A recent bill proposed by Rep. David Livingston, R-Peoria, made headlines, as it would have required a vast number of Arizonans to give up their DNA to be put into a state database.
An amendment added to the bill yesterday in the Senate Transportation and Public Safety Committee limits its scope to apply only to rape kits, but major questions still remain, chief among them: Is genetic information truly safe, even in the hands of a government agency that promises to anonymize the data?
The answer, like our DNA, is complicated.
First, we have to go back to 2013 and talk about a young computational biologist named Yaniv Erlich.
Erlich and others discovered that they could identify people in anonymized DNA data given to them merely by using the internet.
They used databases and research tools that are open and free to the public to identify people in the data they were given.
After they released their findings, lawmakers responded by passing legislation that restricted access to that type of data. Previously, it could be accessed by a large variety of entities.
The issue was resolved and everyone felt safer. Or so it seemed.
With the advent of companies like 23andMe popularizing genetic testing and many websites allowing people to connect their DNA test results to large ancestry databases, there has never been more information so readily available to be used and misused.
But it’s all safer now, right?
Erlich posted yet another study late last year that used online ancestry databases like Ancestry.com to identify people – even ones who had not given up their genetic information.
“Using genomic data of 1.28 million individuals tested with consumer genomics, we investigated the power of this technique,” the report reads. “We project that about 60 percent of the searches for individuals of European descent will result in a third-cousin or closer match, which theoretically allows their identification using demographic identifiers.”
In essence, the report says that if you are of European descent (approximately 72 percent of the US population in 2010), your genetic information can likely be found because so many people are already in the existing databases.
That third-cousin level of relation was all the police needed to catch the Golden State Killer last year.
Erlich and his team of researchers took the genetic information of an anonymous woman who was part of the 1000 Genomes Project and uploaded her genetic profile to an online resource. After only an hour of public records searching, they were able to track down the woman and her husband.
Livingston’s bill was the product of a Colorado-based genetics company. The company, ANDE, does rapid genetic testing, something that the bill emphasizes would be used.
ANDE spokeswoman Annette Mattern told Arizona Mirror that security concerns around genealogical companies are justified and expressed her own concerns over how that data is being used. However, Mattern said that the type of genetic information obtained from the testing her company’s equipment performs is not as easily manipulated.
Instead of getting a full genetic profile like many of the popular genealogy companies, ANDE only gets what Mattern referred to as a DNA “VIN number” that doesn’t include some of the genetic identifiers, such as eye color, that would be included in those other forms of testing.
“It’s kinda like saying all cancer is alike,” Mattern said about grouping those concerns over security with ANDE. “It’s more complicated than that.”
If the bill were to become law, the Arizona Department of Public Safety would be in charge of the database.
That makes it safe, right?
DPS has a history of being hacked, most recently in 2011 when the hacktivist group LulzSec hacked them twice to expose “evil deeds.”
Yuma County Sheriff Leon Wilmot raised additional concerns in a comment he left for lawmakers on the legislature’s Request To Speak service when he registered his opposition to the bill.
“Speaking with DPS they were not consulted on being able to stand up to this type of operation and are even trying to see how long it would take as well as associated costs,” the sheriff said, adding that the legislation “could impact criminal DNA cases that are pending now as well.”
Other Arizona agencies haven’t fared better, either.
Coconino County had to alert its employees to a hack that exposed protected health information of up to 467 employees, and the Department of Economic Security was found to have such lax cybersecurity measures that auditors were able to hack in without anyone knowing.
But Livingston’s bill is unlikely to pass because it will require a supermajority: it would increase revenue through a $250 fee imposed on anyone who has to submit their DNA to the state.
So, is your genetic information safe?
Well, if you are white and live in the United States, the answer is likely no.