Ancestry, 23andMe and other top genetic testing companies agree to new privacy policies

Ancestry, 23andMe, Habit, Helix, and MyHeritage have all signed on to voluntary new guidelines aimed at better protecting the privacy of people who submit their DNA to these companies for testing; A DNA testing kit from Ancestry is shown here


Top genetic testing companies have announced they’ve agreed to a mutual set of guidelines to better protect the privacy of users who submit their DNA for testing.

Ancestry, 23andMe, Habit, Helix, and MyHeritage have all signed on to the policy drafted with the help of The Future of Privacy Forum, a non-profit in support of ‘advancing responsible data practices in support of emerging technologies,’ according to Gizmodo.

The guidelines, titled Privacy Best Practices for Consumer Genetic Testing Services and released on Tuesday, deal with scenarios where users’ personally identifiable and anonymous genetic information might be shared with law enforcement (without a warrant) and other third parties.

The new voluntary policies call for requiring separate consent from users before sharing ‘individual-level information’ with other businesses and more transparency about the number of requests for data received by, and fulfilled for, law enforcement.

This particular issue came to the nation’s attention with the arrest in April of Joseph DeAngelo, 72, who is suspected of being the so-called ‘Golden State Killer.’

DeAngelo was taken into custody after decades-old DNA from a crime scene matched DNA that had been submitted by a relative of his to a site used by genealogists called GEDmatch.

The new guidelines were in the process of being drafted months before DeAngelo was arrested, The Future of Privacy Forum CEO Jules Polonetsky told the Washington Post.

‘I don’t think the average consumer has wrapped their head around the range of issues they should think about when they make a decision to share [DNA] data,’ she said.

Among other things, the policy focuses on making it known how often police request data from DNA testing companies, and how often the companies comply.

‘Companies should provide a public report describing requests from law enforcement for Genetic Data,’ the policy reads. 

‘Such reports should be made on at least an annual basis.’

Ancestry and 23andMe shared some of this information with Gizmodo, revealing police sent Ancestry ‘34 valid law enforcement requests’ in 2017, and that Ancestry provided information in 31 of those cases.

23andMe reported that it has received five requests from law enforcement so far this year, and has not shared information with law enforcement pursuant to any of those requests.

Privacy concerns related to DNA testing came to the nation's attention with the arrest in April of suspected 'Golden State Killer,' Joseph DeAngelo, who is seen here at his arraignment in a Sacramento courtroom on April 27; His arrest was made possible by a public DNA database

The policy also calls for separate consent to be granted before a person’s ‘individual-level information (i.e., Genetic Data and/or personal information about a single individual)’ can be given to parties other than vendors and service providers which are necessary to perform the DNA testing.

This additional consent, though, may not be required in instances where law enforcement have obtained a warrant requiring the production of such data.

The policy reads: ‘Genetic Data may be disclosed to law enforcement entities without Consumer consent when required by valid legal process.’

However, the guidelines do call for notice, when possible, in such an event.

‘When possible, companies will attempt to notify Consumers on the occurrence of personal information releases to law enforcement requests.’

The top services that have signed on to the new, more protective policies are different than GEDmatch, however, which was used to track down DeAngelo.

GEDmatch is a free, crowd-sourced database of approximately one million distinct, raw DNA sets shared by volunteers. The site doesn’t accept DNA, do its own analysis, and then send users a detailed report, including matches to relatives.

Investigators uploaded DNA from a suspected ‘Golden State Killer’ crime scene to the site, and could then look through the database themselves for other DNA sets that matched, to varying degrees.

A relative of DeAngelo’s apparently uploaded DNA to that site and could be identified by that data. Investigators matched the crime scene DNA to that relative and investigated that person’s known relatives, eventually arriving at DeAngelo.

From there, authorities collected DNA samples from both DeAngelo’s driver-side car handle and an item that was discarded outside DeAngelo’s home, which they said matched the DNA from the crime scene.

While Ancestry, 23andMe, Habit, Helix, and MyHeritage have all said they agree to these standards of practice for now, it's important to note that the guidelines aren't legally required; A DNA testing kit from 23andMe is shown here

Curtis Rogers, who operates the GEDmatch site, shared the following message to its users when the news broke in April, according to NPR:

‘We understand that the GEDmatch database was used to help identify the Golden State Killer. Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses, as set forth in the Site Policy,’ he wrote.

‘While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes. If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded.’

Rogers said at the time that GEDmatch does not ‘hand out data,’ at all.

‘This was done without our knowledge, and it’s been overwhelming,’ Rogers said in April.

While Ancestry, 23andMe, Habit, Helix, and MyHeritage have all said they agree to these standards of practice for now, it’s important to note that the guidelines aren’t legally required.

‘In general, I think there should be stronger transparency requirements and legally binding rules for everyone around the transfer and use of super sensitive data like this,’ Justin Brookman, the director of consumer privacy and technology policy at Consumers Union, told the Post.

For those concerned with how their DNA and personally identifiable data might be used, the guidelines also call for procedures to be in place to delete data already submitted.

‘Unless otherwise required by law, Companies should provide Consumers clear and prominent methods to delete their account and Genetic Data and destroy their Biological Sample, and describe any relevant limitations,’ the policy reads.

While this may not be possible in all scenarios, for example, when a user has already provided informed consent to share data for research purposes, many of the top genetic testing companies already have such procedures in place for other scenarios.
