December 1, 2022 • 27 mins
Genetic testing services like 23andMe can tell us a lot about our health and ancestry. But whenever you’re giving your DNA to a company, it’s important to know the risks. On today’s episode of There Are No Girls On The Internet (TANGOTI), host Bridget Todd is joined by 23andMe Senior Privacy Counsel Zerina Curevac for a deep dive on what you need to know before you spit.
See omnystudio.com/listener for privacy information.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
Have you ever thought about how incredibly complex I spit is.
It may only be water, but just aliva isn't simple.
That remaining one percent holds incredibly meaningful information that could
change everything. And I'm not just talking about your family
treat Hi. I'm Barrett to Day Thurston. And on this
(00:23):
season of Spit and I Heart Radio podcast with twenty
three and Me, we explore how DNA isn't just about ancestry,
it can also be key to understanding your health. Hello,
and welcome back. On today's show, we have Bridget Todd,
host of the podcast There Are No Girls on the Internet.
(00:45):
Each week, Bridget chronicles marginalized voices in technology, the voices
that have always been at the forefront of tech, but
far too often go overlooked. Bridget has investigated how marginalized
communities are more likely to be impact by technology and
historically have been skeptical of data collection and privacy. So
when Bridget decided to take a twenty three and Me test,
(01:08):
she saw an opportunity to not only gain insightful information
on our ancestry and health, but also to alleviate concerns.
And she had light on exactly how twenty three and
me protects your information. In today's episode, Bridget unpacks her
own hesitancy about taking the twenty three and ME test.
As a critic of tech, she's examined the ways that
(01:29):
privacy policies can, but sometimes don't, protect the intimate details
of our lives. But when she reviewed twenty three and
These privacy policy, Bridget was very happy to see a
clear set of guidelines in plain English to help better
understand all the ins and outs. Bridget sits down with
Zarena Kovac from twenty three of These Data and Privacy
(01:50):
Team to learn more. But that's not all. Bridget also
shares some of what she learned from her reports, including
the discovery of a whole bunch of cousins she didn't
know she had. I know the feeling, Bridget, I know
the feeling. It's a very important episode that you don't
want to miss. Let's listen is There Are No Girls
(02:16):
on the Internet. As a production of I Heart Radio
and Unbossed Creative. I'm Bridget Todd, and this is There
Are No Girls on the Internet. So it's probably no
secret to anyone listening that I consider myself to be
a bit of a tech critic. I just think it's
important to interrogate who has the power and technology and
(02:38):
how that power is being used. And this has been
particularly important to me as somebody who is traditionally marginalized.
So last Thanksgiving and my cousin was telling her family
all about how he used the ancestry and DNA kit
and me to find out more about our family legacy
and history. The entire family was listening to him, completely
captivated while he talked about what he had found, and
(03:00):
I could already feel all their eyes on me, like
they were all just waiting for me to reign on
the parade. But it actually sounded like he had found
out some pretty compelling information that made us all feel
more deeply connected to our family story, which frankly had
always been a little bit murky, so kind of out
of character for me. I actually started to get pretty
interested in DNA and ancestry kits like twenty three and me.
(03:22):
But as interested as I was, I was also really
really hesitant. You know, I knew it could be used
to learn more about my family, my background, and to
learn more about my health so I can make more
informed choices, But I also know this whole fraught history
of people, particularly our people when it comes to things
like DNA being misused or worse, used against us. So
(03:44):
I checked out twenty three's website and was surprised to
find a privacy policy written more or less in plain
English that I felt like I could actually kind of understand,
you know. I read a ton of tech privacy policies
for there are no girls on the Internet, and I
feel like I have a pretty could handle on them.
But I am no lawyer or data privacy expert, so
(04:04):
I still had a lot of questions. So I turned
to an actual expert. Hi, I'm Serena kervac Um at
twenty three and me and my title is UM Director
Senior Privacy Council. So there, Bena. I know that you've
(04:25):
kind of been in this privacy space for a while.
How did you get into this work? How did this
come to be something that you do for a living?
You know, it was so random. One day I learned
about the e f F, the Electronic Frontier Foundation, and
I was like, this sounds so interesting. You're thinking about
digital identities and flipprints that people leave on the Internet,
(04:46):
and um, I was in the midst of law school
and I was like, uh, you know, I thought I
was going to do intellectual property and I was not
liking it, and un while I like, World of Privacy
just seemed so fascinating, so um, I put all my
eggs in one basket and just went for it. Yeah.
E f F was one of my first for ways
into thinking seriously about technology and sort of the implications
(05:10):
of the trails that we leave online. And I had
never really thought about it before, even as somebody who
was like a super user of the Internet, until I
really encountered their work. Yeah, and it's really good stuff.
I think that they do a good job of making
it very accessible and easy to understand and meeting people
like who are regular consumers um and understanding like privacy
and like what the Internet is like and what your
(05:32):
data is. Okay, I'm so glad I'm talking to you
about this because you're the expert. And when I went
to do my twenty three and me, I of course
had questions, and one of the things I appreciated was
that the questions, like the answers about privacy on the
twenty three and the side are actually like pretty plain English.
I read a lot of privacy policies and I'm like,
I'm no lawyer, I do not understand this. So I
(05:53):
really appreciated that they're pretty straightforward and like I felt
like I could have a handle on them. But I'm
really that I'm talking to you because you're the expert.
And so, you know, as we know, we're in this
climate where folks, particularly people who are marginalized, are understandably
pretty concerned about privacy when it comes to their data.
