Between 2012-2013 Heather Dewey-Hagborg worked on her “Stranger Vision” project to bring awareness on how our DNA can be used without our consent. Early this year I had the great pleasure seeing her “Stranger Vision” project in person at the “Designs for Different Futures” exhibition in the Philadelphia's museum of art. Reading her project a few years ago made me wonder how safe our DNA is with the emerging technologies we are seeing nowadays, such as commercialized DNA testing kits.

From Heather’s personal website it says, “Heather Dewey-Hagborg is an artist and biohacker who is interested in art as research and technological critique.”1 In addition, in her 2014 TedTalk she expresses attaining 0 knowledge on how to analyze DNA before this project.2 She also describes her idea of this project began when she was at her psychiatrist’s office and saw a strand of hair stuck behind a glass. It was at that moment when she started to ponder the owner of this hair. How they acted? Their life? Where are they from and most importantly, how did they look? Her obsession with these questions and seeing how much DNA we leave behind daily led her to find out if there is a way to find these answers.

Her first step was becoming a member at a DIY lab name genSpance in downtown Brooklyn. Here she learned about biotechnology such as how to extract, amplify, and analyze DNA to learn about ancestry. She applied her learning by extracting DNA from hair, cigar butts, chewing gum, and nails that she found on the streets of Brooklyn. Through many weeks of trial and error, Heather was able to print the stranger’s eye color, hair color, and face structure by analyzing the DNA extracted from those random objects she picked up.

While those DNA were extracted, she printed the face of a man named Orta that shared his 23andMe raw DNA file on the coding sharing website, github.3 She also took the 23andMe test to extract her DNA information to 3D print her face . By having these two faces printed with the results of a paid consumer DNA testing kit, it goes to show that if these companies that hold our DNA data are ever breached and someone takes a hold of your raw DNA file, then it is possible for someone to literally steal your face.

This begs another question, can we trust these DNA testing kit companies? These companies are becoming more popular each year. We see so many videos of youtubers reviewing their 23andMe results and these kits are sometimes given out at sporting events for free.4 What is concerning about these kits, is that you are essentially giving your rights away. For example, 23andMe shares your DNA results to 3rd parties and research pharmaceutical companies.5 Yes, you can opt out from providing your data and yes they do take your name and other sensitive personal information out before sharing your data, but, these DNA testing kit companies can always update their policies leading you to accidentally opt in and all DNAs are unique so it is possible to do some backward engineering on the DNA to decipher or piece together your name and personal information.

It is also not uncommon to hear a company was hacked. For example, not too long ago twitter, one of the biggest tech companies, was hacked.6 So at any time, these DNA companies are vulnerable of a cyber attack and that is what just happened this week. GEDmatch, a free online DNA database where anyone can share their data from consumer DNA testing kits such as 23andme, was breached. GEDmatch was on the news last year for working closely with the law enforcement and helping aid the arrest of the Golden State Killer7 through DNA family matching. GEDmatch has roughly 1.5 million users and the breach reset all of their users' accounts and opted them in to share their DNAs to law enforcements even if the user chose to opt out.8 All of this lasted roughly 3 hours. The company owner of GEDmatch said the following on a facebook post, “[This was] orchestrated through a sophisticated attack on one of our servers via an existing user account.”9 This breach is still undergoing investigation as to what was the motive. The following week another breach was made by a phishing scam to GEDmatch’s sister company myHeritage, an Israel-based genealogy website. It seemed the hackers that breached GEDmatch accessed the email addresses and phished those emails to a fake website where users give their credentials on a fake login page. It was reported 7 users fell into this phishing scam.

As we have seen with the breach of GEDmatch, not all DNA companies might have great security and are vulnerable to hackers. 23andme gave out a statement last year when GEDmatch gave access to law enforcement to their data for 24 hours. This is what 23andme stated in a blog post, “In our 13 year history, 23andMe has never turned over any customer data to law enforcement or any other government agency. Protecting the security and privacy of our customers’ information is at the core of what we do as a business. Unfortunately, not all businesses adhere to these same principles. That is in part why we warn our customers about uploading their genetic data to third-party, public websites like GEDmatch.”10From my research it seems like 23andMe and Ancestry strive to protect their customer’s genetic privacy but as 23andMe has pointed out in their statement, not all the other DNA companies are doing the same and that is concerning. It is also concerning how the law enforcements are leaning to solve cases by constructing a family tree by looking at these DNA databases that consumers of DNA testing kits submit in the hopes of finding relatives, a disease, or to learn more about their ancestry. Most likely, the consumers were not uploading their DNA to these databases expecting to know they had a family member who is a serial killer or a rapist. Maybe this is a piece of information someone would like to know and they have no problem with it but it was not the original intent of DNA testing kits. These kits are now taking the form of a new purpose. A purpose that has no regulation law or checks and balances.

