Surreptitious Genetic Testing: WikiLeaks Highlights Gap in Genetic Privacy Law

The top news story the past two weeks: the release of hundreds of thousands of confidential American diplomatic cables by WikiLeaks. While dissecting diplomatic maneuvering is not a traditional area of expertise for the Genomics Law Report, a pair of cables did catch our eye.

The first is primarily a curiosity: the allegation that Chinese authorities are spying on deCode Genetics, Iceland’s most prominent genetic research company and provider of the direct-to-consumer genetic testing service, deCODEme. Nobody seems to know exactly what China is looking to gain by clandestinely exploring Iceland’s genetic genealogy. You are welcome to speculate in the comments.

The second raises broader issues: the revelation that the State Department’s ongoing human intelligence collection directives include requests for “biometric information” on key world leaders, including United Nations arms inspectors, the Director General of the World Health Organization (WHO) and key advisors and aides to United Nations Secretary General Ban Ki-moon. A separate cable detailing intelligence collection priorities in Africa’s Great Lakes region clarifies that “biometric information” includes “health [data]…fingerprints, facial images, DNA, and iris scans.”

Not disclosed in the WikiLeaked cables: why the State Department wants the biometric data or whether any have been successfully obtained.

Surreptitious Testing: An Overview. The cables are, however, a reminder that the law surrounding the surreptitious collection and testing of biometric data, including DNA, remains extremely murky.

While the extent to which surreptitious testing is performed in diplomatic and intelligence contexts is not publicly known, such testing is commonplace in law enforcement settings. For example, police routinely collect and analyze “abandoned DNA” during forensic investigations. Indeed, one of the primary indices of the FBI-run Combined DNA Index System (CODIS) is the Forensic Index. The Forensic Index is comprised of DNA profiles constructed from biological specimens from unidentified individuals collected at crime scenes. These DNA profiles are then compared against similar offender and arrestee indices, which are also housed in CODIS, to aid in law enforcement efforts. Several high-profile criminal investigations, including the recent arrest of the “Grim Sleeper” serial killer, have been aided by this technique.

Concerns about surreptitious sampling and testing have also appeared in other contexts. During this past summer’s Congressional hearing on direct-to-consumer (DTC) genetic testing, the Government Accountability Office (GAO) presented results from a series of undercover encounters with DTC companies. One recording appeared to show a company (later identified as Pathway Genomics) encouraging a prospective customer to collect and send in a saliva sample from her fiancé without his consent, in order to surprise him with results of a genetic test.

In 2009, New Scientist reporters Peter Aldhous and Michael Reilly used similar tactics to demonstrate that it was possible to obtain genetic information about someone without that individual’s consent and detailed their experiences in a special investigation: how my genome was hacked.

Shortly after the 2008 presidential election, an article appearing in The New England Journal of Medicine (NEJM) considered the possibility that, by the time the 2012 election rolls around, presidential candidates might be at significant risk of surreptitious genetic testing. The authors worried that “persons or groups opposing a candidate [and] hoping to harm his or her chances for election” would obtain and release genetic information without consent, a form of “genetic McCarthyism.” This would not be very difficult, the authors concluded, since “sufficient DNA for amplification and analysis can be obtained from loose hairs, coffee cups, discarded utensils, or even a handshake.” The WikiLeaks revelations about State Department officials seeking biometric information on world leaders indicate that the NEJM speculation may already be reality on the world stage.

There are numerous other scenarios in which surreptitious genetic testing might be employed to acquire information about less famous but equally unwitting individuals, including to establish paternity or to evaluate a potential romantic partner.

Legal Uncertainty Surrounds Surreptitious Testing. To many, it seems like “there oughta be a law” against surreptitious genetic testing, at least in certain settings. However, as reported last year by the Genetics & Public Policy Center, there are “limited legal safeguards against surreptitious DNA testing or its potential consequences for those subject to nonconsensual testing.”

