Can you have both?

Thanks to several companies, DNA testing has become a popular way to learn more about your family history and your health. While this seems neat and helpful, it’s not without risk. Some cold cases have also been solved using DNA from relatives of killers. Do you know if your privacy is being protected? Are there other risks involved in submitting your DNA to these companies?

DNA Testing & Privacy

The use of DNA testing in medical and scientific settings has been going on for decades. The latest trend of direct-to-consumer testing kits is still relatively new. The three biggest companies, you’ve probably heard of them, are 23andMe, and MyHeritage. In addition, participation in public databases, such as Promethease and GEDmatch, has skyrocketed too. Their goal is to provide you with evidence about your genealogy and, in some cases, statistics about what diseases you’re most susceptible to. Many people desire to learn this information. As of last fall, over 19 million people had taken a test from Ancestry or 23andMe. DNA sequencing has gotten better and cheaper, which is why the size of these genealogical databases has grown rapidly. One study found that the DNA of 90% of Americans of European descent will soon be identifiable using genetic genealogy. In order to use these services, you’re required to send them a piece of your DNA via swabbing your cheek or giving a saliva sample. Many people don’t realize just how sensitive this material is, but it’s the most intimate data we can provide about ourselves. Often, it’s being used for ends that the participating individuals aren’t even aware of and can’t always control. While some companies are transparent about the sharing of data, others are less so. One survey done in 2016 showed that only a third of the 90 companies that were offering genetic testing services described how the data would be used.

What most people aren’t aware of is that the DNA testing companies sell your DNA and other data to third parties. These third parties are often pharmaceutical companies who want to use the information for research purposes. The material allows researchers to identify links between certain genes and a disease, so they then try to develop drugs that interfere with the action of disease-causing genes. Some of the DNA testing companies require you to fill out a separate agreement giving permission to use your DNA data for this purpose. Over 80% of 23andMe customers have agreed to let the company share their DNA with research partners. However, as part of this agreement, you waive all claims to a share of any profits that come from the research. When you take into account that those profits could be substantial, it should make you question whether or not this is fair. In addition, when you agree to allow the companies to sell your information, it’s supposed to be stripped of any identifying labels like your name or address. Sometimes, companies use what’s called de-identified aggregate data, which consists of summaries that don’t specifically distinguish individuals. However, genealogy research experts are able to re-identify individuals from that data, which is very concerning. Since 2009, researchers have proven that by comparing large sets of supposedly anonymous DNA data with public datasets from censuses or voter lists, they could correctly identify between 40% and 60% of all genetic testing participants. This is worrisome since pharmaceutical companies aren’t the only ones who want access to this genetic health information. Others, such as insurance companies, individuals involved in paternity/inheritance disputes and law enforcement agencies, want it too. Some experts surmise that in the future, this important data could be used for identifying terrorist suspects, tracking military personnel and limiting treatment in overstretched healthcare systems.
Some of the companies also have a family finder feature that lets potential relatives contact you if your DNA matches. Another permission you might be asked to give is to allow the DNA testing company to store your sample, which would allow them to go back and test it again if more advanced techniques are developed in the future. The issue is that with all of these databases there is uncertainty about who has access to them and for what purposes. Just how well is your privacy protected?

In 2017, a research team looked at DNA testing companies’ privacy policies and discovered most of them were lacking. They found that 40% of them don’t have a written policy that specifically mentions genetic data. The team pointed out that there are fewer protections regarding genetic material with consumer DNA testing kits than there would be if you were taking a medical test. This is because when a doctor takes a DNA sample, that sample is protected by the Health Insurance Portability and Accountability Act (HIPAA), which means there are limits on how it can be shared. Obviously, a health tech company is not a doctor, so they don’t have to follow the same rules. The only regulatory body that oversees DNA testing companies would be the Federal Trade Commission (FTC). They don’t have a specific policy regarding genetic data but have the ability to regulate unfair and deceptive business practices in all industries. Back in 2018, a Fast Company report showed that 23andMe and Ancestry were being investigated by the FTC over their policies of handling personal info/genetic data and how they share that info with third parties. There are some additional regulations, like the Genetic Information Nondiscrimination Act (GINA), but it’s severely deficient in its ability to protect individuals. The Act only covers companies with more than 15 employees, and it doesn’t apply to federal workers, soldiers and officers, or to individuals who receive their insurance through the Federal Employees Health Benefits, the Veterans Health Administration, the U.S. Military (TRICARE) and the Indian Health Service. Also, it doesn’t prevent you from being discriminated against because of your genetic test results when you apply for life, disability or long-term insurance.

