23andMe Shuts Down App that Uses Genetic Information to Screen Access

July 22, 2015

By Bio-IT World Staff

July 22, 2015 | 23andMe today shut down an app built with its API that enabled web developers to “restrict access to your site based on traits including sex, ancestry, disease susceptibility [stet], and arbitrary characteristics associated with single-nucleotide polymorphisms (SNPs) in a person's genotype.”

Created two days ago on GitHub by user Offensive-Computing, the Genetic Access Control app uses a standard third-party authentication mechanism, OAuth2, to request minimal permissions from 23andMe on behalf of the user. “The user is presented with a dialog asking them to approve the sharing of certain genetic data with your application,” the README on GitHub explains. “If the request is approved a temporary access token is passed to your application which can be used to make API requests to retrieve information, such as ancestry composition and SNP nucleotide sequences. This data can then be used to grant or restrict authorization.”

The possible uses listed on GitHub range from creating a “safe space” for women to enabling dating sites to prescreen potential matches for hereditary diseases to creating closed online spaces for groups defined by ethnic background, e.g. Black Panthers or NAACP members.

Of course, more nefarious applications can be imagined. The example on GitHub checks to see if a user’s ancestral makeup is primarily composed of European (minus Ashkenazi) genetic markers to determine whether or not access is permitted.

In the example, a hypothetical user is granted access when his or her ancestry is revealed as 65.1% European. 

[Screenshots: the app’s “success” and “fail” access screens]

23andMe tweeted that the Genetic Access Control app had been shut down because it violated 23andMe’s API policy, though the company did not specify which part of the policy was violated. “The developer no longer has API access,” the company said in its tweet. 


Among other prohibitions in the API policy, developers agree not to use the API to defame, abuse, harass, stalk or threaten others (5.b.3) and not to create applications that promote hate materials or materials urging acts of terrorism or violence (5.b.10).