OHRP Suspends Compliance Action Against SUPPORT Study Sites Pending Public Hearing & Guidance

Posted on June 5, 2013 by Meyer Michelle

UPDATE: A class action lawsuit has been filed in federal court against UAB providers and IRB members on behalf of infants enrolled in the SUPPORT study (through their parents). The Amended Complaint, which was filed May 20, can be found here. In addition, here are two more sets of reactions to the SUPPORT study in the NEJM, both in defense of it, from a group of prominent bioethicists and from NIH. Here is a new post from John Lantos at the Hasting Center’s Bioethics Forum blog. And here is coverage of the most recent developments in the New York Times. I’ll continue to aggregate links as warranted.

Regular readers may recall that recently, OHRP sent a determination letter to one of multiple sites (the University of Alabama at Birmingham (UAB)) involved in an RCT (the SUPPORT study) of optimal oxygen levels for premature infants (prior coverage here, here, and here). OHRP’s criticism itself led to considerable criticism among many research ethicists and physician-researchers (see, e.g., here, here, and here), as well as the SUPPORT researchers themselves (here), while others defended OHRP to varying degrees (here, here, and here).

Now, in a new letter to UAB, OHRP clarified that it has no objections to the study design; its objections, instead, pertain to what parents were told in the informed consent documents. Then, in a remarkable move, it announced that it is suspending its compliance actions against UAB, and plans no further action vis-a-vis other SUPPORT sites, pending its issuance of new guidance to address the risks that must be disclosed when conducted clinical trials like SUPPORT. OHRP promises not only the usual notice and comment period following the draft guidance but also an open public meeting, presumably in advance of the draft.

As the OHRP letter itself suggests, the fight within the research ethics community over the SUPPORT study can be seen as part of a larger conversation about the future of human subjects research regulation in the learning healthcare system. OHRP’s guidance-making process in this matter will clearly be one to watch.

Looking for the Next Maryland v. King

Posted on June 5, 2013 by Meyer Michelle

In my last post on Maryland v. King, I suggested that both proponents and opponents of King should find the philosophical case for a universal DNA database stronger than they might otherwise have thought. Obviously, moving in that direction — or even including mere suspects in a database — would raise legal questions that merit (and, one hopes, receive) further consideration by the Supreme Court. But how likely is it that the Court will have another opportunity to consider the constitutionality of a statute that continues to draw the line at arrestees?

The Supreme Court’s decision in King was necessarily limited to the fact pattern presented by Maryland’s particular statute authorizing the collection of DNA from arrestees. For instance, the Court repeatedly noted that the Maryland statute at issue limited DNA collection from arrestees to those who had been “charged” (not, in fact, merely arrested) with “serious crimes,” defined as crimes of violence or burglary, or attempts to commit these crimes. (Although Justice Scalia expressed skepticism that, under the Court’s analysis, it would or could find in any subsequent case a limiting principle preventing the collection of DNA from, say, those arrested for traffic violations, it is of course possible that the Court could find such a distinction.) The Court also noted that in Maryland, samples may not be processed or added to the database until after arraignment, when a judicial officer “ensures that there is probable cause to detain the arrestee.” The presence of probable cause, and the arrestee’s corresponding reduced expectation of privacy, were “fundamental” to the Court’s decision to uphold the collection of DNA from “arrestees.” The Court also noted that samples must be expunged if the arrestee is not convicted. Finally, the Maryland statute strictly limits use of the DNA database to solving cold cases and identifying remains and missing persons; use of the database for other purposes (research, to test for paternity, to analyze health or other traits) is criminalized. The Court explicitly said that a database that was not so limited would raise additional privacy concerns that would require a new analysis.

As usual, it’s more likely that the Court will have another opportunity to examine the constitutionality of DNA collection from arrestees if a circuit split arises regarding one or more of these or other practices. And that, in turn, depends, on how widely states and the federal government vary in their authorizing statutes. An Urban Institute report from May 2013 suggests that variation is, in fact, widespread on these potentially constitutionally relevant factors:

Seriousness of offense

Of the 28 arrestee DNA states, 13 collect DNA from those arrested or charged with any felony; 14 (like MD) collect only from a subset of felonies, typically involving violence, sexual assault, or property crimes; 7 collect from anyone arrested or charged with select misdemeanors; 1 (OK) collects from “any alien unlawfully present under federal immigration law”; and the federal government accepts profiles of any arrestee and any non-US citizen detained by the US government. In addition, 2 states collect DNA immediately upon arrest only if the arrestee has been previously convicted of a felony (CT) or other qualifying crime (TX).

Continue reading →

Maryland v. King, Low-Stringency DNA Database Searches, and the Case for a Universal Database

Posted on June 4, 2013 by Meyer Michelle

Disclaimer: I’m not a Fourth Amendment person. Rather, my interest in King is in its implications for policies for the use of DNA in the criminal justice system. I spent the better part of a year after my Ph.D and before beginning law school helping to research and edit a book on DNA and the criminal justice system and co-authoring its final chapter with the book’s editor, David Lazer. Although that was ten years ago now, most of the major policy issues in this area have not much changed over the last decade. So, with that caveat, and an invitation to readers to point out anything I say that is out of date or otherwise inaccurate, here are a few quick thoughts on King.

