By The American Contemporary
The Senate Committee on Homeland Security and Governmental Affairs has recently released a statement on a new bipartisan effort to protect sensitive genetic data from being used, stolen, or exploited by foreign entities. The proposed legislation, which passed the committee on March 6th 2024, would ban bio-technology companies from operating in the United States if they are owned or operated by a “hostile” foreign government. Further, this bill would ban any bio-technology company which is deemed a threat to national security, and prohibits these companies from applying for or receiving US taxpayer funded grants, loans, or government contracts. While the bill is proposed to be broad acting, the listed companies and governments affected primarily center around the Chinese Communist Party (CCP) and Chinese Biotechnology companies BGI Group (BGI), MGI, Complete Genomics, and WuXi AppTec.
The Chinese government (and its associated agents and actors) have a long and frequent history of intellectual property theft allegations, assertions of espionage, and schemes of online/telecommunication skullduggery. Perhaps one of the most widely known cases is that of Chinese telecommunications company, Huawei, which has been accused by the US as well as many European countries of engaging in espionage on behalf of the CCP. Specifically, multiple countries have alleged that Huawei technologies contain “backdoors” in their products which allow third party actors to monitor and spy on users and their conversations. Additionally, the company was accused in 2020 of contributing facial recognition technology to track and monitor religious and ethnic minority groups for purposes of government persecution, such as the Uyghur population in Xinjiang. Further, the company also has a long history of intellectual property theft, with examples including employees photographing and diagraming Fujitsu circuit boards after hours, theft of Cisco telecom IP which was proven through direct code theft and verbatim typos in technical manuals, and the attempted theft of a CNEX solid-state drive with the help of a Chinese University partner. It is worth noting that while both Huawei and the CCP deny these claims and propose these accusations are meant to hinder Chinese development, the list is extensive and not limited to the US marketplace.
The realm of bio-technology and genetic information however presents a new series of security challenges which extend beyond established convention. Americans know all too well the importance of protecting sensitive information such as your social security number. These identifying codes establish proof of citizenry, proof of work, and validate for all intent and purpose that you are who you claim to be. When that number is compromised however, the ramifications are substantial. Thieves and malefactors use this personal data to take loans out in the name of another, access bank or credit accounts, and exploit or trick others to gather additional personal information. However, the single saving grace of these data breaches is that the victim still is clearly identifiable, and can be easily traced to prove the validity of purchases, claims, and other actions. However, when biological material is used in place of general ID data, the issue becomes much more complex.
Genetic materials are some of the most precious identifying compounds in the world. From fingerprints to DNA segments, they uniquely identify you as yourself, and provide unfaltering and unwavering proof of personal identity. It is challenging to forge false genetic information, particularly when needed at the point of inspection, and it is something that you always carry which is distinctly your own. But with the continuous proliferation of biometric security protocols coupled with increased health/genetic testing and analysis opportunities, genetic data is quickly being put at risk for exploitation and abuse.
One such example of this abuse was put forward by the Federal Trade Commission (FTC) in 2023, when the agency released its new Biometric Policy Statement. In the statement, the agency affirms that it will combat “unfair” or “deceptive acts” surrounding biological and genetic information when it comes to consumes. In particular, they concern themselves with a rapid increase in the sale of personal information by domestic technology and genetic testing companies, including things such as facial features, fingerprints, non-confidential health data, racial background, personal history information, etc. to third party organizations. From here, said companies have access to extensive personal information from which they are able to discern things from religious institution attended, to political preference, dietary and health supplement use, and much more for the purposes of targeted sales opportunities. This creates a privacy and ethical debate as to what is considered fair use of such personal identifying information, and the disclosure of personal data use.
The recording of personal biometric data also creates security concerns when it comes to privacy and accessibility of data. The law is extremely gray when it comes to police accessibility of personal information on password protected devices. Generally speaking, the police cannot compel you or force you to give up a password for a device they wish to access, however biometric access such as fingerprints or face-ID create new legal questions. A federal judge in California for example ruled in 2019 that it violated the 5th amendment against self-incrimination to force a suspect to use biometric data to unlock a device, however a separate judge in 2021 ruled in a case for a suspected January 6th participant that police could force the suspect to unlock their device as it was no different than submitting DNA samples to the court or providing a written sample for testing penmanship. The spread and use of this data from a legal standpoint exacerbates the challenges of protecting personal information which is secured via biometric data.
The issue extends beyond biometrics and privacy as well. Malefactors who wish to impersonate, steal, or exploit individuals are empowered by data, and personal information such as genetic information is some of the most valuable they could acquire. Biological information could allow foreign agents to incriminate others in crimes or espionage. It could allow individuals to blackmail or extort based on private medical information that the victim does not want to have exposed. It allows scammers to more accurately represent themselves as family, friends, or celebrities for the purposes of stealing information, money, etc. from vulnerable people. Whether it be deep-faked faces or AI-modified voices, this form of personal information is at the core of what makes us unique, and the exploitation of these nuanced features makes it increasingly challenging to tell the real from the false.
Thus, this newly proposed bill (along with many others put forward by other committees such as the “Protecting Americans’ Data from Foreign Adversaries Act of 2024” bill passed by the House Committee on Energy and Commerce) seek to address very real issues surrounding the expansion of personal data use, and the legal limitations of said use. From a fundamental perspective, this policy is one that I find much good in. The regulation of commerce is, after all, a power of the federal government, and protecting its citizens from financial and physical threats both domestic and abroad are valid and useful ambitions. Increasing scrutiny of foreign businesses also could provide more opportunities for domestic players to establish themselves in the market, creating more opportunities for citizens to find gainful employment or enter the world of entrepreneurship.
There is one major consideration however that should give pause to immediate celebration. Most of these discussions surround foreign and commercial use of biometric and genetic data, which is important. However, few if any proposed laws address governmental and allied government use of such data. Surveillance of citizens, such as those authorized in the Patriot Act, are often widely criticized for their violation of personal rights to privacy. While some may argue that it is better to give up privacy in the name of safety, I would argue greatly against such as thing. From a fundamental perspective, the established rights of privacy granted to citizens must be preserved, for a breach of this would constitute tyrannical augmentation of law and order. While the Patriot Act is no longer officially in effect, new bills which threaten citizen rights are gaining momentum. One such bill is the RESTRICT act (commonly known as the Tik Tok ban bill). While this bill similarly seeks to combat the use of personal information by the CCP, it has faced extreme criticism for its vague language and open-ended enforcement of the law, which could allow the government to spy on and monitor end consumers. Further, the penalties and enforcement of these laws are not inherently dictated by elected officials, but by committee, making transparency all the more challenging.
Much like the proposed genetic data bill, the RESTRICT act provides many benefits on the surface while empowering or failing to address how the federal government could do the same. As we continue to ponder and legislate on concerns of personal data and privacy, it is imperative that we combat domestic threats to our rights and liberties as vigorously as foreign threats. History has shown that allowed abuses of power often result in continued abuses. By stopping these potentially harmful effects before they begin, we can save the nation considerable headache in the future.