My Genes Don’t Fit Yours

by Kaberi Basu (L.L.M. 2019)

On April 24, 2018, a four-decade search for the Golden State killer came to rest. The use of genetic information to catch the suspect of a 40-year-old cold case, was welcomed with feelings of both relief and suspicion when the arrest finally provided closure to the relatives of the innumerable victims and the investigators. It pushed people to question privacy and ethical concerns attached to the procedure that was followed, as wells as concerns vis-à-vis the genetic information available with commercial institutions that could be used for criminal investigations.

Golden State Terror!

Beginning in 1976, Northern California’s East Bay area was terrorized by a violent streak of homicide, burglaries, and rapes that would last nearly a decade. The “Golden State Killer” committed as many as twelve homicides, 45 rapes and 120 burglaries in multiple counties from Sacramento to Orange County.

The FBI and local law enforcement agencies kept the search open until June 2016, when an award of $50,000 was offered for any information regarding the Golden State Killer. The perpetrator ransacked homes and took valuables. Neighborhood burglaries were often followed by clusters of sexual assaults.

With no reliable tips, no hits from criminal DNA databases, and no fingerprints found at the crime scene, police became frustrated with the case. Their research began with GEDmatch, a website that allows users to upload their genetic information and search a database of roughly 1 million profiles to identify biological relatives. A meticulously preserved evidence kit from a 1980 rape and murder, frozen, along with many other DNA samples that had previously been useless, was now a crucial piece of evidence. GEDmatch identified 10 to 20 distant relatives, whose lineages were traced back to the early 1800s to find an ancestor in common with the killer. Ancestry.com helped piece together 25 distinct family trees from one set of great-great-great-grandparents. Investigators scoured these trees for potential suspects, focusing on men who were roughly the same age as the killer and had connections to the Sacramento area. This led investigators to Joseph James DeAngelo, a former police officer living in Citrus Heights, a city less than 20 miles outside Sacramento. DeAngelo was put under surveillance, and  a discarded tissue found in DeAngelo’s garbage was collected and sent for matching.

Genetic Privacy

The 2018 closure of the Golden State Killer case brings up serious privacy related questions, many relating to for-profit genome testing companies like 23andMe and GEDmatch, which turn a profit by selling anonymized genetic data. One cannot help but wonder if sending genetic material to one of these companies amounts to relinquishing not just our own privacy, but the privacy of our relatives, as well.

Genetic privacy refers to an individual’s right to the protection of genetic information from involuntary disclosure. The emergence of genetic privacy in the past decade is an off-shoot of the development of genetic and information technology. Previously, information about hereditary traits was limited to what could, in principle, be known to others, such as individual and family health and obvious physical traits. However, recent rapid advances in sequencing technologies have made whole-genome sequencing faster and cheaper. The data sets are capable of linking 10,000 to 1 million human genome sequences and also enables identification of individuals with shared DNA sequences. It is now possible to work our way backwards from an unknown genetic data to the originator of the gene sample.

Genetic privacy is a limited application of information privacy. The different strata of informational privacy include limits on access to personal information: confidentiality, anonymity and secrecy. Confidentiality implies trust in private and in professional relationships between individuals. Anonymity refers to a state of blocked or restricted access to information that identifies persons. Secrecy implies having control over the disclosure of information, it entails an aspect of intentional concealment and can also be deliberately used to the detriment of others.

Issues

The Golden state killer’s investigation has raised other questions, as well. GEDmatch’s privacy policy informs users that broad consent for the further use of their data is granted every time someone uses the service. Conversely, 23andMe provides a form of open consent in which users can limit the scope of consent given for storage and use of their data.

Despite the prospects of reviving cold cases, the lack of third party consent is troublesome. The suspect in this case did not consent for his genetic information to be made available. Instead, a distant relative’s information was used to establish a connection to the accused. There was no consent taken from the accused himself. Moreover, the accused’s consent was never taken for the final match. Instead, a DNA sample was surreptitiously collected from the door handle of a car DeAngelo had been driving, and the tissue found in his garbage would ultimately match the suspect profile.

A second cause of concern is the security of these data sets. 23andMe’s privacy policy emphasizes that personally identifiable information is encrypted and stripped of any genetic data. However, the fact that they profit in part from selling this anonymized genomic data cannot be ignored. The concern is related to the storage of the data itself, and the susceptibility of the stored data to cyber-attacks, hacking, and even insider trading, as health information extracted from genetic data can be of extreme importance to the pharmaceutical and insurance industries.

23andMe has covered its tracks with regards to the Federal Trade Commission’s requirements. However, the loss of data affects its users immensely, as issues range from users being discriminated based on genetic information for insurance protections to social stigma because of discrimination by employers. In many cases, individual users do not have enough standing to take down a company for their data breach, unless a ‘substantial injury’ is shown. Even for the FTC to be able to take a stand under either the ‘unfairness theory’ or the ‘deception theory’, the presence of elements like “substantial injury” and “unavoidability,” which in many cases are difficult to prove, is required.

Biomedical research labs conducting DNA research are subject to rigorous compliance standards, requiring full consent by individuals, permission from multiple committees, and extremely secure data storage procedures. These rigorous standards are not likely the same as those with which commercial companies are required to comply. For pharmaceutical companies, even a set of unidentified genetic data could be useful. If a large pharmaceutical company that controls a large data set of genetic information decides to tailor their research, it could very well chill innovation and medical research. A tailored research on the basis of medical illness on the rise, evident from a large data, would be profit incentivised. Research work would be lucrative in a certain area and other areas would be left uncared for because of lack of funding and interest amongst the Pharma industry. The Genetic Information Non-discrimination Act currently prohibits the insurance companies and employers from any sorts of discrimination based on genetic information.

Genetic information is personally identifiable, especially in the case where a genetic material is taken off a used tissue or cup and compared against a data set. Companies like 23andMe are diligent to make the data stored unidentifiable, though using the database to an already identified genetic information is still possible and a privacy concern.

Conclusion

To address these issues, an initial measure could be alerting the public about the risks of genetic data privacy, which would require informing consumers that it is not possible to fully guarantee that their data privacy will not be breached. Additionally, an open consent mechanism similar to that  23andMe employs is a good start. The choice of withdrawing our data at any point of time is pivotal to trust establishment. It is important to remember the human factor in the equation. Human imperfections remain a cause of concern in the data storage discussion. That insider trading is a possibility for data breach should not be ignored. And, finally, a detailed analysis of the risks of genetic privacy, along with regulatory updating, is required. It will be necessary to revisit concepts like consent and third-party consent, considering the present technological advancement of genetic information.

Katie Burkhart