With genealogy sites all the rage, many folks willingly submit DNA samples to see their family trees. For a few, unintended consequences have surfaced, at least anecdotally, some taking on the status of the urban legend “What do you mean my dad was the postman?” But it’s the unknown unintended circumstances that give us pause.
Why? Bear with us for a visit to the way-back machine. In the very early days of e-commerce, right around the turn of the century, there may or may not have been a local IT consulting firm that claimed to be able to facilitate credit card payments over the web. Purportedly, though, all they did was take your unencrypted credit card info off a simple website, then have an intern call the bank a couple of times a day to process the payments manually. At the time, none of this was illegal, or even really frowned upon, simply because the concept, not to mention the technology, was so immature there were really no rules governing such transactions.
At that time, hacking into websites and web-accessible databases was minimal, especially compared with current times. So while contemporary cybersecurity folks would cringe at the insecure nature of this process, the data was never compromised. At least, that’s their story … and the statute of limitations has long expired.
Since then, regulations governing such transactions have been codified into the Payment Card Industry Data Security Standard — PCI DSS — or often just PCI because you can’t have a tech column without at least one acronym.
We’re now up to version 4.0 of the PCI standard, and it’s continually updated. Version 1.0 was released in 2004 and was quite basic. Adherents to the standard had to attest, “I promise I won’t steal any money.” Obviously, this is quite a simplification but really not too far off. Nowadays, PCI governs not only principles, but also the processes at a very detailed level, as well as the technologies that need to be employed for secure payment card transactions.
Back to DNA. There is currently no equivalent of PCI DSS for DNA data. There is a mishmash of rules around privacy, but no umbrella standard. And DNA data can have much more widespread implications than PCI data; the scope of PCI is narrow compared with that of DNA. Scientists are still figuring out how to use DNA data, so who knows what such data can be used for in the future? While such uses are expected to be primarily beneficial, there is always a chance that some less ethical folks will figure out a way to use the data for unfavorable purposes.
This is not to say that the direct-to-consumer testing companies are bad. There is no evidence whatsoever that such companies are using your data for nefarious purposes. There is no evidence of those organizations abusing your data. But there is also little to no regulation on the processes and technologies that those organizations must or should follow. Tying it back to our example from the way-back machine, it is entirely possible that your DNA data is being handled by a low-paid or unpaid intern.
———
John Agsalud is an IT expert with more than 25 years of information technology experience in Hawaii and around the world. He can be reached at jagsalud@live.com.