Monthly Archives: June 2014

About That Creepy Biometric Database, FBI, We’d Like to Know a Bit More

The FBI’s facial recognition database, into which it wants to put 52 million of our mugs by the end of 2015, is only part of its larger Next Generation Identification (NGI) program. The NGI program is intended to give the feds a full range of means to identify us according to biometric markers, including facial features, digitized fingerprints, photographs of tattoos, scans of the irises of human eyes…

It’s a lot of data for tagging people, all going into a centralized system. That has plenty of people worried about misuse, abuse, and the overall nudge this sort of capability gives us toward a total surveillance state.

Yesterday, 32 organizations from across the political spectrum, including the American Civil Liberties Union, the Electronic Frontier Foundation (EFF), and R Street Institute, asked Attorney General Eric Holder to explain just how the United States government plans to use the system it’s building and the data contained therein. Specifically, they want the federal government to perform a formal Privacy Impact Assessment (PIA) to follow up on the last such report, done in 2008.

Among other concerns raised, that 2008 PIA conceded that “Electronic searching of criminal justice images also entails the risk that the electronic search process may not be sufficiently reliable to accurately locate other photos of the same identity, resulting in an unacceptable percentage of misidentifications.” That concession is underlined by revelations by the Electronic Privacy Information Center that federal specifications on the Next Generation Identification system facial recognition software allow for tagging “an incorrect candidate a maximum of 20% of the time.”

The Electronic Frontier Foundation’s Jennifer Lynch has also raised concerns about the sources of some of the photos in the database, which are only vaguely identified. “The FBI does not define either the ‘Special Population Cognizant’ database or the ‘new repositories’ category,” Lynch warned in April.

Maybe Holder can tell us just where those photos are coming from.

Of course, Privacy Impact Assessments don’t mean that government agencies won’t proceed with the projects being assessed. They just give us a better idea of what we’re being subjected to.

Signatory organizations are: American Civil Liberties Union, Bill of Rights Defense Committee (BORDC), Brennan Center for Justice, Center for Digital Democracy, Center for Democracy & Technology, Center for Financial Privacy and Human Rights, Center for National Security Studies, The Constitution Project, Constitutional Alliance, Consumer Action, Consumer Federation of America, Consumer Watchdog, Council on American-Islamic Relations, Council for Responsible Genetics, Cyber Privacy Project, Defending Dissent Foundation, Demand Progress, DownsizeDC.org, Electronic Frontier Foundation, Electronic Privacy Information Center (EPIC), Friends of Privacy USA, Government Accountability Project, Liberty Coalition, NAACP, National Association of Criminal Defense Lawyers, National Urban League, OpenTheGovernment.org, Patient Privacy Rights, Privacy Rights Clearinghouse, PrivacyTimes, R Street Institute, and the World Privacy Forum.

J.D. Tuccille is managing editor of Reason.com.

Read the Letter:

CRG Coalition to Attorney General: Review FBI’s Massive Biometric Database

CRG Coalition to Attorney General: Review FBI’s Massive Biometric Database

Council for Responsible Genetics, EPIC, EFF, ACLU, Defending Dissent, and a coalition of over 30 organizations have urged Attorney General Holder to immediately conduct a privacy assessment of the FBI’s proposed “Next Generation Identification” system. The system is set to go fully operational despite a required privacy assessment.

When completed, the NGI system will be the largest biometric database in the world. The vast majority of records contained in the NGI database will be of US citizens. The NGI biometric identifiers will include fingerprints, iris scans, DNA profiles, voice identification profiles, palm prints, and photographs. The system will include facial recognition capabilities to analyze collected images. Millions of individuals who are neither criminals nor suspects will be included in the database. Many of these individuals will be unaware that their images and other biometric identifiers are being captured. Driver’s license photos and other biometric records collected by civil service agencies could be added to the system. The NGI system could be integrated with other surveillance technology, such as Trapwire, that would enable real-time image-matching of live feeds from CCTV surveillance cameras. The Department of Homeland Security has expended hundreds of millions of dollars to establish state and local surveillance systems, including CCTV cameras that record the routine activities of millions of individuals. There are an estimated 30 million surveillance cameras in the United States. The NGI system will be integrated with CCTV cameras operated by public agencies and private entities.

