Top Genetic Testing Firms Promise Not To Share Data Without Consent (washingtonpost.com)
Ancestry, 23andMe and several other top genetic testing companies pledged on Tuesday not to share users' DNA data with others without consent. "Under the new guidelines, the companies said they would obtain consumers' 'separate express consent' before turning over their individual genetic information to businesses and other third parties, including insurers," reports The Washington Post. "They also said they would disclose the number of law-enforcement requests they receive each year." From the report: The new commitments come roughly three months after local investigators used a DNA-comparison service to track down a man police believed to be the Golden State Killer, who allegedly raped and killed dozens of women in California in the 1970s and 1980s. Investigators identified the suspect using a decades-old DNA sample obtained from the crime scene, which they uploaded to GEDmatch, a crowdsourced database of roughly a million distinct DNA sets shared by volunteers. Investigators said they did not need a court order before using GEDmatch, sparking fresh fears that users' biological data might be too easy to access -- and could end up in the wrong hands -- without additional regulation on the fast-growing, already popular industry.
Hahaha! As though they are capable of stopping that. This data will all be stolen and sold.
We'll sell it, exchange it, barter it but we categorically deny we'll ever share it.
I always wanted to get one of these tests done. But sadly, I never will. They can't be trusted with this data. You are literally paying them to sell you.
I would love if they give me an option to have tests done in person. They do it all right there. And then they destroy their copy of data and DNA right in front of you. Yes, it would be 10-20-50-100x more expensive. If it were still in my budget, I'd still pay to get it done this way.
Ancestry, 23andMe and several other top genetic testing companies pledged on Tuesday TO STOP SHARING users' DNA data with others without consent.
Fixed that for you.
HA! I just wasted some of your bandwidth with a frivolous sig!
Cross my heart and hope we don't get caught.
Also, what's with the promises? Why isn't this a law?
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Promises are useless and there is no penalty when you break them.
What we need are laws banning these companies from selling out our genetic data. If they violate the laws then we can (1) take their sorry asses to the cleaners and (2) have them convicted for violating the law and have some of those CEOs go to jail.
Also, what's with the promises? Why isn't this a law?
That is the 100 million dollar question. We need fucking laws not promises.
Databrokers and companies like this rarely sell raw data. They feed the raw data into algorithms to generate thousands of scores. For example, Cambridge Analytica created a psychological profile based on raw Facebook data.
In the USA these scores are protected as a form of corporate free speech. "they are just opinions".
As long as the public debate doesn't distinguish between these two types of data, then companies will continue to be able to make claims like this which don't address the real issue. What we really need to know is: do they generate and sell derived data?
... or NSL, then they're totally honest except not and not even allowed to say so.
The USA always had poor privacy protections, but with the government actively subverting even corporate promises, you got fifty shades of lies.
New industry. Legal framework comes after need is established, not before.
I'm not sure that personal data storage is all that new now.
In a world where people in power consider themselves above the law, and issue legal immunity to their corporate henchmen, what would it take for the corporations to be too scared to betray their customers?
Funny how these sorts of services have not come under fire in family law and inheritance related dealings before. There is apparently no federal privacy framework to cover these cases, so the abuses continue in the future. That said, the identification of a subject is not an abuse any more than reading a newspaper to make the identification is, if the investigators did the parallel construction and gained actual evidence the normal way with warrants and such, in my opinion.
Also, what's with the promises? Why isn't this a law?
Why do you think Europe passed GDPR? I would assume the new similar California law would cover this too.
They pledged? How on Earth is this not already the law? How on Earth is this not already in their terms of service? Seriously, are these services only used by terminally naive people?
Under the new guidelines, the companies said they would obtain consumers "separate express consent" before turning over their individual genetic information to businesses and other third parties, including insurers, ...
And insurance companies will require this "separate express consent" in order to receive coverage in 3... 2... 1...
It must have been something you assimilated. . . .
