Privacy Businesses

Top Genetic Testing Firms Promise Not To Share Data Without Consent (washingtonpost.com) 131

Ancestry, 23andMe and several other top genetic testing companies pledged on Tuesday not to share users' DNA data with others without consent. "Under the new guidelines, the companies said they would obtain consumers' 'separate express consent' before turning over their individual genetic information to businesses and other third parties, including insurers," reports The Washington Post. "They also said they would disclose the number of law-enforcement requests they receive each year."

From the report: The new commitments come roughly three months after local investigators used a DNA-comparison service to track down a man police believed to be the Golden State Killer, who allegedly raped and killed dozens of women in California in the 1970s and 1980s. Investigators identified the suspect using a decades-old DNA sample obtained from the crime scene, which they uploaded to GEDmatch, a crowdsourced database of roughly a million distinct DNA sets shared by volunteers. Investigators said they did not need a court order before using GEDmatch, sparking fresh fears that users' biological data might be too easy to access -- and could end up in the wrong hands -- without additional regulation on the fast-growing, already popular industry.
This discussion has been archived. No new comments can be posted.

  • by Narcocide ( 102829 ) on Thursday August 02, 2018 @02:10AM (#57054776) Homepage

    Hahaha! As though they are capable of stopping that. This data will all be stolen and sold.

    • by JaredOfEuropa ( 526365 ) on Thursday August 02, 2018 @02:31AM (#57054822) Journal
      Also, what's with the promises? Why isn't this a law?
      • by Luckyo ( 1726890 )

        New industry. Legal framework comes after need is established, not before.

        • by Opportunist ( 166417 ) on Thursday August 02, 2018 @04:26AM (#57055184)

          After literally hundreds of data leaks and personal information having become a play toy for companies to be bought and sold with impunity, after Sugarhill had to testify in front of Congress to that effect (so they can't really say that they never ever noticed anything like this), WHAT THE FUCK more do you need to establish a need?

          • by ShanghaiBill ( 739463 ) on Thursday August 02, 2018 @04:47AM (#57055214)

            WHAT THE FUCK more do you need to establish a need?

            Maybe some actual damages. For all the Slashdot outrage about data breaches, it isn't really something that the public cares about, and very few consumer losses can be traced to the breaches. Your card data is more likely to be lifted by the waitress at a local restaurant.

            I am a customer of 23andMe, and to be honest, I couldn't care less what they do with my data. I have a hard time imagining any negative consequence. If the NSA wants my DNA sequence, they could get it elsewhere anyway. Could an insurance company use it to deny me coverage? Unlikely, since that is illegal, and I don't have any genetic problems, so an insurance company is more likely to give me a discount.

            So when there is another breach, Slashdot will throw a hissy fit, everyone else will yawn, and life will go on.

            • by Opportunist ( 166417 ) on Thursday August 02, 2018 @05:13AM (#57055268)

              Ask any credit card company whether there are damages every single time some credit card processor gets raided. Oh, wait, no, they won't tell you. Because that would tell people to stop using those cards, because the amount of credit card fraud due to cards stolen in data breaches is through the roof. Want proof? Just call your credit card company and dispute some purchases. They don't even investigate anymore. They just refund you, have you sign a shut-up paper and issue a new card.

              I don't know about your country and waitresses there, and maybe if you paid them a decent salary they wouldn't be tempted, but I know that my chance to see my card being used in Generistan to buy shit that cannot be tracked is heaps higher than seeing it used to buy shoes off an internet platform.

            • Re: (Score:3, Interesting)

              by Anonymous Coward

              It's illegal to deny you coverage, sure, but it's not illegal for them to charge you an insanely high premium, "just in case".

              Insurance companies are the last corporations on Earth that are allowed to openly discriminate on basis of gender, age, colour, place of residence, medical history, genetics and all sorts of other factors. Compare the rates for a 21-year-old male driver's insurance to the rates of a 21-year-old female.

              You: "Why does it cost more for the male drivers?"
              Insurance: "Men are more aggre

            • I am a customer of 23andMe, and to be honest, I couldn't care less what they do with my data.

              Apparently a lot of other people don't either. Many people will upload their results to GEDMatch [gedmatch.com] which compares you with everyone else in their database to find relations. It's a lot different though when someone else gives your information away without your consent. Also, I'm a bit skeptical about the veracity of these tests. I had one done through Vitagene [vitagene.com], and some of the things they have in my results don't square at all with reality. According to my genetic profile, I'm supposed to be gluten sensitive,

            • by pnutjam ( 523990 )
              For your reading pleasure. [theauthoritarians.org]

              Recognize and resist.
            • Comment removed based on user account deletion
          • by Luckyo ( 1726890 )

            Time.

