The Washington Post

Can you trust Facebook with your genetic code?

We share everything on Facebook: our family photos, intimate thoughts, relationship woes.

Some of us even post our DNA.

Thousands of Americans are sharing results of genealogy tests on social media sites like Facebook, even posting their entire genome on GitHub and GenomesUnzipped.

But is it safe for patients to share DNA with a private company and then post test results on the Internet? That’s not so clear.

Genealogy companies like 23andMe that analyze your genetic data encourage this kind of sharing, and they say that it is safe. For just $99, you can send 23andMe a sample of your DNA, and it will send you a full report, replete with information about your health and ancestry, and give you options to share the data online and connect with people you might be distantly related to. It can also be used by prospective parents to determine the risk that their future offspring will inherit a genetic condition.

23andMe’s goal, according to its marketing materials, is to grow to one million customers by the end of the year. The company is compiling the world’s largest “genetic data resource,” its chief executive Anne Wojcicki recently said, to “address unanswered questions related to the contributions of genes, the environment, and your health.” Collecting your data and analyzing it en masse with others’ data is part of the company’s fundamental mission.

23andMe spokespeople and former employees I spoke with did not seem all that concerned about the possible privacy risks of sharing DNA data online.

“There are always risks, but people have to make their own decisions,” said 23andMe spokesperson Catherine Afarian in a phone interview. “People post all sorts of things without regard to consequences — it’s not an issue specific to genetics.”

Should you have the right to share genetic information?

23andMe’s basic premise, and its go-to response to privacy questions, is that people should have control over their own health data.

“It’s not entirely risk-free [to share test results on Facebook],” Afarian admitted. “But again, our mission is to give individuals choice over how their information is shared.”

But Dr. Dietrich Stephan, a human geneticist, and the founder of Silicon Valley Biosciences, is concerned that people aren’t making informed decisions. Stephan lists several “unforeseen consequences” of sharing genetic information on the Web.

“If you were malicious, you could deny people health insurance or life insurance,” he said.

But when you share your DNA online, it’s not just your own information you are sharing. Because you share many genes with members of your family, you are potentially sharing their information too.

Even if you buy the argument that everyone should have control over their data, how about your brother’s data? Or your future offspring’s?

Dr. Stephan has been embroiled in this debate for years. He started Navigenics in 2007, a 23andMe rival that was acquired by Life Technologies Corp in 2012 (the final sum for this acquisition was never disclosed, but sources tell me that Navigenics struggled with its revenues.)

“It’s one thing to post your DNA on Facebook,” said Missy Krasner, executive in residence at Morgenthaler Ventures, who formerly worked at Google Health (Google Ventures and Google Corporate are investors in 23andMe) and consults at Box. ”But you’re also invading the privacy of people you’re related to.”

Can 23andMe promote itself and keep your data secure?

23andMe describes itself as a genetics testing company, but arguably, it’s more of a citizen science effort. The company often repeats its goal to harness the “power of one million people” and provide a crowdsourced database for the purposes of breakthrough science and research.

For this somewhat utilitarian goal, 23andMe has become the master of marketing and self-promotion. To that end, the company recently recruited a new president, Andy Page, the former president of luxury online shopping site Gilt Groupe.

In the past five years or so, 23andMe has built integrations with Facebook and started advertising its service on various social media sites as well as broadcast TV networks.

In addition, the company actively encourages its customers to share test results on Facebook, which is a highly effective customer acquisition tool. The company has popular features like a tool to create a melody out of your DNA and an “ancestral composition” service. 23andMe claims it can tell you the percentage of your DNA from 22 worldwide populations. Many customers feel compelled to share that they’re part Jewish or mostly hail from Sub-Saharan Africa.

23andMe has not developed an easy way to share health risks, although it’s certainly possible, and many people do, as evidenced by many of the comments on a recent Marketwatch article titled “Would you share your DNA on Facebook?”

On top of all this, 23andMe has an open API to allow third-party developers to mine genetic data. Customers determine whether to grant developers access to the app that uses the API.

This is a strikingly open and social approach, which is somewhat surprising given that 23andMe is dealing with some of the most sensitive information any company can possess.

