology to explore what was happening within the home."
- Discusses how GPS monitoring was deemed to "impinge on expectations of privacy" in a prior ruling, meaning that such protections extended not only to the home (property) but also to the person.
- The Court notes that cell phone location information is "detailed, encyclopedic, and effortlessly compiled." This is a very important observation since it touches on the capabilities of current technology to accrue an enormous amount of information about a person almost effortlessly now, in stark contrast to the limitations of the past.
- The Court also discusses the Third Party Doctrine, a legal principle formulated in the prior rulings (Smith, Miller), which posits that a "person has no legitimate expectation of privacy in information he voluntarily turns over to third parties." This was deemed applicable "even if the information is revealed on the assumption that it will be used only for a limited purpose." Again, an exceedingly important observation that distinguishes what information is kept by a person and what is shared voluntarily. If the Third Party Doctrine could extend to shared information, it meant that the Fourth Amendment protections did not apply.
- And the Court determines that the Third Party Doctrine does not extend to the CSLI.
- And that "the location information obtained from Carpenter's wireless carriers was the product of a search," meaning a Fourth Amendment search. States that "a person does not surrender all Fourth Amendment protection by venturing into the public sphere."
- Makes it clear again that "things were different prior to the digital age." "These location records hold for many Americans the 'privacies of life'." "When the government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone's user." And boom! "When the government accessed cell-site location information from the wireless carriers, it invaded Carpenter's reasonable expectation of privacy in the whole of his physical movements." This is a far sighted recognition by the Court of the immense reach of advanced technology.
- And the Court highlights something extremely important after that: "One well recognized exception applies when 'the exigencies of the situation' make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment." These are cases like when a suspect is attempting to flee or when a person is in imminent harm or when the destruction of evidence is very likely.
With this background, we can venture into what the future might hold for genetics data.
Here are some sundry observations and a prediction or two that we can make for the emerging Genetic Data Market and Practices, observing these developing trends:
- Genetic data aggregators like 23andMe, which currently provide a service that consumers need and want but now seem eager to help drug companies or others harvest the private data that consumers entrusted them with, will face the inevitable consumer backlash. (As the Scientific American article referenced above highlights, 23andMe lets you close your account and will discard the spit samples you provided, but its policy makes it clear that your past is not really erasable, meaning the research and whatever else happened with your data, presumably such drug harvesting.)
- The idea of law enforcement tapping such genealogy sites without a warrant may also give users pause, even if the cause is extremely justified, like the search for the serial killer and rapist mentioned above. It's not the cause but the method that the privacy experts shudder about. (Note: the criminality of Carpenter does not enter into the debate on a constitutional principle but the question of his rights. The Sixth Circuit Court had affirmed Carpenter's conviction and sentence prior to the US Supreme Court agreeing to hear his case.)
- On the other hand, competitors (genetics testing companies or genetic data stores) can highlight and advertise privacy safeguards (no sharing, will seek future use consent, will seek warrants for search, share future windfall with participants) to attract consumers spooked by such news. And it's likely that this will happen, because there's an Apple for every Google.
- It's also pretty clear that genetic data will become legally subject to the Fourth Amendment (like the historical cell phone location data mentioned above) making law enforcement require a warrant for such a search. It's important to recognize such protections help law enforcement as well. A genetic database search could be potentially branded as an illegal search by the defense and the entire case (against a real murderer) could then be in jeopardy. As noted above, the Court does grant exceptions to warrantless searches when the "exigencies of the situation" warrant that (minor pun intended here).