Is that something that twenty three and Me takes really seriously. Yeah. Absolutely,
(06:15):
you know, I think some of the things that you'll
see all over our website is you know, choice and
transparency being our key values in our privacy approach our customers.
It's really important to us that our customers are in
control of their data and we don't make any assumptions
about the way that they want to share their information
when we build out our features. UM customers make choices
about whether they want to view certain sensitive health information
(06:38):
or you know, with whom they want to share their information,
whether they want to participate in certain features or programs
such as DNA Relatives or twenty three and me research.
UM and Customer choice also means allowing individuals to change
their mind at any time. UM. You know, if you
want to revoke your consent to participate in research or
um DNA relatives, it's easy to do that at any time,
(07:00):
Just go to your account settings and boop, you're out. UM.
And these meaningful choices are also like they require transparency,
and we work hard to make that information accessible, including
presenting that information in a way that's easy to understand.
And sometimes that can be hard, and it's an iterative approach,
especially as you're dealing with like not only like the Internet,
(07:20):
but genetic information and like there's a lot of you know,
fun interesting things that can come out of that UM.
And recently we've updated our privacy statement to add like
more graphics and visuals to improve readability. UM. And we
were very closely with our customer care team because they're
the ones who really like talk to our customers, have
that first touch to be able to address those privacy
(07:41):
topics and concerns UM that are important to people. Yeah,
that's really helpful. I know there are so many reasons
that a person might decide to undergo the kind of
genetic testing that twenty three and MEDAS and you being
part of the privacy part, you being part of the
privacy team, I know that part of your job is
to think about the risks involved than that, what do
I have that right? Is that a big part of
your job? Oh? Yeah, for sure. So at twenty three
(08:04):
and me, I'm you know, there's me, and there's a
whole privacy team that works cross functionally with like nearly
every team in the company to think through how we
use data and the risks involved so that we maintain
not only our strict privacy commitments to our customers, but
to also provide them with a secure and private place
to learn about themselves and make sure we comply with
(08:25):
a tapestry of evolving privacy laws. Um and we work
a little closely with teams like product engineering, security, marketing, HR,
coustomer care research and everyone in between to do that.
Um and. So, when you think about it, privacy not
only should be at the heart of every single cup organization,
but especially a place like twenty three and me where
(08:46):
we are dealing with such sensitive data. You know, whenever
a new product or idea comes up, we work with
our product and engineering teams very closely at the early
stages to address those privacy risks early on. Rather than later,
so it's not like an ad hoc solution at the end.
UM and we also continue to work with you know,
other UM stakeholders outside of our company, like the Future
(09:09):
of Privacy Forum the FPF UM. It's a think tank
and advocy advocacy group that's focused on data privacy. We've
collaborated with them and other genetic testing companies to develop
consumer genetic testing industry best practices. UM and twenty three
and is also part of a Coalition for Genetic Data
Protection UH, the c GDP UM and we work to
(09:31):
advance legislation and policies that support privacy and security for
UM genetic data, so all genetic testing companies will be
held to that same high standard that we have. And
so those are all of the great things that we
get to work on as the privacy team. Can you
tell me, like, walk me through some of the steps
that twenty three and ME does take to keep people's
(09:52):
data secure. Yeah, there's a lot that goes into that.
So UM twenty three and ME is ISO sort of fide.
We also hold other certifications to confirm our commitment to
customer security and privacy. Um ISO certifications are awarded after
extensive audits by an independent third party, so not within
(10:12):
twenty three and me UM, and we've been identified, we've
been certified under IS one seven oh one and twenty
seven eighteen UM and we're the first directed consumer genetic
testing company to be assessed against all those three standards.
So that's what we do on like the security front,
and there's a lot more. You know, we encrypted our
customer data so that like it's obviously more secure, so
(10:36):
INCRUP customer data. We limit access to customer data internally,
and we store data like in segregated databases, so it's
not like we just lump everything together UM. For example,
of customers, registration information like their name an email is
separately stored from their genetic information UM, and so this
reduces the risk of and incentive to commit a breach UM.
(11:00):
And we also empower customers to take UM take their
like security in their own hands, and we give them
tools like to step verification UM and other other like
guidance materials and things like that to keep themselves safe
and play that important role in maintaining their account security.
What about for folks who might be genetically rare, who
(11:23):
might be thinking like I have something particular about my
genetics that I feel might identify me or there's particular
ways that you all, UM could approach that kind of privacy. Yeah,
definitely UM For twenty three and me customers, as I mentioned,
like controls really important UM and how they how someone
wants to use their data or share it, they get
(11:44):
to make that choice. In addition to like the privacy
and security protections that we've talked about, UM, we have
the identification that we employ, so you know, removing that
registration information from genetic information and so on. That's a
measure of protection. We you know, store things in separate
places so that things aren't on together. UM. Customers who
(12:05):
want to participate in things like research, UM, they can
rest as shirt that we do take many measures to
protect their research participants and minimize associated with that participation. UM.
Not only are there access controls for customer information UM,
there are people you know, like we go buy role
based functions, so like not you know, one person doesn't
have access to every single customer at twenty three and ME.
