Thursday, June 19, 2008

23 and Me is Scary: Privacy Edition


23 and me (23andme) is a relatively new company providing a friendly service. The company describes itself as "focused on helping consumers understand and browse their genome." You spit in a cup and they give you a bunch of services relating to your genotype. You can find out about your ancestry, genes you share with family members and a ton of other stuff based on an analysis of your genes. It costs USD 1000, but you get to find out all this information and if you choose, you can share it with others in a social network and compare characteristics.

On their side of the equation, they separate your genetic information from any personal identification information, and put it into a database available to research and other institutions. Some may pay a fee. They are creating, with consumer subsidy, what may turn out to be the world's largest database of genetic information. The database will provide the data to cure disease and alleviate untold suffering in the world. The service is useful to its consumers. The data is unimaginably valuable, to them. It is a veritable YouTube for genetic researchers. Beyond the financials, it is a tremendous service to humanity. The scary part is that one of the initial investors is Google.

Google learned something early on I didn't learn until law school. You don't have to know anything, you just have to know where to find it. Google's version is that data is power, but you don't have to own it as long as you can tag it. They created the best algorithm for creating metatags and the rest is history. Their business is not entirely based on the data tagged on the web. In consideration of the service they provide, we provide personal data. Lots of personal data. We surrender our privacy without even knowing it.

We know we are surrendering privacy when we introduce ourselves to someone. Less directly, we surrender privacy when we hand a credit card to a waiter in a restaurant. Some of us know we are photographed and filmed tens of times each day as we walk around in public. Few realize how much data we surrender to Google and other online services. When you do a search on Google, it tracks your search, and ties it to your IP address. Yes, even the porn. This is then stored with all the other searches and the places you go online, purchasing through the wallet and tons of other stuff. The profiles are sold to advertisers and the like. Google has never matched the profiles to actual names, but AOL and others have, under government order.

Google actually stood up to the US government and refused to offer certain services in China to avoid the risk of having to disclose. Right now we say it is no big deal, because we are not doing anything wrong. But what happens when, as in the case of the Patriot Act and AOL, the rules of what is wrong change and start to be measured by what appears to be wrong? It is a scary thought when you consider Google not only has the search data, but if you use Google Desktop, it has access to metatags for every file on your computer, Gmail gives it access to all of your email, the proposed health service will give it access to your medical data, the wallet gives your purchasing data, and an Android phone gives it your communication and location data. They will know everything about you, because you told them.

Is there anything more private than your genome? I may be paranoid. Strike that, I am paranoid, but I am not the only one. Earlier this year Rolling Stone did a fantastic profile of Larry Brilliant, the head of the Google foundation. The story revealed some of the strategy behind the investments as well as the concerns. He considers:
"Where can Google make the most difference?" Another litmus test: "Will it scale?" That is, if it works, could DotOrg grow it exponentially? A pandemic-warning system, based on Google search technology, would definitely scale. Building roads in Africa, though important, would not. . . . As the system evolves, it's easy to imagine how Google's prowess in search technology, satellite imagery and mapping might revolutionize how we respond to epidemics.
It is a great idea. The investments are amplified by Google's prowess in its core business. With Larry and Sergey at the helm, operating under their credo of "do no evil," the world can feel safe, but the potential for wrong is there.
. . . as the company moves deeper into the realm of public health, the questions get more complex. Collecting data is one thing; once you get it, what do you do with it? If you detect an outbreak somewhere in the world, who has the authority to make the call? Who takes responsibility for the warning if it turns out to be wrong? Who profits if it's right? . . .
"It has to be clear that this effort is not about gaining commercial advantage but about changing the world," says [John] Doerr. Right now, Google is able to deflect many questions about privacy and corporate evildoings simply because Sergey Brin and Larry Page seem like honest guys. But the more the company moves into new arenas, like energy and public health, the more danger there is that Google could be revealed to be just another greedy corporation using philanthropy as a mask to hide its plundering and profiteering.
The article is about the foundation side of Google; the investment in 23andme, along with investments from other leading VCs, came from the business side. The founder of 23andme happens to be married to Sergey Brin, but the investment is not a case of nepotism. The business makes sense for Google. The database will be an incomprehensibly large pool of data. As it sits, it is without value. The data will only have value when it is sorted, tagged and correlated. Once Google tools are applied, the value is immeasurable.