The majority and dissenting opinions spill most of their respective ink taking contrary positions on the primary purpose served by collecting DNA from arrestees. The majority somehow manages to argue with a straight face that the primary purpose (and indeed, to guess from its analysis, apparently the only purpose) of collecting DNA from arrestees is to identify the body of the arrested individual sitting in the booking room. As Justice Scalia wrote in dissent, this claim by the Court “taxes the credulity of the credulous” (slip op. dissent at 1). The clear primary purpose and actual use of statutes authorizing the routine collection of DNA from arrestees is to solve other cases than the one “at bar,” if you will, in the booking room.

One might have thought that the Court went out of its way to avoid finding that the primary purpose of the DNA collection at issue is “to detect evidence of ordinary criminal wrongdoing,” (Indianapolis v. Edmond, 531 U. S. 32, 38 (2000), in order to avail itself of the “special needs” exception to the Fourth Amendment’s usual requirement that searches be conducted pursuant to individualized suspicion. But no. The Court ultimately concludes that the special needs cases “do not have a direct bearing on the issues presented in this case, because unlike the search of a citizen who has not been suspected of a wrong, a detainee has a reduced expectation of privacy” (slip op. at 25). In upholding the state’s power to collect DNA from arrestees, then, the Court relied on — along with the minimally intrusive nature of the search — the arrestee’s reduced expectation of privacy. Indeed, the Court deemed the latter feature “fundamental” to its analysis (id. at 24).

Consider, then, that no such reduced expectation of privacy can be attributed to an even larger class of individuals who are indirectly included in DNA offender databases: the relatives of arrestees (and others who are directly included in offender databases).

Continue reading →

U.S. Supreme Court Upholds Constitutionality of DNA Collection Upon Arrest (Maryland v. King)

Posted on June 3, 2013 by Meyer Michelle

The U.S. Supreme Court ruled this morning, in Maryland v. King, that it is constitutional under the Fourth Amendment’s protection against “unreasonable” searches and seizures for the state to compel collection of DNA from arrestees. The probable cause required to arrest someone under the Fourth Amendment permits fingerprinting and taking photographs during the booking process, and the Court held that collecting DNA (limited to 13 loci in supposed “junk DNA”) was not relevantly different. The decision was 5-4, with Kennedy writing for the Court and joined by Chief Justice Roberts and Justices Thomas, Alito, and Breyer. Justice Scalia dissented in his usual spirited way, joined by Justices Ginsburg, Sotomayor, and Kagan.

I suspect that one or more Bill of Health bloggers will have some analysis of this decision once they’ve had the chance to digest it. In the meantime, here is a still-relevant primer I co-authored in 2004 on legal and ethical debates involving DNA and the criminal justice system (including issues related to both offender DNA databases and post-conviction access to potentially exculpatory crime scene DNA). Note that Justice Breyer, in addition to being the Court’s resident patent expert (except him to play a large role in the upcoming Myriad gene patenting decision), has been following debates about DNA and the criminal justice system for some time. He authored Chapter 2 of the book I just linked to.

Science, Art, Policy, and the Importance of Good Science Communication

Posted on May 31, 2013 by Meyer Michelle

Although I promised that I was done commenting on the artist-cum-policy wonk who claims to make 3-D “masks” of unknown individuals from their discarded DNA, Matthew Herper of Forbes has taken the criticisms of her (and the media covering her project) articulated by me and others directly to the artist. I confess that her response does not make me feel any better. Even if you’re “only” engaging in art, it seems to me that when that art has an obvious science policy message — indeed, one that you invite — you have some obligation to be clear about how “speculative,” as she puts it, your art is. But when you decide to move from the world of art into the world of science, and to start leading policy discussions based on your speculative art and working with forensic examiners? Then you really have a strong duty to be very clear about what your work can and cannot do. That means, among other things, taking care when talking with the media, and correcting the media if they get it wrong.

Yesterday, the Social Science Genetic Association Consortium, an international consortium that pools and conducts social science research on existing genome-wide association study (GWAS) data, and on whose Advisory Board I sit, published (online ahead of print) the results of its first study in Science. That paper — “GWAS of 126,559 Individuals Identifies Genetic Variants Associated with Educational Attainment” (plus supplemental data) — like much human genetics research, has the potential to be misinterpreted in the lay, policy, and even science worlds. That’s why, in addition to taking care to accurately describe the results in the paper itself, including announcing the small effect sizes of the replicated SNPs in the abstract, being willing to talk to the media (many scientists are not), and engaging in increasingly important “post-publication peer review” conversations on Twitter (yes, really) and elsewhere — we put together this FAQ of what the study does — and, just as important, does not — show. So far, our efforts have been rewarded with responsible journalism that helps keep the study’s limits in the foreground. Perhaps the DNA artist should consider issuing a similar FAQ with her speculative art.

Public Policy Considerations for Recent Re-Identification Demonstration Attacks on Genomic Data Sets: Part 1 (Re-Identification Symposium)

Posted on May 29, 2013 by Meyer Michelle

This post is part of Bill of Health‘s symposium on the Law, Ethics, and Science and Re-Identification Demonstrations. We’ll have more contributions throughout the week. Background on the symposium is here. You can call up all of the symposium contributions by clicking here. —MM

Daniel C. Barth-Jones, M.P.H., Ph.D., is a HIV and Infectious Disease Epidemiologist. His work in the area of statistical disclosure control and implementation under the HIPAA Privacy Rule provisions for de-identification is focused on the importance of properly balancing competing goals of protecting patient privacy and preserving the accuracy of scientific research and statistical analyses conducted with de-identified data. You can follow him on Twitter at @dbarthjones.