Privacy experts fear that 23andMe is not doing nearly enough to keep your data secure. One Silicon Valley geneticist I interviewed, who requested anonymity, quipped that sharing 23andMe results online is worse than sharing bank account information: Your financials will likely change, but your genes never will.

Policy analyst and attorney Sarah A. Downey argued a similar case in a recent  VentureBeat article. 23andMe’s data collection is akin to having a company “know your entire genetic code.” (Note that 23andMe is still in the exploratory phase when it comes to gene sequencing, and does not currently sequence your entire genome. More on that later.)

Downey has a point: 23andMe’s terms of service are hardly airtight. The company can give up your DNA if it receives a court order, and your data may be used for the purposes of research and development. Moreover, it is not clear what will happen to your genetic information in the event of an acquisition — as when rival Navigenics was scooped up by Life Technologies Corp.

“Even if they only let 50 people look at your DNA, you still don’t know who they are,” said George Church, genetics professor at the Harvard Medical School and a founder of the Personal Genome Project, in a recent interview.

Should you be paranoid?

23andMe’s Afarian admits that we’re still very early in our understanding of genetics, and the laws that protect consumers are still evolving.

In an in-depth interview, I asked her whether relatives are at risk when you share your genetic information. Afarian said it “depends on your family member,” as you might not inherit the same health risks as all your siblings.

It’s a reasonable response but doesn’t really work in practice. Imagine a scenario where it’s a close race between several qualified job candidates. An employer might conduct an Internet search on one of the recruits, discover that they have a high risk of getting Parkinson’s disease (or a close family member is), and make the decision to hire someone else. That recruiter or employer could cite any number of reasons for that decision.

That would be illegal. But that doesn’t mean it won’t happen.

In 2008, the Bush administration passed the Genetic Information Nondiscrimination Act (GINA), which protects employees with pre-existing health conditions from being discriminated against at work. In theory, if you have a high risk of contracting breast cancer or Parkinson’s disease and you share this information publicly, you shouldn’t be affected — in a perfect world.

“There is a vast difference between implementation and enforcement,” said Lauren Fifield, a senior health policy strategist at health IT startup Practice Fusion, and genetic discrimination is very difficult to prove.

Furthermore, 23andMe customers who choose to share ancestral composition risk race-related discrimination. Fifield cites another potential concern: “Romantic interests who opt against marriage and children” based on a potential mate’s genetic profile (although arguably, you might not want to marry someone who makes decisions that way anyway).

To make matters more complex, the U.S. is one of the few countries where laws exist at all to prevent genetic discrimination.

23andMe has long been aware of this potential issue but has not taken steps to educate and inform consumers. Instead, it downplays the potential effects.

Alex Khomenko, one of the first engineers at 23andMe, developed many of the Facebook integrations. He’s aware that customers may be discriminated against for sharing information from test results. “Like any form of discrimination, it will happen occasionally,” he said.

But he hasn’t heard about any negative consequences, such as genetic discrimination at work or insurance companies denying health insurance, based on their risk of disease.

“I am less concerned about this scenario in practice,” he said.

The race for the $100 genome

Copyright 2013, VentureBeat

Let’s run through the science behind genealogy tests like 23andMe, and the state of the market.

The market

23andMe does not sequence the entire genome, but it has not ruled it out in the future.

Some of the prevailing challenges with full-genome sequencing include storage, and making sure the data presented is “accurate and trustworthy.” The company completed a pilot in November of 2012 and continues to research the possibilities of full sequencing. A number of other biotech companies are following suitCNN rather dramatically calls it a “race for the $100 genome.”

What 23andMe sequences today is substantially less than the full genome. It partners with biotech giant Illumina to genotype about 900,000 locations in your genome — more accurately, SNPs (single nucleotide polymorphisms), the places where a single letter in the DNA sequence can differ from one person to the next. 900,000 may seem like a lot, but in reality, that sample is about 0.03 percent of the entire human genome.

This test is designed to be affordable for 23andMe and its customers and yet reveal significant information. Given that its test is so cheap, the company has nearly stamped out the U.S.-based competition in the direct-to-consumer genetic testing space.