While the 2008 passage of the Genetic Information Nondiscrimination Act (GINA) prohibits the unauthorized acquisition or use of genetic information in certain contexts (health insurance and employment), it offers only limited protection against surreptitious testing. For instance, while it covers most of the Federal government, including the State Department, GINA does not apply to the military or the VA. It also does not restrict behavior outside of the insurance and employment contexts including, for example, by political adversaries or their supporters during a presidential campaign. (Interestingly, the NEJM article declined to advocate for “laws that would make it a federal crime to sequence a candidate’s DNA without consent,” preferring voluntary restraints and education instead.)

Other Federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA) may offer protection under certain scenarios (e.g., the use and disclosure of genetic information by covered entities, predominantly health plans and healthcare providers) but, again, fall short of providing a complete and clear prohibition on surreptitious genetic testing.

The 2008 GPPC report also looked at state law to evaluate which states proscribe surreptitious DNA testing (pdf). Determining the exact number of states that prohibit this behavior depends heavily on context. Some state statutes prohibit unauthorized acquisition or analysis of genetic information, while others apply only to unauthorized disclosures. Similarly, some state statutes appear to encompass all manner of genetic information, whereas others cover only certain genetic information (e.g., health-related information) or apply only to certain settings (e.g., employment or insurance discrimination). The National Conference of State Legislatures (NCSL) has also compiled data on state genetic privacy laws and, like the GPPC report, the NCSL data indicates considerable variability at the state level.

In the absence of a comprehensive federal law, state prohibitions are currently the main source of relevant law when it comes to restricting surreptitious genetic testing. But not all states have such laws. Whether surreptitious genetic testing is illegal thus typically depends on a combination of who is doing the testing, whom they are testing, what they are testing for, how they are using the results and, most of all, the state or states in which those activities take place.

Finally, there is a possibility that surreptitious genetic sampling and testing may be prohibited on either common law or constitutional grounds, at least in certain situations. For example, in the Texas newborn blood spot litigation, which we covered earlier this year, the plaintiffs alleged both Fourth Amendment (unreasonable search and seizure) and Fourteenth Amendment (right to privacy) violations resulting from the state’s policy of retaining newborn blood spots for ongoing research without explicit parental consent. While both claims survived summary judgment, and may have helped precipitate the litigation’s settlement, these and other legal theories remain untested in most states and under most circumstances.

What We Should Learn From WikiLeaks. Coming full circle, the leaked State Department communiqués raise important questions to which we do not have clear answers. In particular: under what circumstances is the surreptitious collection of biometric data, including genetic data, appropriate?

For most, the answer to that question will depend to some degree on context. Should State Department officials gathering intelligence abroad have a greater or lesser ability to pursue surreptitious genetic testing than domestic law enforcement agents? Should private individuals be permitted to conduct surreptitious genetic testing in certain circumstances (e.g., to confirm paternity) but not others (e.g., when shadowing a politician or celebrity)?

While individual answers may vary, we expect the law to provide us with clear guidelines. As is made clear by the above analysis, however, there exists a wide range of scenarios where surreptitious genetic testing, should it occur, would fall squarely within a legal gray area.

This is in stark contrast to the situation in other countries. In the United Kingdom, for instance, the Human Tissue Act 2004 made it a “criminal offence to take a sample from someone to test their DNA without their consent, except for medical purposes and lawful investigative purposes” as of 2006. Similarly, while Germany’s new Human Genetic Examination Act (also known as the GenDG) is overly restrictive in many respects, § 8(1) of the GenDG (pdf) clearly prohibits “any genetic examination or analysis” without the “express, written consent of the subject person, both in regard to the respective genetic examination and genetic sample.”

Whether the United States adopts the same approach to surreptitious genetic testing or not, the issue must be addressed. We must articulate, much more clearly than at present, the situations in which unconsented genetic testing, analysis and disclosure is permissible, and those in which it is proscribed.

Each year, the availability of low-cost, high-quality genetic information expands. Along with a wide array of legitimate and beneficial uses, the growing accessibility of this genetic information brings with it an increasing number of opportunities to employ and to abuse surreptitious genetic testing. As we continue to push forward into the era of personal genomics, the time has come to seriously discuss a comprehensive legal framework for surreptitious genetic testing.