Is that they "promise" this today, and when they find that selling this data is more profitable than being trustworthy, they will just forget that promise. Standard procedure. Just think of "don't be evil" by Google. That went pretty fast.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Not to mention the government can just order them to share it to track you down for a parking ticket any time they wish.
Good point. This data will be stolen, sold, and confiscated. Possibly not in that order.
Washington Post doing a bit of sensationalist journalism. Existing DNA testing companies have already been following these guidelines which are in their terms of service, and a large part of them indeed are the law, or their interpretation. The reporting on these companies is weird, because every existing practice and action is always reported as brand new, never happened before. Industry self-regulating is a good idea, but of course there's additional motivation for the companies to cast doubt on those companies not involved in the guidelines. In essence they're saying "Here's what WE have been doing, and what every competitor should do, too".
It would also be a pretty dumb move for them to break their promises in an industry where the whole business model is based on gaining people's trust.
Until one of them folds and the information gets bought by another company.
L'Idiot
That's... impressive.
... to believe that they are 100% honest, and not the voyeuristic hypocrites that everyone knows they are.
That's going to be done for them right after the data leak.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
After literally hundreds of data leaks and personal information having become a play toy for companies to be bought and sold with impunity, after Sugarhill had to testify in front of Congress to that effect (so they can't really say that they never ever noticed anything like this), WHAT THE FUCK more do you need to establish a need?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
In which case, yes our shareholders will certainly make us fucking do that.
WHAT THE FUCK more do you need to establish a need?
Maybe some actual damages. For all the Slashdot outrage about data breaches, it isn't really something that the public cares about, and very few consumer losses can be traced to the breaches. Your card data is more likely to be lifted by the waitress at a local restaurant.
I am a customer of 23andMe, and to be honest, I couldn't care less what they do with my data. I have a hard time imagining any negative consequence. If the NSA wants my DNA sequence, they could get it elsewhere anyway. Could an insurance company use it to deny me coverage? Unlikely, since that is illegal, and I don't have any genetic problems, so an insurance company is more likely to give me a discount.
So when there is another breach, Slashdot will throw a hissy fit, everyone else will yawn, and life will go on.
"WHAT THE FUCK more do you need to establish a need?"
Honestly? You need the extremely pro-business-anti-citizen trump administration out of office. Once that's done, talks can -begin-. (Any talks done prior to that are actually just talks to remove consumer rights in advance so permission doesn't even have to be requested.)
The problem is the conservation of DNA samples / user data. Why do they need to keep this in the first place?
Slashdot, fix the reply notifications... You won't get away with it...
Ask any credit card company whether there are damages every single time some credit card processor gets raided. Oh, wait, no, they won't tell you. Because that would tell people to stop using those cards, because the amount of credit card fraud due to cards stolen in data breaches is through the roof. Want proof? Just call your credit card company and dispute some purchases. They don't even investigate anymore. They just refund you, have you sign a shut-up paper and issue a new card.
I don't know about your country and waitresses there, and maybe if you paid them a decent salary they wouldn't be tempted, but I know that my chance to see my card being used in Generistan to buy shit that cannot be tracked is heaps higher than seeing it used to buy shoes of an internet platform.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Businesses are among those that suffer the most from things like credit card fraud. Because who do you think foots the bill? The customer gets his money back and credit card issuers don't pay for fraudulent card use.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Now why do I get the feeling that the only new restrictions on using DNA databanks like these are going to be on law enforcement trying to solve cold cases like that of the golden state killer while private actors like insurance companies will be completely free to use that data to increase costs for people with genetic conditions that can cause serious health problems or just deny them coverage altogether?
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
But not the curator when he will need to find some money to bail the company.
when a company gets sold your data may be sold too
Trust? Are you kidding me... there simply aren't other services than these select few.. competition isn't about trust at all...
also considering how many hacks etc. happen...