(12:27):
It really depends on what their role is and what
makes sense for them to have access to UM and
under our main research consent UM when we share research
results outside of twenty three and ME, whether that's like
in a publication or with a third party collaborator, we
only share like the summary advocate information UM, and those
(12:48):
summer results in twenty three and publications are like statistics
or calculations UM that describe like the research findings UM
about some genetic associations that were discovered. UM. So for
an example, it's like, you know, in our study, variant
X was present in five percent of participants and was
associated with a higher risk of this disease. UM. And
(13:11):
so if a customer chooses to UM not often to
participate in research, or they were in research and then
they change their mind, UM, they're still able to access
all of the same reports and product features as a
customer who is participating in the research program. So UM,
you know, not only are there all these like different
privacy and security safeguards UM that customers can take themselves,
(13:34):
but we also make sure that we're really like keeping
data segregated, keeping access really locked down limited. But we're
also you know, in those instances like research where there
is that collaboration with outside collaborators, you know, making sure
that like that data is the identified, aggregated and really
minimized UM really really minimize at risk to our participants. Yeah,
(13:57):
I mean that's that's good to hear, and you kind
of touched on it it, you know, especially given the
kind of climate that we're in. I know, the big
question everybody has every time I give any kind of
information about myself to anyone anywhere, The big question is
always like what third parties are they? Are they giving
this information to write? Like I might consent to my
information being shared with twenties three and me, but are
(14:18):
they selling my data? Are they? Are they going to
give it to police? Like? How are they working with
organizations and institutions that are not twenty three and me?
So can you tell me a bit about how twenty
three and me handles data when it comes to third parties? Yeah, yeah,
of course, I think. You know, like, just like every company,
we have service providers who help us do the things
that we do, from like operating the business to improving
(14:38):
it UM And there's also you know, choices that a
customer can make about how their data is being handled
throughout the platform, like whether they want to participate in
research UM and so in that case, if someone does
participate in research, we only share their data based on
their explicit consent, and you know again that whole participation
(14:59):
is often entirely voluntary. So it's really about making sure
that the customer is pretty aware of who they're sharing
who their information will be shared with. Absolutely, Yes, that
makes a lot of sense. And but there's so many
other like genetic testing. You know, kids out there UM
are there just sort of like talking to usually put
(15:22):
me at ease in terms of like the privacy risks.
But I wonder, like are their privacy risks associated with
with genetic testing in general that folks should just be
aware of if this is something they're going to decide
to do for themselves. Yeah, you know, I think some
of the main privacy risks consumer may have. Consumers may
have UM concerned things like finding out stuff about themselves
(15:44):
or their family that they may not be prepared to
learn about UM and also law enforcement access into genetic
data UM so at twenty three and me. UM customers
are not automatically visible to others in the platform. You know,
they have to UM opted to in a relatives and
if they do, then they become visible to others and
they can also see who their genetic relatives are and
(16:07):
see those results. UM. Additionally, customers can also choose on
an often basis whether they want to see health reports,
particularly any sensitive health reports like our BRACA reports for
breast cancer risks and UM. We have educational materials and
training modules and things like that to also support and
prepare customers for that kind of information that they might receive.
(16:29):
And on the law enforcement access front, we are the
first direct to consumer genetic custing company to publish a
transparency report UM and that happened back in two thousands fifteen. UM.
It details you know, the types of law enforcement requests
that we've received and how we've responded UM. And this
is updated on a quarterly basis, and so far, we
(16:49):
haven't released any individual user data UM to any law
enforcement UM. And you know, something to be aware of
is also like that not all genetic custing companies share
these same values UM that we might have a twenty
three and so it's really important that customers who are
concerned with things like law enforcement request or how are
they going to become visible to other potential genetic relatives
(17:13):
or you know, the health reports that they're about to
get UM, those are things that are really important to
look into, um before choosing a genetic testament provider. More
after a quick break, let's get right back into it. Yeah,
(17:40):
just ask someone, I mean, like, while I've got you here,
as someone who knows a lot about privacy, what do
you see as the biggest privacy risk today that folks
should be aware of and have on their radar. Well,
I don't mean for this to sound like a uh,
I don't mean for this has done like a general
sort of like response here, but I do think that
(18:00):
one of the biggest privacy risks across industries, not just
genetic genetic testing, is that technology is rapidly changing and
evolving the way that we collect, interpret, use, share data,
and the laws are not necessarily keeping up with that. Um.
There are a lot of positives that come from technology
changing so quickly, Like you know, you have more data,
(18:21):
better insights, and there's more potential impact to your personal
health and wellness. Um. However, like the privacy risks that
come with that can be hard to predict. So it's
important that customers and like companies especially embrace privacy by
design values and get ahead of those risks. Um. Um, Yeah,
get ahead of those risks. Yeah, are there are there
any tips or ways that you would give folks to
(18:44):
like try to stay ahead of that. Like I am
someone who is I make a tech podcast. I try
to stay plugged in, but even things change and I
don't realize that, Like, are there are there ways that
folks can kind of get ahead of that. That's a
good question, I think, Um, you know, it's just really
it's kind of hard. There's so much going on at
any given time. UM. And you have certain industries that
(19:06):
are like going to change the way that we see
the world in ten years, like you know, machine learning
and AI and so on. UM. But I think, like,
you know, as a consumer, it's just really important to
understand how your data is being used and whether like
the values of a company are aligned with what you
care the most about, you know, any given sort of interaction. UM.
(19:27):
You know, as I mentioned for like genetic testing, what
a lot of consumers tend to be concerned about is
you know, law enforcement access or you know, what they're
gonna learn and how they're gonna be coached through that experience. UM.
And so you want to make sure if those are
things that are important to you, that you will like
find the right provider for that um so, short of
telling you read the privacy statements and like I know,
(19:49):
I know, sure, you know you like just being smart
about like how you're engaging with companies and the data
that you provide uh to them, I think is key.
