GNU Privacy Guard (GPG) and the Protection of Sensitive Genetic Data

In today’s data-driven world, few kinds of personal information are as intimate and revealing as genetic information. Genetic sequencing has become more widely available and used, from determining health predispositions to investigating ancestry. But this growing availability also poses significant risk. Once digitized, genetic information is vulnerable to breaches, abuse, and unauthorized surveillance. Safeguarding this critical data requires robust cybersecurity measures, and one of the most effective tools available is GNU Privacy Guard (GPG). GPG is free, open-source encryption software that implements the OpenPGP standard and provides data encryption and digital authentication. Its value as a means of protecting genetic data has grown considerably in recent times, particularly in the wake of widely publicized breaches at companies. Effective tools such as GPG exist, but ethical considerations remain at the top of the agenda, from data ownership dilemmas to the dangers of genetic discrimination.

How GNU Privacy Guard (GPG) Safeguards Genetic Data

GPG employs public-key cryptography to allow users to securely encrypt, decrypt, and verify digital data. When genetic information is encrypted with the recipient’s public key, only the matching private key can unlock it, which protects the data from anyone who does not hold that key. GPG also supports digital signatures, which verify origin and integrity: they show that the genetic data has not been altered and that it came from a reliable source. Such trust is paramount for organizations responsible for handling sensitive genetic information.
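The exchange described above, as an added example that is not part of the original article: a lab signs a file and encrypts it to a clinic's public key, and the clinic accepts the decrypted file only if the signature comes from the lab's pinned key fingerprint. The identities, the VCF record, and the two throwaway keyrings are assumptions made for the demonstration, which requires GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: sign-then-encrypt a genetic data file with GnuPG 2.x.
# Identities, paths and the VCF record below are constructed for illustration.
set -eu
LAB_ID="lab@example.org"        # hypothetical sender (sequencing lab)
CLINIC_ID="clinic@example.org"  # hypothetical recipient (provider)

new_party() {  # $1 = keyring dir, $2 = user id; unprotected throwaway key, demo only
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}
share_pubkey() {  # copy only the PUBLIC key of $3 from keyring $1 into keyring $2
    gpg --homedir "$1" --batch --export "$3" |
        gpg --homedir "$2" --batch --quiet --import
}
fingerprint() {  # $1 = keyring dir, $2 = user id; prints the primary key fingerprint
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}
protect() {  # lab side: $1 = keyring dir, $2 = plaintext, $3 = ciphertext out
    # --trust-model always skips key validation; in practice compare the
    # recipient's fingerprint out of band before encrypting to it.
    gpg --homedir "$1" --batch --yes --quiet --trust-model always \
        --local-user "$LAB_ID" --recipient "$CLINIC_ID" \
        --sign --encrypt --output "$3" "$2"
}
receive() {  # clinic side: $1 = keyring dir, $2 = ciphertext, $3 = out, $4 = pinned signer fpr
    st=$(gpg --homedir "$1" --batch --yes --quiet --status-fd 1 \
        --decrypt --output "$3" "$2" 2>/dev/null) || return 1
    # Accept only a valid signature whose primary key is the pinned fingerprint;
    # otherwise discard the decrypted output.
    printf '%s\n' "$st" | awk -v f="$4" \
        '$2 == "VALIDSIG" && $NF == f { ok = 1 } END { exit !ok }' ||
        { rm -f "$3"; return 1; }
}
demo() {  # full round trip in a temporary directory; returns 0 on success
    d=$(mktemp -d); lab="$d/lab"; clinic="$d/clinic"; rc=0
    new_party "$lab" "$LAB_ID"; new_party "$clinic" "$CLINIC_ID"
    share_pubkey "$clinic" "$lab" "$CLINIC_ID"
    share_pubkey "$lab" "$clinic" "$LAB_ID"
    printf '#CHROM\tPOS\tID\tREF\tALT\n1\t1000\trsEXAMPLE\tA\tG\n' > "$d/sample.vcf"
    protect "$lab" "$d/sample.vcf" "$d/sample.vcf.gpg"
    receive "$clinic" "$d/sample.vcf.gpg" "$d/out.vcf" "$(fingerprint "$lab" "$LAB_ID")" &&
        cmp -s "$d/sample.vcf" "$d/out.vcf" || rc=1
    gpgconf --homedir "$lab" --kill gpg-agent; gpgconf --homedir "$clinic" --kill gpg-agent
    rm -rf "$d"; return "$rc"
}
if [ "${1:-}" = demo ]; then demo; echo "round trip verified"; fi
```

Run the script with the argument `demo` to perform the round trip. Each party's keyring holds its own private key and only the public key of the other.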

Why is GPG particularly well suited to genetic data? First, it provides end-to-end encryption, so information is encrypted both in transit (such as between labs and providers) and in storage. Second, as an open-source solution, GPG allows its codebase to be inspected by the community, leading to quicker recognition and closure of vulnerabilities than in closed-source counterparts. Third, GPG aids compliance with rigorous privacy regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and NIST recommendations. No encryption technique is completely secure, however. Mishandled private keys, inadequate operational security, or system configuration faults can compromise confidentiality. Encryption must be one part of a comprehensive security plan, not a single catch-all measure.

Perhaps the most significant ethical difficulty in the processing of genetic information is the lack of informed consent. Most consumers of genetic testing services do not know that their information can be retained forever or used as research data.

Infographic on Cybersecurity Created by Sajdah Muhammad

Ethical Implications and Breaches

23andMe and AncestryDNA, some of the most popular DNA testing service providers, have been accused of hiding consent provisions deep within their terms and conditions. People must be told transparently how their data will be used, to whom it will be disclosed, and what the long-term implications will be. In 2018, 23andMe struck a deal with pharmaceutical giant GlaxoSmithKline (GSK) that gave the pharma company access to millions of customers’ genetic maps in an effort to advance the discovery of new medicines. Although such arrangements can benefit medicine, they amplify concerns over the commodification of intimate personal data. Genetic information may reveal a person’s susceptibility to illness, mental illness, or even personality traits. This is dangerous and does not allow proper consent for all customers.

Examples of genetic data breaches

1. Veritas Genetics — 2019

In 2019, an improperly configured server at Veritas Genetics exposed customer data such as sensitive test results. This could have been prevented with access controls and proper encryption.

2. GEDmatch and criminal investigations

GEDmatch is an internet-based service that compares autosomal DNA data from different testing companies. Law enforcement used the service to solve a case that had been pending for decades. But this raised ethical and moral questions about whether genetic data shared for recreational or medical purposes should be allowed to be used in criminal investigations.

The protection of citizens’ information is a constitutional right. As technology evolves, many professionals have tried to implement, or have worked with the authorities to enforce, the following strategies from an ethical perspective:

1. Respecting data ownership rights

2. Following GDPR, NIST, and HIPAA regulations

3. Implementing rigorous procedures and incident response policies

4. Implementing consent mechanisms

Such initiatives can help close the gaps in ethical cybersecurity. As genes are increasingly tested, ethical data stewardship will only become more necessary. Balancing innovation against privacy and ethics is not only a technological puzzle but also a matter of keeping morals alive.

————

References

General Data Protection Regulation. (2024, April 22). General Data Protection Regulation (GDPR). https://gdpr-info.eu/.

GSK and 23andMe sign agreement to leverage genetic insights for the development of novel medicines. GSK. (2018, July 25). https://www.gsk.com/en-gb/media/press-releases/gsk-and-23andme-sign-agreement-to-leverage-genetic-insights-for-the-development-of-novel-medicines/

Orr, J. (2023, August 29). Incident of the week: DNA-testing company Veritas Genetics discloses unauthorized access of Customer Data. Cyber Security Hub. https://www.cshub.com/attacks/articles/incident-of-the-week-dna-testing-company-veritas-genetics-discloses-unauthorized-access-of-customer-data

Ross, R., & Pillitteri, V. (2024). Protecting controlled unclassified information in nonfederal systems and organizations. NIST Special Publication 800-171. https://doi.org/10.6028/nist.sp.800-171r3

Ross, W. L. (2020). Security and Privacy Controls for Information Systems and organizations. NIST Special Publication. https://doi.org/10.6028/nist.sp.800-53r5

Trujillo, M., Collings, P., Klosowski, T., Hussain, S., & Lynch, J. (n.d.). Genetic information privacy. Electronic Frontier Foundation. https://www.eff.org/issues/genetic-information-privacy#:~:text=In%202013%2C%20the%20HIPAA%20Omnibus,or%20long%2Dterm%20care%20insurance.

Wickenheiser RA. Forensic genealogy, bioethics and the Golden State Killer case. Forensic Sci Int Synerg. 2019 Jul 12;1:114-125. doi: 10.1016/j.fsisyn.2019.07.003. PMID: 32411963; PMCID: PMC7219171.

https://gnupg.org/

Infographic Created by Sajdah Muhammad
