Silence is Compliance

The genealogy community has been mum when it comes to a recent breach of policy in use of 23andMe’s API. Is it purposeful?

Let social security numbers get removed from the SSDI online and the genealogy community is all over it. Blogging, vlogging, tweeting. Everything.  Let the policy change for releasing information on social security applications for the deceased, and again, the genealogy community is all over it. Blogging, vlogging, tweeting. On the other hand, let a developer create an application that willingly discriminates a website’s users based on the racial and gender characteristics identified in their genome…and you don’t hear a peep.

What Exactly is API and Why Should You Care About it?

In layman’s terms, API gives access to a proprietary database to folks who don’t own it or otherwise have access to it. For example, Tweetcaster uses Twitter’s API so it can send out tweets for you although Tweetcaster is not owned by Twitter. Or, if you use Facebook to log into another website like Pinterest, Pinterest is using Facebook’s API to log you in which keeps you from having to remember yet another login. 23andMe has an API that includes information for the folks who have used their test. If a developer develops an app that uses 23andMe’s API, then users have to agree to allow the app to access their data if they decide to utilize the app.

In this instance, the developer used the information to create an app that could discriminate users based on their genetic makeup. For the test example they used, if a user logged in with their 23andMe credentials, and they didn’t have at least 40% euro DNA, they would be blocked from access to the app or website. Sounds ridiculous, right?

OK, perhaps I’m reaching kinda far.  I really want to believe that. But you know what, I don’t think I am.  Why? Because this could only affect certain groups of people. Because it could continue to give an advantage to those in the majority. Because as long as it doesn’t touch the majority’s front door, it shouldn’t be an issue and we shouldn’t even talk about it. Right?

In fact, the code for this preposterous violation STILL lives on the Github website as of the publishing of this blog post.  Thankfully, 23andMe has blocked it because it violates their terms of service.  The author claims the following:

Using the 23andme API it is now possible to utilize genetic profile information and likely phenotypes in custom applications. This means you can restrict access to your site based on traits including sex, ancestry, disease susceptability, and arbitrary characteristics associated with single-nucleotide polymorphisms (SNPs) in a person’s genotype.(1)

Just when you thought that was irritating enough…there’s more! Under Possible Uses:

  • Creating “safe spaces” online where frequently attacked and trolled victim groups can congregate, such as a female-only community
  • Ethnoreligious sects may wish to limit membership, e.g. Hasidic Jewish groups restricting access to Ashkenazi or Sephardic maternal haplogroups with the “Cohen” gene
  • Safer online dating sites that only partner people with a low likelihood of offspring with two recessive genes for congenital diseases
  • Pharmaceutical applications that check for genetic predisposition to negative drug interactions before dispensing
  • Groups defined by ethnic background, e.g. Black Panthers or NAACP members(2)

So, you’re probably thinking, this can’t be legal, can it? Well, it actually depends on the state you live in. It doesn’t violate any federal genomic laws from what I can see.  On the other hand, it can violate Civil Rights laws.

So, again, why is the genealogy community completely silent on this breach? It’s been more than a week since this was announced. Sound off about your thoughts below.

This post was updated on August 3, 2015.

Endnotes

(1) Genetic Access Control, Github. Accessed August 1, 2015.
(2) Ibid.

Facebook Comments

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.