The 2020-2021 Bioethics Public Seminar Series continues next month on March 24. You are invited to join us virtually to learn about artificial intelligence and healthcare data ownership. Our seminars are free to attend and open to all individuals.
Healthcare Artificial Intelligence Needs Patient Data: Who “Owns” the Data About You?
Artificial intelligence (AI) is increasingly used in modern medicine to improve diagnostics, therapy selection, and more. These computer algorithms are developed, trained, and tested with our patient medical data. Certainly beyond the healthcare space, many companies—from Facebook to Amazon to your local pub—are using our consumer data. This is data about you, but is it your data? What rights do you have versus the owners of the data? Does medical data used for the benefit of future patients deserve different treatment than consumer data? This lecture will explore examples of AI and an evolving view of data ownership and stewardship in medicine.
Join us for Dr. Alessio’s online lecture on Wednesday, March 24, 2021 from noon until 1 pm ET.
Adam M. Alessio, PhD, is a professor in the departments of Computational Mathematics, Science, and Engineering (CMSE), Biomedical Engineering (BME), and Radiology. He earned a PhD in Electrical Engineering at the University of Notre Dame and then joined the University of Washington faculty where he was a Professor in the Department of Radiology until 2018. He moved to MSU to be part of the new CMSE and BME departments and the Institute for Quantitative Health Science and Engineering. His research is focused on non-invasive quantification of disease through Artificial Intelligence-inspired algorithms. Dr. Alessio’s research group solves clinically motivated research problems at the intersection of imaging and medical decision-making. He is the author of over 100 publications, holds 6 patents, and has grant funding from the National Institutes of Health and the medical imaging industry to advance non-invasive cardiac, cancer, and pediatric imaging. Dr. Alessio is also the administrative director of the new Bachelor of Science in Data Science at MSU and is looking for partners in the development of a data ethics curriculum at MSU.
In a state of public health emergency, such as the one brought on by COVID-19, different countries have invoked extra powers to help mitigate the public health threat. These special powers would under normal circumstances be considered infringements on our liberty and privacy. A recent Wired article reported that big tech companies like Google and Facebook are in discussions with the White House about sharing collective data on people’s movement during the current pandemic. For example, phone location data or private social media posts could be used to track whether people are remaining at home and keeping a safe distance from others to stem the outbreak, and to measure the effectiveness of calls for social distancing. In the U.S., the government would generally need to obtain a user’s permission or a court order to acquire that type of user data from Google and Facebook. But as mentioned above, the government has broader powers in an emergency.
Obtaining this data could help governments prepare for the coming weeks of this public health emergency. For example, smartphone location data analysis from the New York Times has shed light on disparities in which groups can afford to stay home and limit their exposure to the coronavirus. This is certainly useful for better understanding the spread of the disease in different areas and across different socioeconomic groups. Facebook is working with Chapman University and other collaborators to develop maps that show how people are moving between areas that are hotspots of COVID-19 cases and areas that are not; such maps could be useful in understanding the spread of the disease. As announced in a news release this month, Apple and Google have launched a joint effort to help governments and health agencies reduce the spread of the virus by using application programming interfaces and operating system-level technology to enable “contact tracing.”
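The technical details of that joint effort are beyond the scope of this commentary, but the general idea behind decentralized “exposure notification” designs can be sketched in a few lines of code. The sketch below is a deliberately simplified, hypothetical illustration; the class, method names, and token scheme are invented for this example and are not Apple’s or Google’s actual API. The key point is that phones exchange short-lived random identifiers over short-range radio, and matching against the tokens of diagnosed users happens on the device rather than in a central database.

```python
# Simplified, hypothetical illustration of decentralized contact tracing.
# Phones broadcast short-lived random identifiers; matching happens on the device,
# so no central authority ever sees a location history or a social graph.
import secrets
from dataclasses import dataclass, field

@dataclass
class Phone:
    seen: set = field(default_factory=set)         # identifiers heard from nearby phones
    broadcast: list = field(default_factory=list)  # identifiers this phone has sent out

    def new_identifier(self) -> str:
        """Generate a fresh random identifier (rotated frequently in real systems)."""
        token = secrets.token_hex(8)
        self.broadcast.append(token)
        return token

    def record_contact(self, token: str) -> None:
        """Store an identifier received over short-range radio from a nearby phone."""
        self.seen.add(token)

    def check_exposure(self, published_tokens: set) -> bool:
        """Compare locally stored contacts against tokens published by diagnosed users."""
        return bool(self.seen & published_tokens)

# Two phones come near each other and exchange identifiers.
alice, bob = Phone(), Phone()
bob.record_contact(alice.new_identifier())

# If Alice later tests positive, only her random tokens are published, not her identity.
published = set(alice.broadcast)
print(bob.check_exposure(published))  # True: Bob is notified of a possible exposure
```

Even in this toy version, the privacy questions raised below remain: who publishes the tokens, how long they are retained, and what other data is collected alongside them.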
Image description: an illustrated image of a pink brain coming out of the top of a person’s head; a magnifying glass with a brown handle, silver rim, and blue lens is above the brain as if looking into it. The background is light green. Image source: artwork from vecteezy.com.
While this sounds promising, one of the main obstacles has to do with concerns over the privacy of users whose data might be handed over by the companies. It would be unprecedented for the government to openly mine user movement data on this scale. Adding to the issue, many more people now rely on digital tools to work or attend classes remotely, as well as to stay connected with family and friends, which makes the data being gathered richer in both amount and kind. However, as pointed out in a New York Times editorial, we should not sacrifice our privacy as a result of this pandemic.
Another relevant concern related to the use of collective data is government surveillance. The use of mobile data to track the movement of individual coronavirus patients in China or South Korea, for example, represents a more controversial use of the collected data.
It is certain that during this challenging time, data sharing and collaboration between academia, governments, civil society, and the private sector are key to monitoring, understanding, and helping mitigate this pandemic. However, without rules for how companies should anonymize the data, and without clear limits on the type of data they can collect and on how the data could be used and kept secure by researchers and governments, the perils might be greater than the promises. Furthermore, we need a clear path for what happens after all of this is over. For example, people should be given the option to delete user profiles they created as part of new work and school arrangements.
Given past scandals around privacy and transparency surrounding these big tech companies (in addition to the several scandals involving the current government administration), it is hard to trust that only aggregate trends would be gathered, that no identifying information about users would be collected, and that people would not be tracked over long periods beyond the scope of the pandemic.
Civil groups and academics have discussed the need to protect civil liberties and public trust, arguing for the need to identify best practices to maintain responsible data collection, processing, and use at a global scale.
The following are some of the key ideas that have been discussed:
In a public health emergency like the one we are living through, some privacy intrusions might be warranted, but they need to be proportionate. For example, it would not be proportionate to gather 10 years of travel history on all individuals for a disease with a two-week incubation period like the one we are dealing with.
This type of government and big tech company partnership needs to have a clear expiration date, as there is a hazard of improper surveillance if data gathering continues after the crisis is over. Given the historical precedents of life-saving programs used in a state of emergency continuing after the emergency was resolved, we as a society need to be very careful to ensure that such extraordinary measures do not become permanent fixtures in the landscape of government intrusions into daily life.
The collection of data should be based on science, and without bias based on nationality, ethnicity, religion, or race (unlike bias present in other government containment efforts of the past).
There is a need to be transparent with the public about any government use of “big tech data” and provide detailed information on items such as the information being gathered, the retention period, tools used, and the ways in which these guide public health decisions.
Finally, if the government seeks to limit a person’s rights based on the data gathered, the person should have the opportunity to challenge those conclusions and limits.
A few weeks ago the European Data Protection Board issued a statement on the importance of protecting personal data when used in the fight against COVID-19. The statement highlighted specific articles in the General Data Protection Regulation (GDPR). For example, Article 9 mentions that processing of personal data “for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health” is allowed, provided such processing is proportionate to the aims pursued. In the U.S. we are far from having such a framework to start discussing data collection, sharing, and use under the current circumstances.
There is no doubt as to the potential public health benefits of analyzing such data, for example the utility of identifying individuals who have traveled to hotspot areas, or of tracing and isolating the contacts of those infected. However, without a clear framework for how digital data collection companies will address privacy and surveillance concerns, we should be all the more cautious about granting them, and through them governments, access to other areas of our lives. Without due caution, not only will public trust continue to be undermined, but people will also be less likely to follow public health advice or recommendations, leading to even worse public health consequences.
Laura Cabrera, PhD, is an Assistant Professor in the Center for Ethics and Humanities in the Life Sciences and the Department of Translational Neuroscience at Michigan State University.
Join the discussion! Your comments and responses to this commentary are welcomed. The author will respond to all comments made by Thursday, May 7, 2020. With your participation, we hope to create discussions rich with insights from diverse perspectives.
Article narration by Liz McDaniel, Communications Assistant, Center for Ethics.
The search for a brain device capable of capturing recordings from thousands of neurons has been a primary goal of the government-sponsored BRAIN Initiative. To succeed would require developing flexible materials for the electrodes, miniaturizing the electronics, and achieving fully wireless interaction. Yet this past summer, it was the corporately funded Facebook and Elon Musk’s Neuralink that stepped forward with announcements regarding their respective technological investments in accessing and reading our human brains.
Image description: A black and white graphic of a person’s head with an electric plug extending out of the brain and back of the head. Image source: Gordon Johnson from Pixabay
Elon Musk, the eccentric technology entrepreneur and CEO of Tesla and SpaceX, made a big announcement while at the California Academy of Sciences. This time it was not about commercial space travel or plans to revolutionize city driving. Instead, Musk presented advances on a product under development at his company Neuralink: a sophisticated neural implant that aims to record the activity of thousands of neurons in the brain and write signals back into the brain to provide sensory feedback. Musk mentioned that this technology would be available to humans as early as next year.
Mark Zuckerberg’s Facebook is also funding brain research to develop a non-invasive wearable device that would allow people to type by simply imagining that they are talking. The company plans to demonstrate a prototype system by the end of the year.
These two corporate announcements raise important questions. Should we be concerned about the introduction of brain devices that have the capacity to read thousands of neurons and then send signals to our brains? The initial goal for both products is medical, to help paralyzed individuals use their thoughts to control a computer or smartphone, or in the case of Facebook to help those with disabling speech impairments. However, these products also are considered to be of interest to healthy individuals who might wish to “interact with today’s VR systems and tomorrow’s AR glasses.” Musk shared his vision to enable humans to “merge” with Artificial Intelligence (AI), enhancing them to reach superhuman intelligence levels.
Time will tell whether or not these grand visions, which currently veer into science fiction, will be matched by scientific progress. However, if they ultimately deliver on their promise, the products could change the lives of those affected by paralysis and other physical disabilities. Yet, if embraced by healthy individuals, such technologies could radically transform what it means to be human. There are of course sound reasons to remain skeptical that they will be ready for human use any time soon. First off, there are safety issues to be considered when implanting electrodes in the brain, including damage to the vasculature surrounding the implant as well as the tissue response surrounding the device. And that is what is currently known about inserting brain-computer interfaces with only a couple of electrode channels; consider what might happen with thousands of electrodes. There remain simply too many unknowns to endorse this intervention for human use in the next year or so. There are also salient issues regarding brain data collection, storage, and use, including concerns connected to privacy and ownership.
Image description: a black and grey illustration of a brain in two halves, one resembling a computer motherboard, the other containing abstract swirls and circles. Image source: Seanbatty from Pixabay
Beyond these concerns, we have to think about what happens when such developments are spearheaded by private companies. Privately funded development follows the “move fast and break things” pace that energizes start-up companies and Silicon Valley entrepreneurs, a pace at odds with the slow, careful approach to innovation that most medical developments rely upon, where human research subject regulations and safety measures are clear. The big swings at the heart of these entrepreneurial tech companies also bring considerable risks, and when the product is a sophisticated brain interface, the stakes are quite high. These products bring to mind scenarios from Black Mirror, a program that prompts a host of modern anxieties about technology. On one hand, the possibility of having a brain implant that allows hands-free device interaction seems exciting, but consider the level of information we would then be giving to these companies. It is one thing to track how individuals react to a social media post by clicking whether they “like” it or not, or by how many times it has been shared. It is another thing altogether to capture which parts of the brain are being activated without us having clicked anything. Can those companies be trusted with a direct window into our thoughts, especially when they have a questionable track record when it comes to transparency and accountability? Consider how long it took for Facebook to start addressing the misuse of customers’ personal information. It remains unclear just how much financial support Facebook is providing to its academic partners, or whether volunteers are aware of Facebook’s involvement in the research it funds.
The U.S. Food and Drug Administration as well as academic partners to these enterprises may act as a moderating force on the tech industry, yet recent examples suggest that those kinds of checks and balances oftentimes fail. Thus, when we hear about developments by companies such as Facebook and Neuralink trying to access the thoughts in our brains, we need to hold on to a healthy skepticism and continue to pose important challenging questions.
Laura Cabrera, PhD, is an Assistant Professor in the Center for Ethics and Humanities in the Life Sciences and the Department of Translational Neuroscience at Michigan State University.
Join the discussion! Your comments and responses to this commentary are welcomed. The author will respond to all comments made by Thursday, September 26, 2019. With your participation, we hope to create discussions rich with insights from diverse perspectives.
It was good news to learn last month that the “Golden State Killer” had at last been identified and apprehended. A very evil man gets what he deserves, and his victims and their families get some justice.
The story of how he was found, however, raised concerns in some quarters. The police had a good DNA sample from the crime scenes, which with other evidence supported the conclusion that the crimes were committed by the same person. But whose DNA was that? Answering that question took some clever detective work. Police uploaded the DNA files to a public genealogy website, GEDmatch, which soon reported other users of GEDmatch who were probably related to the killer. More ordinary police work did the rest.
Most of the concern was over the fact that the police submitted the DNA under a pseudonym, in order to make investigative use of a database whose members had signed up and provided their DNA only for genealogical purposes.
Image description: a black and white photo of the panopticon inside of Kilmainham Gaol in Dublin, Ireland. Image source: Craig Sefton/Flickr Creative Commons.
My interest in this story, however, is the way it both feeds and undermines a common narrative about our DNA—that it is uniquely identifying, and that therefore any uses of our DNA pose special threats to our privacy. As The New York Times expressed this idea, “it is beginning to dawn on consumers that even their most intimate digital data—their genetic profiles—may be passed around in ways they never intended.”
It’s true that a sample of DNA belongs uniquely to a particular individual. But the same is true of a fingerprint, a Social Security number, or an iris. More importantly, by themselves none of these pieces of information reveals who that unique individual is.
As the Golden State Killer story illustrates, it’s only when put in the context of other information that any of these admittedly unique markers becomes identifying. If the GEDmatch database contained nothing but genetic profiles, you could determine which genomes the killer was related to. But you’d have no idea who those genomes belonged to, and you’d be no closer to finding the killer.
Although an individual genome can’t by itself be identifying, it can provide a link that ties together different information sources that include that genome. It is then that collection which points to an individual, or narrows the list of possibilities, increasing the odds of identification and the threats to privacy. Imagine that the state police maintain a database of forensic DNA linked to records of criminal convictions, and provide that database to criminologists, stripped of any names or other direct identifiers. Imagine as well that a hospital provides researchers with DNA from its patients along with their de-identified medical records (which can include patients’ age, race, the first three digits of their ZIP code, and other demographic information).
If we put those together we can do some interesting research: use the DNA link to identify those who both committed various crimes and had a psychiatric history, so we can compare them to convicted felons without a psychiatric history.
But now it may take very little additional information to identify someone in that combined database and invade their privacy. If I’m a researcher (or hacker) who knows that my 56-year-old neighbor was convicted of assault, I can now also find out whether he has a record of psychiatric illness—and a lot more besides. What he had thought private is no longer so.
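To make the mechanics concrete, here is a minimal sketch in Python, using entirely made-up records, column names, and DNA profiles. Neither toy dataset contains a name, yet joining them on the shared DNA profile and then applying one piece of outside knowledge (the neighbor’s age and conviction) is enough to single out a record.

```python
# Minimal sketch of a linkage attack on two "de-identified" datasets.
# The DNA profile acts as a join key; quasi-identifiers (age, offense) do the rest.
import pandas as pd

# State police database: forensic DNA profiles linked to conviction records (no names).
convictions = pd.DataFrame({
    "dna_profile": ["AAGT", "CCTA", "GGCA"],
    "offense":     ["assault", "burglary", "fraud"],
})

# Hospital research extract: DNA plus de-identified medical records (no names).
medical = pd.DataFrame({
    "dna_profile":   ["AAGT", "TTGC", "CCTA"],
    "age":           [56, 34, 41],
    "zip3":          ["488", "490", "488"],
    "psych_history": [True, False, False],
})

# Step 1: the research merge described above -- link the two sources on DNA.
combined = convictions.merge(medical, on="dna_profile")

# Step 2: the privacy breach -- outside knowledge ("my 56-year-old neighbor was
# convicted of assault") narrows the combined table to a single row.
neighbor = combined[(combined["age"] == 56) & (combined["offense"] == "assault")]
print(neighbor[["dna_profile", "psych_history"]])
# The single matching record reveals the neighbor's psychiatric history, even
# though neither source database contained a name.
```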
The point of this somewhat fanciful example is that as more information is collected about us, from more sources, the threats to our privacy will increase, even if what’s contained in individual sources offers little or no chance of identification.
For this reason, the prospect of merging various data sources for “big data” health research will challenge the current research regulatory framework. Under both the current and the new rules (which haven’t yet gone into effect), the distinction between identifiable and non-identifiable research subjects is critical. Research using information that can be linked to an individual’s identity requires that person’s consent. To avoid this requirement, research data must be “de-identified.” De-identification is the regulatory backbone on which much of the current “big data” research relies. It allows the appropriation of patient medical records and specimens for use in research without consent, and it provides the regulatory basis for uploading the data collected in NIH-supported research into a large NIH-sponsored database, the database of Genotypes and Phenotypes (dbGaP), as most NIH-supported genomic studies are required to do. Data from dbGaP can then be used by other researchers to address other research questions.
The possibilities for merging such “de-identified” databases for research purposes will only increase, and they now include facial recognition databases being collected online and on the street. As the mergers increase, it will become more difficult to claim that the people represented in those databases remain non-identifiable. As Lynch and Meyer point out in the Hastings Center Report, at this point there will be two choices. We can require that all such research obtain at least broad consent, which will have to be reaffirmed every time a person’s data is used in new contexts that make identification possible. Or we will have to fundamentally reassess whether privacy can play any role at all in our research ethics, as the very idea of “privacy” evaporates in the panopticon of everyday surveillance.
Tom Tomlinson, PhD, is Director and Professor in the Center for Ethics and Humanities in the Life Sciences in the College of Human Medicine, and Professor in the Department of Philosophy at Michigan State University.
Join the discussion! Your comments and responses to this commentary are welcomed. The author will respond to all comments made by Thursday, July 12, 2018. With your participation, we hope to create discussions rich with insights from diverse perspectives.