I personally resorted to a third party as payer for my test so they never even have a chance to track my DNA sample to me through payment data...
Also, in the country where I live (not murica), DNA data, if taken in public healthcare, is databased and distributed for scientific inquiry, and as a citizen you have zero access or say in this matter... which in turn is kinda interesting because it's against EU laws
Hahaha! As though they are capable of stopping that. This data will all be stolen and sold.
No data has ever been "hacked," "stolen," or otherwise removed unintentionally from a data miner. "Hacked" and "stolen" are just ways of saying "we sold it and didn't want our stock price to fall."
Time.
Do you also think that there was no need for laws and regulations related to driving motorized vehicles because drawn carriages weren't new?
>"Also, what's with the promises? Why isn't this a law?"
And with something this important and "final", what difference will a law make, anyway because... promise or no, law or no, the government will get their hands on all the data whenever they want, with or without warrants, above or under the table. That is what happens when the government is way too huge, everyone is a "potential terrorist", and safety is more important than freedom.
Right, your refusal to give consent means nothing when the government can get rubber stamped warrants or a senior FBI official can just issue a national security letter.
The only consent refusal that works is don't give them your DNA in the first place.
This is fine today since they all got slammed. Once the attention of the public is on something else, all this "goodness" will vanish in fine print.
There is no substantial penalties for ignoring all these good intentions. I remain very skeptical and will keep my DNA to me.
Because you kept signing EULAs and their agreements. Everyone did it to themselves. People are stupid. When I mean stupid, incredibly stupid. Remember, give us your sick, your poor (aka really fucking stupid).
I mean, why would we do something extremely lucrative, or that governments strong-arm us into doing?
I don't think that's what the post above was implying; I think they're just pointing out that after this much time has passed, the lawmakers are quite late in regulating this industry and should hurry their asses up.
How bureaucratic can a country be if even the effin' EU where more than a dozen countries have to get to an agreement could get a law addressing this issue done by now?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If you don't have verifiable accountability, then promises don't mean shit anymore.
I don't know where we went wrong, exactly... because I remember when corporate promises used to count for something.
File under 'M' for 'Manic ranting'
All DNA testing or collecting companies should be covered under HIPAA privacy requirements. Problem solved.
From the GEDmatch website, "You will need to upload DNA and / or genealogical (GEDCOM) data to make use of the tools here." So the data is provided to GEDmatch for free via crowdsourcing but to use the data you must first upload your own DNA sample. What a pathetic company.
It's illegal to deny you coverage, sure, but it's not illegal for them to charge you an insanely high premium, "just in case".
Insurance companies are the last corporations on Earth that are allowed to openly discriminate on basis of gender, age, colour, place of residence, medical history, genetics and all sorts of other factors. Compare the rates for a 21-year-old male driver's insurance to the rates of a 21-year-old female.
You: "Why does it cost more for the male drivers?"
Insurance: "Men are more aggressive drivers, we need to charge them more."
You: "That's discrimination! That's stereotyping!"
Insurance: "Tough shit. You want insurance or not? You can always take the bus if you say no."
Also, can we finally stop helping them by using their propaganda word "sharing"? What they're doing is spying, tracking, recording, and finally, selling. The feel-good term "sharing" has no place whatsoever in the context of this business transaction.
Your card data is more likely to be lifted by the waitress at a local restaurant.
Blatantly false.
Why do you constantly lie?
Here comes the take it or leave it clause in the click-through in 5... 4... 3... 2... 1...
A wild clause appears:
"You agree that your data can be shared with whoever we want whenever we want"
Agree/disagree with the whole document.
Disagree? No service.
Nothing is changed or fixed, but A's are legally CYed.
A lot of people are (rightfully) laughing at this "pledge", but let's assume they're serious for a moment. I still have reservations about them getting "separate express consent." What do you want to bet that this "consent" will be buried on page 5 of a legalese document that nobody reads? Then, when questioned on it, they'll point to the customers "consenting" even if they didn't know they had.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
If a backup were to be left on a server in a closet with a label "do not power off", and found by some "hacker"?
