Quantified Self, Privacy, and PATRIOTism

This was a paper that I wrote for my Intellectual Property and Information Law class Fall 2013. I’m sharing it here, along with the presentation slides because I think it is important information to disseminate. A classmate asked under what circumstances I would use Personalized Genomic testing. I replied that it would have to be covered under HIPAA protections for me to consider using it. As such, I pitched the idea to the Henry Ford Health System earlier in the semester as a concierge service.

The Quantified Self, Privacy and PATRIOTism

This paper will explore the emerging field of the Quantified Self, in particular the use of personalized genomic testing. As consumers document more and more of their personal lives online, it is important to consider the security of such information. Knowing where the information is stored and who has access to it is imperative for consumers. The impact of the PATRIOT Act on electronic surveillance and the implications for the quantified self will also be discussed.

What is the Quantified Self?

The quantified self is about turning your daily activities, habits, and bodily functions into parsable data. Individuals can use this data to learn more about themselves and, in some cases, attempt to change their behaviors. The Quantified Self (QS) movement began during 2008 with Gary Wolf in San Francisco. It has grown to include contingent groups in 23 other cities around the United States.

In some ways, we have always quantified our lives, but until recently, it was in the form of journals or diaries and tracking was done once or twice per day. Dr. Kent Bottles notes four reasons for the increased momentum,

“First, electronic sensors got smaller and better. Second, people started carrying powerful computing devices, typically disguised as mobile phones. Third, social media made it seem normal to share everything. And fourth, we began to get an inkling of the rise of the global superintelligence known as the cloud.” (2012)

Now individuals can collect reams of data not just once day but minute-by-minute including aspects like heart rate, skin temperature, mood, ovulation cycles, sleep quality, and quantity. In the last several years, the devices involved have also diversified to include the FitBit, smart scales, sleep tracking headbands and the recently developed smart tooth sensor that is wifi enabled to track your oral activity such as eating and drinking. (Li, Chen, Chen, Huang, & Chu, 2013)

Emerging technologies follow two curves. The first is the diffusion of innovations curve (innovator, early adopters, early majority, late majority, laggards) that was developed by Everett Rogers. This is a bell curve that accounts for the portion of a population who adopt innovations at a given time in the life cycle of the technology. As noted by Bottles, Quantified Self is still in the early adopter range (about 20% of the population has adopted it in some way), with scholarly study and widespread notice just now starting. The second caveat is concerning the hype cycle. Gartner, a technology and information advisory and consulting firm releases a report every year that frames the emerging technologies for the year within Fenn’s Hype Cycle. (Gartner, 2013) Fenn’s cycle includes the stages of enthusiasm that are experienced as innovative markets emerge. As excitement grows, enthusiasm reaches “the Peak of Inflated Expectations, the subsequent disappointment that leads to the Trough of Disillusionment and gradual success over time that concludes in the Slope of Enlightenment and the Plateau of Productivity.” (Bottles, 2012) Figure 1 is the Hype Cycle as illustrated by Gartner for 2013. As you can see, they mark Quantified self as still in the early stages of initial enthusiasm with an expectation for it to plateau in the next 2-5 years.

Gartner Hype Cycle 2013
Figure 1 Gartner Hype Cycle

Healthcare providers have begun to watch the progression of this trend. There is conjecture that personalized healthcare could be integral for helping patients with chronic illness, with perhaps limited application in the healthier population. (Bottles, 2012) While there are many possible ways individuals can attain, “self knowledge through numbers” (Beato, 2012), an emerging market is developing within the QS community. They are attempting to map deeply personal attributes such as the microbiome (the micro-organisms of the human gut), the metabolome (the waxing and waning of metabolites such as hormones in the human system) and the genome (the full genetic heredity of the individual).

What is personalized genomic testing?

Personalized genomic testing, or direct-to-consumer (DTC) genomic testing, involves providing a saliva sample to a testing company. That company then analyzes your sample and provides you with a personalized report. The service can range from $2000 for a full genomic sequencing and review with a qualified geneticist to $99 that includes only well known genomic markers with distinct causal relationships to disease. The two most popular services for lay people are AncestryDNA and 23andMe. AncestryDNA is a service provided through the genealogy site ancestry.com. This testing focuses primarily on ethnicity and connecting distant relatives.

“23andMe’s mission is to be the world’s trusted source of personal genetic information.” (23andMe, 2013) This lab provides both ancestry and disease related metrics using SNP genotyping (mapping about 1% of the genome). It is worth noting here that although SNP genotyping covers only a small portion of the genome, it can be used to accurately identify individuals if there is a comparative sample. (Abravaya, et al., 2003) In order to complete the testing, users have to register with 23andMe, provide financial information for ordering, provide a saliva sample, connect registration information and the barcode for the sample, and access results via the web interface.

What does Privacy Mean in this Context?

The 23andMe site correctly notes that GINA (Genetic Information Non-Discrimination Act) helps to protect the consumer. This was legislation enacted in 2008. It prevents employers and insurance companies from discriminating based on genetic information. (NIH, 2013) 23andMe has a separate privacy policy provided to consumers regarding the collection and storage of their information by the company.

Key types of information they collect and store are registration information, genetic information, self-reported information, user content, web behavior, and referral information. Interestingly, they provide users with a condensed “highlights” version of their privacy policy with a link to the full policy at the end. This statement is not included in the condensed version:

“Under certain circumstances Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. You acknowledge and agree that 23andMe is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal or regulatory process (such as judicial proceeding, court order or government inquiry) or obligations that 23andMe may owe pursuant to ethical and other professional rules, laws and regulations; (b) enforce the 23andMe TOS; (c) respond to claims that any content violates the rights of third parties; (d) protect the rights, property, or personal safety of 23andMe, its employees, its users, its clients, and the public. In the event we are required by law to make a disclosure, we will notify you through the contact information you have provided to us in advance, unless doing so would violate the law or a court order.” (23andMe, 2013)

Additionally, they note in the privacy policy that they use, “a range of reasonable physical, technical, and administrative measures to safeguard your Personal Information…In particular, all connections to and from our website and mobile application are encrypted using Secure Socket Layer (SSL) technology.” (23andMe, 2013) Finally, the company shares that anonymous samples are against their terms of service.

