The popular ancestry-tracing company 23andMe may be up for sale, CEO Anne Wojcicki says, putting 15 million customers’ genetic data up for grabs. The acquisition will include the legal rights for the purchaser to do virtually anything with the data. The company recently paid out $30 million in a settlement over a data breach. Keith Hanson, a seasoned law enforcement agent and security specialist, talked to Ashley Bateman of Health Care News about the potential dangers of the sale and what people should know about the potential exposure to their DNA data.
Health Care News: 23andMe has been highly popular since it launched in 2006. Why did the company catch your attention in recent months?
Hanson: 23and Me first came on my radar when people were talking about it. I like to know the backstory of a service. People are sending in a lot of genetic information because it’s a novelty.
One of the founders of Google was married to one of the founders of 23andMe. That set off a red flag for me. Google is a search engine company that is seeking power, government power, and now wants access to people’s genetic information. That’s really concerning. Genetic information is not protected under [the Health Insurance Portability and Accountability Act].
Health Care News: Will there be any protections of this private data if the company is sold?
Hanson: I would imagine there is some degree of due diligence before a buyer would be allowed to have access to the database. Will it be based on ethical or legal standards? Internally, the company (the seller) may have a separate way to access information.
Health Care News: Would the company’s customers be notified about a sale?
Hanson: Based on the terms of a deal, the purchaser may want to know what the seller will tell its customers. A buyer is not acquiring the company because of the trademark and website, but [for] the data the company has aggregated. That’s what they’d monetize.
I imagine it would be a difficult, arduous process for customers to have their information removed.
Health Care News: How do these companies monetize this data?
Hanson: Insurance companies or underwriters, for example, pay them a fee that gives them a license and security key to access the database. The underwriters then take the genetic profile and predictive modeling to determine whether you have a higher risk of certain cancers, for example.
People think determining risk profiles cannot be done in health care because of privacy protections, but we do this already for car loans and car insurance. So, the information contained within 23andMe and Ancestry.com can be used to create a risk model for each individual based upon the very private information, an individual’s DNA.
Health Care News: Is this why online services such as social media are offered to customers for free?
Hanson: With every platform that is free or sold at discounted rates, the users are the commodity. The information the user is putting in is aggregated and sold. It’s more cost-effective to keep it free, to have more users.
Health Care News: Can genetic data, or data in general, be manipulated and weaponized against consumers?
Hanson: You’re giving a company that monetizes people’s data the most intimate data about you. That can be used with AI-based predictive modeling programs to determine which diseases you could get.
Conservatives were being accused of scaremongering, but with access to that information you have medical providers who could determine whether you are or are not a good candidate for the cost of a surgery, and this could be the basis for denial of insurance coverage. Part of the risk modeling in the underwriting process would be to conduct a screening.
Most people have a normalcy bias where [they believe] everything is fine. However, the company could be using the information illegally, for nefarious, immoral purposes, and it is legal because people sign user agreements and sign their rights away.
Health Care News: Wouldn’t the company have to comply with state and federal laws?
Hanson: On the surface, this is a voluntary transaction. The company isn’t obtaining the information immorally, illegally, or unethically. They are providing a legitimate service. The company is honoring the terms of the agreement.
But there is a lot of fine print in that agreement that customers don’t typically read. And unless you are an attorney, you would have a hard time understanding the terms in the fine print.
Health Care News: Why do people overlook data privacy concerns?
Hanson: I don’t think people understand that data and information are the single most valuable resource we have. I think people may have a basic understanding, but it’s too inconvenient to think through because it’s intangible. Data security and privacy are largely intangible in an online environment.
Not a day goes by without another data breach, but it’s largely intangible. That’s where the biases start coming in. Your data allows me to pretend that I’m you, steal things from you, and have a better understanding of what you do, so I can control you.
Consumer habits, lifestyle, whatever it might be, can be used in AI-based programs capable of manipulating human psychology. Data is being sold to analytics firms that utilize and rely upon artificial intelligence.
