Our genetic information is irreducibly and uniquely tied to who we are. Is it a surprise that as genetic analysis becomes both cheap and publicly available, we can be identified this way?
An article in Science magazine showed how researchers could use data donated by individuals to identify those individuals. A BBC article presents a nice summary of how this was done. The short version is this:
- Individuals donated genetic material ‘anonymously’ to the 1000 Genomes project to help find the the most genetic variants that have frequencies of at least 1% of the population (the consent form for the donation provided assurances about privacy, but no guarantees - as one would expect)
- The researchers accessed the donated data, and correlated it with open access genealogy databases, to back identify individuals that had donated their genetic material.
- 50 individuals were identified
The issues here are fraught, and while researchers who say that there is enormous potential in these data are correct, they fail to note that there is enormous potential for health research and also enormous potential for fraud, identity theft, and invasion of privacy. This is particularly the case in the U.S. where medical fraud is a multi-billion dollar enterprise, or where people regularly self-medicate rather than risk loss of medical insurance or employment through revealing private medical information.
Research consistently shows that people want their medical information protected at the highest level. Treating it as research data to be shared widely without protections with other researchers fails to meet that expectation. According to one survey, “43.2 percent of Canadian patients stated they have withheld or would withhold information from their care provider based on privacy concerns." When I train people on medical privacy I use the example of a patient expressing concern about their hospital gown that leaves their backside exposed and the nurse replying, “Don’t worry, I’ve seen it all before". People usually laugh at the joke but it reveals how some medical staff regularly trivialize patients’ concerns about privacy. This removes agency from a patient when they are feeling there most vulnerable and adds stress that they don’t need.
Trust by patients is at risk because of this. As more and more medical privacy breaches come to light, patients are likely to reveal less and less to their physicians and will be less likely to give consent to research. Unless and until the medical community, especially the research community, starts to actively listen and be open with patients about data AND starts to teach itself how to apply security to health IT systems more consistently, trust will continue to erode.
Other privacy stories of note
Sad to say there is another government privacy breach, where the breach happened months ago and only now is there action.
Facebook introduces "Graph Search”. The New York Times calls it a Privacy Test, saying that Facebook’s greatest triumph has been to persuade a seventh of the world’s population to share there their personal information online. While this is an overstatement, as many people manager their online personas even if they don’t manage their privacy settings, it’s not over the top either. You only have to look at what Gizmodo found to reinforce the two basics rules to understand and use social networking sites:
- SInce you are getting the service for free, you are not the customer - your personal information is the product. Remember this when using ‘free’ on-line service.
- Post nothing on a social network unless you are comfortable with the same thing posted on a billboard outside your parent’s home or your workplace.
It is clearly the case that most police have a NIMBY attitude towards protecting privacy. “Privacy should be protected, but we are the good guys and you can trust us." seems to sum it up. Another way to look at it is that some police regard everyone as suspects first and citizens second.
Many people would agree that scientists need free and open access to data, and to the results of their studies in order to facilitate research. I suspect that most people would also expect that scientists would also accept their responsibilities to ensure the confidentiality of the data that they have, and this is where the false dichotomy of this kind of analysis breaks down. There could be both research and privacy/security if medical researchers consistently applied basic IT security to their systems and their practices. The frequency of medical breaches suggest that medical IT practices don’t live up to this expectation.
"Backscatter" machines being removed after failing to meet congressional deadline to install privacy software on the machines. It’s important to note here that both these and the millimeter wave machines that do have the privacy software installed collect the data for a much more detailed image than the one displayed, which means that this is more of a privacy by remediation than a privacy by design solution.
Once a military technology is built, the building company will always look for new markets. This dovetails nicely with the current climate of fear about <insert random threat of the week> and enables police to surveil everywhere.
Before you rush to judgement on this one, imagine if these were ‘democracy activists’ in the old East Germany. Wouldn’t the destruction of surveillance cameras be considered a defence of civil liberties?