Re-identification Rain-makers

The media’s “re-identification rain-makers” have been hard at work in 2013 ceremoniously drumming up the latest anxiety-inducing media storms. In January, a new re-identification attack providing “surname inferences” from genomic data was unveiled and the popular press and bloggers thundered, rattled and raged with headlines ranging from the more staid and trusted voices of major newspapers (like the Wall Street Journal’s: “A Little Digging Unmasks DNA Donor Names. Experts Identify People by Matching Y-Chromosome Markers to Genealogy Sites, Obits; Researchers’ Privacy Promises ‘Empty’”) to near “the-sky-is-falling” hysteria in the blogosphere where headlines screamed: “Your Biggest Genetic Secrets Can Now Be Hacked, Stolen, and Used for Target Marketing” and “DNA hack could make medical privacy impossible”. (Now, we all know that editors will sometimes write sensational headlines in order to draw in readers, but I have to just say “Please, Editors… Take a deep breath and maybe a Xanax”.)

The more complicated reality is that, while this recent re-identification demonstration provided some important warning signals for future potential health privacy concerns, it was not likely to have been implemented by anyone other than an academic re-identification scientist; nor would it have been nearly so successful if it had not carefully selected targets who were particularly susceptible for re-identification.

As I’ve written elsewhere, from a public policy standpoint, it is essential that the re-identification scientists and the media accurately communicate re-identification risk research; because public opinion should, and does, play an important role in setting priorities for policy-makers. There is no “free lunch”. Considerable costs come with incorrectly evaluating the true risks of re-identification, because de-identification practice importantly impacts the scientific accuracy and quality of the healthcare decisions made based on research using de-identified data. Properly balancing disclosure risks and statistical accuracy is crucial because some popular de-identification methods can unnecessarily, and often undetectably, degrade the accuracy of de-identified data for multivariate statistical analyses. Poorly conducted de-identification may fail to protect privacy, and the overuse of de-identification methods in cases where they do not produce meaningful privacy protections can quickly lead to undetected and life threatening distortions in research and produce damaging health policy decisions.

So, what is the realistic magnitude of re-identification risk posed by the “Y-STR” surname inference re-identification attack methods developed by Yaniv Erlich’s lab? Should *everyone* really be fearful that this “DNA Hack” has now made their “medical privacy impossible”? Continue reading →

An Open Letter From a Genomic Altruist to a Genomic Extrovert (Re-Identification Symposium)

Posted on May 29, 2013 by Meyer Michelle

This post is part of Bill of Health‘s symposium on the Law, Ethics, and Science of Re-Identification Demonstrations. You can call up all of the symposium contributions here. We’ll continue to post contributions throughout the week. —MM

Dear Misha:

In your open letter to me, you write:

No one is asking you to be silent, blasé or happy about being cloned (your clone, however, tells me she is “totally psyched”).

First things first: I have an ever-growing list of things I wish I had done differently in life, so let me know when my clone has learned how to read, and I’ll send it on over; perhaps her path in life will be sufficiently similar to mine that she’ll benefit from at least a few items on the list.

Moving on to substance, here’s the thing: some people did say that PGP participants have no right to complain about being re-identified (and, by logical extension, about any of the other risks we assumed, including the risk of being cloned). It was my intention, in that post, to articulate and respond to three arguments that I’ve encountered, each of which suggests that re-identification demonstrations raise few or no ethical issues, at least in certain cases. To review, those arguments are:

Participants who are warned by data holders of the risk of re-identification thereby consent to be re-identified by third parties.
Participants who agree to provide data in an open access format for anyone to do with it whatever they like thereby gave blanket consent that necessarily included consent to using their data (combined with other data) to re-identify them.
Re-identification is benign in the hands of scholars, as opposed to commercial or criminal actors.

I feel confident in rejecting the first and third arguments. (As you’ll see from the comments I left on your post, however, I struggled, and continue to struggle, with how to respond to the second argument; Madeleine also has some great thoughts.) Note, however, two things. First, none of my responses to these arguments was meant to suggest that I or anyone else had been “sold a bill of goods” by the PGP. I’m sorry that I must have written my post in such a way that it leant itself to that interpretation. All I intended to say was that, in acknowledging the PGP’s warning that re-identification by third parties is possible, participants did not give third parties permission to re-identify them. I was addressing the relationship between re-identification researchers and data providers more than that between data providers and data holders.

Second, even as to re-identification researchers, it doesn’t follow from my rejection of these three arguments that re-identification demonstrations are necessarily unethical, even when conducted without participant consent. Exploring that question is the aim, in part, of my next post. What I tried to do in the first post was clear some brush and push back against the idea that under the PGP model — a model that I think we both would like to see expand — participants have given permission to be re-identified, “end of [ethical] story.” Continue reading →

Reidentification as Basic Science (Re-Identification Symposium)

Posted on May 26, 2013 by Meyer Michelle

Arvind Narayanan (Ph.D. 2009) is an Assistant Professor of Computer Science at Princeton. He studies information privacy and security and has a side-interest in technology policy. His research has shown that data anonymization is broken in fundamental ways, for which he jointly received the 2008 Privacy Enhancing Technologies Award. Narayanan is one of the researchers behind the “Do Not Track” proposal. His most recent research direction is the use of Web measurement to uncover how companies are using our personal information.