And you know, also understanding that these companies are like
wanting to make sure that you're picking companies that are
thinking about privacy by design UM where it's not like
(20:12):
something that you wire on or you put into the
back end and like or at the end of the project,
and rather you think about it from the beginning. Like
the way that we thought about segregating our databases to
make sure that there isn't like one pool of data. Uh.
That was something that was thought about the first days
that three and Me was created um SO, and for
(20:34):
you know, the time that that was the two thousands,
that was pretty innovative compared to like some of the
other companies out there, UM and so, I think like
it's really about picking companies that think about privacy at
the ideation stages and implementing those privacy by design values
and thinking into their business processes UM that are going
to be the clear winners for consumers who care about privacy. UM.
(20:57):
The other piece of it, too is I think, you know,
legislation is starting to catch up on these privacy issues. UM.
And we've welcomed, you know, that's want to commit. We've
welcomed a lot of legislation on the genetic privacy front.
There's half a dozen date states such as California, Arizona, Utah,
UM and more and that have legislated on genetic privacy specifically. UM.
(21:20):
And we hope to see federal legislation on this front
as well. UM that goes beyond Gina, the Genetic Information
Nondiscrimination Act. UM. Yeah, awesome, that's really helpful. I have
one last rapid fire question for you. What is it
like to be in what I can only assume is
a super male dominated space, you know, privacy law. If
(21:42):
I don't know for sure, I don't have the data
in front of me, but I feel like it's probably
very male dominated. Is that is that accurate to say?
Actually kind of surprising. One thing that drew me into
privacy was that there was a lot of there is
still a lot of women in privacy. UM. And you know,
I think what the draw is is that it is
(22:02):
very like it's very privacy is not something that like you,
it's very um contextual, like there, you know, it takes
a lot of understanding different cultures and um, understanding different perspectives,
and so I do think it actually has a lot
more of a diverse group of people then you usually
(22:25):
might find another corporate functions. UM. And I also feel
like at twenty three and me particularly um, you know,
having a female CEO, we actually do have a lot
of female representation in the company. So it's it's been
a really wonderful environment from that end as well, um,
not only being in privacy, but in a company where
there is a lot of women, um being represented. I
(22:46):
love that. I feel like I asked that question to
a lot of women and so often they're like, girl,
let me tell you it's but it's nice to have
a refreshing answer that's like, actually there are a lot
of women represented here, even at the top, and it's great. Yeah, yeah,
it's funny. You know. Over the years, I've actually just
seen a lot more men showing up to the party
a little late later, you know. UM, So it's it's
(23:11):
been it's been great. I think like, um, this is
going to continue to be a place where there's going
to be a lot of diversity, because it's kind of
a compartment of the job. To do it well and
to think about privacy um in a thoughtful way, you
have to have diverse perspectives at the table. After talking
(23:33):
to Serena, I felt a lot better, and I actually
did the test, and I want to share a little
bit about what I learned because I think it's pretty cool.
Like a lot of black families, my family ties are
not all necessarily by blood. You know, my mom didn't
grow up with our biological family, which means that I
grow up with a lot of what we call play cousins,
and a lot of the people that I called auntie
were not actually related to me by blood. Now, this
(23:55):
is just one of the many layered and beautiful aspects
of black family dynamics. After doing twenty three and me,
I found that I actually have blood cousins and I
had no idea about one of whom is a professional
hypnotist who actually lives in my same city, you know
who knew. I also found that, like a lot of
black folks, I am a carrier for the trait of
the disease sickle cell anemia. Now that's different than actually
(24:18):
having the disease sickle cell. It just means that I
carry the trait for it, and it's actually really really
common in black folks. According to the CDC, the United
States incidents estimate for sickle cell trade was about seventy
three point one cases per every thousand black newborns in
the United States. And it turns out that this is
actually super useful information for me to have because having
(24:39):
this trade has been used as a pretty convenient explanation
for when black people die in police custody, and if
a disproportionate number of black folks have this trait, it
can basically be used as a way to not direct
more scrutiny when a black person dies in police custody.
The president for the American Society of Hematology recently published
a letter in The New York Times on the subject,
(24:59):
call the rush to use sickle cell trade to exuplain
away when a black person dies in police custody the
professional misuse of science that further contributes to racial bias
and social injustice in our country. So knowing that I
have this trade can definitely be helpful for me in
better understanding how I navigate this world as a black woman,
and I learned it from twenty three and me listen.
(25:21):
There are risks involved anytime you were giving your DNA
to any kind of company. But for me, after educating
myself about the risks, I actually felt okay to move
forward and the information I learned about my family and
my health was worth it. If you're looking for ways
(25:42):
to support the show, check out our merch store at
tangodi dot com slash Store. Got a story about an
interesting thing in tech, or just want to say hi,
You can reach us at Hello at tangodi dot com.
You can also find transcripts for today's episode at tangodi
dot com. There Are No Girls on the Internet was
created by me Bridgetad. It's a production of Heart Radio
and Unboss Creative, edited by Joey Pat Jonathan Strickland as
(26:04):
our executive producer, Terry Harrison as our producer and sound engineer.
Michaelmato is our contributing producer. I'm your host, Bridget Todd.
If you want to help us grow, rate and review
us on Apple Podcasts. For more podcasts from I Heart Radio,
check out the iHeart Radio app, Apple podcast, or wherever
you get your podcasts, and That's It on another Dope show.
(26:30):
Did this episode inspire you to take a closer look
at your health history, your genetic makeup. Who new DNA
could reveal so much about our past while also holding
the keys to certain health insights that may impact our future.
