Probing your DNA could trigger future privacy violations

Timothy Caulfield says he had "zero privacy concerns" when he spit into a test tube and mailed it off to 23andMe, a DNA genetic testing and analysis company, for a book he was writing in 2012.

But in the wake of the recent Facebook and Cambridge Analytica data scandal, the university professor is reconsidering the potential perils of voluntarily handing over his DNA to a private firm.

'With all the breaches that we've seen and with the sophisticated ways in which this information can now be used, I've got to admit my concern is starting to raise a little bit," said Caulfield, a law professor and Canada research chair in health law and policy at the University of Alberta.

"I'm becoming more concerned and I'm also becoming more hesitant to put my information out there."

- 'We are sorry': Facebook execs grilled by Canadian MPs

The number of customers purchasing direct-to-consumer genetic tests from the two biggest companies is now more than 15 million, according to the companies' websites. Caulfield is among a growing number of experts warning about the risks of giving up your genetic code to discover ancestry, health preconditions or athletic prowess.

The combination of genetic and personal information collected from social media can provide "a pretty comprehensive picture of an individual," Caulfield said in an interview with CBC News.

Both 23andMe and Ancestry, which bills itself at the largest for-profit genealogy company in the world, collect information from the profiles of customers who log into their site from other social media accounts, as stated in their privacy policies.

Can information be manipulated?

"Can that be manipulated for political reasons for marketing reasons for purposes of employment?" asked Caulfield. "There is some concern that using big data, using algorithms, we can find out an incredible amount, not just about who we are but our predispositions, our interests, our tendencies. And we are uncertain how that could play out."

Those kinds of concerns have lawmakers investigating in Canada, the United States and the United Kingdom after explosive allegations surfaced that Cambridge Analytica was improperly accessing the data of up to 87 million Facebook users, including more than 600,000 Canadians.

Whistleblower Christopher Wylie, who has since left Cambridge Analytica, said it obtained the information from a Russian-American named Aleksandr Kogan, who developed a Facebook quiz that allowed the collection of the data.

Kogan is expected to testify before a British House of Commons committee on Tuesday.

Facebook admitted public profile information was likely collected from most of its two billion users but has said it doesn't know by whom.

The revelation underscores a big question raised by privacy experts about the wisdom of giving up genetic information to a private organization: Who else might end up having access to it?

'A lot' can go wrong

"Well I think what we have seen over the last couple of weeks is that there's a lot that can potentially go wrong, frankly even if you have consented," said Jill Clayton, Alberta's privacy commissioner.

Combined with personal information shared on social media, the comprehensive profile "can be used for all kinds of malicious purposes including identity theft and fraud, hurt, humiliation and embarrassment, depending who might know this information about you," said Clayton.

In December, Clayton's office, along with her federal and B.C counterparts, issued a joint guideline advising consumers to find out just what they're consenting to, whether that be the collection of personal information on social media in addition to biological samples, ways the data will be used, who it will be shared with, and how long it will be kept.

She pointed out data requests have been made and used by law enforcement and acknowledged concerns that employers or insurance companies could require disclosure of test results that might result in discrimination.

To that end, the federal government passed the Genetic Non-Discrimination Act in May which makes mandatory testing or disclosure illegal.

But that doesn't eliminate the risk of potential breaches, and — unlike other personal information such as credit card numbers — genetic information is in a class all its own.

In email responses to CBC, Ancestry and 23andMe emphasized data won't be sold to third parties or used for research purposes without consent and can be destroyed upon request. Ancestry also said DNA data is not sold to insurers, employers, health providers or third-party marketers.

Security not guaranteed

Ancestry customers can, however, "opt in" to the Ancestry Human Diversity Project — a collaboration with Calico Life Sciences, Ustar Center for Genetic Discovery and The American Society of Human Genetics — for research in areas such as migration and disease therapy, Erlich said.

Similarly, 23andMe spokesperson Andy Kill said that company offers customers the option to participate in research "overseen by an independent third party to ensure ethical and legal measures are met" and data "is de-identified and aggregated to protect privacy."

But both companies acknowledge that, even with the best safeguards, security is never guaranteed.

"Data about you could become public as the result of a security breach," Ancestry warns in its consent form. "We cannot provide a 100 per cent guarantee that a breach will never happen."