Narayanan is an affiliated faculty member at the Center for Information Technology Policy at Princeton and an affiliate scholar at Stanford Law School’s Center for Internet and Society. You can follow him on Twitter at @random_walker.

By Arvind Narayanan

What really drives reidentification researchers? Do we publish these demonstrations to alert individuals to privacy risks? To shame companies? For personal glory? If our goal is to improve privacy, are we doing it in the best way possible?

In this post I’d like to discuss my own motivations as a reidentification researcher, without speaking for anyone else. Certainly I care about improving privacy outcomes, in the sense of making sure that companies, governments and others don’t get away with mathematically unsound promises about the privacy of consumers’ data. But there is a quite different goal I care about at least as much: reidentification algorithms. These algorithms are my primary object of study, and so I see reidentification research partly as basic science.

Continue reading →

I Never Promised You a Walled Garden (Re-Identification Symposium)

Posted on May 25, 2013 by Meyer Michelle

By Misha Angrist

Dear Michelle:

You know I respect your work immensely: your paper on the heterogeneity problem will be required reading in my classes for a long time to come.

But as far as this forum goes, I feel like I need both to push back and seek clarity. I’m missing something.

As you know, the PGP consent form includes a litany of risks that accompany the decision to make one’s genome and medical information public with no promises of privacy and confidentiality. These risks range from the well documented (discovery of non-paternity) to the arguably more whimsical (“relatedness to criminals or other notorious figures.”), including the prospect of being cloned. You write:

Surely the fact that I acknowledge that it is possible that someone will use my DNA sequence to clone me (not currently illegal under federal law, by the way) does not mean that I have given permission to be cloned, that I have waived my right to object to being cloned, or that I should be expected to be blasé or even happy if and when I am cloned.

Of course not. No one is asking you to be silent, blasé or happy about being cloned (your clone, however, tells me she is “totally psyched”).

But I don’t think it’s unfair to ask that you not be surprised that PGP participants were re-identified, given the very raison d’être of the PGP.

I would argue that the PGP consent process is an iterative, evolving one that still manages to crush HapMap and 1000 Genomes, et al., w/r/t truth in advertising (as far as I know, no other large-scale human “subjects” research study includes an exam). That said, the PGP approach to consent is far from perfect and, given the inherent limitations of informed consent, never will be perfect.

But setting that aside, do you really feel like you’ve been sold a bill of goods? Your deep–and maybe sui generis–understanding of the history of de-identification demonstrations makes me wonder how you could have been shocked or even surprised by the findings of the Sweeney PGP paper.

And yet you were. As your friend and as a member of the PersonalGenomes.org Board of Directors, this troubles and saddens me. In the iterative and collaborative spirit that the Project tries to live by, I look forward to hearing about how the PGP might do better in the future.

In the meantime, I can’t help but wonder: Knowing what you know and having done your own personal cost-benefit analysis, why not quit the PGP? Why incur the risk?

Warm regards,

Misha

Reflections of a Re-Identification Target, Part I: Some Information Doesn’t Want To Be Free (Re-Identification Symposium)

Posted on May 24, 2013 by Meyer Michelle

This post is part of Bill of Health‘s symposium on the Law, Ethics, and Science of Re-Identification Demonstrations. You can call up all of the symposium contributions here. Please note that Bill of Health continues to have problems receiving some comments. If you post a comment to any symposium piece and do not see it within half an hour or so, please email your comment to me at mmeyer @ law.harvard.edu and I will post it. —MM

By Michelle N. Meyer

I wear several hats for purposes of this symposium, in addition to organizer. First, I’m trained as a lawyer and an ethicist, and one of my areas of scholarly focus is research regulation and ethics, so I see re-identification demonstrations through that lens. Second, as a member of the advisory board of the Social Science Genetics Association Consortium (SSGAC), I advise data holders about ethical and regulatory aspects of their research, including issues of re-identification. I may have occasion to reflect on this role later in the symposium. For now, however, I want to put on my third hat: that of data provider to (a.k.a. research participant in) the Personal Genome Project (PGP), the most recent target of a pair of re-identification “attacks,” as even re-identification researchers themselves seem to call them.

In this first post, I’ll briefly discuss my experience as a target of a re-identification attack. In my discussions elsewhere about the PGP demonstrations, some have suggested that re-identification requires little or no ethical justification where (1) participants have been warned about the risk of re-identification; (2) participants have given blanket consent to all research uses of the data they make publicly available; and/or (3) the re-identification researchers are scholars rather than commercial or criminal actors.

In explaining below why I think each of these arguments is mistaken, I focus on the PGP re-identification demonstrations. I choose the PGP demonstrations not to single them out, but rather for several other reasons. First, the PGP attacks are the case studies with which, for obvious reasons, I’m most familiar, and I’m fortunate to have convinced so many other stakeholders involved in those demonstrations to participate in the symposium and help me fill out the picture with their perspectives. I also focus on the PGP because some view it as an “easy” case for re-identification work, given the features I just described. Therefore, if nonconsensual re-identification attacks on PGP participants are ethically problematic, then much other nonconsensual re-identification work is likely to be as well. Finally, although today the PGP may be somewhat unusual in being so frank with participants about the risk of re-identification and in engaging in such open access data sharing, both of these features, and especially the first, shouldn’t be unusual in research. To the extent that we move towards greater frankness about re-identification risk and broader data sharing, trying to achieve clarity about what these features of a research project do — and do not — mean for the appropriateness of re-identification demonstrations will be important.