On March 9th, 2020 ACLU submitted an amicus brief in a South Dakota case arguing that the Fourth Amendment prohibits the police from collecting our DNA without a warrant.11 A brief summary of the South Dakota case was a suspect was charged for murder on abandoning her dead baby 39 years ago by going through the suspect’s garbage to collect her DNA and match it with the baby’s DNA. The investigation was not done while the suspect was under arrest. This was done under a free citizen. The law enforcements defended their stand by stating we give our rights to an object away when we throw them out to the garbage. However, as stated in the amicus brief, there is a difference of dumpster diving for an object and dumpster diving for DNA. The DNA is what makes us, us. We cannot control how we leave behind our DNA.On average we shed about 50 to 100 strands of hair a day. Every two minutes, we shed enough skin cells to cover nearly an entire football field. With a single sneeze, we can spew 3,000 cell-containing droplets into the world.12We cannot control how much and when we leave behind our DNA. Therefore, the police officers are violating our fourth amendment rights when they are going through our garage seeking for our DNA while we are free citizens.

In addition, this technique gives officers the ability to create their own database by collecting our garbage and logging in our DNA. During the 2016 Dakota access pipeline protests, police officers picked up cigar butts from protestors and sent them to a lab to extract the DNA.13 2019, a result of a cigar butt collected in 2016 led to the arrest of Lawrence Malcolm Jr. This protest had more than 100 demonstrators and many of them had their faces covered. They shut down construction and vandalized equipment on the Standing Rock Indian Reservation to fight against the invasion of sacred tribal lands. The main reason for the protest was for religious freedom, tribal sovereignty and human rights. Although there were over 100 protestors covering their faces, Lawrence Malcolm Jr was arrested because law enforcement picked up his DNA on a cigar butt. His arrest was made 3 years later when results finally came in to convict him.

Ever since the Golden State Killer was apprehended by the aid of DNA testing companies, this opened a pool of law enforcements wanting to use the same technology to close some tough cases. Yes, there have been endless cold cases shut because of this new trend but this is pushing into our genetic privacy. Even if you yourself did not participate in taking any of these DNA testing kit or uploaded your DNA information to a database like GEDmatch, it all takes some close relatives to submit their DNA such as your brothers and/or sisters all the way to your third cousin for you own DNA to be puzzled in together because close family members share the some same DNA.

There was a study conducted in 2019 by University of Washington where they tested if they can impersonate a fake genetic profile and link it to a family to gain DNA information of that family. GEDmatch provides graphics on how related you are to a profile by comparing the two DNAs. The team basically created a fake account and toggled around with the graphics results to find out what the target’s DNAs were,”Then the team played a game of 20 questions: They created 20 extraction profiles that they used for one-to-one comparisons on a target profile that they created. Based on how the pixel colors changed, they were able to pull out information about the target sequence. For five test profiles, the researchers extracted about 92% of a test’s unique sequences with about 98% accuracy.”14 The finding of this experiment was shared with GEDmatch. By now this may not be a security risk anymore, but we can say it was back then in 2019 and it took a team outside of the company to bring awareness of such security risk.

What can one do with stolen DNA? Well, there are many emerging technologies which combined with the stolen DNA someone can literally steal your identity. A perfect example of this is with Heather’s “Stranger VIsion” project. The lead author of the University of Washing GEDmatch study stated this genetic invasion, “.... makes the privacy of genetic data particularly important. You can change your credit card number but you can’t change your DNA.” (Peter Nay). All of Heather’s 3D printed face masks can be described as a “familiar face” and as far from what I have seen in my research, no one has stepped forward saying it is their face they see printed because those faces are a rough estimate of the actual owners of the DNA Heather picked up. However, technology is fast approaching. Those faces do not have to exactly match someone. As long as there are keen resemblance this raises a much higher personal security issue. How? Well these faces can be used for criminal activities.