Some experts point out that these companies have a good reason to protect your DNA because their business’ future relies on maintaining the trust of consumers. This is why they typically remove personal identifiers, such as your name, from your genetic code before they sell it to researchers or drug companies. In addition, they usually store your personal information and your genetic data in separate environments to protect against a potential hack. Unfortunately, this isn’t foolproof. Hacking is a major concern with any data. Since your genetic data is typically stored in the cloud, it’s very possible that hackers can get access to it. For example, in June 2018, over 92 million accounts from MyHeritage were found on a private server. Thankfully, the DNA data wasn’t breached. Another concern is that once your information is sold to a third party, how does it stay protected? While most DNA testing companies make clear that they will not share your DNA with any third party unless you explicitly consent to it, they can’t guarantee what happens to it once it leaves their database. This is troublesome since the vast majority of consumers opt in to this choice. Another concern is that over time, a company’s situation, or privacy policy, can change and what happens to your data then? Experts say the current way of operating doesn’t adequately protect users and feel that, at minimum, the platforms should encrypt all genetic data, have users create a login that isn’t their email address and use two-factor or multi-factor authentication, which is a security step used by many banks and data companies. This means you would be required to provide two or more pieces of evidence before being allowed to access sensitive information.

One of the worst things about DNA testing and your privacy is that you don’t need to perform any tests yourself to compromise your data. If your siblings or distant relatives decide to test their genome, it’s almost as good as if you did it, too. For a sibling, around 50% of your DNA matches. A skilled genetic genealogist can compare an anonymous DNA sample with identified ones, which allows them to focus in on a person’s relatives, and then, identify the person themselves. One study hypothesizes that if there was a genetic database of 1.3 million US residents, roughly 60% of all white Americans could be traced to a third cousin, who is someone who shares a set of your 16 great-great-grandparents. We all have at least 800 of these individuals out there somewhere and there’s a good chance that some were excited enough about genealogy to join one of the many sites. In regards to this finding, an additional item that you should be concerned about is that law enforcement knows these companies have this DNA material and they’re asking for it. Others who may request this information are the federal government, including the State Department or US Military. Both 23andMe and Ancestry provide a transparency report on all requests made by law enforcement and government. While none of the leading genetic testing companies allow users to upload raw DNA samples, you can download your genetic data from your account and share it with GEDmatch or another open personal genomics and genealogy database. This is how law enforcement was able to track down a suspect in the Golden State killer case. The person arrested was 72-year-old Joseph James DeAngelo, a former police officer. He is believed to have killed at least 12 people, raped over 45 and burglarized hundreds of homes throughout California in the 1970s and 1980s. To crack the case, law enforcement agents uploaded their suspect’s DNA to GEDmatch using a sample from a crime scene. 
Using a team of experts, they were able to examine and compare several sets of data until they found their suspect. Even though DeAngelo had never participated in any genetic testing, 24 of his relatives had and this is how they were able to identify him. The announcement of how he was arrested led to a revolution in forensics that has helped to solve more than 50 rapes and homicides in 29 states. Many experts feel the technique could be used to solve a vast number of cold cases across the country, including at least 100,000 unsolved major violent crimes and 40,000 unidentified bodies. A forensic consulting firm, Parabon, has used the technique to garner 49 genetic identifications that have reopened a variety of cold cases, like the 1987 murder of a young Canadian couple, six rapes in North Carolina and the slaying of a Stanford University graduate that happened 46 years ago. So far, it has resulted in at least 17 arrests, some of whom were never considered a suspect. The National Center for Missing and Exploited Children said it’s revisiting almost 700 cases involving unidentified children’s remains. They’ve already been able to identify about 15.

