Remember When There was a Thing Called Privacy?
Happy belated #DataPrivacyDay.
I have to admit that I didn’t know what to get you. And oh yes, this is a bit of a rant.
In the part of my life where people actually pay me to do stuff, I spend a lot of time thinking about how information is governed and secured and protected. And from this part of my life, I would probably get you a brand spanking new privacy policy for #DataPrivacyDay to create the feeling that privacy exists in the modern world. I might also get you an automated records management system with which to ensure compliance with that policy.
In the other part of my life where people do NOT pay me to do stuff, I spend a lot of time and money (I shudder to think how much I have paid Ancestry.com over the years) working on a side hustle focused on trying to solve the mystery of my vanished grandparents (https://www.searchformygrandparents.com/). And in this other life, I would likely tell you that no matter what privacy policy you signed at the time you spat into that DNA tube, you likely kissed the concept of privacy goodbye forever.
And therein lies my quandary.
The net-net of my uncompensated family history and records management side hustle [spoiler alert] is that my Italian immigrant grandparents disappeared (separately) in the New York State Asylum system in the 1930s, never to be seen or heard from or mentioned by anyone for over 60 years.
The villain in this work — I know they aren’t really villains, but it makes me feel better to think about things this way — is the New York State Mental Health System, which refuses to release my grandparents’ paper medical records due to “privacy” concerns. As someone who has been in the records management world for many years, I struggle with this.
Traditional concepts of privacy are embodied in the concept of “consent” — direct or implied or assumed. Exactly what privacy concerns do long dead people have? What “policy” did they sign? I’m pretty sure there are no HIPAA documents on file. Even more frustratingly, if I am perhaps the ONLY person in the world who would even care about these records, and I can’t have access to them, why is the State of New York even bothering to keep them?
The paper-based and consent-based mindset that all of this embodies is reflected in privacy policy structures that are popping up all over the place. One example with which I am very familiar is the GDPR, the European General Data Protection Regulation.
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. (Source: Wikipedia)
The reason I bring up GDPR is that over the last few years, organizations have spent billions on lawyers to write organizational privacy policies to show that they care about consent. And they have spent billions more deploying systems to prove they are complying or to create the impression that they are complying. As an American living in a marketplace in which privacy is not a human right, but a tradable consumer good, I applaud the good intentions.
But does “consent” really matter any more, and what is the appropriate public policy response to privacy concerns? In an era where we have massive systems to both accumulate data — even when we are unaware it is being collected — AND the means to actually analyze and connect that data, is the concept of “consent” even relevant anymore?
Let’s think about these questions of privacy and consent in the context of something that is familiar to everyone. Like millions of other people (and likely tens of millions more as a result of Christmas presents received this year), I gladly spat into an Ancestry tube in order to get: 1) one of those super cool heritage pinwheels; and 2) maybe find a long-lost cousin or two who might help me unravel some of the mysteries of our own family history.
When I did so, I merrily clicked off on the “consent” disclaimers. Agree. Agree. Agree. I noticed the statement, “If you’d like to receive an ethnicity estimate without being listed as a match to potential relatives, you can choose not to see your DNA matches or be listed as their match. The option to hide DNA matches provides you with more control over your own data and privacy.” But to be honest, I had no real idea what I was doing. I just wanted the pinwheel and maybe some 2nd or 3rd cousins who might pop up who could provide insight into the fate of my grandparents. Here’s what I found:
32% — Northern Italy
17% — Leinster, Ireland
14% — England & Northwestern Europe
11% — Scotland
9% — Southern Italy
7% — Southern Sweden
4% — Greece & Albania
3% — Germanic Europe
3% — Norway
I even clicked off on the AncestryDNA Informed Consent document, because, hey, if it helps find cures for diseases, I’m in. I kind of missed this clause, to be honest, and the parenthetical “which may be many years from now.”
By giving consent to participate in the Project, you agree that all information and Biological Samples that you share with us (as further described below) through your use of our websites, mobile applications, and products that exist now, or in the future (our “Services”) can be collected and used for research consistent with the Purpose until the Project is completed or ends (which may be many years from now). Anyone who has activated an AncestryDNA test at any time can voluntarily participate in this Project.
I continued on in delightful ignorance and innocence until over the holidays, when I read two terrific books tied to these questions of “consent” and what it means in an era of massive accumulations of data.
The first one — Inheritance, by Dani Shapiro — is a personal memoir. It is the story of how the author wondered all her life whether she really “fit” into her family.
In the spring of 2016, through a genealogy website to which she had whimsically submitted her DNA for analysis, Dani Shapiro received the stunning news that her father was not her biological father. She woke up one morning and her entire history — the life she had lived — crumbled beneath her.
The net-net [spoiler alert] was that Dani’s parents had been unable to conceive. Her biological father was a sperm donor in the 1960s. He had given his “consent” to the donation, understanding that the act was completely anonymous, never to be revealed. He had no idea that this “consent,” given in a time before cell phones and PCs and the Internet, would be rendered moot not by any conscious decision he would make, but by radical technology advances 50 years in the future and by a stranger spitting in a tube.
The other book — The Lost Family: How DNA Testing is Upending Who We Are, by Libby Copeland — pushes the story to the next level.
Indeed, all the major DNA testing companies state in their policies that they don’t sell or share genetic data for research purposes without customers’ explicit consent. Companies with research programs generally make them optional. But the problem is, it can be difficult for consumers to understand exactly what they’re signing up for—both how their data could be used and how it is being protected. I spent many hours poring over the companies’ language about privacy, and then diving deeper into their various policies, all of them thousands of words long, trying to parse the definition of terms like “personal information,” and thinking how much easier this would be if I’d gotten that law degree. Do such contracts make sense given the way we behave online? One 2008 study estimated that if American Internet users attempted to read the privacy policies they regularly encounter online word for word, they’d spend upward of two hundred hours a year doing so.
The privacy implications of all of this get even more complex when you think about massive aggregations of data that individually are anonymous, but collectively, anything but. For example, Dani Shapiro’s biological father didn’t take any active initiative to find her — he didn’t even know she existed. Nor did he initially do the “spit in the tube” thing and get a match. Dani did her test, a person she assumed was her half-sister did one as well, and someone in her biological father’s extended family did one, and the inconsistencies and connections became quickly obvious. A bit of not very complicated detective work on Facebook and Google and voila, she discovered her biological father.
To be sure, there are great benefits to all of this data aggregation. For the “seekers” looking for missing pieces of family background, the data has allowed separated family members to find each other after a lifetime apart. Serial killers have been identified through 1) overlaps between unidentified DNA collected at the scene and samples already in a database, 2) identification of the most recent common ancestor, and then 3) analysis back down the family tree. Per Libby Copeland, “The people who were getting DNA kits for Christmas had no idea what was coming for them. And the ramifications of what they might find would not be short-lived; rather, they amounted to a fundamental reshaping of the American family.”
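To make that three-step procedure concrete, and to show why the data is anonymous individually but not collectively, here is a small example I have added for this post. It is my own code, not anything from Ancestry or any other testing company, and it runs on a constructed toy pedigree with made-up names. The unknown sample matches two people who opted in to matching (Gina and Enzo); the code finds their most recent common ancestors (step 2) and then walks back down the tree to the people who never tested (step 3). The number of generations the unknown sits below the common ancestor is taken as an input, standing in for the relationship estimate a real analysis derives from the amount of shared DNA.

```python
from collections import deque

# Constructed toy pedigree for this example, not real people or real data.
# Maps each child to its two parents; founders and married-in spouses have no entry.
PEDIGREE = {
    "Bianca": ("Antonio", "Rosa"),
    "Carlo": ("Antonio", "Rosa"),
    "Dora": ("Bianca", "Spouse1"),
    "Enzo": ("Carlo", "Spouse2"),
    "Fabio": ("Carlo", "Spouse2"),
    "Gina": ("Dora", "Spouse3"),
    "Hugo": ("Fabio", "Spouse4"),
    "Ivo": ("Fabio", "Spouse4"),
}

# The people in this pedigree who tested and opted in to matching (constructed).
DATABASE = {"Gina", "Enzo"}


def ancestors_with_distance(person, pedigree=PEDIGREE):
    """Return {ancestor: generations above `person`}, with `person` itself at 0."""
    dist = {person: 0}
    queue = deque([person])
    while queue:
        cur = queue.popleft()
        for parent in pedigree.get(cur, ()):
            if parent not in dist:
                dist[parent] = dist[cur] + 1
                queue.append(parent)
    return dist


def descendants_with_distance(person, pedigree=PEDIGREE):
    """Return {descendant: generations below `person`}, with `person` itself at 0."""
    children = {}
    for child, parents in pedigree.items():
        for parent in parents:
            children.setdefault(parent, []).append(child)
    dist = {person: 0}
    queue = deque([person])
    while queue:
        cur = queue.popleft()
        for child in children.get(cur, []):
            if child not in dist:
                dist[child] = dist[cur] + 1
                queue.append(child)
    return dist


def most_recent_common_ancestors(matches, pedigree=PEDIGREE):
    """Step 2: ancestors shared by every match, with the smallest total generation
    distance. Returns a set because both members of a couple tie."""
    dists = [ancestors_with_distance(m, pedigree) for m in matches]
    common = set.intersection(*(set(d) for d in dists))
    if not common:
        return set()
    best = min(sum(d[p] for d in dists) for p in common)
    return {p for p in common if sum(d[p] for d in dists) == best}


def candidates(matches, generations_below_mrca, pedigree=PEDIGREE, database=DATABASE):
    """Step 3: walk back down from the common ancestors to the generation where the
    unknown sample is expected to sit, dropping anyone already in the database
    (a tester would have matched directly in step 1).
    `generations_below_mrca` is an assumed input standing in for the relationship
    estimate a real analysis derives from shared DNA; it is not computed here."""
    found = set()
    for ancestor in most_recent_common_ancestors(matches, pedigree):
        for person, depth in descendants_with_distance(ancestor, pedigree).items():
            if depth == generations_below_mrca and person not in database:
                found.add(person)
    return sorted(found)


if __name__ == "__main__":
    # The unknown sample matched Gina and Enzo; neither has ever heard of the person.
    print(most_recent_common_ancestors(["Gina", "Enzo"]))          # {'Antonio', 'Rosa'}
    print(candidates(["Gina", "Enzo"], generations_below_mrca=3))  # ['Hugo', 'Ivo']
```

The point of the toy is the last line: Hugo and Ivo never spat in a tube, never clicked “Agree,” and are nonetheless narrowed to a two-person shortlist purely because two relatives did. Add the usual public records and a bit of Facebook and Google, as in the Shapiro story, and the shortlist becomes a name.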
There is another consideration moving forward that relates to those who have released their DNA for public-spirited research. It’s a scenario common to many free services we use. The oft-quoted line, “If it’s free, you’re the product,” comes to mind, except in this case MILLIONS of people like me have PAID for their DNA to be analyzed in order to get one of those cool ethnicity pinwheels.
The accumulated data from these and other consumer-facing data gathering exercises has FAR more value to the one that accumulates it than to the one who provided it. It is data with incredible value to pharmaceutical companies and insurance companies and finance companies and health care providers and Google and Amazon and etc., etc., etc. Who gets to monetize this value, and how? As Libby Copeland notes, “Did people who signed up to participate in research truly comprehend how asymmetrical their relationship with 23andMe was — how much it and other companies stood to profit off the information they and millions of others had paid for the privilege of providing?”
I’m sure everyone involved realized that all of the above was possible when they clicked AGREE to get their pinwheel, said no one ever.
I should say at this point that I am not trying to pick on Ancestry or DNA companies. I am a long-time and happy customer of Ancestry. My point is that we all constantly check off “Agree” to all sorts of data gathering permissions and make all sorts of privacy compromises without giving them a second thought or even knowing we are doing so. When we use Facebook. When we use Google. When we use Netflix. When we use Amazon. When we took one of those personality quizzes on Facebook that allowed Cambridge Analytica to hijack our political system. And on and on and on.
“Consent” is a VERY complicated concept in an era of massive data analytics. We give “consent” blindly and continually, whatever that means in the world of massively aggregated data. Even if we actually gave all those AGREE clicks a second thought and became part-time lawyers and read those privacy policies, would it even matter? Because we can no more imagine the uses to which our data will eventually be put than the sperm donor in the Dani Shapiro book could back in the early 1960s.
And now for the “throw up my hands” part of this post.
I have no idea what the right public policy response to all this should be.
I hope some people a lot smarter than me are thinking about the technology side of all of this rather than writing 23-page privacy policies.
Happy #DataPrivacyDay.