Having argued here about how not to think about the ethics of re-identification studies, in a later post, I plan to provide some affirmative thoughts about an ethical framework for how we should think about this work.

Continue reading →

Data Sharing vs. Privacy: Cutting the Gordian Knot (Re-Identification Symposium)

Posted on May 23, 2013 by Meyer Michelle

PGP participants and staff at the 2013 GET Conference. Photo credit: PersonalGenomes.org, license CC-BY

By Madeleine Ball

Scientists should share. Methods, samples, and data — sharing these is a foundational aspect of the scientific method. Sharing enables researchers to replicate, validate, and build upon the work of colleagues. As Isaac Newton famously wrote: “If I have seen further it is by standing on the shoulders of giants.”

When scientists study humans, however, this impulse to share runs into another motivating force — respect for individual privacy. Clinical research has traditionally been conducted using de-identified data, and participants have been assured privacy. As digital information and computational methods have increased the ability to re-identify participants, researchers have become correspondingly more restrictive with sharing. Solutions are proposed in an attempt to maximize research value while protecting privacy, but these can fail — and, as Gymrek et al. have recently confirmed, biological materials themselves contain highly identifying information through their genetic material alone.

When George Church proposed the Personal Genome Project in 2005, he recognized this inherent tension between privacy and data sharing. He proposed an extreme solution: cutting the Gordian knot by removing assurances of privacy:

If the study subjects are consented with the promise of permanent confidentiality of their records, then the exposure of their data could result in psychological trauma to the participants and loss of public trust in the project. On the other hand, if subjects are recruited and consented based on expectation of full public data release, then the above risks to the subjects and the project can be avoided.

—Church, GM “The Personal Genome Project” Molecular Systems Biology (2005)

Thus, the first ten PGP participants — the PGP-10 — identified themselves publicly.

Continue reading →

Breaking Good: A Short Ethical Manifesto for the Privacy Researcher

Posted on May 23, 2013 by Meyer Michelle

This post is part of Bill of Health‘s symposium on the Law, Ethics, and Science of Re-Identification Demonstrations. We’ll have more contributions throughout the week, and extending at least into early next week. Background on the symposium is here. You can call up all of the symposium contributions here (or by clicking on the “Re-Identification Symposium” category link at the bottom of any symposium post).

Please note that Bill of Health continues to have problems receiving some comments. If you post a comment to any symposium piece and do not see it within half an hour or so, please email your comment to me at mmeyer @ law.harvard.edu and I will post it. —MM

By Yaniv Erlich

1. Increase the general knowledge –Like any other scientific discipline, privacy research strives to increase our knowledge about the world. You are breaking bad if your actions are aimed to reveal intimate details of people, or worst to exploit these details for your own benefit. This is not science. This is just ugly behavior. Ethical privacy research aims to deduce technical commonalities about vulnerabilities in systems not about the individuals in these systems. This should be your internal compass.

This rule immediately asserts that your published findings should communicate only relevant information to deduce general rules. Any shocking/juicy/intimate detail that was revealed during your study is not relevant and should not be included in your publication.

Some people might gently (or aggressively) suggest that you should not publish your findings at all. Do not get too nervous by that. Simply remind them that the ethical ground of your actions is increasing the general knowledge. Therefore, communicating your algorithms, hacks, and recipes is an ethical obligation and without that your actions cannot be truly regarded as research. “There is no ignorabimus … whatever in natural science. We must know — we will know!”, the great Mathematician David Hilbert once said. His statement applies also to privacy research.

Continue reading →

Re-Identification Is Not the Problem. The Delusion of De-Identification Is. (Re-Identification Symposium)

Posted on May 22, 2013 by Meyer Michelle

This is the second post in Bill of Health‘s symposium on the Law, Ethics, and Science of Re-Identification Demonstrations. We’ll have more contributions throughout the week, and extending at least into early next week. Background on the symposium is here. You can call up all of the symposium contributions by clicking here (or by clicking on the “Re-Identification Symposium” category link at the bottom of any symposium post).

By Jen Wagner, J.D., Ph.D.

Before I actually discuss my thoughts on the re-identification demonstrations, I think it would be useful to provide a brief background on my perspective.

Identification≠identity

My genome is an identifier. It can be used in lieu of my name, my visible appearance, or my fingerprints to describe me sufficiently for legal purposes (e.g. a “Jane Doe” search or arrest warrant specifying my genomic sequence). Nevertheless, my genome is not me. It is not the gist of who I am –past, present or future. In other words, I do not believe in genetic essentialism.

My genome is not my identity, though it contributes to my identity in varying ways (directly and indirectly; consciously and subconsciously; discretely and continuously). Not every individual defines his/her self the way I do. There are genomophobes who may shape their identity in the absence of their genomic information and even in denial of and/or contradiction to their genomic information. Likewise, there are genomophiles who may shape their identity with considerable emphasis on their genomic information, in the absence of non-genetic information and even in denial of and/or contradiction to their non-genetic information (such as genealogies and origin beliefs).

