Skip to content

Personal Genome Project UK email disaster: If you can’t guarantee privacy, at least try to ensure trust

It’s not often that you can write on a topic in ethics whilst rolling around laughing, so I shall take this rare opportunity to make a few comments on the ludicrous breach of privacy that occurred last night when the Personal Genome Project messed up something as simple as an email list.

I’d expressed an interest in taking part in this project which aims to sequence the genomes of hundreds of thousands of people and make these available, together with trait information, to researchers. There are clear potential worries about privacy here, as there is a potential to identify individuals from such a rich source of information. Nonetheless, I was excited to take part. After all, many of the people I know and love the most would not be alive today were it not for advances in medical science which have helped to treat diseases such as cancer and type 1 diabetes. In the past, many have risked life and limb for medical science. What was the potential of a little breach of privacy to worry about? Besides which, there has been considerable attention to ethics, privacy, and security around this project. There’s a whole ethics crew. Presumably they only hire the crème de la crème of data and IT experts. Surely these guys could be trusted to use our information wisely, and to do all they could to prevent irresponsible use?

So, knowing that there had seemingly been a large interest in taking part, I rushed to complete the initial online enrolment, hoping that I was going to be chosen. The next part of enrolling required reading through extensive documents and promised to take over an hour to complete, so at that stage I went to bed. Only to wake this morning to an email inbox chock full of hundreds of emails from other participants; the email list just copied and sent emails back to everybody who was trying to enrol. Some of these emails just gave the name of other participants, and for those who’d replied to the list, some email addresses were also visible.

Hilarious! A quick check on twitter revealed a lot of enraged, bemused and amused tweeters. Here’s a selection:

Signed up for Personal Genome Project – be sequenced for med research. They’ve publicised email addresses of all volunteers. Privacy anyone?

Can we get a hashtag going for the #PersonalGenomeProject fuckup? #isurvivedtheemailstorm

I won’t be taking part in the personal genome project. Ridiculous questionnaires & don’t appreciate >140 spam emails because of incompetence

Woke up to hundreds of emails from Personal Genome Project volunteers, cheers. Such incompetence, very reassuring, wow.

Withdrawing from Personal Genome Project – if going to be this careless with emails then I don’t think I want to be sequenced after all.

I wonder if #PersonalGenomeProject are making a point to drum home the potential implications of contributing to the project

Really starting to regret signing up to the personal genome project, too many emails, really not happy!

Greatly enjoying the Personal Genome Project train wreck that is happening in my email inbox right now.

I’ve got about fifty emails from the Personal Genome Project mailing list. They said they couldn’t guarantee privacy, but this is ridiculous

Dont think I’ll trust personal Genome Project UK (PGP-UK) with my DNA if they cant even keep their email system anonymous

HOLY SHIT this email storm is from the Personal Genome Project. If they cant handle email-list privileges then they’re not getting my Genome

These responses are pretty predictable. At least they have solved at a stroke the problem of how to sift through the excess number of people who volunteered – I wonder if they will make the total number of volunteers needed now?

There is a simple lesson to be learned from this – the fragility of trust. There are two basic strategies for ensuring ethical conduct of research: one, through robust regulations and practices which protect participants; two, through the trustworthiness of those managing research – that they have the competence and virtues necessary to handle the information entrusted to them, for the betterment of humanity whilst protecting the individual.

Anyone who wished to volunteer for this would have to be pretty comfortable with the possibility that their privacy could be breached, because there would be so many points of information available that it would be more than a theoretical possibility that to narrow this down to a precise individual. But those volunteering would also presumably probably have a commitment to advancing medical science and knowledge of human biology; and perhaps, like me, considered that the potential for privacy breach by outsiders was weighed against a prima facie high degree of trust that the Personal Genome Project was being managed by researchers with a high degree of probity, academic excellence, and competence. They must employ the best people, right? They must use the latest data management techniques, right? They’re at the cutting edge of all this, right?

Well, actually, no. This morning, a few tried to downplay this disaster by pointing out that email addresses weren’t shared, but this was false: actually whilst most of the emails that came round only displayed people’s names, for those who then replied, their email addresses then became visible to the whole group. Moreover, people can be identified from their names, of course!  Not everybody is called Mary Smith or John Brown.

But the real point is not that names and email addresses were shared. It’s not just that people were irritated that, for the trouble of volunteering for this project, their email boxes were chock full of rubbish. It’s that trust evaporated overnight with this idiotic breach of security. The entire point of this project depends upon something utterly crucial to the heart of it: the trust that those running it know how to manage data. The project is all about good data management. And they can’t even do that. A glitch in how the email list is managed can be sorted out in a minute or two. A breach of trust takes much, much longer.

Share on

8 Comment on this post

  1. I can’t say I was too happy to find my inbox clogged with several hundred responses to PGP-UK’s email from other angry individuals who, like myself, had expressed interest in volunteering to support this project. All those people will have thought that the value to science would make their participation worthwhile. They probably assumed that in view of the sensitive nature of the data, PGP would be demonstrating the very highest possible standards in management of personal data.
    Sadly, this monumental own-goal at the very outset will result in many people pulling out of this valuable research. Still, better to have PGP’s incompetence exposed at this early stage, rather than with any real data.

