Quoth the Raven: “It’s a Match!”

Years ago, when I first heard about online DNA match ser­vices, my reac­tion was some­thing to the effect of, “Stuff you put online lives for­ev­er, you no longer have con­trol of it, so what hap­pens when pri­va­cy breach­es happen?”

 The recent high-pro­file US case of the alleged Gold­en State Killer was one exam­ple of the off-label use of DNA match­ing ser­vices that’s cap­tured the nation’s imagination.

While many peo­ple have a pre­con­ceived notion of DNA being unique, deci­sive, and absolute­ly air­tight, the real­i­ty is a touch more hum­bling, as mul­ti­ple news out­lets and law enforce­ment offi­cials have warned of the per­ils, error rates, and num­bers of false pos­i­tives involved in fam­i­ly match­ing. If any­thing, it rein­forces a need to fol­low the usu­al rules of inves­ti­ga­tion: strive to be more thor­ough, and always tread carefully.

While this par­tic­u­lar legal case has raised a lot of eye­brows, to me it seems to be more about the unmask­ing of a killer than the means by which the lat­est set of leads was gen­er­at­ed. This isn’t a new tech­nol­o­gy, it’s been around for quite some time. Police have used these ser­vices before, but those instances haven’t grabbed head­lines in the same way as the case of the Gold­en State Killer.

To the offi­cers involved, I salute your cre­ativ­i­ty and per­se­ver­ance. Hope­ful­ly, once jus­tice has tak­en its course and the case has been tried, you’ll have been able to give some much-need­ed clo­sure to the fam­i­lies of the victims.

But that’s not why I’m writing.

What’s prob­lem­at­ic about the main­stream­ing of genet­ic sequenc­ing and the sub­se­quent break­down of taboos sur­round­ing our most sen­si­tive per­son­al pos­ses­sion — the DNA code — is not the risk of false pos­i­tives or acci­den­tal misiden­ti­fi­ca­tion in a police inves­ti­ga­tion. It’s the line of oppor­tunists who are eager to acquire that data and bend it to their will for all man­ner of com­mer­cial, insur­ance, med­ical, and oth­er mis­us­es as peo­ple relax their guard and invite more and more strangers to the par­ty to play gate­keep­er to this extreme­ly sen­si­tive information.

If you’ve ever been a vic­tim of iden­ti­ty theft, or if you’ve ever had some­one run up a bunch of unau­tho­rized charges on your cred­it card, you already have a glimpse of how it feels.

Your bank can issue a new cred­it card num­ber, but you don’t get a mul­li­gan once your DNA code makes it into the wild.

It’s unlike­ly you’d ever tru­ly be able to reassert con­trol over your data once such a sit­u­a­tion has devel­oped — it’s already out there, you’ve giv­en it away. The only way to stop it might have been tak­ing steps to ensure it did­n’t hap­pen in the first place.

The only assur­ance that data won’t be lost, resold, or mis­used usu­al­ly comes in the form of an elec­tron­ic agree­ment, writ­ten by some face­less per­son thou­sands of miles away whose IT assets might or might not be ade­quate­ly secured and encrypt­ed, and whose cor­po­ra­tion might or might not be designed with suf­fi­cient finan­cial con­tin­gen­cies and legal safe­guards to prop­er­ly pro­tect its user base in the event of some sort of major orga­ni­za­tion­al failure.

When one’s cho­sen ser­vice winks out of exis­tence fur­ther down the road — regard­less of whether it’s a con­se­quence of vol­un­tary clo­sure, own­er retire­ment, bank­rupt­cy, or cor­po­rate acqui­si­tion — the ques­tion then becomes, who gets to han­dle and retain that data? If you’re told it gets sequestered or destroyed, how can you con­firm that was actu­al­ly the case? Dis­po­si­tion of IT assets is noto­ri­ous­ly incon­sis­tent.

I’ve long felt I had my rea­sons for not get­ting on board with the genet­ic sequenc­ing fad, but none of them come from a dis­like of the tech­nol­o­gy. The prob­lems that affect this unique set of ser­vices are entire­ly caused by peo­ple — in this case, the black-hat hack­ers and oth­er oppor­tunists cir­cling the wag­on, lick­ing their chops as they see noth­ing more than an eas­i­ly exploitable meal ticket.

On that last point, they aren’t wrong. Large data­bas­es have an annoy­ing habit of spring­ing leaks, some­times with fan­fare and oth­er times without.

Are there any vic­tims of the Adobe, Tar­get, Equifax, or Wells Far­go scan­dals in tonight’s audi­ence? (If you’re a US cit­i­zen, for exam­ple, there’s a strong chance that you’re in at least one of these groups and might not know it.)

Despite the major­i­ty of cus­tomers and busi­ness­es being rea­son­able, sys­tems are incred­i­bly com­plex and shit hap­pens. Pro­tect­ing your­self begins with yourself.

Most of us don’t expect some­thing unfor­tu­nate will hap­pen — we should.

Most of us don’t invest in con­tin­gency plans to guard against data theft or finan­cial ruin — we should.

Most peo­ple don’t read the Terms of Ser­vice when they sign up with an Inter­net-based busi­ness or service.

Again, we should.

It’s your data and your choice. Take the gam­ble if you wish, but under no con­di­tions should you be expect­ed to walk into a sit­u­a­tion with­out first get­ting a rea­son­able sense of the dan­gers or see­ing what the big pic­ture looks like.

Incor­rect fam­i­ly match­es are the least of your per­ils on the DNA sequenc­ing road.

Be more thor­ough, and tread carefully.

Comments are closed.