My genome can tell you probabilistic information about me, such as my superficial appearance, health conditions, and ancestry. But it won’t tell you how my phenotypes have developed over my lifetime or how they may have been altered (e.g. the health benefits I noticed when I became vegetarian, the scar I earned when I was a kid, or the dyes used to hide the grey hairs that seem proportional to time spent on the academic job market). I do not believe in genetic determinism. My genomic data is of little research value without me (i.e. a willing, able, and honest participant), my phenotypic information (e.g. anthropometric data and health status), and my environmental information (e.g. data about my residence, community, life exposures, etc). Quite simply, I make my genomic data valuable.

As a PGP participant, I did not detach my name from the genetic data I uploaded into my profile. In many ways, I feel that the value of my data is maximized and the integrity of my data is better ensured when my data is humanized.

Continue reading →

Applying Information Privacy Norms to Re-Identification Demonstrations (Re-Identification Symposium)

Posted on May 21, 2013 by Meyer Michelle

This is the first post in Bill of Health‘s symposium on the Law, Ethics, and Science of Re-Identification Demonstrations. We’ll have more contributions throughout the week. Background on the symposium is here. You can call up all of the symposium contributions by clicking here (or by clicking on the “Re-Identification Symposium” category link at the bottom of any symposium post). —MM

By Stephen Wilson

I’m fascinated by the methodological intersections of technology and privacy – or rather the lack of intersection, for it appears that a great deal of technology development occurs in blissful ignorance of information privacy norms. By “norms” in the main I mean the widely legislated OECD Data Protection Principles (see Graham Greenleaf, Global data privacy laws: 89 countries, and accelerating, Privacy Laws & Business International Report, Issue 115, Special Supplement, February 2012).

Standard data protection and information privacy regulations world-wide are grounded by a reasonably common set of principles; these include, amongst other things, that personal information should not be collected if it is not needed for a core business function, and that personal information collected for one purpose should not be re-used for unrelated purposes without consent. These sorts of privacy formulations tend to be technology neutral; they don’t much care about the methods of collection but focus instead on the obligations of data custodians regardless of how personal information has come to be in their systems. That is, it does not matter if you collect personal information from the public domain, or from a third party, or if you synthesise it from other data sources, you are generally accountable under the Collection Limitation and Use Limitation principles in the same way as if you collect that personal information directly from the individuals concerned.

I am aware of two distinct re-identification demonstrations that have raised awareness of the issues recently. In the first, Yaniv Erlich used what I understand are new statistical techniques to re-identify a number of subjects that had donated genetic material anonymously to the 1000 Genomes project. He did this by correlating genes in the published anonymous samples with genes in named samples available from genealogical databases. The 1000 Genomes consent form reassured participants that re-identification would be “very hard”. In the second notable demo, Latanya Sweeney re-identified volunteers in the Personal Genome Project using her previously published method of using a few demographic values (such as date or birth, sex and postal code) extracted from the otherwise anonymous records.

A great deal of the debate around these cases has focused on the consent forms and the research subjects’ expectations of anonymity. These are important matters for sure, yet for me the ethical issue in re-anonymisation demonstrations is more about the obligations of third parties doing the identification who had nothing to do with the original informed consent arrangements. The act of recording a person’s name against erstwhile anonymous data represents a collection of personal information. The implications for genomic data re-identification are clear.

Continue reading →

Kudos to This American Life

Posted on May 14, 2013 by Meyer Michelle

A few weeks ago, I blogged about a recent episode of This American Life, “Dr. Gilmer and Mr. Hyde,” about the quest of one Dr. Gilmer (Benjamin) to understand why another, beloved Dr. Gilmer (Vince), had brutally murdered his own father after hearing voices that compelled him to do so. The episode ends (spoiler alert) with the revelation that Vince suffers from Huntington’s, a rare, neurodegenerative disease that causes progressive physicial, cognitive, and psychological deterioration.

Listeners, it seemed to me, could naturally conclude from the episode that it was Vince’s Huntington’s that had caused him to murder his father. That might or might not be true in this particular case. Huntington’s can cause behavioral and mood changes, including irritability, aggression and belligerence. It can also cause (less often) psychosis. But even if Huntington’s caused Vince to murder his father, or somehow contributed to the murder, the extreme violence that Vince displayed — strangling his father, then sawing off his father’s fingertips to preclude identification — is in no way typical of the Huntington’s population as a whole. And so what most troubled me about the episode was its failure to note just how rare this kind of extreme violence is among those with Huntington’s, just as it is very rare among human beings generally. And so I wrote to TAL, requesting a clarification.

I’m happy to report that the TAL producer for the episode, Sarah Koenig — who had not intended to suggest any causal link between Vince’s murder of his father and his Huntington’s, much less between murder and Huntington’s more generally — has issued a clarification on the show’s blog, and promises to make a similar clarification in the episode itself, should they ever re-air it. Kudos to TAL, and many thanks to Sarah for being incredibly gracious in our exchanges.

One clarification deserves another. In my earlier blog post, I also worried that some listeners might conclude that Vince’s father was similarly driven to commit horrific acts of sexual abuse on Vince and his sister because he, too, was (presumably) suffering from Huntington’s (an autosomal dominant genetic disease). Although I think that a listener who didn’t know better could reasonably conclude that Huntington’s causes people to become sexual predators almost as easily as they could conclude from the episode that Huntington’s causes people to become murderers, nothing in the episode suggests that Sarah, Benjamin Gilmer, or anyone else at TAL believe that Huntington’s causes sexual abuse, or that they intended for listeners to reach that conclusion. I regret anything in my earlier post that suggested otherwise.

