Sarah A. Downey is an attorney, privacy analyst, and writer at Abine, an online privacy startup in Boston. Find her on Twitter @SarahADowney.
If you’re like me, the idea of knowing what’s in your genetic profile is both fascinating and scary. Want to learn about your ancestry? How about how likely you are to get Alzheimers or how fast your body processes caffeine? All of these clues are in your genes, and the company 23andMe can help you discover them.
It’s the stuff of science fiction, but it’s already here. That’s why I wanted to try out 23andMe as soon as I heard about it…but waited until I had the privacy tools to pull it off pseudonymously.
Let me explain why I didn’t want 23andMe to know who I was. First, there’s the obvious. I admit I care deeply about privacy, but even if you don’t, you have to admit there’s something unsettling about a massive company–and potentially the government–knowing your entire genetic code, especially if you don’t yet know what it contains.
You’ve probably caught at least some of the NSA news this summer. One big takeaway from the surveillance revelations is that private companies have to turn over customer information when the government asks. Customer information is whatever the company collects about you: emails, phone calls, and, yes, even your genetic code.
That’s why today’s prevailing big data business model (“let’s collect every byte of consumer data we can and figure out how to sell it later”) is fundamentally incompatible with privacy. And let’s not forget that Google, one of the biggest suppliers of data to the NSA and a PRISM company, is a lead investor in 23andMe. Note that some companies, like Wickr, DuckDuckGo, and Abine, (where I work) minimize that problem by either not collecting data at all, or encrypting data so it looks like nonsense to anyone looking at it without the password.
23andMe collects a whole lot of deeply personal information, the kind of stuff that not just marketers, but also insurers, doctors, potential dates, employers, and arch-nemeses would love to get their hands on. They have your entire genome (the sequence of nucleotides that make up your DNA), your browsing activity on their site, the information you provide when registering (like email and name), sex, date of birth, credit card number, the results of any health or behavior-related quizzes on their site (which can include disease conditions, ethnicity, and other health info), and more.
Not only do they collect a lot of personal information, but they share it in five broad situations, including with law enforcement (“Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities.”)
That’s right: if the NSA comes knocking at 23andMe and wants your genetic code, they’re getting it. There’s a privacy exception–an NIH Confidentiality Certificate–if you’ve opted to participate in 23andMe’s IRB-approved research, but it’s sort of a catch-22: either share your info with the private sector (23andMe and their affiliates) and get more privacy protection from the government, or don’t share your info with the private sector but get less protection from the government.
Even though they offer you during the signup process the chance let them destroy your saliva sample, the company still has the digital record of your genome.
Likewise, the company isn’t clear about whether you can ever delete your data from their servers. They say you can delete your account by emailing customer support, but also say that they’ll “preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary.”
They also say they’ll tell you if law enforcement asked for your sample — that is, unless they’re under a gag order, which we now know is pretty common for the NSA.
Let’s summarize: 23andMe has a ton of data about you and they share it in various cases.
Learn about you…without letting them learn about you
Now here’s my strategy for getting my results pseudonymously. Note that the company still gets my genetic code, but they don’t know it’s mine. It’s not tied to my name or other data that could be used to link it to me.
First, any time I went to 23andMe’s site, I used a few privacy tools, including a Virtual Private Network (VPN) service. I used Private Wifi, but there are lots of good options out there. This VPN service lets you choose the secure server through which to run your web traffic; I chose Virginia. That also makes my IP address appear as though I’m in Virginia, although I’m actually in Boston.
Then I opened a new Firefox window in Private Browsing mode while running DoNotTrackMe, a tracker-blocker, and MaskMe, an add-on that creates aliases of your contact and payment information, and went to 23andMe’s website (Full disclosure: My company Abine makes both of these tools).
I put a kit in my shopping cart and was asked to provide a name for it, so I gave a fake one. When filling out shipping information, I re-entered the same fake name and gave Abine’s address. I was able to do this because A), I actually work there and would get the package; and B), any virtual cards created in MaskMe automatically have Abine’s address as the card’s billing address.
I used MaskMe to create a new alias email address and auto-fill with my masked phone number. Both of these aliases forward to my real information, so I knew I’d still get email confirmations and phone calls.
For billing, I again gave my fake name and Abine’s address, then generated a “Masked Card” in the amount of the testing kit. Masked Cards are like virtual prepaid credit cards, so the merchant doesn’t get your real credit card number and your bank doesn’t see where you spent it. Also, most online merchants don’t check for a match on your name when you use a credit card; they only check for billing address, credit card number, CVV, and expiration date, so you can use pseudonyms when online shopping more often than you may have realized.
Using the alias email I’d just created and MaskMe’s password generator, I made a new 23andMe account. MaskMe stored and encrypted this automatically. Because I had a unique email address and password, no person or system can identify me by cross-referencing anywhere else I’d re-used the same information, which is what happens after hacks and data breaches and in big data marketing.
Once I checked out, I went to my real, personal inbox to complete the 23andMe registration by clicking the confirmation email, which was forwarded to me from the alias email address.
The 23andMe process
A few days later, I got my testing kit, essentially a box with a spit tube in it. I had to register it, so I fired up my privacy tools again, logged into my 23andme account, and registered the kit’s bar code. They asked whether I wanted my sample to be used anonymously for their research; I said no. They asked whether I wanted my sample destroyed after testing; I said yes. However, I know the digital record of my genome is different from my saliva sample, and they’ll still have that potentially forever.
After awkwardly filling up the tube with spit in the middle of the office, I sealed it back in the box and dropped the pre-paid shipping box into a mailbox. And then…I waited.
It took three weeks or so for my first batch of results to come in, which I was notified about through my alias email address. With my VPN + private browsing window + DNTMe + MaskMe combo, I went back to 23andMe and logged in.
You get two broad categories of results: health and ancestry. Health results include health risks, drug responses, traits, and inherited conditions. For example, you could find out that you carry the BMCA mutation that causes significantly higher rates of breast cancer (when Angelina Jolie found out, she opted for a double mastectomy), that you’re likelier than most to have Bipolar Disorder, or that you’re a carrier for Cystic Fibrosis. Here are some of my decreased risks:
More sensitive risks, like Alzheimer’s and Parkinson’s, require you to explicitly give your consent to view them by opting in and confirming. Some health providers and insurers have policies that require you to disclose what you know about your genetic health, so staying willfully ignorant is actually a tactic to avoid disclosing things to them. Plus you never know if future laws will be enacted that affect disclosure duties.
23andMe’s “traits” section is less serious than health conditions but still interesting. I learned that I’m built for sprinting (true–I was captain of my college track team) and that I have a “tendency to overeat” (Also true; if it’s in front of me, I will eat it, so don’t put it in front of me).
A week or so later, I got my second, and final, set of results, which dealt with my ancestry. Without providing your father’s sample, they can only analyze your mother’s side, on which I’m 100% Eastern European. They gave me a rundown of which countries they think I’m from. Apparently, I’m also 2.7% Neanderthal, which is average.
The end result of my experiment? I got to find out a lot of interesting things about myself in exchange for giving 23andMe my genome. Because they don’t know it belongs to me personally, it’s of little use to them or any secret agents who come looking for it — although nothing is guaranteed, of course.
Privacy has become something we have to work for rather than something we expect by default, but I’m willing to put in the effort like I did with 23andMe for the peace of mind.