A whole set of issues will arise on the profit side with the growth of genetic treatments. Patent issues have already arisen with treatments coming from human genes. Is the person who carries the gene giving rise to the AIDS vaccine entitled to a portion of the revenue generated by the discovering and commercializing company? I don't know. These issues will be the subject of years of debate by people smarter than I. My concerns don't arise from what the company does within its own control, or from the profit it will generate. These are only money issues. Money can flow in any direction: if someone determines compensation was made to the wrong person, or not made to the right person, the money can be reallocated. My concerns arise from the actions the company must take outside of its control and which cannot be imagined today.

Like your search queries and computer files, the genetic information is separated from any personal identification data. Other than you, no one will be able to tie your genetic data to your identity without your permission, except you . . . and 23andme. The company warns you about opting into the sharing system as data is hard to contain once released. It also explains your data may be supplied to researchers, and if they are interested in personal studies, they may ask if you would like to participate. This is all reasonable. But what about compelled disclosure by the company?
Disclosure Required By Law

Please be aware that under certain circumstances personal information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders. In the event that we are legally compelled to disclose your personal information to a third party, we will notify you with the contact information you have provided to us in advance unless doing so would violate the law or a court order.
We have no reason to be concerned today. There are no legal repercussions to carrying a gene. . . today. Then again, the government did not have access to your library records before the Patriot Act. My concern is in the things I can't imagine today. I am not so worried about a Fantastic Voyage scenario where my gene would be the one to save the president and I am picked off the street to be sacrificed to save the life of another more important person - even though the thought of how many people are more important is mind-boggling. I am not even concerned about a possibly more realistic Minority Report scenario. My concerns lie in the yet to be determined questions of ethics and responsibilities arising from our increased knowledge of genetics.

What if one of your genes carries a 100% certainty of passing on a 100% terminal disease to your children? What if a gene creates the risk of an aerosol transmission of a carcinogen? What if you are the sole source of a gene which could wipe out AIDS? What if you are named as a party in a paternity action? What if an adoptive child wants to find their birth parent? When will there be an ethical obligation to disclose personal information and when will there be a legal obligation? There are a ton more I can't think about, but as we learn more about the human genome, more possibilities of good and bad will emerge. It will create a field day for attorneys and medical ethicists and more years of debate. You think stem cells are controversial, wait for this. But it will also create an entirely new set of rules, laws and regulations. As we learned from the DMCA, the first implementation of regulation of new technology is not always the best. During this learning phase, whose privacy will be compromised?

The warning in the privacy statement cautions against sharing the data, but it does not address the permanence of your shielded data. As people learned from Facebook and Myspace profiles, the information posted on the web is among the easiest in history to create, but part of one of the most permanent records in history. They think about sharing with their friends. They rarely think about the privacy they forfeit. Do you really think the teenagers flashing their parts on Myspace know they are sharing it with the world forever? Well, maybe they do. When I do a Google search on my name, I find a post I put in an Apple Newton forum 10 years ago. 23andme is no different. According to their privacy policy, they are more like the Hotel California than a white board.
When deleting an account, we remove from our systems all Genetic and Phenotypic Information that can be associated with your Account Information. As stated in our Consent Form, however, Genetic Information and/or Phenotypic Information you have provided for research prior to your request for deletion will not be removed from ongoing or completed studies that are using the information. Neither Account Information nor a link to your account are used in 23andMe-authorized research. In addition, we retain limited Account Information related to your order history (e.g., name, contact, and transaction data) for accounting and compliance purposes.
If the law changes and you are no longer comfortable being on the grid, you cannot remove your data. When the company is required to disclose the identity of carriers of a gene associated with predisposition to spit on the sidewalk, someone may come knocking on your door.

I am excited by the prospect of building the Library of Human Alexandria in our lifetime. As a cancer survivor I probably have some defective genes, possibly of interest. The ones I don't know about are the troubling ones. As much as I may want to know what I am carrying, I am too scared today to contribute.




4 comments:

Anonymous said...

So use a public library or college computer, pay for the service using a prepaid credit card bought with cash, and use a fake name. Break those tenuous links, and all they've got is your genome...not you.

Anonymous said...

PATRIOT act - can't open a prepaid credit card account without ID.

Anonymous said...

Go to a Walgreens and get a Visa gift card then.

Anonymous said...

lol data on the card will trace it to where it was bought and security camera will show you buying it... skynet