This seems like a very positive use of genetic material. A survey from Baylor College of Medicine found that the majority (91%) of people favor law enforcement’s use of consumer DNA databases to solve violent crimes and about half (46%) for nonviolent crimes. The concern from some ethicists is that it can violate a person’s privacy, especially those who didn’t take a genetic test. This is why after receiving criticism for allowing police to search profiles without users’ permission, in early 2019, GEDmatch changed its privacy policy to restrict law enforcement searches. The company decided that it wanted to make sure members understood explicitly how investigators were using the site. In order to do this, it altered its terms of service to automatically exclude all members from law enforcement searches. If members wanted to permit their information to be used in that manner, then they needed to opt in. Essentially, this took the number of profiles available to law enforcement from more than 1 million to zero in an instant. This change has made cold cases much harder to crack. Authorities say that it’s allowing some criminals who could be identified and caught to remain undetected and unpunished. However, the number of individuals who’ve decided to opt in has been steadily growing; so far, it’s around 181,000. Investigators say that they need at least 1 million participants to be able to solve cold cases with regularity. Many experts doubt that the DNA testing companies are going to be willing to cooperate with informal law-enforcement requests since their primary goal is to protect the privacy of their members. However, law enforcement has barely begun to test the power of the subpoena in this area, so it’s really unfamiliar territory in the legal domain. Some groups hope to persuade more people to permit law enforcement access to their genetic data.
They point out that public crime labs are not equipped to do the kind of DNA analysis required, and police generally aren’t as fluent in the methods used to build family trees as the experts at the DNA testing companies are. On the other hand, some feel that if law enforcement is going to be looking through the sensitive information on these sites, there should be more regulatory restrictions. Some of the ethicists feel this is especially true because a decision by FamilyTreeDNA to move from secretly cooperating with the Federal Bureau of Investigation (FBI) to marketing itself as a way to catch killers has left many of them alarmed. One thing is for sure: thousands of criminal cases and the future of genetic data privacy are at stake.

There’s no question that when you’re signing up on a DNA testing company site, they ask a lot of questions that are boring. Nevertheless, if you want to protect your genetic data, you need to read them all carefully. In fact, you should read the company’s privacy policy since this will outline what data the company collects, how it’s used and what control you have over it. You also need to look at what choices you have, in terms of things you can opt into or opt out of. If you give the company permission to share your data with another research organization, you should be able to revoke it later. Despite having the ability to prevent your information from being shared, you most likely won’t be able to delete your data from third parties that have already received it nor guarantee that those third parties won’t share your data with yet another company or research organization. It’s also a good idea to check out the company’s policy regarding deleting your information. Almost all the major platforms allow you to do this with each one having its own process. For 23andMe, go to your account settings page and find the “Delete Your Data” option under “23andMe Data.” Prior to deletion, you can download any or all of your data. However, experts warn against downloading your personal DNA data because once you do this, it’s no longer protected by any of the company’s security measures. If you had agreed to have your sample saved, it will also be physically destroyed. For Ancestry, you sign in to your account, click the “DNA” tab and choose “Your DNA Results Summary.” Next, go to “Settings” and choose “Delete Test Results.” You’ll have to enter your password again to confirm that you want to delete your information. Not only will this delete your DNA data, but it’ll also prevent you from appearing in any family finder results.
For MyHeritage, log into your account, click your name in the upper-right corner, and choose “Account Settings,” then scroll to the bottom of the page and click “Delete Account.” It’s important to note that all of the companies that use a laboratory must follow regulations under the Clinical Laboratory Improvement Amendments (CLIA). This means that some data, such as your DNA, sex and date of birth, will be kept in order to comply with these regulations. However, the company is no longer allowed to use that information. Even after requesting that your data be deleted, how do you know that the company actually did it?

Genetic data is like all data in that once it’s out there, it’s very hard to control, which is why it’s essential to be aware of vulnerabilities when it comes to protecting that information. Yes, the data you share with genetic testing companies is supposed to be private, but upholding that privacy is getting harder. These companies should have the highest level of security and they don’t. According to privacy experts and bioethicists, the best way to protect your data is to not hand it over in the first place. However, if you do want to participate, stick with the larger companies because they’ve got acceptable privacy policies and are more likely to have a vested interest in keeping your genetic data private.