Years ago, when I first heard about online DNA match services, my reaction was something to the effect of, “Stuff you put online lives forever, you no longer have control of it, so what happens when privacy breaches happen?”
The recent high-profile US case of the alleged Golden State Killer was one example of the off-label use of DNA matching services that’s captured the nation’s imagination.
While many people have a preconceived notion of DNA being unique, decisive, and absolutely airtight, the reality is a touch more humbling, as multiple news outlets and law enforcement officials have warned of the perils, error rates, and numbers of false positives involved in family matching. If anything, it reinforces a need to follow the usual rules of investigation: strive to be more thorough, and always tread carefully.
While this particular legal case has raised a lot of eyebrows, to me it seems to be more about the unmasking of a killer than the means by which the latest set of leads was generated. This isn’t a new technology, it’s been around for quite some time. Police have used these services before, but those instances haven’t grabbed headlines in the same way as the case of the Golden State Killer.
To the officers involved, I salute your creativity and perseverance. Hopefully, once justice has taken its course and the case has been tried, you’ll have been able to give some much-needed closure to the families of the victims.
But that’s not why I’m writing.
What’s problematic about the mainstreaming of genetic sequencing and the subsequent breakdown of taboos surrounding our most sensitive personal possession — the DNA code — is not the risk of false positives or accidental misidentification in a police investigation. It’s the line of opportunists who are eager to acquire that data and bend it to their will for all manner of commercial, insurance, medical, and other misuses as people relax their guard and invite more and more strangers to the party to play gatekeeper to this extremely sensitive information.
If you’ve ever been a victim of identity theft, or if you’ve ever had someone run up a bunch of unauthorized charges on your credit card, you already have a glimpse of how it feels.
Your bank can issue a new credit card number, but you don’t get a mulligan once your DNA code makes it into the wild.
It’s unlikely you’d ever truly be able to reassert control over your data once such a situation has developed — it’s already out there, you’ve given it away. The only way to stop it might have been taking steps to ensure it didn’t happen in the first place.
The only assurance that data won’t be lost, resold, or misused usually comes in the form of an electronic agreement, written by some faceless person thousands of miles away whose IT assets might or might not be adequately secured and encrypted, and whose corporation might or might not be designed with sufficient financial contingencies and legal safeguards to properly protect its user base in the event of some sort of major organizational failure.
When one’s chosen service winks out of existence further down the road — regardless of whether it’s a consequence of voluntary closure, owner retirement, bankruptcy, or corporate acquisition — the question then becomes, who gets to handle and retain that data? If you’re told it gets sequestered or destroyed, how can you confirm that was actually the case? Disposition of IT assets is notoriously inconsistent.
I’ve long felt I had my reasons for not getting on board with the genetic sequencing fad, but none of them come from a dislike of the technology. The problems that affect this unique set of services are entirely caused by people — in this case, the black-hat hackers and other opportunists circling the wagon, licking their chops as they see nothing more than an easily exploitable meal ticket.
On that last point, they aren’t wrong. Large databases have an annoying habit of springing leaks, sometimes with fanfare and other times without.
Are there any victims of the Adobe, Target, Equifax, or Wells Fargo scandals in tonight’s audience? (If you’re a US citizen, for example, there’s a strong chance that you’re in at least one of these groups and might not know it.)
Despite the majority of customers and businesses being reasonable, systems are incredibly complex and shit happens. Protecting yourself begins with yourself.
Most of us don’t expect something unfortunate will happen — we should.
Most of us don’t invest in contingency plans to guard against data theft or financial ruin — we should.
Most people don’t read the Terms of Service when they sign up with an Internet-based business or service.
Again, we should.
It’s your data and your choice. Take the gamble if you wish, but under no conditions should you be expected to walk into a situation without first getting a reasonable sense of the dangers or seeing what the big picture looks like.
Incorrect family matches are the least of your perils on the DNA sequencing road.
Be more thorough, and tread carefully.