The Shell Game Played with Your DNA, or 23 and Screwing Me

So you want to know how much Neanderthal is in your genes.

You are curious about the percentage of Serbo-Croatian, Hmong, Sephardim or Ashanti blood that runs through your veins. Or maybe you hope to find a rich great-aunt near death, seeking an heir.

How much is this worth to you?  Two hundred bucks? That makes sense.

But what about other costs:

– like sending your cousin to prison for life (and discovering that you grew up with a serial killer)?

– like all major companies refusing to insure you due to your genetic make-up?

– like ruining your family holidays when you find that your grandfather is not really genetically linked to you and grandma had been playing the field?

– like pharma companies making millions using your genetic code to create new drugs and not crediting you at all (not even with discounts on the drugs created by testing your cells)?

– like finding that your “de-identified” genetic code has been re-identified on the internet, exposing genetic propensity for alcoholism or birth defects that turn your fiancé’s parents against you?

How much are these costs worth to you?

According to former FDA commissioner Peter Pitts, writing in Forbes, “The [private DNA testing] industry’s rapid growth rests on a dangerous delusion that genetic data is kept private. Most people assume this sensitive information simply sits in a secure database, protected from hacks and misuse. Far from it. Genetic-testing companies cannot guarantee privacy. And many are actively selling user data to outside parties.” Including law enforcement.

Nothing in US Federal health law protects the privacy of DNA test subjects at “non-therapeutic” labs like Ancestry or 23andMe. Information gleaned from the DNA can be used for almost anything.  As Pitts said, “Imagine a political campaign exposing a rival’s elevated risk of Alzheimer’s. Or an employer refusing to hire someone because autism runs in her family. Imagine a world where people can have their genomic building blocks held against them. Such abuses represent a profound violation of privacy. That’s an inherent risk in current genetic-testing practices.”

Genetic testing companies quietly push their customers to allow genetic testing on the customer samples provided, and some would argue they do so without adequate explanation of the facts and harms, which are lost in a thousand words of fine print that most data subjects won’t read. Up to 80% of 23andMe customers consent to this activity, likely not knowing that the company plans to make money off the drugs developed from customer DNA. Federal laws require labs like those used by 23andMe for drug development to keep information for more than 10 years, so once they have it, despite rights to erasure provided by California and the EU, 23andMe can refuse to drop your data from its tests.

Go see the HBO movie starring Oprah Winfrey about medical exploitation of the cell lines of Henrietta Lacks, or better yet, read the bestselling book it was based on. Observe that an engaging, vivacious woman who couldn’t afford health insurance was farmed for a line of her cancer cells that assisted medical science for decades and made millions of dollars for pharma companies without any permission from or benefit to the woman whose cells were taken. Or any benefit to her family once cancer killed her. Companies secured over 11,000 patents using her cell lines. This is the business model now adopted by 23andMe. Take your valuable data under the guise of providing information to you, but quietly turn that data into profitable products for their shareholders’ and executives’ benefit. Not to mention that 23andMe can change its policies at any time.

As part of selling your genetic secrets to the highest bidder, 23andMe is constantly pushing surveys out to its customers. According to an article in Wired, 23andMe founder Anne Wojcicki said, “We specialize in capturing phenotypic data on people longitudinally—on average 300 data points on each customer. That’s the most valuable by far.” Which means they are selling not only your DNA information, but all the other data you give them about your family and lifestyle.

This deep ethical compromise by 23andMe is personal for me, and not because I have sent them any DNA samples – I haven’t and I never would. But because, when questioned publicly about their trustworthiness by me and others close to me, 23andMe has not tried to explain its policies, but has simply attacked the questioners in public. Methinks the amoral vultures doth protest too much.

For example, a couple of years ago, my friend, co-author and privacy expert Theresa Payton noted on a Fox News segment that people who provide DNA information to 23andMe do not know how such data will be used because the industry is not regulated and the company could change its policies any time. 23andMe was prompt and nasty in its response, attacking Ms. Payton on Twitter and probably elsewhere, claiming that the 23andMe privacy policy, as it existed at the time, was proof that no surprises could ever be in store for naïve consumers who gave their most intimate secrets to this company.

[BTW, for the inevitable attacks coming from 23andMe and their army of online protectors, the FTC endorsement guidelines require that if there is a material connection between you and 23andMe, paid or otherwise, you need to clearly and conspicuously disclose it.]

Clearly Ms. Payton was correct and 23andMe’s attacks on her were simply wrong.

Guess what? According to the Wall Street Journal, 23andMe sold a $300 MM stake in itself to GlaxoSmithKline recently and, “For 23andMe, using genetic data for drug research ‘was always part of the vision,’ according to Emily Drabant Conley, vice president and head of business development.” So this sneaky path is not even a new tactic. According to the same WSJ story, “23andMe has long wanted to use genetic data for drug development. Initially, it shared its data with drug makers including Pfizer Inc. and Roche Holding AG’s Genentech but wasn’t involved in subsequent drug discovery. It later set up its own research unit but found it lacked the scale required to build a pipeline of medicines. Its partnership with Glaxo is now accelerating those efforts.”