And in the wake of a $50 million fundraise in December of 2012, 23andMe’s test dropped in price from $299 to $99. This move ensured the company would remain one of the few remaining operators in an infantile market.

In its eight year reign, 23andMe has raised gobs of cash — over $160 million — from various venture firms and global corporations, such as Google, Johnson & Johnson, and Genentech. Google cofounder Sergey Brin personally invested in the company in its early days and has served as a vocal supporter. (He is married to the company’s CEO Wojcicki, though they are currently separated.)

Brin is often cited as a test case in the press, as he discovered through 23andMe that he had an increased risk of Parkinson’s Disease. Brin would subsequently launch a genetics initiative to connect people with the disease and advance research and development.

The test

23andMe’s test results reveal the risk of contracting certain genetic conditions (relative to other test-takers), the likelihood that you’ll have an adverse reaction to certain pharmaceuticals, your ancestral information, and what percentage of your genes come from Neanderthals.

When you sign up for the service, 23andMe will send a DNA kit with a barcode. You can then register the barcode and create an account. Once you’ve sent in a vial of spit for analysis, you can opt in to the research program. Scientists can perform research using your de-identified data in aggregate, meaning that basic information like your name and location will be stripped from the database. Those findings are occasionally published in scientific journals.

The company claims its test can identify over 240 health conditions and traits. Your receive results in a report, which you can access online and via a mobile application.

Criticisms of the test 

Suppose you discover through a 23andMe test that you have a higher than average risk of male pattern baldness, or worse, Parkinson’s — what next?

23andMe’s brand of SNP technology has been critiqued by scientists for failing to provide actionable results.

New York University Langone Medical Center bioethicist Arthur Caplan explained it like this in an interview with  Forbes: “Say you test positive for a breast cancer disposition — then what are you going to do? The only preventative step you can take is to chop off your breasts.” Although, more women have been asking about preventative mastectomies in the wake of Angelina Jolie’s piece in the New York Times“My Medical Choice.” Doctors informed Jolie that she faced an 87 percent chance of contracting breast cancer.

Many customers are highly critical about their experience with 23andMe. A quick search on the Web, and you’ll find a vocal subset who say that the results are interesting, but that’s about it.

“I don’t know how to use my genetic data to make meaningful improvements to my lifestyle,” wrote Richard Macmanus, a former editor at technology news publication ReadWriteon his personal blog. 

Can DNA ever stay anonymous?

Given the lack of information you can act on, what’s the upside for consumers?

23andMe will tell you that we can all benefit from a database of genetic information. The company also stresses that the DNA data it shares can be stripped of any details about its owner, helping protect your privacy.

However, scientists are finding that DNA is not ever really anonymous.

In 2008, Stephan was involved with a study that showed DNA could be used to “reverse identify” individuals. The study from the Translational Genomics Research Institute found that owners of genetic data stored anonymously in a database can be identified — even if their DNA accounted for just 0.1 percent of a mixture of other people’s DNA.

“We showed that we could identify whether an individual or any of their extended family members were present in publicly available disease databases,” said Stephen.

In another study in January, researchers at the Massachusetts Institute of Technology were able to identify almost 50 individuals who anonymously submitted personal genetic data as participants in genomic studies. All that was needed? A computer, an Internet connection, and publicly accessible online resources.

In response to questions about these studies, Khomenko said that privacy concerns are “valid in theory” but aren’t all that threatening in practice. He claims the NSA never knocked on his door asking for data.

However, even 23andMe executives, past and present, are willing to admit that when it comes to genetics and privacy, we’re just at the beginning.

Show Comments
Most Read
DJIA -1.29%
NASDAQ -3.25%
Last Update: 02/07/2016(DJIA&NASDAQ)



Success! Check your inbox for details.

See all newsletters

Close video player
Now Playing

To keep reading, please enter your email address.

You’ll also receive from The Washington Post:
  • A free 6-week digital subscription
  • Our daily newsletter in your inbox

Please enter a valid email address

I have read and agree to the Terms of Service and Privacy Policy.

Please indicate agreement.

Thank you.

Check your inbox. We’ve sent an email explaining how to set up an account and activate your free digital subscription.