For example, in 2010 a caucasion man used a lifelike black mask for a string of robberies in Cincinnati, Ohio.15 The police officers falsely arrested an African-American man for these robberies. This incident didn’t happen because DNA was stolen but this is mentioned because in the future this can be achieved to purposefully frame a person by stealing their DNA they uncontrollably leave behind daily and use public resources to reconstruct their faces. Sometimes a DNA is not needed, all that is needed is a familiar face.

With Heather’s project it has been proven a facemask that resembles someone is easily attainable and anyone can do it. What we have learned with the law enforcement obtaining DNA by the garbage we throw out because we “give our rights away” the moment we throw them out shows that DNA can be obtained without your permission or acknowledgement.

There must be a regulation on our DNA that we leave behind. We don’t have control over daily shedding of hundreds of thousands of skin and hair cells. Those cells contain information about who we are, where we come from, and who we will be. We must also bring more awareness of these DNA testing kits and especially those that are working close with the law enforcement. We need to have more open discussion on how we can protect ourselves. Our world around us is fast changing with all this new technology which should also bring new practices on how we must protect ourselves, our family, and those that we love dearly.

References

[1] Dewey-Hagborg, Heather. “Bio.” Hagborg, 2020, deweyhagborg.com/bio.
[2] TEDx Talks. “I Steal DNA from Strangers | Heather Dewey-Hagborg | TEDxVienna.” YouTube, 1 Dec. 2014, www.youtube.com/watch?v=666Kq95xm1o.
[3] Orta. “Orta/Dna.” GitHub, 2011, github.com/orta/dna.
[4]Barker, Jeff. “Ravens Fans to Be Offered DNA Test Kits Sunday in Unusual NFL Promotion.” The Baltimore Sun, The Baltimore Sun, 14 Sept. 2017, www.baltimoresun.com/business/bs-bz-ravens-dna-testing-20170913-story.html.
[5]23andMe. “DNA Genetic Testing & Analysis - 23andMe Europe.” 23andme, 2020, www.23andme.com/en-eu/about/individual-data-consent.
[6] Volkman, Eric. “Twitter Hacked in Apparent Bitcoin Scam: Feeds of Musk, Biden, Gates, and Others Compromised.” The Motley Fool, 16 July 2020, www.fool.com/investing/2020/ 07/16/twitter-hacked-by-apparent-bitcoin-scam-musk-feeds.aspx.
[7] “We Will Find You: DNA Search Used to Nab Golden State Killer Can Home in on about 60% of White Americans.” Science | AAAS, 25 Sept. 2019, www.sciencemag.org/news/2018/10/we-will-find-you-dna-search-used-nab-golden-state-killer-can-home-about-60-white.
[8] “Website Security Breach Exposes 1 Million DNA Profiles.” AP NEWS, 23 July 2020, apnews.com/0def85a68f2d1d5a03d5b27dbcdd45e6.
[9] “Facebook - Meld Je Aan of Registreer Je.” Facebook, 2020, www.facebook.com/unsupportedbrowser.
[10] “Our Stance on Protecting Customers’ Data.” 23andMe Blog, 8 Nov. 2019, blog.23andme.com/news/our-stance-on-protecting-customers-data.
[11]American Civil Liberties Union. “State of South Dakota v. Bentaas: ACLU, ACLU-SD, EFF Amicus Brief.” American Civil Liberties Union, 2020, www.aclu.org/legal-document/state-south-dakota-v-bentaas-aclu-aclu-sd-eff-amicus-brief.
[12] American Civil Liberties Union. “ACLU News & Commentary.” American Civil Liberties Union, 2020, www.aclu.org/news/privacy-technology/police-need-a-warrant-to-collect-dna-we-inevitably-leave-behind.
[13] “DNA from Cigarette Leads to Dakota Access Arrest 3 Years On.” AP NEWS, 6 Sept. 2019, apnews.com/abb444c2e6f14ca49a675e82d4b0d520.
[14] McQuate, Sarah. “Popular Third-Party Genetic Genealogy Site Is Vulnerable to Compromised Data, Impersonations.” UW News, 29 Oct. 2019, www.washington.edu/ news/2019/10/29/genetic-genealogy-site-vulnerable-compromised-data-impersonations.
[15] ABC News. “White Man Used Lifelike Black Mask to Evade Arrest in Robberies.” ABC News, 3 Dec. 2010, abcnews.go.com/US/white-man-lifelike-black-mask-evade-arrest-robberies/story?id=12288529.