And now 23andMe has licensed an antibody it developed to treat inflammatory diseases to Spanish drug maker Almirall SA. “This is a seminal moment for 23andMe,” said Conley. “We’ve now gone from database to discovery to developing a drug.” In the WSJ, Arthur Caplan, a professor of bioethics at NYU School of Medicine said “You get this gigantic valuable treasure chest, and people are going to wind up paying for it twice. All the people who sent in DNA will be paying the same price for any drugs that are developed as anybody else.”

So this adds another ironic dimension to the old television adage, “You aren’t the customer, you are the product.” You pay to provide your DNA – the code to your entire physical existence – to a private company. Why? Possibly because you want information that may affect your healthcare, but in all likelihood you simply intend to use the information for general entertainment and information purposes.

You likely send a swab to the DNA company because you want to learn your ethnic heritage and/or see what interesting things they can tell you about why you have a photic sneeze reflex, if you are genetically inclined to react strongly to caffeine, or if you are a carrier of a loathsome disease (which you could learn for an additional fee). But the company uses the physical cells from your body not only to build databases of commercially valuable information, but to develop drugs and sell them to the pharmaceutical industry. So who is the DNA company’s customer? 23andMe and its competitors take physical specimens from you and sell products made from those specimens to their real customers, the drug companies and the data aggregators.

These DNA processing firms may be the tip of the spear, because huge data companies are coming for your health information. According to the Wall Street Journal,

“Google has struck partnerships with some of the country’s largest hospital systems and most-renowned health-care providers, many of them vast in scope and few of their details previously reported. In just a few years, the company has achieved the ability to view or analyze tens of millions of patient health records in at least three-quarters of U.S. states, according to a Wall Street Journal analysis of contractual agreements. In certain instances, the deals allow Google to access personally identifiable health information without the knowledge of patients or doctors. The company can review complete health records, including names, dates of birth, medications and other ailments, according to people familiar with the deals.”

And medical companies are now tracking patient information with wearables like smartwatches, so that personally captured daily health data is now making its way into these databases.

And, of course, other risk issues affect the people who provide data to such services.  We know through reporting following the capture of the Golden State Killer that certain genetic testing labs (like GEDMatch) have been more free than others with sharing customer DNA with law enforcement without asking for warrants, subpoenas or court orders, and that such data can not only implicate the DNA contributors but their entire families as well. In addition, while DNA testing companies claim to only sell anonymized data, the information may not remain that way.

Linda Avey, co-founder of 23andMe, concedes that nothing is foolproof. She told an online magazine, “It’s a fallacy to think that genomic data can be fully anonymized.” The article showed that researchers have already re-identified people from their publicly available genomic data. For example, one 2013 study matched Y-chromosome data with names posted in places such as genealogy sites. In another study that same year, Harvard Professor Latanya Sweeney re-identified 84 to 97 percent of a sample of Personal Genome Project volunteers by comparing gender, postal code and date of birth with public records.

A 2015 study re-identified nearly a quarter of a sample of users sequenced by 23andMe who had posted their information to the sharing site openSNP. “The matching risk will continuously increase with the progress of genomic knowledge, which raises serious questions about the genomic privacy of participants in genomic datasets,” concludes the paper in Proceedings on Privacy Enhancing Technologies. “We should also recall that, once an individual’s genomic data is identified, the genomic privacy of all his close family members is also potentially threatened.” DNA data is the ultimate genie, that once released from the bottle, can’t be changed, shielded or stuffed back inside, and that threatens both the data subject and her entire family for generations.

And let us not forget the most basic risk involved in gathering important data. This article has focused on how 23andMe and other private DNA companies have chosen to use the data – probably in ways that their DNA contributing customers did not truly understand – to turn a profit for investors.  But collecting such data could have unintended consequences.  It can be lost to hackers, spies or others who might steal it for their own purposes.  It can be exposed in government investigations through subpoenas or court orders that a company is incapable of resisting.

So people planning to plaster their deepest internal and family secrets into private company databases should consider the risks that the private DNA mills don’t want you to think about.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.


DNA Information of Thousands of Individuals Exposed Online for Years

It is being reported that Vitagene, a company that offers DNA testing to give customers specific wellness plans, in the form of personalized diet and exercise plans based on their biological traits, left more than 3,000 user files publicly accessible on Amazon Web Services servers that were not configured properly.

The information that was involved included customers’ names, dates of birth and genetic information (such as the likelihood of developing medical conditions), as well as contact information and work email addresses. Almost 300 files contained raw genotype DNA that was accessible to the public.

Vitagene has been providing services since 2014 and the records exposed dated between 2015 and 2017. Vitagene was notified of the accessibility of the information on July 1, 2019, and fixed the vulnerability.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.
This article was written by Linn F. Freedman of Robinson & Cole LLP.

Ariosa v. Sequenom: In Search of Yes After a Decade of No

The Federal Circuit this Wednesday declined to reconsider its June decision in Ariosa v. Sequenom, a closely watched medical diagnostics case involving patents on cell-free fetal DNA testing. Biotech companies, investors, and patent lawyers alike should expect a prompt petition for certiorari, and should hope that the Supreme Court grants it.  (Disclosure: I was one of twenty-three law professors who submitted an amicus brief urging the Federal Circuit to grant en banc rehearing.)