- Having learned from the Carpenter ruling, the justice system will itself evolve and impose safeguards on searching and handling genetic data and genetics testing. The outcome in the Golden State Killer case was positive: a case almost four decades old, with a large number of unsolved murders and rapes linked to the unknown person, was brought to a close, and brought closure to the families of the victims yearning for that for decades. But privacy experts fear misuse as well as the mishandling of such vital evidence that gets innocent people trapped, like a fishing trawler that ensnares thousands of fish, turtles and other sea creatures indiscriminately with its mile-long fishing nets. Massachusetts had to toss out almost 30,000 cases because of the scandals involving its two key drug testing labs operated by technicians Farak and Dookhan, which involved contamination, mishandling and falsification of results. The investigation also found that two assistant attorneys general, Kaczmarek and Foster, engaged in misconduct by withholding key information and caused immense harm by delaying justice in many cases.
- The Facebook and Twitter stock debacles reflect the costs of not only mishandling user information but also the costs of network misuse (like allowing organizations to sway an election through bots and misinformation). It's now clear that the days of cheap user acquisition are over. This may be a belated realization on the part of the stock markets but it has sunk in. Trust in networks, real privacy safeguards, active measures to guard against misuse (like Cambridge Analytica), the increased need for human curation (50 people to manage a billion real users as well as hundreds of millions of the more prolific fake users is hardly adequate), and the need to protect data in accordance with domestic and international law (like the GDPR out now and the California Law that goes into effect January 1, 2020) mean big spending. Also there are penalties to consider (like the 4% of global revenues in the GDPR).
- A request like the need to match a serial killer's DNA can be potentially handled with privacy safeguards using two key methods: (1) a court within the state/federal court system that can grant a warrant recognizing the urgency (e.g. preventing an imminent murder) or evaluating the request for justifiable warrantless access ("exigencies of the situation"), and (2) privacy-preserving search techniques (match without revealing data, reveal only when matched, etc.; there are a number of such underutilized mechanisms).
- The Coase Theorem is well known from its moorings in law and economics. Based on the theorem, since trading in DNA data is becoming possible and transaction costs are being rendered sufficiently low (for DNA acquisition, analysis, sequencing, storage, communication), one can predict more efficient outcomes emerging in future arrangements among the parties involved (individuals, aggregators and upstream players like drug companies and so on). For example, if there is little inducement for an individual to provide DNA (and very high costs of doing DNA analysis oneself), the mechanism to aggregate DNA information into a ready pool might not exist, and drug companies and providers will not have access to a pool of DNA data to tap for drug development and delivering precision medicine. And genealogy or ancestry sites provided just such an inducement and with sufficiently low transaction costs to get such DNA networks going. Whether the step of delivering precision medicine follows easily or gets more challenging is the next act to follow.
- The Coase Theorem also helps us understand the role of regulation in such situations. The emergence of the GDPR as well as the California Privacy Law—however belated these developments—are inferences we can make from the theorem, arising in this case to set up institutions (regulatory frameworks) to correct the misallocation of resources. In another sense, these laws also establish transparent tradability, which might not have been possible before (by defining consumer rights and business responsibilities and by assigning a penalty for failure to discharge these responsibilities). In addition, the Coase Theorem can also help in quantifying the liability involved, as it has been used previously in tort law. Obviously, a large loss envelope and a high probability of loss mean a large liability. So attention will now be focused on lowering the probability of loss (by increasing data protection and installing privacy safeguards) and on reducing the loss envelope (the exposure and seriousness of the exposure).
I'll end this long perspective with a rough sketch of how I see the market dynamics evolving in the genetics testing space:
End Note: Hope you find these observations connecting genetics testing with developments taking place on the privacy front interesting. Look forward to your comments and feedback. If you'd like to get in touch with me to discuss any of these aspects, please write to me at [email protected].
5 years ago: The Supreme Court will consider the Zappos Data Breach lawsuit https://www.dhirubhai.net/feed/news/supreme-court-allows-zappos-suit-4378611/
6 years ago: Almost on cue, as discussed in the article above as a possible outcome, the real situation of multiple cases being affected by potentially improper access presents itself: https://www.ocregister.com/2018/08/19/triple-murder-case-could-be-affected-by-improper-orange-county-jail-phone-recordings/amp/?__twitter_impression=true?