UC Berkeley DNA Testing: Trust Us, We’re Using Barcodes
Recently, UC Berkeley announced that it will offer complimentary DNA testing to incoming Letters and Science freshmen. The testing will be optional and confidential, and will look at three genetic markers related to alcohol, lactose, and folate tolerance. While the project intends to provide a unifying educational experience and help students prevent health issues, it has become the subject of criticism because of the ethical and privacy concerns associated with genetic information.
One dimension of the system that should not be ignored is the threat model. According to the FAQ on privacy for the program, the confidentiality of the system relies on two barcodes sent to each student. The student sends one back and keeps the other to view the results. This description is too simplistic to give me any confidence in the system. In order to provide confidentiality, these barcodes would need to be randomly generated. There could never be a time when the barcodes associated with student names were viewable by another person (who is stuffing the envelopes?). And the website that provides the information would have to be free of security vulnerabilities. Given that the only time I've ever received an SB1386 "sorry, we've been hacked" letter was from UC Berkeley and involved a website compromise, I think that this is a big assumption.
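
One way to meet the random-generation requirement above, as an added example that is not UC Berkeley's code or anything described in its FAQ: a hypothetical `Lab` store that issues two barcodes per kit from the OS CSPRNG, keeps no names, and stores only a hash of the code the student keeps. All names and the 128-bit code size are assumptions.

```python
import hashlib
import secrets

CODE_BYTES = 16  # assumed size: 128 bits per barcode, not a figure from the FAQ


def new_code() -> str:
    """Return an unguessable barcode value (hex) drawn from the OS CSPRNG."""
    return secrets.token_hex(CODE_BYTES)


def digest(code: str) -> str:
    """Hash a code so the store never has to keep the raw value."""
    return hashlib.sha256(code.encode()).hexdigest()


class Lab:
    """Hypothetical lab-side store: no names, no raw result codes."""

    def __init__(self):
        self._kits = {}     # sample_code -> digest(result_code)
        self._results = {}  # digest(result_code) -> result text

    def issue_kit(self):
        """Create the two barcodes for one kit; takes no student identity."""
        sample_code, result_code = new_code(), new_code()
        self._kits[sample_code] = digest(result_code)
        return sample_code, result_code

    def record_result(self, sample_code, result):
        """File a result under the hashed result code and drop the sample link."""
        self._results[self._kits.pop(sample_code)] = result

    def lookup(self, result_code):
        """Return the result for the code the student kept, or None."""
        return self._results.get(digest(result_code))


if __name__ == "__main__":
    lab = Lab()
    sample, kept = lab.issue_kit()                    # printed on the two barcodes
    lab.record_result(sample, "constructed sample result")
    print(lab.lookup(kept))                           # student's view
    print(lab.lookup(sample))                         # mailed-back code reveals nothing
```

This does not address the envelope-stuffing step: whoever pairs a kit with a mailing label can still see both codes beside a name.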
Like other dilemmas involving ethics and privacy, the people responsible for the decision should deeply consider the security risks. Ensuring privacy often means ensuring the confidentiality of information, which is tremendously difficult to guarantee.
I'd like to see more organizations analyze and present the security concerns
and how they impact privacy before making unfounded guarantees and rushing
towards their desired conclusion.