In the last decade, the Supreme Court has suggested in case after case that the inventions they were considering were not merely unworthy of patent protection because they were, say, not inventive enough or useful enough or disclosed in enough detail. Rather, the Court in these cases gave us information about the very boundaries of the patent system—by placing the disputed inventions outside those boundaries altogether. But they have not yet told us what is just inside those boundaries.

This legal uncertainty has a significant chilling effect on investment in innovation, one that we are increasingly able to quantify.  As USPTO Chief Economist Alan Marco and I explained in a 2013 paper in the Yale Journal of Law and Technology, when a court issues a decision resolving the legal uncertainty over whether a patent was valid, that newfound certainty actually moves the market as much as the initial patent grant does.  In other words, the unpredictability of courts forces the market to discount—by as much as half—how much trust to put in the legal rights that the Patent Office issues.

Patent holder Sequenom certainly experienced the downside of that uncertainty, as Wednesday’s rehearing denial sent its stock price tumbling over 14% in just two days.  Others have taken a hit as well, such as the large-cap DNA analysis firm Illumina, which has pursued Ariosa in a separate patent litigation and whose stock price fell 7% across the same two-day period.

The reason for this uncertainty is that we are effectively back in the late 1970s, when the Court was prominently rejecting inventions as patent-ineligible subject matter—Gottschalk v. Benson in 1972 and Parker v. Flook in 1978—without saying anything concrete about what was eligible.  Relief would come only after Diamond v. Chakrabarty in 1980 and Diamond v. Diehr in 1981, when the Court finally produced binding precedents going the other way.

The result is that today’s patentees can only try to run away from the settlement risk mitigation patent in Alice Corp. v. CLS Bank (2014), the breast cancer genetic diagnostic patent in AMP v. Myriad (2013), the thiopurine dosage monitoring patent in Mayo v. Prometheus (2012), the energy futures risk hedging patent application in Bilski v. Kappos (2010), and, although they were never definitively adjudicated, the vitamin deficiency diagnostic patents in LabCorp v. Metabolite (2006).  There is no case yet to run toward.

Ariosa v. Sequenom could have been that case and still can be, if the Court grants certiorari.  Certainly the Federal Circuit order has framed the issue well.  The per curiam order denying en banc rehearing was accompanied by three opinions that addressed in different combinations both the reach and the wisdom of the Supreme Court’s recent precedents.

Judge Dyk’s concurrence concluded that the precedents, particularly Mayo and Alice, do apply to the present facts and that those precedents are generally sound.  He invited “further illumination” from the Supreme Court only on whether the all-important inventive concept must come at the second step of the two-step Mayo test (application of the natural law or abstract idea) or may also come at the first step (discovery of the natural law).  Meanwhile, Judge Newman’s dissent concluded that the precedents, particularly Mayo and Myriad, do not apply here, for the facts “diverge significantly.”  She found the Sequenom patent’s subject matter to be eligible and would have proceeded to more specific patentability analysis under §§ 102, 103, 112, etc.

Their midpoint and the best argument for certiorari was Judge Lourie’s concurrence, which agreed that Mayo controls, with “no principled basis to distinguish this case from Mayo”—but which also urged that Mayo and the Supreme Court’s other precedents from Bilski onward are an increasingly unsound basis for differentiating between natural laws and abstract ideas on the one hand, and applications of those laws and ideas on the other hand.  Echoing a previously expressed position of the Patent Office, he favored the “finer filter of § 112” for issues of indefiniteness or undue breadth (rather than what the agency’s post-Bilski Subject Matter Eligibility Guidelines called the “coarse filter” of § 101).

He also pushed back directly against an argument that the Supreme Court frequently invokes to express its preference for flexible standards that foster over predictable rules that can be manipulated: the draftsman’s art.  Decisions from Flook and Diehr to Mayo and Alice have rested in part on the suspicion that patent lawyers may at any time evade substantive doctrinal limitations through clever claim drafting.  To this Judge Lourie’s opinion aptly responded that “a process, composition of matter, article of manufacture, and machine are different implementations of ideas, and differentiating among them in claim drafting is a laudable professional skill, not necessarily a devious device for avoiding prohibitions.”

In these regards, Judge Lourie’s approach may well represent the “center” of the Federal Circuit on subject-matter eligibility.  He was in the en banc majority in Bilski and authored the panel opinion in Mayo.  He authored both panel majority opinions in Myriad (before and after the Supreme Court’s GVR order).  And he authored the five-judge en banc plurality opinion in Alice, whose analysis was ultimately consolidated and endorsed in the Supreme Court’s opinion in that case.

With the issues so well framed and the recent subject-matter eligibility precedents so well synthesized, then, there is reason to be optimistic that a decade of hearing “no” from the Supreme Court may finally give way to a “yes” and better orient us on the true boundaries of our patent system.

© Copyright 2015 Texas A&M University School of Law