            • How bureaucratic can a country be if even the effin' EU where more than a dozen countries have to get to an agreement could get a law addressing this issue done by now?

              • by Luckyo ( 1726890 )

                How ignorant can a person be to think that large societal changes such as legislation will be enacted quickly when a rather small, but completely revolutionary field arises.

                Seriously, consider how long it took for something as universally useful, and universally dangerous as motorized traffic to become legislated from its inception into a reasonable form.

                This is a field that is utterly marginal, completely voluntary to participate in, and impacts almost no one in comparison, and time it was viable is a tiny

                • It wasn't small or revolutionary for the 28 countries in the EU?

                  • by Luckyo ( 1726890 )

                    Elaborate.

                    • Your explanation that the US government has not taken control of this problem and issued a law that regulates the use and abuse of personal data was that it is a revolutionary field that requires longer time frames to be addressed. My response (or rather, response question) is that the EU has issued a legal guideline (effectively a law, but due to how the EU works it's to be implemented by the local governments, which did happen already, too) despite being comprised of 28 different nation states with diverg

                    • by Luckyo ( 1726890 )

                      That is more about the fact that Europe has countries that have a completely different understanding of what "privacy" even means, comparable to for example how homosexuals and blacks have completely different understanding what "civil rights" mean in US.

                      Same umbrella name, completely different understanding of issues. As a result, EU will always be far more stringent in regulating any potential violations of what they understand as privacy, to the point where to a US citizen, many of the issues regulated s

                    • Ok, from that angle it makes sense.

                      It's a bit like "socialism" isn't a bad word around here. We do enjoy being protected from plummeting into the abyss, even if that means we have to pay more taxes.

                      Also something, taxes isn't considered a bad thing here either. Most people understand that that ain't money the treasury secretary eats for breakfast.

                    • by Luckyo ( 1726890 )

                      Not sure where "here" is, but here in the Nordics, "socialism" is considered a pretty bad thing. That's why it's only the fringe left parties that advocate for it, and no mainstream politician will touch it with a ten foot pole. Memory of how Eastern Europe ended up is fresh.

        • by dj245 ( 732906 )

          New industry. Legal framework comes after need is established, not before.

          It is already the law that insurance companies can't discriminate [wikipedia.org] based on genetic information. I'm not sure why that was included in the "needs explicit permission" category. If I were an insurance company, I wouldn't want that information since it would be a liability to have it.

      • by hlavac ( 914630 ) on Thursday August 02, 2018 @03:02AM (#57054926)

        In a world where people in power consider themselves above the law, and issue legal immunity to their corporate henchmen, what would it take for the corporations to be too scared to betray their customers?

      • by jaa101 ( 627731 ) on Thursday August 02, 2018 @03:05AM (#57054940)

        Also, what's with the promises? Why isn't this a law?

        Why do you think Europe passed GDPR? I would assume the new similar California law would cover this too.

      • by Donwulff ( 27374 )

        Washington Post doing a bit of sensationalist journalism. Existing DNA testing companies have already been following these guidelines which are in their terms of service, and large part of them indeed are the law, or their interpretation. The reporting on these companies is weird, because every existing practice and action is always reported as brand new, never happened before. Industry self-regulating is a good idea, but of course there's additional motivation for the companies to cast doubt on those compa

      • >"Also, what's with the promises? Why isn't this a law?"

        And with something this important and "final", what difference will a law make, anyway because... promise or no, law or no, the government will get their hands on all the data whenever they want, with or without warrants, above or under the table. That is what happens when the government is way too huge, everyone is a "potential terrorist", and safety is more important than freedom.

      • Also, what's with the promises? Why isn't this a law?

        It is the law, that they will definitely and absolutely break their promise, guaranteed, if their government tells them to. Promises or not, you don't say Fuck Off to a court order unless you are willing to lose everything that you care about.

      • by torkus ( 1133985 )

        Even if it was law today and strictly enforced it wouldn't matter.

        Just like no one can check your credit/background/etc. without your explicit consent...and many employers require that consent in the pile of pre-hire forms you're required to sign.