Until this year, the discussions around quantified self and privacy focused primarily on the fact that, “Forgetting is the highest form of forgiving, and our inability to pinpoint exactly how we deploy our energies and resources allows us to live comfortably in the face of our own mediocrity.” (Beato, 2012) In other words, personal surveillance was destructive only in that it is persistent across time in a way that memory is not. This year however, the conversation has taken a marked turn following the whistle blowing efforts of Edward Snowden.

The PATRIOT Act and the rise of NSA surveillance
As Bob Fraser noted in his class discussion of the PATRIOT Act, the Foreign Intelligence Surveillance Act (FISA) came into being long before the PATRIOT Act. FISA put limits on the surveillance of U.S. citizens by the government and provided for Congressional and Judicial oversight of surveillance efforts. FISA became the primary source of search warrants for the National Security Agency (NSA) both with and without court order in the case of electronic surveillance. With the passage of the PATRIOT Act in 2001, several changes reduced the rigor required to obtain domestic intelligence including the relaxation of wiretapping standards and a reduction in the amount of Congressional oversight required. Section 505 of the PATRIOT Act provided for one of the mechanisms for reducing oversight, National Security Letters (NSL). These letters, independent from subpoenas, are served to record holders such as libraries and internet service providers.

Whistle blowers existed as early as 2002 stating that the NSA was collecting massive amounts of domestic data through electronic surveillance. (Kelley, 2013) Snowden, however, released startling data related to the efforts of the NSA to decrypt the internet. As noted in the joint publication by The Guardian, The New York Times and ProPublica,

“The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, internet chats, and phone calls of Americans and others around the world…” (Perlroth, Larson, & Shane, 2013)

This allows the NSA to collect vast amounts of information “on the fly” so there is no need for them to provide NSLs to the owners of the servers. This dragnet style of collection is allowed because the data often crosses borders en route from one server to the next. (Gellman & Soltani, 2013) The types of encryption thought to have been broken include Secure Socket Layer (SSL); the type used by 23andMe.

Applying this to the information collected and stored by 23andMe and you have the potential to not only have identifiable DNA information on the users of the service, but, if you have multiple family members using the service, their DNA can be used to positively identify you. 23andMe reports a user base numbering nearly half a million. Their policy of disallowing anonymous testing ensures that surveillance agencies can attach persons to their DNA profiles and other personal information.

23andMe is in the news this past week because of a crumbling relationship with the Food and Drug Administration (FDA) about the use of genetic results by consumers. The FDA warns that consumes are initiating self-diagnosis and preventative treatment based on SNP genotyping which is less accurate than full genomic sequencing. Charles Seife, in writing for Scientific American, noted that self-diagnosis and treatment should be the least of our worries. “The Personal Genome Service isn’t primarily intended to be a medical device. It is a mechanism meant to be a front end for a massive information-gathering operation against an unwitting public.” (2013) He goes on to acknowledge that this may sound paranoid, but in comparing the service to, for example Google, you could see how an altruistic start may morph over time. Congress is in the process of trying to legislate the NSA back into oversight, but Quantified Self is likely to continue growing along with voluntary sharing of information on the internet. As with many emerging technologies, it is difficult to predict the outcome that such transparency will bring.

Works Cited

23andMe. (2013, Nov 28). Privacy Policy. Retrieved from 23andMe: https://www.23andme.com/about/privacy/

Abravaya, K., Huff, J., Marshall, R., Merchant, B., Mullen, C., Schneider, G., & Robinson, J. (2003). Molecular beacons as diagnostic tools: technology and applications. Clinical Chemistry and Laboratory Medicine, 468-74.

Beato, G. (2012, Jan). The Quantified Self. Reason, pp. 18-20.

Bottles, K. (2012). Will the Quantified Self Movement Take Off in Health Care? Physician Executive Journal, 38(5), 74-75.

Gartner. (2013, August 19). Gartner Press Release. Retrieved from Gartner: http://www.gartner.com/newsroom/id/2575515

Gellman, B., & Soltani, A. (2013, Oct 14). The Washington Post: National Security. Retrieved from The Washington Post: http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

Kelley, M. (2013, Jun 27). Business Insider Military and Defense. Retrieved from Business Insider: http://www.businessinsider.com/nsa-whistleblower-william-binney-was-right-2013-6

Li, C.-Y., Chen, Y.-C., Chen, W.-J., Huang, P., & Chu, H.-h. (2013, Sept). Sensor-Embedded Teeth for Oral Activity Recognition. Taipei, Taiwan.

NIH. (2013, Nov 28). The Genetic Information Non-Discrimination Act Factsheet. Retrieved from NIH RePORT: http://report.nih.gov/nihfactsheets/ViewFactSheet.aspx?csid=81

Perlroth, N., Larson, J., & Shane, S. (2013, Sept 5). The New York Times – U.S. Retrieved from The New York Times: http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=1&pagewanted=all&

Seife, C. (2013, 11 27). Scientific American. Retrieved from Scientific American: http://www.scientificamerican.com/article.cfm?id=23andme-is-terrifying-but-not-for-reasons-fda

Sensenbrenner, J., & Leahy, J. (2013, Nov 28). The USA Freedom Act. Retrieved from http://sensenbrenner.house.gov/legislation/theusafreedomact.htm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s