There is a substantial risk that personally identifiable information could be lost or misused as a result of the creation of the NGI system. Among the private contractors involved in the deployment of NGI are Lockheed Martin, IBM, Accenture, BAE Systems Information Technology, Global Science & Technology (“GST”), Innovative Management & Technology Services (“IMTS”), and Platinum Solutions. Arizona, Hawaii, Kansas, Maryland, Michigan, Missouri, Nebraska, New Mexico, Ohio, South Carolina, and Tennessee are actively participating in the NGI program. The FBI is pursuing an aggressive deployment of the NGI program, scheduled for completion and full deployment by 2014.

Who Owns Your Genetic Data? Hint: It’s Probably Not You

As we move closer to an era when a sequence of every human genome is the norm, an important question looms: who will own this data? It seems intuitive to many of us that each person owns his or her genetic data and therefore should control access. But the reality is more complex.

Consider any number of analogies: cell phone data, credit card data, email information. You have a sense of ownership for all of that, right? But it’s hard to make the case that you truly own it when Verizon Wireless, American Express, or Google has more control than you do over account access, data storage, and which other parties get to see your information. (Ahem, NSA.)

The concept of data ownership is so contentious in part because of its nature. Data moves, it morphs, and most of us can’t even say where it lives. (“The cloud” is not an answer.) For people who grew up thinking that possession is nine-tenths of the law, data is too slippery to fit into the usual framework.

Throw in the morass of regulations surrounding medical data, and you get an idea of why ownership of genetic data is such a complex issue. The Supreme Court’s verdict that companies cannot patent naturally occurring genes told us who doesn’t own our genes — that’s a start.

Depending on circumstance, genomic information may or may not be considered protected health information under the U.S. Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. That means sometimes there will be a number of barriers between you (or anyone) and that information, and other times it will be freely accessible, but in ways that supposedly prevent anyone from knowing whom the data comes from. In fact, scientists have already demonstrated that it takes remarkably little know-how to link this de-identified information, as it is known, back to its source.

With that basic protection up in the air, the federal government and many states have passed or are considering legislation that would settle the ownership question, or at least prevent discrimination based on the data. The landmark Genetic Information Nondiscrimination Act was passed by U.S. Congress in 2008 to prohibit unfair treatment based on DNA information — particularly among health insurance companies — but does not apply to providers of life, disability, or long-term care insurance. Bills introduced since then in Massachusetts, Vermont, and California aim to close those loopholes and also establish clear property rules to ensure that each individual is the sole owner of his or her genetic information.

As that piece of the puzzle is addressed, some companies are trying to solve the issue of how and where this data will be stored. Coriell Life Sciences, for example, was spun out of the nonprofit Coriell Institute for Medical Research to offer a data-hosting service for genetic information. A person’s genome sequence is stored on Coriell’s computers, and as that person needs to know more about it, approved providers can access that sequence and interpret certain sections of it.

For example, let’s say you have your genome sequenced at age 35. At the time, what you really care about is whether you’re a carrier of certain diseases, so you give permission to one interpretation service to scan the associated portions of your genome and tell you about those diseases. Later in life, you decide you want to know whether you’re at increased risk for developing Alzheimer’s disease, so you allow another interpretation company to access your DNA sequence and look for that specific genetic marker. The idea is that genetic information is safest when it is stored in one place for a person’s whole life, rather than being shipped here and there for various interpretations. The use of permissions to access certain parts of the DNA sequence adds another layer of protection.