        Such a law would only work if it required your explicit consent AND explicitly barred any company, organization, person or entity from discriminating against you if you refuse to provide it. Until they completely bar companies (be it insurance or employment) from

      • by racermd ( 314140 )

        Insight: GDPR would likely cover this. As would a lot of the other PII laws in other countries that are getting closer to being fully aligned with GDPR. The U.S. isn't there just yet (Privacy Shield? Please...) but a new law in California is close and I hear Oklahoma is about to do something similar. It's only a matter of time before every country puts a strong law on the books protecting PII.

        And make no mistake - the GDPR is no joke. The regulation body is self-funded from fines levied against violato

      • by mi ( 197448 )

        Why isn't this a law?

        Because they are private companies, serving willing customers? And, at any rate, the law may not be too helpful to privacy — indeed, detrimental [apnews.com] to it.

    • by Jarwulf ( 530523 )
      Not to mention the government can just order them to share it to track you down for a parking ticket any time they wish.
    • The problem is the conservation of DNA samples / user data. Why do they need to keep this in the first place?
    • Hahaha! As though they are capable of stopping that. This data will all be stolen and sold.

      No data has ever been "hacked," "stolen," or otherwise removed unintentionally from a data miner. "Hacked" and "stolen" are just ways of saying "we sold it and didn't want our stock price to fall."

    • by mi ( 197448 )

      This data will all be stolen and sold.

      Or subpoenaed by law-enforcement [ajc.com]. Which will help police even when the suspect is not the firm's customer, but merely a relative of one.

      Of course, this prospect should not bother law-abiding members of a well-governed society...

  • Ancestry, 23andMe and several other top genetic testing companies pledged on Tuesday TO STOP SHARING users' DNA data with others without consent.

    Fixed that for you.
  • by Anonymous Coward

    Promises are useless and there is no penalty when you break them.
    What we need are laws banning these companies from selling out our genetic data. If they violate the laws then we can (1) take their sorry asses to the cleaners and (2) have them convicted for violating the law and have some of those CEO go to jail.

    • A better promise: "Any DNA received, any user data is to be trashed / burned as soon as the tests are done and sent to the requesting party".
  • by mrwireless ( 1056688 ) on Thursday August 02, 2018 @02:41AM (#57054854)
    Databrokers and companies like this rarely sell raw data. They feed the raw data into algorithms to generate thousands of scores. For example, Cambridge Analytica created a psychological profile based on raw Facebook data.

    In the USA these scores are protected as a form of corporate free speech. "they are just opinions".

    As long as the public debate doesn't distinguish between these two types of data, then companies will continue to be able to make claims like this which don't address the real issue. What we really need to know is: do they generate and sell derived data?
  • ... or NSL, then they're totally honest except not and not even allowed to say so.

    The USA always had poor privacy protections, but with the government actively subverting even corporate promises, you got fifty shades of lies.

    • by gweihir ( 88907 )

      Even worse. This "promise" will keep until they find it profitable to sell this data.

  • by k.a.f. ( 168896 ) on Thursday August 02, 2018 @03:16AM (#57054984)
    They pledged? How on Earth is this not already the law? How on Earth is this not already in their terms of service? Seriously, are these services only used by terminally naive people?
    • Seriously, are these services only used by terminally naive people?

      Pretty much yes.

      If you ever see a commercial, it is a woman standing there, going on about how surprised she was to find out that she is some small percentage native American or Slovakian, and how interesting that is. Narcissism, replete.

      This is not unlike those stupid Facebook adverts where a person goes to some web page, fills in a bunch of personal info, then Facebook shows up with a spot saying "Fred Fart is a gentleman of old, a great friend and a powerful enemy" or "If you can't handle Suzy at he

    • Google also knows MORE about you than any of these DNA companies, and their entire business model is built on selling your information to the highest bidder. Why is this any worse?

  • by fahrbot-bot ( 874524 ) on Thursday August 02, 2018 @03:24AM (#57055018)

    Under the new guidelines, the companies said they would obtain consumers "separate express consent" before turning over their individual genetic information to businesses and other third parties, including insurers, ...

    And insurance companies will require this "separate express consent" in order to receive coverage in 3... 2... 1...

  • Is that they "promise" this today, and when they find that selling this data is more profitable than being trustworthy, they will just forget that promise. Standard procedure. Just think of "don't be evil" by Google. That went pretty fast.

  • by ruddk ( 5153113 ) on Thursday August 02, 2018 @04:06AM (#57055146)

    Until one of them folds and the information gets bought by another company.

  • ... to believe that they are 100% honest, and not the voyeuristic hypocrites that everyone knows they are.