Again, I’m very grateful to Sarah and everyone else at TAL for hearing me (and other listeners) out and for agreeing to make the clarification — and just in time for HD Awareness Month!

Online Symposium on the Law, Ethics & Science of Re-identification Demonstrations

Posted on May 13, 2013 by Meyer Michelle

Over the course of the last fifteen or so years, the belief that “de-identification” of personally identifiable information preserves the anonymity of those individuals has been repeatedly called up short by scholars and journalists. It would be difficult to overstate the importance, for privacy law and policy, of the early work of “re-identification scholars,” as I’ll call them. In the mid-1990s, the Massachusetts Group Insurance Commission (GIC) released data on individual hospital visits by state employees in order to aid important research. As Massachusetts Governor Bill Weld assured employees, their data had been “anonymized,” with all obvious identifiers, such as name, address, and Social Security number, removed. But Latanya Sweeney, then an MIT graduate student, wasn’t buying it. When, in 1996, Weld collapsed at a local event and was admitted to the hospital, she set out to show that she could re-identify his GIC entry. For twenty dollars, she purchased the full roll of Cambridge voter-registration records, and by linking the two data sets, which individually were innocuous enough, she was able to re-identify his GIC entry. As privacy law scholar Paul Ohm put it, “In a theatrical flourish, Dr. Sweeney sent the Governor’s health records (which included diagnoses and prescriptions) to his office.”

Sweeney’s demonstration led to important changes in privacy law, especially under HIPAA. But that demonstration was just the beginning. In 2006, the New York Times was able to re-identify one individual (and only one individual) in a publicly available research dataset of the three-month AOL search history of over 600,000 users. The Times demonstration led to a class-action lawsuit (which settled out of court), an FTC complaint, and soul-searching in Congress. That same year, Netflix began a three-year contest, offering a $1 million prize to whomever could most improve the algorithm by which the company predicts how much a particular user will enjoy a particular movie. To enable the contest, Netflix made publicly available a dataset of the movie ratings of 500,000 of its customers, whose names it replaced with numerical identifiers. In a 2008 paper, Arvind Narayanan, then a graduate student at UT-Austin, along with his advisor, showed that by linking the “anonymized” Netflix prize dataset to the Internet Movie Database (IMDb), in which viewers review movies, often under their own names, many Netflix users could be re-identified, revealing information that was suggestive of their political preferences and other potentially sensitive information. (Remarkably, notwithstanding the re-identification demonstration, after awarding the prize in 2009 to a team from AT&T, in 2010, Netflix announced plans for a second contest, which it cancelled only after tussling with a class-action lawsuit (again, settled out of court) and the FTC.) Earlier this year, Yaniv Erlich and colleagues, using a novel technique involving surnames and the Y chromosome, re-identified five men who had participated in the 1000 Genomes Project — an international consortium to place, in an open online database, the sequenced genomes of (as it turns out, 2500) “unidentified” people — who had also participated in a study of Mormon families in Utah.

Most recently, Sweeney and colleagues re-identified participants in Harvard’s Personal Genome Project (PGP), who are warned of this risk, using the same technique she used to re-identify Weld in 1997. As a scholar of research ethics and regulation — and also a PGP participant — this latest demonstration piqued my interest. Although much has been said about the appropriate legal and policy responses to these demonstrations (my own thoughts are here), there has been very little discussion about the legal and ethical aspects of the demonstrations themselves. As a modest step in filling that gap, I’m pleased to announce an online symposium, to take place here at the Bill of Health the week of May 20^th, that will address both the scientific and policy value of these demonstrations and the legal and ethical issues they raise. Participants fill diverse stakeholder roles (data holder, data provider — i.e., research participant, re-identification researcher, privacy scholar, research ethicist) and will, I expect, have a range of perspectives on these questions:

Misha Angrist
Madeleine Ball
Daniel Barth-Jones
Yaniv Erlich
Beau Gunderson
Stephen Wilson
Michelle Meyer
Arvind Narayanan
Paul Ohm
Latanya Sweeney
Jennifer Wagner

I hope readers will join us on May 20.

Live Blogging from FDA in the 21st Century Conference, Plenary 2: Alta Charo on Integrating Speed and Safety

Posted on May 4, 2013 by Meyer Michelle

[This is off-the-cuff live blogging, so apologies for any errors, typos, etc]

Day two of PFC’s FDA in the 21^st Century conference begins with a morning plenary by the very fabulous Alta Charo, of the University of Wisconsin Law School, who is speaking on “Integrating Speed and Safety.”

Today Alta is presenting what she calls “more of an initial idea than an actual proposal,” and she notes that she’s very interested to hear responses to it, so comment away or contact her offline. She wants to integrate into the usual and longstanding “FDA speed versus safety” debate some concerns that should be of interest to industry. “In other words,” she said, “I’d like to be nice to the drug people.”

Alta begins with a brief history of the speed versus safety debate, which turns out to be quite cyclical. Before 1906, she asks us to recall, we had true snake oil: products with high toxicity and little or no efficacy. Often these products were nevertheless perceived as effective because they contained alcohol or other drugs, so made you feel better at least, but of course that’s part of what made these products so dangerous, especially for children.