I continue to be inspired by these stories, and I
hope you do as well. Catch you next time. Listen
(26:50):
to Spit, an original podcast from I Heart Radio and
twenty three in the on the I Heart Radio app,
Apple podcast, or wherever you get your podcast. Four
Have you ever thought about how incredibly complex I spit is.
It may only be water, but just aliva isn't simple.
That remaining one percent holds incredibly meaningful information that could
change everything. And I'm not just talking about your family
treat Hi. I'm Barrett to Day Thurston. And on this
(00:23):
season of Spit and I Heart Radio podcast with twenty
three and Me, we explore how DNA isn't just about ancestry,
it can also be key to understanding your health. Hello,
and welcome back. On today's show, we have Bridget Todd,
host of the podcast There Are No Girls on the Internet.
(00:45):
Each week, Bridget chronicles marginalized voices in technology, the voices
that have always been at the forefront of tech, but
far too often go overlooked. Bridget has investigated how marginalized
communities are more likely to be impact by technology and
historically have been skeptical of data collection and privacy. So
when Bridget decided to take a twenty three and Me test,
(01:08):
she saw an opportunity to not only gain insightful information
on our ancestry and health, but also to alleviate concerns.
And she had light on exactly how twenty three and
me protects your information. In today's episode, Bridget unpacks her
own hesitancy about taking the twenty three and ME test.
As a critic of tech, she's examined the ways that
(01:29):
privacy policies can, but sometimes don't, protect the intimate details
of our lives. But when she reviewed twenty three and
These privacy policy, Bridget was very happy to see a
clear set of guidelines in plain English to help better
understand all the ins and outs. Bridget sits down with
Zarena Kovac from twenty three of These Data and Privacy
(01:50):
Team to learn more. But that's not all. Bridget also
shares some of what she learned from her reports, including
the discovery of a whole bunch of cousins she didn't
know she had. I know the feeling, Bridget, I know
the feeling. It's a very important episode that you don't
want to miss. Let's listen is There Are No Girls
(02:16):
on the Internet. As a production of I Heart Radio
and Unbossed Creative. I'm Bridget Todd, and this is There
Are No Girls on the Internet. So it's probably no
secret to anyone listening that I consider myself to be
a bit of a tech critic. I just think it's
important to interrogate who has the power and technology and
(02:38):
how that power is being used. And this has been
particularly important to me as somebody who is traditionally marginalized.
So last Thanksgiving and my cousin was telling her family
all about how he used the ancestry and DNA kit
and me to find out more about our family legacy
and history. The entire family was listening to him, completely
captivated while he talked about what he had found, and
(03:00):
I could already feel all their eyes on me, like
they were all just waiting for me to reign on
the parade. But it actually sounded like he had found
out some pretty compelling information that made us all feel
more deeply connected to our family story, which frankly had
always been a little bit murky, so kind of out
of character for me. I actually started to get pretty
interested in DNA and ancestry kits like twenty three and me.
(03:22):
But as interested as I was, I was also really
really hesitant. You know, I knew it could be used
to learn more about my family, my background, and to
learn more about my health so I can make more
informed choices, But I also know this whole fraught history
of people, particularly our people when it comes to things
like DNA being misused or worse, used against us. So
(03:44):
I checked out twenty three's website and was surprised to
find a privacy policy written more or less in plain
English that I felt like I could actually kind of understand,
you know. I read a ton of tech privacy policies
for there are no girls on the Internet, and I
feel like I have a pretty could handle on them.
But I am no lawyer or data privacy expert, so
(04:04):
I still had a lot of questions. So I turned
to an actual expert. Hi, I'm Serena kervac Um at
twenty three and me and my title is UM Director
Senior Privacy Council. So there, Bena. I know that you've
(04:25):
kind of been in this privacy space for a while.
How did you get into this work? How did this
come to be something that you do for a living?
You know, it was so random. One day I learned
about the e f F, the Electronic Frontier Foundation, and
I was like, this sounds so interesting. You're thinking about
digital identities and flipprints that people leave on the Internet,
(04:46):
and um, I was in the midst of law school
and I was like, uh, you know, I thought I
was going to do intellectual property and I was not
liking it, and un while I like, World of Privacy
just seemed so fascinating, so um, I put all my
eggs in one basket and just went for it. Yeah.
E f F was one of my first for ways
into thinking seriously about technology and sort of the implications
(05:10):
of the trails that we leave online. And I had
never really thought about it before, even as somebody who
was like a super user of the Internet, until I
really encountered their work. Yeah, and it's really good stuff.
I think that they do a good job of making
it very accessible and easy to understand and meeting people
like who are regular consumers um and understanding like privacy
and like what the Internet is like and what your
(05:32):
data is. Okay, I'm so glad I'm talking to you
about this because you're the expert. And when I went
to do my twenty three and me, I of course
had questions, and one of the things I appreciated was
that the questions, like the answers about privacy on the
twenty three and the side are actually like pretty plain English.
I read a lot of privacy policies and I'm like,
I'm no lawyer, I do not understand this. So I
(05:53):
really appreciated that they're pretty straightforward and like I felt
like I could have a handle on them. But I'm
really that I'm talking to you because you're the expert.
And so, you know, as we know, we're in this
climate where folks, particularly people who are marginalized, are understandably
pretty concerned about privacy when it comes to their data.
Is that something that twenty three and Me takes really seriously. Yeah. Absolutely,
(06:15):
you know, I think some of the things that you'll
see all over our website is you know, choice and
transparency being our key values in our privacy approach our customers.
It's really important to us that our customers are in
control of their data and we don't make any assumptions
about the way that they want to share their information
when we build out our features. UM customers make choices
about whether they want to view certain sensitive health information
(06:38):
or you know, with whom they want to share their information,
whether they want to participate in certain features or programs
such as DNA Relatives or twenty three and me research.
