FBI, US g-men tried to snatch DNA results from blood-testing biz. What a time to be alive

23andMe reveals four law enforcement requests

+Comment Not content with snooping on your emails, whereabouts and telephone calls, it appears the Feds now want your DNA results.

DNA testing company 23andMe says it has received four requests from law enforcement agencies for "user data" in the past quarter, all of them from the United States.

Those stats came in the first "transparency report" from the company on Wednesday. At the same time, it launched a new "personal genome service" (PGS) test that it says will provide you with 60 different data points covering "health, ancestry, wellness, and personal."

The transparency report is frustratingly vague. We asked the company how it defined the term "user data" and it told us: "Any personal information relating to one of our customers, including but not limited to name, email address, health, and genetic information."

It confirmed that this includes the results of the tests it carries out on your behalf. But we don't know exactly what was asked for, or under what justification.

Likewise, who is "law enforcement"? Does it include the FDA? The company told us: "We've received requests from both state and federal law enforcement organizations. Only two of the four requests were legally valid, one from the FBI and one from a state law enforcement agency."

So on at least one occasion the FBI has asked for specific details on an individual. We don't know for a fact it was their DNA tests, but since that is 23andMe's sole function, it's a fair bet.

Privacy

On the plus side, 23andMe refused to hand over the details requested – whatever they were. Under its privacy policy, it promises not to use user data without consent, unless: "(i) the information has been anonymized or aggregated so that you cannot reasonably be identified as an individual; or (ii) a legal obligation requires us to use it in some way, e.g., a court order requires us to disclose the information."

Of course, there is some irony in the company publishing the transparency report on the same day that it launched its new service. Suddenly the potential problem has grown much larger.

That new test comes after two years of work with the FDA, after the agency told 23andMe that it must "immediately discontinue marketing the PGS until such time as it receives FDA marketing authorization for the device."

The FDA was concerned about the danger of false positives or negatives giving patients misleading information about their risk of contracting serious diseases or conditions.

Even though 23andMe didn't hand over any data in this instance, it does put a spotlight on the fact that we are increasingly reliant on corporations to protect hyper-personal data.

And we have seen repeatedly in recent years the willingness of both corporations and law enforcement agencies to push the envelope, in their own interests, on what is acceptable or even legal.

It's worth noting that when the FDA undercut 23andMe's business by forcing it to take down its test, soon afterwards the company sold access to parts of its DNA database to pharmaceutical companies Genentech and Pfizer, with a cut on any new drugs developed as a result. It was a smart business move. But that business is people's most personal data, and the financial reward is already there in its commercial exploitation.

Security

Even if we assume that those with such data and those with the legal powers to force the handover of data will not abuse our trust, there is the issue of security and data storage. As we have seen time and time again, companies do not protect their data sufficiently, leaving them open to hackers.

When millions of credit card details are leaked, it is bad enough, but imagine what would happen if the details of millions of DNA tests are put online or sold on the dark web.

The FDA did its job in this case, as frustrating as it must have been for 23andMe. The FDA has ensured that medical tests are being carried out appropriately and with the necessary levels of care and attention. It is protecting the public for the public's own good.

But until we have a government agency with equivalent powers to force companies to maintain high data-security and privacy standards, the insertion of Silicon Valley-style disruption into our personal lives, albeit through innovative companies, is a disaster waiting to happen. ®




Biting the hand that feeds IT © 1998–2018