It's quite simple. We have the laws already that should be making scenarios like this a death wish for companies. Why are they not enforced? Why is the data not seeded with bogus accounts?
And more important - There is _nothing_ they can do to prevent mass record searching by Government or LEO. With the number of groups being given access to _Police_ databases this is quite serious since there are no distinctions between serious crimes in progress and nosey browsing. CPIC (Canadian Police Information Center) is used by third-party security companies, for example.
New industry. Legal framework comes after need is established, not before.
It is already the law that insurance companies can't discriminate based on genetic information. I'm not sure why that was included in the "needs explicit permission" category. If I was an insurance company, I wouldn't want that information since it would be a liability to have it.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
It's like the banks, attempts to assuage public concerns by offering to "self police" to avoid legislation.
We all know how that worked out.
Besides, who needs consent when you can have a data breach.
Until this stuff is regulated as HIPAA medical information, which will dramatically increase the cost, this is a "no-fly zone" for me, and probably should be for you too. Self regulation doesn't cut it. LE requests should have a higher level of scrutiny.
I am a customer of 23andMe, and to be honest, I couldn't care less what they do with my data.
Apparently a lot of other people don't either. Many people will upload their results to GEDMatch which compares you with everyone else in their database to find relations. It's a lot different though when someone else gives your information away without your consent. Also, I'm a bit skeptical about the veracity of these tests. I had one done through Vitagene, and some of the things they have in my results don't square at all with reality. According to my genetic profile, I'm supposed to be gluten sensitive, which is not the case. I can eat a lot of bread/cereal/pasta without negative consequence.
Taking guns away from the 99% gives the 1% 100% of the power.
Yea, you don't need a warrant to view data people willingly made public.
I would never try smoked oysters.
I'll see your senator, and I'll raise you two judges.
For your reading pleasure.
Recognize and resist.
Cheap storage VM.
I am not a customer of 23andMe and yet I would want YOUR data to be protected even if you do not care. ...
First they come for your DNA., but
Don't fight for your country, if your country does not fight for you.
It will remain private, until we get a lot of people in the DB and it's worth a lot of money and they decide to change the policy.
It will remain private, until it isn't.
Right, your refusal to give consent means nothing when the government can get rubber stamped warrants or a senior FBI official can just issue a national security letter.
The only consent refusal that works is don't give them your DNA in the first place.
Well, in this country anyway, refusal to consent means guilty until proven innocent when it comes to LE. See DUI/DWI regs. Think there won't be creep? "Sir..this one refused consent. Great! Arrest them!"
It is the law, that they will definitely and absolutely break their promise, guaranteed, if their government tells them to. Promises or not, you don't say Fuck Off to a court order unless you are willing to lose everything that you care about.
"Believe me!" -- Donald Trump
All my genetic information belongs to me; it's my intellectual property, and using it in any way other than for my own medical treatment is a violation of that, and any organization in control of my genetic material agrees to pay me 10 Million U.S. dollars per incident if they fail to restrict it.
Free for law enforcement to use now given past and existing testing results?
Based on any DNA found in the USA and any of the free sites that law enforcement can open with collected data sets?
Did enough people send in to the other genealogy database sites to give anyone in the USA a partial match based on existing open data sets?
Domestic spying is now "Benign Information Gathering"
As long as they've PROMISED not to do it, I guess we're good then, yes?
-Styopa
Once the testing is done, and the results sent out, all data should be deleted. There should be nothing to share in the first place.
Prove anything by multiplying Huge Number times Tiny Number
A number of these genetic testing firms are specifically in the business of tracking ancestry. And their customers are interested in discovering lost relatives and other similar links. They will consent without problems. Because this is the service they are buying. Medical testing: That's a different issue and probably falls under HIPAA rules.
