I was stunned. The report concluded that there was virtually no government oversight and regulation in the burgeoning field of genetic analytics. The government was far behind the curve.
I printed a copy of the story for Myron to read and then went to GT23’s website to look for any acknowledgment that the services the company provided and the security it promised were not backed by government regulation. I found none. But I did stumble across a page that outlined how researchers could go about requesting anonymized data and biological samples and the fields of study the company supported:
Cancer
Nutrition
Social Behaviors
Risky Behaviors
Addiction
Insomnia
Autism
Mental Disorders (bipolar disorder, schizophrenia, schizo-affective disorder)
On the website the recipients of data and bio samples were called collaborators. It was all presented in a cheery, change-the-world-for-the-better pitch that I was sure was crafted to allay any potential participant’s concerns about anonymously putting their DNA into the great unknown of genetic analysis and storage.
Another section of the website contained a four-page privacy-and-informed-consent statement that outlined the anonymity guaranteed with the submission of one’s DNA in a GT23 home-sampling kit. This was the boring fine print but I read every word of it. The company promised participants multiple layers of security in the handling of their DNA and required all collaborators to meet the same levels of physical and technical protection of data. No biological sample would be transferred to a collaborator with any participant’s identity attached.
The consent statement clearly said that the low cost to participants for DNA analytics, matching, and health reporting was underwritten by the collaborating companies and labs that paid for the anonymized data. As such, the participant was agreeing to field requests from collaborators funneled through GT23 to maintain anonymity. The requests could range from additional information on personal habits to surveys in the specific field of study or even additional DNA samples. It was then up to the participant to decide whether to respond. Direct participation with collaborators was not required.
After three pages of outlining self-imposed security measures and promises, the last page contained the bottom line:
We cannot guarantee that a breach will never happen.
It was the lead sentence of the last paragraph and was followed by a list of worst-case scenarios that were “highly unlikely.” These ran from collaborator security breaches to the theft or destruction of DNA samples while in transit to labs sponsored by collaborators. There was one line in the disclaimer paragraph I read over and over, trying to understand it:
It may be possible, but unlikely, that a third party could identify you if they are able to combine your genetic data with other information available to them through other means.
I copied this off the screen and put it at the top of a notes document. Below it I typed: WTF?
I now had my first follow-up question. But before I pursued it I clicked on a tab labeled law enforcement on the menu. This page revealed GT23’s statement of support and cooperation with the FBI and police agencies in using its genetic data in criminal investigations. This had become a hot-button topic in recent years as police used genetic-analytics providers to help solve cases through linkage of familial DNA. In California, most notably, the alleged Golden State Killer was captured decades after a murder-and-rape spree when DNA from a rape kit was uploaded on GEDmatch and investigators were provided with matches to several relatives of the alleged killer. A family tree was constructed and soon a suspect was identified and then confirmed through further DNA analysis. Many other lesser-known murders were also solved similarly. GT23 made no bones about cooperating with law enforcement when asked.
I was now finished with my review of GT23’s website and I had one question on my notes page. I wasn’t sure what I had or what I was doing. I had a connection among the deaths of four young women. They were connected by their gender, the cause of their deaths, and their participation in GT23. I assumed that GT23 had millions of participants so was unsure if this last connection was a valid common denominator.
I sat up and looked over the wall of my cubicle. I could only see the top of Myron’s head in his cubby. I thought about going to him and saying now was the time to talk. But I quickly dismissed the idea. I didn’t like going to my editor, my boss, and saying I didn’t know what to do next. An editor wants confidence. He wants to hear a plan that will lead to a story. A story that would draw attention to FairWarning and what we were doing.
I stalled the decision by googling a contact number for GT23 and calling the corporate office in Palo Alto. I asked for Media Relations and soon was talking to a media specialist named Mark Bolender.
“I work for a consumer news site called FairWarning and I’m doing a piece on consumer privacy in the area of DNA analytics,” I said.
Bolender did not respond at first but I heard him typing.
“Got it,” he finally said. “Looking at your website right now. I was not familiar with it.”
“We usually partner on stories with more recognizable media outlets,” I said. “L.A. Times, Washington Post, NBC, and so on.”
“Who is your partner on this one?”
“No partner at the moment. I’m doing some preliminary work and—”
“Gathering string, huh?”
It was an old newspaper phrase. It told me Bolender was a former news guy who had crossed to the other side. He was handling media now, rather than being media.
“Only a reporter would say that,” I said. “Where’d you work?”
“Oh, here and there,” Bolender said. “My last gig was twelve years at the Merc as a tech reporter and then I took a buyout, ended up here.”
The San Jose Mercury News was a very good newspaper. If Bolender had been a tech reporter in the breadbasket of technology then I knew I wasn’t dealing with a public-relations hack. I now had to worry that he would figure out what I was really up to and find a way to block me.
“So what can I do for you and FairWarning?” Bolender asked.
“Well, right now I need some general information about security,” I said. “I was on the GT23 website and it says there are multiple layers of security established for handling participant genetic data and material, and I was hoping you could walk me through that.”
“I wish I could, Jack. But you are asking about proprietary matters that we don’t talk about. Suffice it to say, anyone who submits a genetic sample to GT23 can expect the highest level of security in the industry. Way beyond government requirements.”
It was a stock answer and I noted that going beyond government requirements when there were no such requirements meant nothing. But I didn’t want to jump on Bolender and position myself as an adversary so early in the conversation. Instead, I typed his words into the file because I would need to use them in the story — if a story was published.
“Okay, I understand that,” I said. “But on your website you clearly say you can’t guarantee that there will never be a breach. How do you reconcile that with what you just said?”
“What is on the website is what the lawyers tell us to put on the website,” Bolender said, an edge sharpening in his voice. “Nothing in life is one hundred percent guaranteed, so we need to make that advisement. But as I said, our safety measures are beyond question second to none. Do you have another question?”