UM and Customer choice also means allowing individuals to change
their mind at any time. UM. You know, if you
want to revoke your consent to participate in research or
um DNA relatives, it's easy to do that at any time,
(07:00):
Just go to your account settings and boop, you're out. UM.
And these meaningful choices are also like they require transparency,
and we work hard to make that information accessible, including
presenting that information in a way that's easy to understand.
And sometimes that can be hard, and it's an iterative approach,
especially as you're dealing with like not only like the Internet,
(07:20):
but genetic information and like there's a lot of you know,
fun interesting things that can come out of that UM.
And recently we've updated our privacy statement to add like
more graphics and visuals to improve readability. UM. And we
were very closely with our customer care team because they're
the ones who really like talk to our customers, have
that first touch to be able to address those privacy
(07:41):
topics and concerns UM that are important to people. Yeah,
that's really helpful. I know there are so many reasons
that a person might decide to undergo the kind of
genetic testing that twenty three and MEDAS and you being
part of the privacy part, you being part of the
privacy team, I know that part of your job is
to think about the risks involved than that, what do
I have that right? Is that a big part of
your job? Oh? Yeah, for sure. So at twenty three
(08:04):
and me, I'm you know, there's me, and there's a
whole privacy team that works cross functionally with like nearly
every team in the company to think through how we
use data and the risks involved so that we maintain
not only our strict privacy commitments to our customers, but
to also provide them with a secure and private place
to learn about themselves and make sure we comply with
(08:25):
a tapestry of evolving privacy laws. Um and we work
a little closely with teams like product engineering, security, marketing, HR,
coustomer care research and everyone in between to do that.
Um and. So, when you think about it, privacy not
only should be at the heart of every single cup organization,
but especially a place like twenty three and me where
(08:46):
we are dealing with such sensitive data. You know, whenever
a new product or idea comes up, we work with
our product and engineering teams very closely at the early
stages to address those privacy risks early on. Rather than later,
so it's not like an ad hoc solution at the end.
UM and we also continue to work with you know,
other UM stakeholders outside of our company, like the Future
(09:09):
of Privacy Forum the FPF UM. It's a think tank
and advocy advocacy group that's focused on data privacy. We've
collaborated with them and other genetic testing companies to develop
consumer genetic testing industry best practices. UM and twenty three
and is also part of a Coalition for Genetic Data
Protection UH, the c GDP UM and we work to
(09:31):
advance legislation and policies that support privacy and security for
UM genetic data, so all genetic testing companies will be
held to that same high standard that we have. And
so those are all of the great things that we
get to work on as the privacy team. Can you
tell me, like, walk me through some of the steps
that twenty three and ME does take to keep people's
(09:52):
data secure. Yeah, there's a lot that goes into that.
So UM twenty three and ME is ISO sort of fide.
We also hold other certifications to confirm our commitment to
customer security and privacy. Um ISO certifications are awarded after
extensive audits by an independent third party, so not within
(10:12):
twenty three and me UM, and we've been identified, we've
been certified under IS one seven oh one and twenty
seven eighteen UM and we're the first directed consumer genetic
testing company to be assessed against all those three standards.
So that's what we do on like the security front,
and there's a lot more. You know, we encrypted our
customer data so that like it's obviously more secure, so
(10:36):
INCRUP customer data. We limit access to customer data internally,
and we store data like in segregated databases, so it's
not like we just lump everything together UM. For example,
of customers, registration information like their name an email is
separately stored from their genetic information UM, and so this
reduces the risk of and incentive to commit a breach UM.
(11:00):
And we also empower customers to take UM take their
like security in their own hands, and we give them
tools like to step verification UM and other other like
guidance materials and things like that to keep themselves safe
and play that important role in maintaining their account security.
What about for folks who might be genetically rare, who
(11:23):
might be thinking like I have something particular about my
genetics that I feel might identify me or there's particular
ways that you all, UM could approach that kind of privacy. Yeah,
definitely UM For twenty three and me customers, as I mentioned,
like controls really important UM and how they how someone
wants to use their data or share it, they get
(11:44):
to make that choice. In addition to like the privacy
and security protections that we've talked about, UM, we have
the identification that we employ, so you know, removing that
registration information from genetic information and so on. That's a
measure of protection. We you know, store things in separate
places so that things aren't on together. UM. Customers who
(12:05):
want to participate in things like research, UM, they can
rest as shirt that we do take many measures to
protect their research participants and minimize associated with that participation. UM.
Not only are there access controls for customer information UM,
there are people you know, like we go buy role
based functions, so like not you know, one person doesn't
have access to every single customer at twenty three and ME.
(12:27):
It really depends on what their role is and what
makes sense for them to have access to UM and
under our main research consent UM when we share research
results outside of twenty three and ME, whether that's like
in a publication or with a third party collaborator, we
only share like the summary advocate information UM, and those
(12:48):
summer results in twenty three and publications are like statistics
or calculations UM that describe like the research findings UM
about some genetic associations that were discovered. UM. So for
an example, it's like, you know, in our study, variant
X was present in five percent of participants and was
associated with a higher risk of this disease. UM. And
(13:11):
so if a customer chooses to UM not often to
participate in research, or they were in research and then
they change their mind, UM, they're still able to access
all of the same reports and product features as a
customer who is participating in the research program. So UM,
you know, not only are there all these like different
privacy and security safeguards UM that customers can take themselves,
(13:34):
but we also make sure that we're really like keeping
data segregated, keeping access really locked down limited. But we're
also you know, in those instances like research where there
is that collaboration with outside collaborators, you know, making sure
that like that data is the identified, aggregated and really
minimized UM really really minimize at risk to our participants. Yeah,
(13:57):
I mean that's that's good to hear, and you kind
of touched on it it, you know, especially given the
kind of climate that we're in. I know, the big
question everybody has every time I give any kind of
information about myself to anyone anywhere, The big question is
always like what third parties are they? Are they giving
this information to write? Like I might consent to my
information being shared with twenties three and me, but are
(14:18):
they selling my data? Are they? Are they going to
give it to police? Like? How are they working with
organizations and institutions that are not twenty three and me?