At the moment, Coriell’s business model is geared toward physicians; it assumes they are the ones depositing data on their patients’ behalf, and they control access permissions. But as people demand more control over their data, the model could shift to put consumers in the driver’s seat. Coriell Life Sciences is just one player in a rapidly shifting field; we will see many variations on it, both better and worse, in the coming years.

Right now, few of us have personal genomic data. But consider results from any individual gene tests you may have had — or, failing that, any result from a medical test. Chances are, your physicians or hospital have a stronger ownership claim to that information than you do: they probably keep it in a file and have the authority to grant access to it as needed, whereas you might not even remember what the results were. Until consumers find it important to stake their claim for their own genetic data, this situation is likely to remain the status quo in the coming years.

Meredith Salisbury, Huffington Post

The Genome’s Big Data Problem

Medicine will be revolutionised in the 21st century, thanks largely to our increasing understanding and collection of genetic data.

Genetic data is information pertaining to part or all of your genome: the DNA structure that makes you you. This is translated into a massive string of letters—approximately six billion characters in length—that can reveal all sorts of things about you.

Thanks to the rise of genome sequencing, prescription medicines could end up being tailored towards individuals, increasing the drugs’ effectiveness and minimising their side effects. Treatments could be developed for previously resilient diseases thanks to greater information available for research. It could even be possible to predict how predisposed infants are to various conditions as they grow up.

One program already using genetic data is the Personal Genome Project (PGP), an open call to those who wish to contribute to scientific research. If someone decides to participate in the project, they naturally have to sign a consent form—but it’s not as easy as blindly clicking ‘I have read and agree to the Terms and Conditions.’ The New York Times reported that participants need to pass a test to make sure they fully understand what they are enrolling in, and what risks they are taking. These include the potential to be refused health insurance, or denied a job, because of a predisposition to a disease revealed by genome sequencing.

Some of the scenarios on the consent form may sound far-fetched, but they’re not unfeasible: someone could plant synthetic DNA to implicate you in a crime, for instance, or use your data in cloning.

So for all its benefits, there are still serious concerns around genetic data that need to be handled before we all jump on the genome bandwagon. How will the data be stored? Who will be able to access it? What security will be in place?

When I was recently at the European Parliament in Strasbourg, I asked an expert panel what problems we were likely to see as genetic data proliferates. I was given an answer that equated to “We don’t know.” Unsatisfied, I decided to look into some of the issues myself.

PRIVACY

Privacy is the main concern around the debate of genetic data, because, by its very nature, the data can be used to identify an individual and their relatives much more accurately than other types of personal information. Indeed, those behind the Personal Genome Project recognize this. As Albert Sun at the Times wrote, “With the amount of data being shared, participants cannot be guaranteed of anonymity or privacy. While their names are not directly associated with their data, other information about them is, including birth dates, genders, ZIP codes, genomes and medical histories.”

Other projects are not so open about the risks. In the UK, the National Health Service (NHS) has proposed a genetic database, and those behind that plan claim that it is possible to remain “pseudo-anonymous” while listed within the system, by omitting certain parts of the data such as name or address. However, others have suggested that identification of people by genetic data combined with other public databases will be possible.

“Genetic data is not data that can be anonymised,” Pascal Borry, an assistant professor of bioethics at the Centre for Biomedical Ethics and Law, told me.

“I think that everyone agrees that if somebody puts in enough effort, and they have genetic data, they can probably re-identify,” said Tim Caulfield, a professor in the Faculty of Law and the School of Public Health at the University of Alberta. “The disagreement is in the ease with which this could happen.”

Another concern is how the data is stored. 23andMe, a commercial sequencing company, says it stores its data “with multiple levels of encryption and security protocols protecting your personal information.” Some researchers are developing ‘homomorphic’ protection, a novel approach that would greatly strengthen the security of the data. At the moment, however, a massive amount of computing power is required for such a method, so it won’t become widespread any time soon.

If not stored securely, the theft of genetic data could cause a lot of headaches for program participants. 