  2. It’s not PGP’s fault that so many people don’t understand how to use email. I doubt this fuss will be a stumbling block for PGP, because the people who are baffled by the ‘reply all’ feature are probably too lazy or dim to pass the enrolment exams. If you do enrol you might be cloned, sacked or refused health insurance. You may discover that you’re only related to one of your parents. You could be wrongly accused of murder or rape. You won’t pass the enrolment exams unless you show you understand these risks. So if you have a hissy fit about a few dozen spams from ignorant people, this project is probably not for you.

  3. The thing that disturbed me the most was that some nasty spam emails got into the system, most emails were quite funny and I was amused, then a really scary one popped up. I started to feel a bit worried that I’d been emailed by an individual with dubious understanding of appropriateness.

    I didn’t reply to them, but it was worrying. I’ve completed the exam, but still not sure whether to carry on. I’m worried about the fact they’ve not mentioned any sort of links to the NHS. This isn’t like the US, my NHS GP is hardly going to be interested if I come to her with a worry about the report I’ve received, and it is clear you can get a result that would need medical follow up. There should be a pathway that makes it possible for this to be arranged, and that can be done, especially with a project like this, it’s done for other research. I work in the NHS, hence feeling I wanted to help the research and be involved.

  4. also withdrawing from project as many of the emails I received had peoples id ref no’s included . in this instance they need to find a it person who knows what the hell theyre doing

  5. Paula Boddington

    In reply to Nick H, secure systems need to be fool proof, or they are not secure. There are easy ways of managing an email list so that ‘reply all’ just is not possible.

    I was sure that the Personal Genome Project would do what they could to restore trust. I did somehow however expect a personal reply, not just an announcement placed on their website on Monday, which is copied below. Was a personal apology too much to ask? I wonder what other people affected think. The comment they posted does not actually do much to restore my trust, (even though I went ahead to enroll) because it indicates that they don’t know how this happened apart from the usual ‘human error’, because they say they are still ‘investigating’. Unless the project is not going to be managed by humans, then it needs to try to ensure itself against human error, surely? They say they are devastated – which no doubt they are – but I would like more detail to explain if it could or could not ever happen with people’s data. Full and prompt disclosure is the best way to tackle such a breach of trust.

    “May 19, 2014

    Dear PGP-UK volunteers,

    We are devastated by the email problem, which was the result of human error, and sincerely apologise for it and any distress it may have caused.

    We immediately responded to stop the problem spreading and will ensure that this does not happen again. We ask you for your patience and understanding while we investigate what went wrong.

    Everyone who requested to be removed from PGP-UK will be removed and not receive any future announcements.

    Once again, we apologise profusely to everyone affected and thank you for your continued support.

    PGP-UK Team”

  6. FYI, on the PGP-UK website, the following fairly detailed explanation of what happened appears just below what you quoted above:

    Detailed account of the incident

    Since the Personal Genome Project UK was announced in November 2013, approximately 10,460 people registered to be notified when enrolment opens.

    On Saturday the 17th of May 2014 at 8.42pm, the Personal Genome Project UK staff sent an email to this list of registrants, announcing that enrolment was now open and providing instructions on how to begin the online process.

    Just before midnight on Saturday, one person replied to the email. Due to a configuration error, this email message, including this person’s name and email address, was sent to the entire mailing list, even though the message was intended only for the Personal Genome Project UK staff.

    Within a few hours, approximately 220 people replied to the email list in a similar manner. Each reply, along with the sender’s email address and any other content in the message, including possibly full name, was sent to the whole list of registrants, thus setting off an “email storm” that filled the inboxes of people on the list.

    Upon realizing that a mistake had been made, Personal Genome Project UK staff held an emergency meeting and immediately began working to solve the problem. By 2AM on 18th of May 2014 the misconfigured email address was turned off.

    Personal Genome Project UK staff deeply regret any distress this incident may have caused. The staff is investigating the email configuration error and is taking steps to ensure that this problem never happens again.

    Frequently Asked Questions

    Was my name or email address mistakenly shared with other members of the PGP-UK mailing list?

    The vast majority of names or email addresses were not exposed during this incident. However, if you are one of the ~220 individuals who sent a message to the email list (pgp-uk-list@ucl.ac.uk), your email address, possibly your name, and any contents of your email message were visible to the entire list of registrants.

    How do I remove my name and email address from the mailing list?

    Please send your request for removal to us at: pgp-uk@ucl.ac.uk. We will remove you immediately and you will no longer receive communications from us.

  7. I think it was a good way of filtering out the people who pay lip service to the idea that they don’t mind their details being out there for everyone to see, from the people who really mean it. The email storm was down to simple human error, which happens all the time no matter how good people are at their jobs. I felt really sorry for the team who are trying to work for a good cause. I have signed up as a participant myself.

Comments are closed.