Skip to content
Link copied to clipboard

Worried about Facebook privacy? Don't forget ancestry sites share your info, too | Opinion

After sequencing the DNA samples, genetic testing firms often sell or share the genetic information to third parties.

Amy Junod Placentra / Staff

Facebook recently informed 87 million users that Cambridge Analytica, a political consulting firm, harvested their confidential information, using it to create targeted ads that may have influenced the outcome of the 2016 presidential election.

Many users were shocked to learn that Cambridge had access to their data. They thought only Facebook could view the information. Naïve? Perhaps.

Now, Congress is demanding reforms from Facebook and other social-media sites. Our lawmakers want social networks to simplify privacy terms and conditions.

That way, when we check "I accept," we'll better understand the risks of sharing personal information with social-media platforms and their numerous commercial clients.

>> Read more: An ancestry test taught me about myself, but can it get my kid a free education?

But Facebook isn't the only firm that puts users' privacy at risk. Some genetic testing companies like Invitae, 23andMe, and AncestryDNA do too — and the consequences of irresponsibly sharing DNA data are far more serious than a social-media data breach.

Lawmakers and regulators ought to demand these genetic-testing companies clearly inform consumers whether, and how, their data will be shared.

Every year, millions of people undergo genetic testing to help predict health problems or just discover their heritage. Doctors send patients' blood or saliva samples to lab testing companies like Invitae. Millions of people have bought DNA testing kits from companies like 23andMe and AncestryDNA and submitted their samples through the mail.

After sequencing the DNA samples, genetic-testing firms often sell or share the genetic information to third parties. Many testing companies have inked multimillion-dollar contracts with pharmaceutical companies. For instance, 23andMe agreed to share its data with the biopharmaceutical firm Genentech in exchange for as much as $60 million.

>> Read more: Regulating Facebook might not be the best response to Zuckerberg's missteps | Opinion

Testing firms seek users' permission to share the data. But they gloss over the risks.  As a result, consumers sign away their rights with little comprehension of the privacy violations and discrimination that could ensue.

Take Invitae. Its privacy policy states that it may use patients' "de-identified" data for "general research purposes," which may include "research collaborations with third parties" or "commercial collaborations with private companies."

The problem is that the data aren't permanently "de-identified." The information can easily be tied back to specific people.

Just ask Harvard Medical School professor Latanya Sweeney. She recently identified the names of more than 40 percent of participants in a supposedly anonymous DNA study.  Sweeney cross-referenced participants' provided zip codes, birthdays, and genders with public records like voter rolls. She then was able to match people up to their DNA.

Your DNA contains a wealth of sensitive medical information. Imagine what employers might do if they got access to people's DNA. They easily could exploit this information to discriminate against prospective hires.

Say an employer discovers that a job applicant has a genetic mutation that's likely to lead to breast cancer. The employer might be tempted to not hire the candidate to avoid huge health-care costs. If you're worried about someone stealing your Social Security number, imagine identity theft on the genetic level.
Genetic privacy is a human right. To protect consumers from such abuses, the U.S. government should increase regulation of genetic-testing companies to protect people.

>> Read more: When a DNA test unites family members, not everyone is happy about it

European policymakers have already done so. In late May, the European Union's online privacy legislation — known as the General Data Protection Regulation — will go into effect. Among other provisions, the new law will require genetic testing companies to delete personal information if users request it.
Some DNA testing companies aren't waiting for regulators to act. They're already voluntarily promising to not share any genetic samples, leaving the important privacy decisions in patients' hands, where they belong.

Social-media platforms like Facebook are failing to secure users' personal information. Most genetic-testing companies are failing too.

The consequences of such irresponsible data-sharing range from election meddling to employer discrimination. It's time for lawmakers and regulators to impose tougher consumer protections so that we don't have a Facebook-like crisis involving people's most sensitive genetic information.

Peter J. Pitts, a former FDA associate commissioner, is president of the Center for Medicine in the Public Interest.