So can you tell me a bit about how twenty
three and me handles data when it comes to third parties? Yeah, yeah,
of course, I think. You know, like, just like every company,
we have service providers who help us do the things
that we do, from like operating the business to improving
(14:38):
it UM And there's also you know, choices that a
customer can make about how their data is being handled
throughout the platform, like whether they want to participate in
research UM and so in that case, if someone does
participate in research, we only share their data based on
their explicit consent, and you know again that whole participation
(14:59):
is often entirely voluntary. So it's really about making sure
that the customer is pretty aware of who they're sharing
who their information will be shared with. Absolutely, Yes, that
makes a lot of sense. And but there's so many
other like genetic testing. You know, kids out there UM
are there just sort of like talking to usually put
(15:22):
me at ease in terms of like the privacy risks.
But I wonder, like are their privacy risks associated with
with genetic testing in general that folks should just be
aware of if this is something they're going to decide
to do for themselves. Yeah, you know, I think some
of the main privacy risks consumer may have. Consumers may
have UM concerned things like finding out stuff about themselves
(15:44):
or their family that they may not be prepared to
learn about UM and also law enforcement access into genetic
data UM so at twenty three and me. UM customers
are not automatically visible to others in the platform. You know,
they have to UM opted to in a relatives and
if they do, then they become visible to others and
they can also see who their genetic relatives are and
(16:07):
see those results. UM. Additionally, customers can also choose on
an often basis whether they want to see health reports,
particularly any sensitive health reports like our BRACA reports for
breast cancer risks and UM. We have educational materials and
training modules and things like that to also support and
prepare customers for that kind of information that they might receive.
(16:29):
And on the law enforcement access front, we are the
first direct to consumer genetic custing company to publish a
transparency report UM and that happened back in two thousands fifteen. UM.
It details you know, the types of law enforcement requests
that we've received and how we've responded UM. And this
is updated on a quarterly basis, and so far, we
(16:49):
haven't released any individual user data UM to any law
enforcement UM. And you know, something to be aware of
is also like that not all genetic custing companies share
these same values UM that we might have a twenty
three and so it's really important that customers who are
concerned with things like law enforcement request or how are
they going to become visible to other potential genetic relatives
(17:13):
or you know, the health reports that they're about to
get UM, those are things that are really important to
look into, um before choosing a genetic testament provider. More
after a quick break, let's get right back into it. Yeah,
(17:40):
just ask someone, I mean, like, while I've got you here,
as someone who knows a lot about privacy, what do
you see as the biggest privacy risk today that folks
should be aware of and have on their radar. Well,
I don't mean for this to sound like a uh,
I don't mean for this has done like a general
sort of like response here, but I do think that
(18:00):
one of the biggest privacy risks across industries, not just
genetic genetic testing, is that technology is rapidly changing and
evolving the way that we collect, interpret, use, share data,
and the laws are not necessarily keeping up with that. Um.
There are a lot of positives that come from technology
changing so quickly, Like you know, you have more data,
(18:21):
better insights, and there's more potential impact to your personal
health and wellness. Um. However, like the privacy risks that
come with that can be hard to predict. So it's
important that customers and like companies especially embrace privacy by
design values and get ahead of those risks. Um. Um, Yeah,
get ahead of those risks. Yeah, are there are there
any tips or ways that you would give folks to
(18:44):
like try to stay ahead of that. Like I am
someone who is I make a tech podcast. I try
to stay plugged in, but even things change and I
don't realize that, Like, are there are there ways that
folks can kind of get ahead of that. That's a
good question, I think, Um, you know, it's just really
it's kind of hard. There's so much going on at
any given time. UM. And you have certain industries that
(19:06):
are like going to change the way that we see
the world in ten years, like you know, machine learning
and AI and so on. UM. But I think, like,
you know, as a consumer, it's just really important to
understand how your data is being used and whether like
the values of a company are aligned with what you
care the most about, you know, any given sort of interaction. UM.
(19:27):
You know, as I mentioned for like genetic testing, what
a lot of consumers tend to be concerned about is
you know, law enforcement access or you know, what they're
gonna learn and how they're gonna be coached through that experience. UM.
And so you want to make sure if those are
things that are important to you, that you will like
find the right provider for that um so, short of
telling you read the privacy statements and like I know,
(19:49):
I know, sure, you know you like just being smart
about like how you're engaging with companies and the data
that you provide uh to them, I think is key.
And you know, also understanding that these companies are like
wanting to make sure that you're picking companies that are
thinking about privacy by design UM where it's not like
(20:12):
something that you wire on or you put into the
back end and like or at the end of the project,
and rather you think about it from the beginning. Like
the way that we thought about segregating our databases to
make sure that there isn't like one pool of data. Uh.