  • by Opportunist ( 166417 ) on Thursday August 02, 2018 @04:21AM (#57055180)

    That's going to be done for them right after the data leak.

  • In which case, yes our shareholders will certainly make us fucking do that.
  • Now why do I get the feeling that the only new restrictions on using DNA databanks like these are going to be on law enforcement trying to solve cold cases like that of the golden state killer while private actors like insurance companies will be completely free to use that data to increase costs for people with genetic conditions that can cause serious health problems or just deny them coverage altogether?
  • by Chatterton ( 228704 ) on Thursday August 02, 2018 @05:59AM (#57055380) Homepage

    But not the curator when he will need to find some money to bail the company
    when a company gets sold your data may be sold too [slashdot.org]

  • I mean, why would we do something extremely lucrative, or that governments strong-arm us into doing?
  • If you don't have verifiable accountability, then promises don't mean shit anymore.

    I don't know where we went wrong, exactly... because I remember when corporate promises used to count for something.

  • by samwichse ( 1056268 ) on Thursday August 02, 2018 @08:33AM (#57056010)

    Here comes the take it or leave it clause in the click-through in 5... 4... 3... 2... 1...

    A wild clause appears:
    "You agree that your data can be shared with whoever we want whenever we want"

    Agree/disagree with the whole document.

    Disagree? No service.

    Nothing is changed or fixed, but A's are legally CYed.

  • A lot of people are (rightfully) laughing at this "pledge", but let's assume they're serious for a moment. I still have reservations about them getting "separate express consent." What do you want to bet that this "consent" will be buried on page 5 of a legalese document that nobody reads? Then, when questioned on it, they'll point to the customers "consenting" even if they didn't know they had.

    • by pnutjam ( 523990 )
      I don't even really need your consent. How many of you have a stupid cousin? I know my brother dumped his DNA into one of these systems so he could...? Not sure why. Their data sets are risible when it comes to identifying your ethnic makeup, and I'm also uncertain why anyone really cares about that?
  • It's like the banks, attempts to assuage public concerns by offering to "self police" to avoid legislation.
    We all know how that worked out.
    Besides, who needs consent when you can have a data breach.

  • Until this stuff is regulated as HIPAA medical information, which will dramatically increase the cost, this is a "no-fly zone" for me, and probably should be for you too. Self regulation doesn't cut it. LE requests should have a higher level of scrutiny.
  • Free for law enforcement to use now given past and existing testing results?
    Based on any DNA found in the USA and any of the free sites that law enforcement can open with collected data sets?
    Did enough people send in to the other genealogy database sites to give anyone in the USA a partial match based on existing open data sets?
  • As long as they've PROMISED not to do it, I guess we're good then, yes?

  • Once the testing is done, and the results sent out, all data should be deleted. There should be nothing to share in the first place.

  • A number of these genetic testing firms are specifically in the business of tracking ancestry. And their customers are interested in discovering lost relatives and other similar links. They will consent without problems. Because this is the service they are buying. Medical testing: That's a different issue and probably falls under HIPAA rules.

    The problem in the case of the Golden State killer is that the police used DNA testing to identify a relative of his. And then did additional work to identify him, gi

    • by Nidi62 ( 1525137 )

      A number of these genetic testing firms are specifically in the business of tracking ancestry. And their customers are interested in discovering lost relatives and other similar links. They will consent without problems. Because this is the service they are buying. Medical testing: That's a different issue and probably falls under HIPAA rules.

      A lot of diseases have a genetic component that is tied with ancestry. Say, for example, you have some Ashkenazi Jew ancestry- that links you to a higher prevalence of certain diseases, for example Tay-Sachs. Some West African heritage- an increased chance of sickle cell trait. Insurance is about chance and managing risks: if they know more about your ancestry, they know more about your risks.

  • by Rick Schumann ( 4662797 ) on Thursday August 02, 2018 @10:48AM (#57056892) Journal
    What a bunch of bullshit. All it'll take is a national security letter or just a plain old court order for that matter and they'll squeal in fear like little piggies and hand over their entire database, personally-identifiable information and all. You're nuts if you send your DNA in to any of these companies, if you do you may as well just cut out the middle-man and send it directly to the local LEOs, FBI and HLS, at least that way it'll cost you a little less in taxpayer money to have your privacy violated.
  • * Terms and conditions subject to change without notice. Continued use of our service, or failure to notify us in writing within 30 days of said change, will indicate your consent to these changes allowing us to do whatever the fuck we want with your data.
  • If the penalty for breaking these pledges is jack-shit, then what is the pledge worth?
