Still thinking about what to get Mom for Mother’s Day? A trendy idea is to give a gift membership to a genealogy website such as Ancestry.com or 23andMe.com, so she can learn more about her lineage.
However, cybersecurity expert Andy Green suggests that having Mom send a saliva swab to be entered into a DNA database isn’t the best idea – for her or her family.
According to Green, a lecturer of information security and assurance in Kennesaw State’s Coles College of Business, subscribers to genetic testing services have good intentions, such as learning more about their ancestors or trying to solve a family mystery. However, he cautions that submitting DNA to companies in a largely unregulated industry comes with ethical, legal, constitutional and privacy concerns.
“People are focused on wanting to know more about their family, but they don’t think about the larger implications,” he says.
The most significant of those ramifications is the potential for government overreach, says Green. He points to the revelation that the Federal Bureau of Investigation accessed Family Tree DNA’s database last year, without the company’s knowledge, to try to identify suspects in violent crimes. Family Tree DNA chose to cooperate with the FBI rather than fight the issue and, unbeknownst to its more than two million users, opened its database of genetic information to federal investigators.
It may be well-intentioned, but surveilling people for the potential ability to have evidence in the event a crime is committed is akin to state-sponsored surveillance of its citizens, and a potential violation of Fourth Amendment rights, Green says.
Another fundamental flaw, according to Green, is that genealogy testing companies are not subject to federal privacy laws. Nor do they have to comply with HIPAA guidelines that protect the privacy of patients’ medical records and other health information.
The ancestry websites make no secret that they sell data to pharmaceutical and health insurance companies, Green says. Though the websites say they anonymize that data, Green contends that someone’s identity still could be determined by cross-matching unique genomes in their DNA with DNA data from a source such as a medical record.
“So, what happens if a potential employer gets hold of your DNA data and finds through genetic markers that you’re likely to be sick in 15 years, that you’re likely to have cancer or Alzheimer’s, and makes a decision to employ or not employ based on that data?” Green says. “What if a health insurance company looks at your data and decides either to put you in the higher-risk pool or not to insure you at all – for something that hasn’t happened yet?”
The solution to these privacy and security concerns, Green says, is to build a technical, legal and policy framework to ensure that the DNA people submit is used expressly for the purposes stated by the genealogy websites.
“If we put the appropriate controls in place to ensure that my DNA data is used only for what you’re telling me it will be used for, I’m comfortable with that,” Green says. “Then it’s just a personal choice based on a single issue.”
In the meantime, instead of having Mom mail her saliva to a DNA database, take her out for a mouth-watering dinner. Flowers and a card aren’t bad ideas, either.