And so with the Federal Food and Drugs Act of 1906, we get post-market remedies for misbranding, although they require proof of intent. And then in 1937 over 100 children die from elixir of sulfanilamide. And the following year we get the Food, Drug, and Cosmetic Act. But the FDCA targets only safety. (Although rightly Alta notes that it’s hard to see how regulators were truly only looking at safety and not also at some form of efficacy, since there is no such thing as safety in the abstract, only safety relative to purpose for which someone is taking the drug.) Continue reading →

Live Blogging from FDA in the 21st Century Conference, Panel 2: Preserving Public Trust and Demanding Accountability

Posted on May 3, 2013 by Meyer Michelle

[This is off-the-cuff live blogging, so apologies for any errors, typos, etc]

First up is Mark Lange from Eli Lilly (who notes that he is here in his personal capacity only!), speaking about “Data Transparency and the Role of the FDA.”

He prefaces his talk by noting that when he refers to “data,” he means raw, patient-level data from clinical trials. Most calls for the transparency of such data, he says, reflect a common theme about lack of trust in the pharmaceutical industry. So we might wonder: why doesn’t the pharmaceutical industry simply accede to that request and make their data available?

Mark notes that industry has several concerns. One important one pertains to data exclusivity. In several (if not all) markets, data exclusivity rights are premised on keeping the relevant data confidential, and posting it publicly would be deemed a waiver of those rights. In addition, data exclusivity prevents generic competitors from free riding, and publishing data could allow them to circumvent the very point of data exclusivity.

Moving to privacy concerns, Mark notes that research subjects’ understanding is that their data will be used for particular purposes and shared with regulators, but not be publicly posted on the Internet for anyone to do with whatever they want. Relatedly, there is the potential for interpretation of public data to be biased; research results may be over-interpreted and analyses may be flawed or even erroneous. Competitors might look for fairly trivial flaws the the data and try to use them to their advantage rather than sincerely trying to advance scientific progress and transparency.

Mark suggests, however, the choice between privacy and transparency is a false one. A better alternative is available — namely, for objective, expert regulators such as the FDA to receive and vet data in ways that address both audiences and both sets of concerns. The FDA is in fact already experienced in doing this. For example, it determines whether research demonstrates that a drug is safe and effective for a particular use through its marketing application approval mechanism, and it determines the accuracy and adequacy of the portrayal of research results in product labeling and product advertisements. And late last year, it was given responsibility for overseeing clinicaltrials.gov, which includes results from all pre-specified primary and secondary outcomes measures from nearly all clinical trials either conducted in the U.S. or intended to be used in support of an application for marketing approval in the U.S. This new responsibility, Mark suggests, could be a powerful tool, depending on how the FDA uses it. For instance, the FDA could exercise authority to monitor and enforce the absence of required results and the inclusion of false or misleading results data.

In concluding, Mark stresses that, when faced with requests for public access to patient-level trial data, we should consider the important role of regulators as trusted intermediaries who can balance competing concerns. Continue reading →

This American Life and Stigma

Posted on April 18, 2013 by Meyer Michelle

Update: TAL has made a clarification. Please see this post for more.

Let me begin by saying how much I absolutely adore This American Life. I listen to it religiously. I particularly had been looking forward to the most recent pocast episode of TAL: Dr. Gilmer and Mr. Hyde. As the episode’s blurb teases, “Dr. Gilmer and Mr. Hyde” concerns a doctor — Benjamin Gilmer — who takes over the rural South Carolina practice of Vince Gilmer (no relation). Vince is no longer available to see patients because he is serving a prison sentence for killing his father. As Benjamin gets to know Vince’s — and now his — patients, he forms a picture of Vince that’s at odds with his status as a convicted father murderer. How could this doctor who was so devoted to his patients have so brutally murdered his own father?

This episode is right up my alley. True crime? Check. Forensic psychology? Check. The intersection of law and medicine? Yes, please. So when I awoke yesterday morning at 5 am and couldn’t go back to sleep, I eagerly cued up the podcast. The episode recounts, in TAL’s typically-riveting fashion, the story of Benjamin’s search for the truth behind Vince’s murder of his father. I enjoyed every minute of the episode until the last five minutes or so, when I became troubled by one critical omission.

Spoilers follow after the jump; listen to the episode first. Continue reading →

R.I.P. Ronald Dworkin (Dec. 11, 1931–Feb. 14, 2013)

Posted on February 14, 2013 by Meyer Michelle

I woke this morning to the very sad news that legal philosopher and NYU law professor Ronald Dworkin died in London early this morning of leukemia, at the age of 81.

I’m not sure whether his illness was well known to those within the legal academy, but it came as news to me, so I confess I’m slightly shocked by news of his death. Others, of course, are much better positioned to give thoughts about his life and career, and no doubt will, here and elsewhere. I’ll share just one brief remembrance. I was the founding co-editor of the Harvard Law Review Forum, and for our very first issue, I solicited a response from Professor Dworkin to Fred Schauer’s (Re)Taking Hart. These were the days when online supplements to law reviews were new, and we didn’t really know how scholars would view these opportunities. When he readily agreed to provide a response, I recall emailing the news around Gannett, to much rejoicing. This was an especially meaningful “get” for me, as in addition to his work in legal philosophy, I had read and appreciated Life’s Dominion as an undergraduate studying bioethics. I was terribly nervous about interacting with him, but he was incredibly kind and gracious and unassuming throughout the process.

Professor Dworkin leaves behind his wife, two children, and two grandchildren. They and his friends and colleagues are in my thoughts.

Update: Brian Leiter is aggregating memorial notices here.