COMMERCIALIZATION

Just as the use of genetic data is a new step for scientific research, so it is for businesses. In the same way that personal data has become a commodity traded by companies, businesses are likely to want to capitalize on this new avenue.

“One of the big pushes to get hold of medical data, including genetic data, is to create personalised risk assessments which try to predict future health, and that can be used for personalised marketing,” Helen Wallace from GeneWatch, a non-profit that monitors developments in genetic technology, told me. 

Referring specifically to the NHS plan, the GeneWatch website warns that “a personalised risk assessment is expected to lead to a massive expansion in the market for drugs and other products, such as supplements and cholesterol-lowering margarines, which can be sold using personalised marketing based on an individual’s health data.”

Remember the much-publicised case of Target figuring out a girl was pregnant before her father knew, and sending her advertisements for baby products? Well, genetic data has the potential to go beyond that.

Something unique to the commercialization of genetic data—as opposed to internet browsing or purchasing habits—is how advertisements could also be targeted at your relatives. As well as finding out whether someone has a certain predisposition to a disease, “a company could also find out […] who their relatives were, and maybe sell on that information,” Wallace told me.

Government-run projects will realistically cross over into the commercial sector too. With the NHS database, the plan is that once genetic data has been gathered—and the Health Secretary has recommended that all children have their DNA sequenced at birth—this data will be added to a national database.

However, the NHS has a history of selling information to third parties, including drug and insurance firms. The government has also liaised with Google before about displaying hospital stats in its search results. That time, Google pulled out due to public backlash. But the search giant does seem to have an interest in the market for genetic data, and has for instance shown geneticists how to upload DNA data to the cloud.

The increased likelihood of commercialization of your genetic data is not helped by the “hype around the idea that we should all get our genome sequenced in the first place,” Wallace continued. “In fact, most of the scientific evidence is suggesting this is very useful for some people with rare genetic disorders or high familial risk for breast cancer, but it’s not actually useful as a screening tool for predicting susceptibility to common disease.”

It is of course in the interest of those who make money from genetic data to make “that market as big as possible,” she said. 

ETHICS AND REGULATION

Here’s one ethical quandary: If your genetic data can reveal intimate details about your family, shouldn’t you obtain their consent before you have your own genome sequenced? 

“If I’m getting my whole genome sequenced, and then joining a biobank [a programme that stores your biological data for research or commercial purposes], that information about me is going to have relevance to my brothers for sure,” health law expert Caulfield said. As for whether you’re currently required then to get their consent, “The answer is, no you don’t. There’s no technical, legal reason to do that.” But then, he said, that might make you ask, “Is the law appropriate?”

A more personal decision that needs to be considered is that this data will be stored or worked on for longer than your lifetime, and that of your relatives. As Caulfield pointed out, giving up your genetic data results in you “donating your biological story for a very long period of time.” 

This leads on to the question of what legal protections should be in place for all of this data. One of the problems plaguing privacy laws already is the huge variation in them across the planet. That becomes an even greater problem when data is being accessed by researchers from different parts of the world. “One of the underlying themes of big data is that the data will be available anywhere,” Caulfield said.

There are attempts at a harmonization of laws that would mitigate this. A powerful new data protection law is being passed in Europe, for instance—but it is yet to gain support from the UK government.

Caulfield pointed out that it’s important that whatever laws are applied to genetic data are balanced. “You can also get an over-reaction,” he said. “We saw that with cloning, for example.” Research in that domain was stifled in the US and Europe while it blossomed in countries with different regulations, such as China.

“Having evidence-based, informed laws is really important,” Caulfield said. Similar to protections for facial recognition information, and even more basic biometric data such as fingerprints, legal protections specifically crafted for genetic data are in their infancy. It is “a very complicated issue, and one that needs more investigation,” he concluded.

