A group of DNA collection, testing, and genealogy websites, 23andMe, Ancestry, Helix, MyHeritage, and Habit, has, in conjunction with an outfit called the Future of Privacy Forum, released a set of best practice guidelines for handling sensitive genetic and family data, under the title of Privacy Best Practices for Consumer Genetic Testing Services. (You can download the PDF of the actual guidelines here.)
Will it give consumers much protection?
The first problem is that this is a Fair Information Practice Principles (FIPPs) -based framework. Although FIPPs is not an ISO standard (it's an OECD code), it faces similar difficulties to the Common Criteria and the ISO 9000 quality frameworks. It allows you to document and design your specifications, and, if people don't read them properly, they may never realize that you aren't actually promising anything. (It is perfectly possible, as long as you fill out the forms and documents with the correct language, to have an ISO 9000 certified "standard" that essentially says, "We don't do anything about quality, and we don't care.")
Now FIPPs does talk about the old standard EU privacy directive issues (now subsumed in GDPR) of (1) transparency; (2) consent; (3) use and onward transfer; (4) access, integrity, retention, and deletion; (5) accountability; (6) security; and (7) privacy by design; with the addition of (8) consumer education. But the devil is always in the details. For example, consent says that you have to "[o]btain express consent for collection, analysis, sharing, or reporting of Genetic Data." But it also says, "excluding vendors and service providers." So, basically, they can sell it to anyone who is going to resell or rent it.
And, then again, you sign a consent form when you use these services. Have you actually read the form?
The guidelines themselves don't apply to "deidentified" data. However, it's been amply demonstrated that it doesn't take much to reidentify a lot of deidentified data.
What is to stop any government from giving subpoenas to the DNA companies in their country for when DNA evidence is found at a crime scene? Or from a government to set up a fake company to collect it's citizens DNA?
So the next raid will not be on a companies web site, but directed to physically perpetrate an attack on any facility, which holds DNA records on individuals. Which could then be planted for various purposes surreptitiously, and the victim would potentially have very little chance of being able to prove their evidence.
Sounds like a crime of the century - with the victim having very little chance of redeeming themselves at all, despite their claims of innocence.
So how could such facilities protect themselves from such attacks, or those from whom DNA had been collected for a given purpose. Given that the loser is the victim, who would be wrongly convicted for something they had never done. Almost as bad as Identity theft or worse.
Some victims would ultimately be driven to take very drastic measures in such cases.
Fake news with an additional potentially fatal twist.
I also came across this article from my Google alerts: Which adds to the very issue being discussed:
Or take it a step further, as a criminal I bring false evidence to the crime scene. I go to a convenience store, pick up some discarded cigarettes and liquor bottles and bring them to the crime scene. Before I leave I distribute the "evidence" around the crime scene and have the police chasing DNA ghosts.
So @Caute_cautim if you took a DNA test and then you or your heirs filed a claim, the insurer could ask if you have ever taken a DNA test and if so, were you aware of the risks that caused the claim? If you knew then they could deny the claim because you found out something you should have told them. It is indeed a very slippery slope.
However, it can lead to resolution of family history stories. I was always told my great-great grandmother was an American Indian (Cherokee). My aunt took a DNA test and it showed zero American Indian DNA. I guess there goes that story, OR the DNA companies are just sending out fake information. Think about it. Would you be able to prove that their results were wrong? I would love to do a test one day and send in a sample from the US and then travel to France or somewhere else and send in a sample under a different name and see if the results came back the same. But alas, my research dollars are pretty non-existent for this type of test.
My first response to these sorts of companies is to ask if they are competent. Or if their testing is complete. How many genetic "defects" are they testing for? Are they testing single genes, or combinations? Since we are only at the beginning of our exploration of our own genome, I definitely would not bet my life on companies that advertise on late night TV ...
Well if hackers are targeting our DNA - what next "faraday cages", privacy writs for individuals?