When you get your DNA scanned is your genetic privacy safe?
23andme is just one of a number of groups that in recent years have been selling a new kind of service — genome scanning. They sequence some — maybe all — of your DNA. And from that, they can tell you a little about your ancestry, and also whether you carry genes that put you at risk for disease.
But this isn't all about you. As more and more people get their genomes scanned, huge genetic databases can be assembled. And these become a fantastic resource for scientists both inside and outside these companies, to study.
More than 60 research papers have been published using genetic information garnered from the 23andMe database. This this kind of genetic data is exactly what scientists need to identify the genetic roots of complex diseases and disorders. But there are also concerns that these vast databases pose a significant risk to our privacy — and that we don't really understand what we're doing when we give private companies — or any organization — control of our genetic information.
The most recent study that was published using genetic data from 23andMe has to do with the genetic roots of cognitive empathy. Varun Warrier is a PhD candidate in the department of psychiatry at the University of Cambridge, as well as the lead author of that study. They had 23andMe ask their customers to perform the "Reading the Mind in the Eyes" test.
The test asks participants to look at a set of eyes and choose the correct mental state associated with what that person was feeling.
After testing close to 90,000 people, Mr. Warrier discovered a region on the third chromosome associated with cognitive empathy for women only. And thanks to 23andMe, it was the largest study of its kind — ever.
So these huge genetic databases are extremely valuable for researchers like Mr. Warrier. And they should be very useful for identifying the genetic roots of disease — from mental disorders like autism, schizophrenia and dementia, to things like heart disease, or even cancer.
But some researchers think you should know that there are privacy risks when you allow your genetic information to be used for research. Remember, we are talking about the very blueprint that makes you, YOU. While these organizations withhold your name when they use your genetic data, that may not be enough to protect you.
Dr. Knox Carey is at the forefront of trying to protect that data. He is the Vice President of Healthcare Initiatives at Intertrust Technologies, where he works in security and privacy for genetic data. He's also part of the Global Alliance for Genomics and Health where he chairs a task team in the Security Working Group.
This interview has been edited for length and clarity.
Bob McDonald: What are the privacy risks and even the kind of limited genetic information that scientists get from 23andMe, for example?
Dr. Knox Carey: Well, for example, there are papers where faces are reconstructed based on genomic data from, for example, 23andMe data sets that are eerily close to the actual person. They're better than police sketches. So there's a lot of inherently identifying information in your genome. And people should be aware of that when they decide to share it.
So there's a lot of inherently identifying information in your genome. And people should be aware of that when they decide to share it.- Dr. Knox Carey
BM: But why should I worry if somebody could see my face? I mean, people are putting their feet on Facebook all the time.
KC: That's absolutely true. I think the consideration should be that you know this is your potential your health data. People can look at that. There's the potential for discrimination. I listened to your segment on intelligence a couple of weeks ago and you know that's a very complex trait. If people knew some of those markers that pertain to your intelligence, you may be treated in one way versus another. So that's one aspect. Another potential danger is that, of course, genes run in families, and so revealing information about yourself necessarily reveals information about your family members who may or may not have consented to that information being public.
BM: Now we do have a law being passed here in Canada that's going to prevent genetic discrimination…
KC: Indeed. We have a similar law in the United States. They're sort of minimal in the sense that they cover overt discrimination. They don't cover things like social stigma and other things.
BM: Now 23andMe does make efforts to anonymize their data. Their website says, and I'm quoting here, they "use procedural, physical, and electronic security methods to protect customers information." So how much faith should customers have in that their data will be protected?
Revealing information about yourself necessarily reveals information about your family members who may or may not have consented to that information being public.- Dr. Knox Carey
KC: I think it's fair to have a reasonable degree of faith that companies like 23andMe are doing a decent job, but I think it's important though not to think that it's completely safe. Every little bit of information about you that is revealed can potentially be correlated with third-party data sources to start to chip away at your privacy. And it's important to recognize those dangers. I should say I'm sounding a bit alarmist here, but I believe that it's very important and part of our mission in the Global Alliance for Genomics and Health is to ensure that more data is shared. Part of the idea there is to ensure that data are protected and some of these privacy concerns are addressed to sort of enable more data sharing. So I would certainly encourage people to share data with researchers. It's just important that we go into it with eyes open.
BM: Are you concerned there's a possibility that someone could hack into their system?
KC: It's a danger and that makes re-identification of subjects in a particular dataset possible on an industrial scale. However, I think that's a less likely scenario.
BM: Now what about the possibility that someone decided to post some of their genetic results from these sites or studies they participated in on Facebook, for example?
KC: Right, so for example, if you posted on Facebook that you had a particular variant or a variant that was a marker for something that seemed to reflect well on you, such as your empathy or something along those lines, that's very interesting, but those may well be correlated with other diseases and other phenotypes such as anorexia. So publishing information about your genetic empathy score, so to speak, might actually be revealing about other things about you that you'd rather keep private.
I think it's fair to have a reasonable degree of faith that companies like 23andMe are doing a decent job, but I think it's important though not to think that it's completely safe.- Dr. Knox Carey
BM: 23andMe also says that even if you don't opt into these studies, and again I quote, "We may share anonymized and aggregate information with third parties." Now do you think there are privacy concerns there?
KC: I do. Anonymization and aggregation are, I would say, minimal steps that need to be taken to protect genomic data. With aggregation, there have been studies that have shown even in cohorts of up to 1000 people, it's possible to identify a single individual in that dataset. Everyone's genome is unique and it acts as a sort of fingerprint that lets you identify people, so if you can interrogate a dataset even if it's aggregated, you can say well, what about this? Is this particular variation in that dataset? And if it is a variation of that I know you have or I know you have a family history, I may be able to get more confidence that you were in the dataset. And every question I ask starts to pull out more and more information. So anonymization and aggregation are very important. The dangers are still there. And there's a lot of research on violating privacy despite aggregation and anonymization.
There have been studies that have shown even in cohorts of up to 1000 people, it's possible to identify a single individual in that dataset.- Dr. Knox Carey
BM: What do you think companies can do to up their security levels and protect genetic information?
KC: I think the most important thing that companies can do to protect genomic information is to take a conservative approach towards releasing the data and allow the subjects, the originators of the data, to have some control over exactly what's happening to the data. I'm not comfortable with the idea of my data being traded behind my back without my knowledge of what's happening to it and where it is. And I think that's a very commonly held sentiment.