That was something that was thought about the first days
that three and Me was created um SO, and for
(20:34):
you know, the time that that was the two thousands,
that was pretty innovative compared to like some of the
other companies out there, UM and so, I think like
it's really about picking companies that think about privacy at
the ideation stages and implementing those privacy by design values
and thinking into their business processes UM that are going
to be the clear winners for consumers who care about privacy. UM.
(20:57):
The other piece of it, too is I think, you know,
legislation is starting to catch up on these privacy issues. UM.
And we've welcomed, you know, that's want to commit. We've
welcomed a lot of legislation on the genetic privacy front.
There's half a dozen date states such as California, Arizona, Utah,
UM and more and that have legislated on genetic privacy specifically. UM.
(21:20):
And we hope to see federal legislation on this front
as well. UM that goes beyond Gina, the Genetic Information
Nondiscrimination Act. UM. Yeah, awesome, that's really helpful. I have
one last rapid fire question for you. What is it
like to be in what I can only assume is
a super male dominated space, you know, privacy law. If
(21:42):
I don't know for sure, I don't have the data
in front of me, but I feel like it's probably
very male dominated. Is that is that accurate to say?
Actually kind of surprising. One thing that drew me into
privacy was that there was a lot of there is
still a lot of women in privacy. UM. And you know,
I think what the draw is is that it is
(22:02):
very like it's very privacy is not something that like you,
it's very um contextual, like there, you know, it takes
a lot of understanding different cultures and um, understanding different perspectives,
and so I do think it actually has a lot
more of a diverse group of people then you usually
(22:25):
might find another corporate functions. UM. And I also feel
like at twenty three and me particularly um, you know,
having a female CEO, we actually do have a lot
of female representation in the company. So it's it's been
a really wonderful environment from that end as well, um,
not only being in privacy, but in a company where
there is a lot of women, um being represented. I
(22:46):
love that. I feel like I asked that question to
a lot of women and so often they're like, girl,
let me tell you it's but it's nice to have
a refreshing answer that's like, actually there are a lot
of women represented here, even at the top, and it's great. Yeah, yeah,
it's funny. You know. Over the years, I've actually just
seen a lot more men showing up to the party
a little late later, you know. UM, So it's it's
(23:11):
been it's been great. I think like, um, this is
going to continue to be a place where there's going
to be a lot of diversity, because it's kind of
a compartment of the job. To do it well and
to think about privacy um in a thoughtful way, you
have to have diverse perspectives at the table. After talking
(23:33):
to Serena, I felt a lot better, and I actually
did the test, and I want to share a little
bit about what I learned because I think it's pretty cool.
Like a lot of black families, my family ties are
not all necessarily by blood. You know, my mom didn't
grow up with our biological family, which means that I
grow up with a lot of what we call play cousins,
and a lot of the people that I called auntie
were not actually related to me by blood. Now, this
(23:55):
is just one of the many layered and beautiful aspects
of black family dynamics. After doing twenty three and me,
I found that I actually have blood cousins and I
had no idea about one of whom is a professional
hypnotist who actually lives in my same city, you know
who knew. I also found that, like a lot of
black folks, I am a carrier for the trait of
the disease sickle cell anemia. Now that's different than actually
(24:18):
having the disease sickle cell. It just means that I
carry the trait for it, and it's actually really really
common in black folks. According to the CDC, the United
States incidents estimate for sickle cell trade was about seventy
three point one cases per every thousand black newborns in
the United States. And it turns out that this is
actually super useful information for me to have because having
(24:39):
this trade has been used as a pretty convenient explanation
for when black people die in police custody, and if
a disproportionate number of black folks have this trait, it
can basically be used as a way to not direct
more scrutiny when a black person dies in police custody.
The president for the American Society of Hematology recently published
a letter in The New York Times on the subject,
(24:59):
call the rush to use sickle cell trade to exuplain
away when a black person dies in police custody the
professional misuse of science that further contributes to racial bias
and social injustice in our country. So knowing that I
have this trade can definitely be helpful for me in
better understanding how I navigate this world as a black woman,
and I learned it from twenty three and me listen.
(25:21):
There are risks involved anytime you were giving your DNA
to any kind of company. But for me, after educating
myself about the risks, I actually felt okay to move
forward and the information I learned about my family and
my health was worth it. If you're looking for ways
(25:42):
to support the show, check out our merch store at
tangodi dot com slash Store. Got a story about an
interesting thing in tech, or just want to say hi,
You can reach us at Hello at tangodi dot com.
You can also find transcripts for today's episode at tangodi
dot com. There Are No Girls on the Internet was
created by me Bridgetad. It's a production of Heart Radio
and Unboss Creative, edited by Joey Pat Jonathan Strickland as
(26:04):
our executive producer, Terry Harrison as our producer and sound engineer.
Michaelmato is our contributing producer. I'm your host, Bridget Todd.
If you want to help us grow, rate and review
us on Apple Podcasts. For more podcasts from I Heart Radio,
check out the iHeart Radio app, Apple podcast, or wherever
you get your podcasts, and That's It on another Dope show.
(26:30):
Did this episode inspire you to take a closer look
at your health history, your genetic makeup. Who new DNA
could reveal so much about our past while also holding
the keys to certain health insights that may impact our future.
I continue to be inspired by these stories, and I
hope you do as well. Catch you next time. Listen
(26:50):
to Spit, an original podcast from I Heart Radio and
twenty three in the on the I Heart Radio app,
Apple podcast, or wherever you get your podcast. Four
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations.
The Nikki Glaser Podcast
Every week comedian and infamous roaster Nikki Glaser provides a fun, fast-paced, and brutally honest look into current pop-culture and her own personal life.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.