The problem in the case of the Golden State killer is that the police used DNA testing to identify a relative of his. And then did additional work to identify him, given the shortened list of suspects. I don't know how one would go about protecting their privacy if it involves links to relatives who happily give up theirs.
Have gnu, will travel.
Yup, let me jump on my Alexa (which hopefully hasn't emailed last night's spat with my wife to all my contacts) and order one of their kits. After all, they wouldn't ever be bought by a health insurance company that would troll my genome for any genetic predisposition to illnesses and, now that Herr Trump is removing protections for people with pre-existing conditions, label said genetic code as a pre-existing condition.
No, never.
Oh, Alexa is emailing last night's heated debate to all my contacts. Better talk to my Android tablet to order one instead. Oops, that's sent video of last night's makeup sex to my coworkers. Better grab my other surveillance device -- my iPhone -- and ask Siri to get one instead. Oh crap, it just posted my purchase (and my genome) to facebook with global viewing privileges.
But hey, at least I know my ancestors came from North America and Europe, with a pretty little pie-chart to make me feel warm and fuzzy. What's that? My medical insurance has been cancelled and I'm now flagged as uninsurable, with half a dozen pre-existing conditions under the heading "genetic predisposition to X"? Well, golly, at least I know what percentage I am of English, French, German, Native American, and Italian, so it's all good!
Even if it was law today and strictly enforced it wouldn't matter.
Just like no one can check your credit/background/etc. without your explicit consent...and many employers require that consent in the pile of pre-hire forms you're required to sign.
Such a law would only work if it required your explicit consent AND explicitly barred any company, organization, person or entity from discriminating against you if you refuse to provide it. Until they completely bar companies (be it insurance or employment) from requiring this, it would be a law completely without teeth.
For now, it's just their current user agreement which is subject to change at a whim.
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
Insight: GDPR would likely cover this. As would a lot of the other PII laws in other countries that are getting closer to being fully aligned with GDPR. The U.S. isn't there just yet (Privacy Shield? Please...) but a new law in California is close and I hear Oklahoma is about to do something similar. It's only a matter of time before every country puts a strong law on the books protecting PII.
And make no mistake - the GDPR is no joke. The regulation body is self-funded from fines levied against violators. If you do ANY business with the E.U. or nations that have laws similar to GDPR, you need to comply. Failing to do so is VERY expensive.
Is GDPR a silver bullet that solves all the issues? No, but it's probably the best compromise between being able to do business and protecting PII for every individual.
My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
What a bunch of bullshit. All it'll take is a national security letter or just a plain old court order for that matter and they'll squeal in fear like little piggies and hand over their entire database, personally-identifiable information and all. You're nuts if you send your DNA in to any of these companies, if you do you may as well just cut out the middle-man and send it directly to the local LEOs, FBI and HLS, at least that way it'll cost you a little less in taxpayer money to have your privacy violated.
It took several decades before something as pervasive and as utilitarian as traffic controls were finalized into what is recognisable today. It has been less than a decade since this particular form of business has become viable.
How ignorant can a person be to think that large societal changes such as legislation will be enacted quickly when a rather small, but completely revolutionary field arises?
Seriously, consider how long it took for something as universally useful, and universally dangerous as motorized traffic to become legislated from its inception into a reasonable form.
This is a field that is utterly marginal, completely voluntary to participate in, and impacts almost no one in comparison, and the time it was viable is a tiny fraction of what it took to legislate a proper framework for motorized vehicles.
Or subpoenaed by law-enforcement. Which will help police even when the suspect is not the firm's customer, but merely a relative of one.
Of course, this prospect should not bother law-abiding members of a well-governed society...
In Soviet Washington the swamp drains you.
How is that in any way relevant to this particular discussion?
Insurance companies are the last corporations on Earth that are allowed to openly discriminate on basis of gender, age, colour, place of residence, medical history, genetics and all sorts of other factors.
