In late October, genetic testing startup 23andMe did something unusual: It issued a transparency report that disclosed how many times law enforcement had requested access to its customers’ data. Transparency reports themselves — regularly updated documents that disclose statistics of government requests for user data, records, or content — aren’t unusual: Google, Facebook, Twitter, and Microsoft all now issue them. What was different was the nature of the requests: Instead of seeking information about someone’s location or communications, the government was asking for people’s DNA.
Ultimately, 23andMe said it didn’t comply with the requests. However, as more health technology companies track ever more discrete data about our bodies — from our genes to our heart rate — law enforcement agencies will increasingly attempt to access this information. But for now, at least, because most health technology companies do not issue transparency reports, those requests remain a black box.
For example, Fitbit, which has a market cap of $8 billion, has sold more than 30 million activity trackers since its 2007 inception. Asked by BuzzFeed News, a spokesperson said the company does not currently issue a transparency report because it’s received an “extremely low number of requests in the single digits” for customer data, but will start doing so “when the numbers are higher.” The spokesperson would not say whether Fitbit had complied with any requests so far.
But Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, said that divulging even low numbers can help boost a company’s image. “If you’re not getting very many [requests], which is what people expect to get, then I don’t think there’s any sort of negative publicity or stigmatizing effect,” he said.
Customers might be concerned about cops having access to their minute-by-minute whereabouts, the kind of information collected by the GPS-tracking Fitbit Surge wristband. But even data as seemingly innocuous as steps can be incriminating under certain circumstances. While visiting Lancaster, Pennsylvania, in March, Jeannine Risley of Florida called 911 to report that an unknown man had pulled her out of bed, beat her, held a knife to her, and raped her with a bottle, causing her to lose her Fitbit Surge in the process, according to the police affidavit.
But when cops got her permission to log in to her Fitbit account, they discovered that Risley had been awake and walking around the whole night, instead of asleep as she’d said, according to the affidavit. That discovery partly led the police to arrest Risley on suspicion that she’d lied about the whole situation.
Other criminal cases have relied in part on the app Strava, where runners and cyclists upload fitness data from wireless trackers. Three years ago, Christopher Bucchere biked through a pedestrian crosswalk in San Francisco and killed a 71-year-old man; Strava data showed that he was going 32 mph in a 25 mph zone. (Bucchere pleaded guilty to felony vehicular manslaughter.)
Strava CEO Mark Gainey told BuzzFeed News in an email, “Our athletes are the focus of everything we do at Strava, and protecting their privacy is a foundational value for us. Though we do field occasional inquiries from governmental agencies, we have no current plans to publish a transparency report.” Jawbone, one of Fitbit’s biggest rivals, told BuzzFeed News it also does not plan to issue a transparency report. AncestryDNA, which, like 23andMe, has also collected more than 1 million DNA samples, and it told BuzzFeed News it is working on a transparency report. It also owns a family DNA database which, earlier this year, helped lead police to briefly and erroneously link a New Orleans filmmaker to an unsolved murder.
The privacy policies of all the companies mentioned in this story warn users that their data may be disclosed to law enforcement.
To be fair, a transparency report isn’t a perfect document. It won’t necessarily capture, say, when the National Security Agency collects users’ information in bulk rather than formally requesting individual data through the company. “The transparency report isn’t actually that transparent at the end of the day,” said Elliot Hosman, a senior program associate at the Center for Genetics and Society, a bioethics watchdog group.
But Tien said it would nevertheless be a step toward understanding how often these companies are actually getting inquiries. “If people have been transparent about this for one year, two years, three years, we’ve got a baseline. Then it’d be possible to say, ‘I don’t get very many, I wonder why,’ or, ‘Gee, they sure get a lot,’” he said.
After all, health and biometric data can be even more personal than an email. “DNA is the ultimate level of a biometric,” Tien said. “That kind of information and that kind of biological sample need to be treated very, very carefully and with a great deal of accountability.”
The story has been updated to say that a transparency report from AncestryDNA is in development.