Joseph Cox, Motherboard

GeneWatch UK criticized speech by NHS England Chief Executive Simon Stevens

Genetic information is irrelevant to most people’s care

GeneWatch UK today criticised a speech by the new NHS England Chief Executive Simon Stevens, in which he reportedly argued that the NHS must be transformed to make people’s personal genetic information the basis of their treatments (1). 

“Stevens appears shockingly ignorant of the irrelevance of genetic information to most people’s care,” said Dr Helen Wallace, Director of GeneWatch UK. “Plans to sequence everybody’s genomes in the NHS are driven by commercial interests and are not in the public interest”.

Successive governments have made attempts to build a DNA database in the NHS in England by stealth, by sequencing every baby at birth and storing whole genomes in electronic medical records, a plan backed by Health Secretary Jeremy Hunt (2). The current version of this plan would involve sharing whole or partial DNA sequences (genomes or genotypes) with companies like Google, which would use genetic information and health data to calculate personal risk assessments for feedback to patients (3). Massive investment from taxpayers would be required as part of a public-private partnership that allowed commercial exploitation of the data. 

“Commercial companies wish to exploit genetic information to market products such as drugs and supplements to healthy people, based on genetic risk assessments. This will harm, not benefit, health, and risk assessments could also be misused, for example by insurers. Building a DNA database within the NHS would be a massive waste of public money and would also create a system of total surveillance which would allow the government to track every individual and their relatives”, said Dr Wallace.

Some cancer drugs have been successfully tailored to genetic mutations that arise in the cancer tumour, but attempts to select drugs for people based on the genetic make-up they are born with (their genome or genotype) have largely been a failure as genetic differences only account for a part of individual differences in metabolism. For example, a recent study found that targeting warfarin treatment based on genetic make-up did not improve health outcomes, although this application was regarded as the ‘poster child’ of this approach (4). Genes are also poor predictors of most diseases in most people, contrary to misleading claims made to promote the Human Genome Project. The online gene testing company 23andMe, funded by Google, has been forced to withdraw its gene tests from the US market due to failure to prove they can reliably predict individual risks of many common conditions using computer algorithms. The company now wants to target the UK market, where genetic testing is not regulated (5). 

Genetic testing remains useful to diagnose rare genetic disorders, mainly in babies and young children, and whole genome sequencing has helped to identify new mutations causing these diseases. Rare familial (largely inherited) forms of many common diseases also exist, including breast cancer, but these account for only a small percentage of cases of these conditions.

“Use of genetic testing in the NHS should focus on prioritising resources for the applications that do work, not on introducing misleading and harmful screening of the whole population and creating unnecessary, expensive databases”, said Dr Wallace.

GeneWatch UK

Over-sampling DNA in Rhode Island

A bill before the Rhode Island General Assembly would give law enforcement sweeping new powers to collect DNA from people placed under arrest. The legislature should refine this measure, which both overreaches and provides insufficient safeguards for the innocent.

The proposed measure, recently approved by the House Judiciary Committee, empowers police officers to collect DNA samples from anyone arrested for a violent crime. Eligible offenses range from murder to assault, robbery and larceny. The samples may be collected even if a person is never formally charged, a dangerous provision that could tempt the police to indulge in pretext arrests. Adding insult to injury, those who are not charged would have to formally request that their samples be expunged from the state’s database.

Similar efforts to expand DNA collection have been mounted in the past but failed to advance. Currently, Rhode Island law requires DNA samples only from people convicted of a felony. That seems fair. Law enforcement agencies are understandably eager to have more DNA evidence available, but the risk is a steady erosion of privacy. The more DNA samples that are entered in a government database, the greater the prospect of surveillance.

Most states now have DNA collection laws. The more sensible ones require that a person at least be arraigned before having to provide a sample. Rhode Island should also bear in mind that administering such a program is costly. Legislators plan to seek a federal grant to help pay for this effort if the bill passes. But should funding evaporate, Rhode Island taxpayers would be faced with an added burden. The DNA bill should either be more narrowly tailored, or shelved.

Providence Journal Editorial