Lots of companies discriminate based on age by giving discounts for children and seniors.
It wasn't small or revolutionary for the 28 countries in the EU?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
* Terms and conditions subject to change without notice. Continued use of our service, or failure to notify us in writing within 30 days of said change, will indicate your consent to these changes allowing us to do whatever the fuck we want with your data.
--- Keep the choice with the user..
It has been less than a decade since this particular form of business has become viable.
'Cept for the fact that you pulled "decade" completely out of your ass ... and apparently you did it in order to bolster a previous argument you made, which you also pulled completely out of your ass.
This is not communication. This is you being a dishonest fuck.
Because they are private companies, serving willing customers? And, at any rate, the law may not be too helpful to privacy — indeed, detrimental to it.
In Soviet Washington the swamp drains you.
If they Pinky Promise, I'm in. It's the only way to guarantee privacy.
They *are* capable of stopping the data from being leaked. Their business plan just needs to consist of:
(a) Receive biological sample from customer.
(b) Do genetic tests on sample.
(c) Send copy of test results to customer.
(d) Delete original test results.
Problems only arise when they skip part (d). (And why would they skip it, unless they planned to sell the results to third parties?)
If the penalty for breaking these pledges is jack-shit, then what is the pledge worth?
Thanks for that. I really wondered what substance these new policies could have, other than PR, since the main use of the data is by law enforcement, which can force a handover anyway.
So, really, they won't hand your info over to random third parties like (maybe insurance companies?) without your permission. That's of benefit, so your rates don't go up. But, as far as a sample from me goes. No thanks, I think I'll keep my DNA.
So why the fuck ARE you a customer of 23andMe?? So you can jerk off about being 10% Lithuanian??
Elaborate.
Your explanation that the US government has not taken control of this problem and issued a law that regulates the use and abuse of personal data was that it is a revolutionary field that requires longer time frames to be addressed. My response (or rather, response question) is that the EU has issued a legal guideline (effectively a law, but due to how the EU works it's to be implemented by the local governments, which did happen already, too) despite being comprised of 28 different nation states with diverging interests, a problem the US is not facing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
> Unlikely, since that is illegal, and I don't have any genetic problems
hahahahahahahahaha. You are cute. Do you want some candy?
btw, you are overweight. Your premium is now $4000/m. Pay or cancel?
That is more about the fact that Europe has countries that have a completely different understanding of what "privacy" even means, comparable to for example how homosexuals and blacks have completely different understanding what "civil rights" mean in US.
Same umbrella name, completely different understanding of issues. As a result, EU will always be far more stringent in regulating any potential violations of what they understand as privacy, to the point where to a US citizen, many of the issues regulated should not be regulated at all.
In this regard, your analogy is valid to an extent, but it stumbles on severe cultural differential, making it difficult to apply across the Atlantic. US traditionally tends towards liberty, which means that problems should manifest themselves in some notable way before liberty is curtailed by regulation. It's a cultural choice.
Ok, from that angle it makes sense.
It's a bit like "socialism" isn't a bad word around here. We do enjoy being protected from plummeting into the abyss, even if that means we have to pay more taxes.
Also something, taxes isn't considered a bad thing here either. Most people understand that that ain't money the treasury secretary eats for breakfast.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Not sure where "here" is, but here in the Nordics, "socialism" is considered a pretty bad thing. That's why it's only the fringe left parties that advocate for it, and no mainstream politician will touch it with a ten foot pole. Memory of how Eastern Europe ended up is fresh.
I am a customer of 23andMe, and to be honest, I couldn't care less what they do with my data. I have a hard time imagining any negative consequence.
That disinterest and lack of imagination is your cue to sit down and be quiet while grownups are talking.
Jesus christ, what is it with all the man-children jumping into every random conversation to man-splain their stupid irrelevant man-pinions about whatever. If you have nothing useful to add just wander off and play at something that does interest you instead.