Amy Mitchell started getting sick in 2012. Dizzy spells and fatigue became a part of her daily life, followed by numbness in her limbs and painful muscle spasms. After half a dozen doctors over two years couldn’t tell her what was wrong, she sent away for a 23andMe kit. At the time, the consumer DNA-testing company was only giving ancestry reports—the Federal Drug Administration had recently shut down 23andMe’s health information ambitions. But a new doctor had recommended that Mitchell send in her spit anyway, and link her genetic profile to a third-party app that would analyze her DNA for clues.
It wasn’t an FDA-approved test or a genetic panel that her insurance would cover. The app interpreted variations in her MTHFR gene, which were once thought to be linked to hundreds of conditions, before being mostly discarded by mainstream science. But Mitchell was desperate. The $100 she paid for the kit plus $50 for the app seemed a reasonable price under the circumstances. She brought the results to her first appointment with the new doctor and after taking a look, he suggested she switch up her supplements and stop eating gluten. Within days her headaches and dizziness went away, and her energy rebounded. It wasn’t a miracle cure; the 37-year-old Mitchell still has pain and numbness and trouble clearing infections from her body. But she credits the app, and half a dozen others she’s used over the years, with leaving a trail of breadcrumbs for her to follow. And now, she’s worried other people like her won’t have the same opportunity.
This week, 23andMe shut down external apps’ access to its anonymized genomic data through its application programming interface. 23andMe was the first DNA testing company to open an API, back in 2012, and the idea at the time was to “allow authorized developers to build a broad range of new applications and tools for the 23andMe community.”
But a lot has changed since then, pushing the company to rethink how its genetic, behavioral, and health data gets used. For one thing, pharmaceutical giants are now willing to pay 23andMe hundreds of millions of dollars for exclusive access to its stockpile of data, to help with drug discovery.
Meanwhile, the dangers of loose data practices forced their way into the public consciousness earlier this year when it was exposed that a third-party app harvested, and then sold, the personal Facebook data of up to 87 million Americans. At-home genetic testing companies have themselves been cast into a maelstrom of privacy concerns, with the news that detectives cracked the case of the Golden State Killer using genetic profiles uploaded to a publicly available genealogy website.
Beyond privacy considerations, 23andMe is also concerned about the prevalence of diet and fitness apps of dubious scientific merit. “While we have had some great API partners, there are others that do not meet our scientific standards and lack rigorous privacy policies,” a 23andMe spokesperson wrote in an email to WIRED. Going forward, app developers will only be able to access data from the reports 23andMe generates for customers, such as ancestry composition or risk probabilities for genetic diseases like Parkinson’s. In the coming weeks, 23andMe plans to publish new criteria for developers, outlining what sorts of privacy measures and scientific validation are required for future participation. Notably, all apps must return results consistent with what 23andMe itself claims, limiting those apps’ utility.
The company says qualified researchers will still have access to raw genetic data, provided that customers have consented to share their information through the API. And customers will still have the option to download all their data and manually share it with outside apps or services, an action that has its own security risks (computers can get lost, stolen, hacked). 23andMe declined to say how many apps are currently connected to the API, or how many will be disabled by the change.
“We have seen customers choose to share their data with a wide variety of 23andMe’s API partners—and found that some of these partners lacked strict privacy policies—making the risks and potential for nefarious activity increase significantly,” 23andMe global privacy officer Kate Black told WIRED in an interview last week. “In this case, putting that data firmly in the hands of customers to mediate and control is a more responsible approach.”
APIs themselves are not a risky technology; secure transfer protocols are the reason billions of people can safely use credit card information to buy things on the internet everyday. But the ease with which APIs make the automated transfer happen can mask the risks of giving snippets, or even whole copies, of your genetic code to third parties. In 2015, one coder even used the 23andMe API to block people from certain websites based on their race and sex.
“That raw genetic data might be anonymous, but third parties with access to other databases can easily cross-reference them to reidentify individuals,” says Simon Lin, chief research information officer for Nationwide Children’s Hospital and a professor of pediatrics and bioinformatics at The Ohio State University. He studies how clinical and consumer genetic information might be securely integrated into electronic health records systems. “A 23andMe report inherently carries much less risk than the raw genetic file because it’s just much less information. It’s hard to reidentify someone from just knowing their ancestry is Finnish.”
As soon as genetic data is transferred to a third-party app, it becomes subject to that developer’s privacy policies. Which means it’s on customers to read all the fine print to get a sense of how their data might be used. Since releasing its API, 23andMe has warned customers of this fact, but ultimately left the choice in their hands. Now, in a sense, the company is walling off its rapidly growing genetic garden.
Lin says the move is indicative of personal genomics’ increasing maturity. When 23andMe launched, there wasn’t a lot of standardization in the field; the same genetic data points might be interpreted differently by different algorithms. Now there’s a lot more consensus on what evidence constitutes a valid scientific claim. The small startup was also amassing too much information for it to interpret alone. By releasing the first genetics-based API, 23andMe kicked off an ecosystem of services that could each bite off a little piece of the genome. The more customers could do with their data, the more likely they were to send in their spit to 23andMe. “At that moment it truly was a pioneer, and the API served its purpose,” says Lin. Now those motivations are less compelling to the company.
23andMe has always billed itself as empowering people with their own health data. But as the field—and privacy concerns—have evolved, what that means in practice is changing too. Still, Amy Mitchell worries that something has been lost in the process. “I’m lucky that I already got to use all these apps to look deeply into my genetic data,” she says. “But what about everyone else who hasn’t?” Time perhaps to invest in some cloud storage, or a few good hard drives.