How Private is Your Data Once You've Taken a Home DNA Test?
Getting your DNA tested so you can establish your ancestry or get the benefit of a diet and fitness plan that’s specific to your genetic needs sounds interesting, even if not entirely fun.
You don’t have to draw blood or spit into a tube and you can get the results back within a matter of weeks. Home DNA tests aren’t even particularly expensive, so what’s stopping you from finding out more about yourself, or giving a loved one the same opportunity? Privacy, possibly. Or trust.
Issues surrounding how your DNA data is handled and shared once it’s been voluntarily submitted to a DNA testing company are becoming increasingly controversial as the home DNA-testing market continues to expand. Recent events have given rise to further concerns about how that data is actually being used and who has access to it.
After doing a cheek swab DNA test, you’ll send your sample into a laboratory for testing. Each cell within that sample contains your entire DNA, including the mutations that make you a unique individual. Sharing such intimate data with anyone requires a certain level of trust and it’s unclear whether home DNA testing companies are really worthy of it.
Are Drug Companies Using Your DNA?
One of the latest DNA-related stories to hit the headlines revealed how DTC DNA-testing company, 23andMe, recently sold a massive share of its business to pharmaceutical giants, GlaxoSmithKline.
This is both good and bad news, depending on your perspective. The idea that 23andMe’s expansive database of genetic profiles could help further research into specific illnesses and potentially develop new drugs that could help sufferers is extremely exciting.
On the other hand, the notion that they might be using private individual’s data without fully informing them first is more than a little disconcerting.
23andMe have been quick to reassure potential clients that they have a choice as to whether or not to participate in any research the company’s involved in, and the right to opt out at any time. If you read the small print, however, things can get rather confusing.
For example, although the company says you can delete your information from 23andMe’s database at any time, when you actually attempt to do so, you may well be information that, in order to comply with the 1988 Clinical Laboratory Improvement Amendments, 23andMe is obligated to store your genotyping results for at least two years!
This is just one example of the confusing and contradictory nature of many DTC DNA testing companies. Another clause in 23andMe’s Privacy Statement explains that, if you choose not to consent to research, “your Genetic Information and Self-Reported Information may still be used by us and shared with our third party service providers as outlined in this Privacy Statement”.
Unfortunately, that means that for the consumer is that they have very little control at all over who sees their genetic information or for what purpose.
Furthermore, the director of consumer privacy at Stanford Law School’s Center for Internet and Society, Jennifer King points out, just because a pharmaceutical company has access to your DNA, it doesn’t necessarily mean it’s being used to save the world. “If your DNA helps develop a drug for a pharmaceutical company, there is nothing governing what they do”, King said. “It could be a drug they sell at a high profit but doesn’t help the world become a better place”.
How Much Can Your DNA Sample Reveal About You?
This is a tricky question and while there are many fear-mongering and naysayers out there who are more than happy to regale you with stories of just how vulnerable sharing your DNA might be.
There is another side to the story, however, that should also be given a voice. According to one blogger, “Your identity cannot be stolen from this data sampling of your DNA” because, essentially, those people looking at it, even on an open source site like GEDmatch, only see the overlap where it matches another individual’s DNA and not the entire profile.
Furthermore, FamilyTree DNA, a company that was recently in the news after it allowed the FBI access to its database, compares storing your DNA in their database to putting your money in a bank account – it may be in a remote location, but it’s still yours, they say.
You also have the right to ask for it to be destroyed or even sent to you for safekeeping whenever you choose.
FamilyTree DNA CEO Bennett Greenspan also explained that, as law enforcement agencies used the service in the same way as other users, creating accounts and uploading DNA samples, “they would not be violating user privacy and confidentiality”.
Although DTC DNA testing companies claim their results are very accurate, it could just be that the lack of accuracy is what gives you the most protection. According to a report published by the UK non-profit organization, Sense of Science, DTC ancestry report is far from specific.
On the contrary, the information and history you receive in your report “could equally be given to thousands of other people”. That’s not to say the information isn’t interesting or enlightening, but it is reassuring when it comes to the question of your genetic data and how it affects your online privacy.
Ok, so your genetic data isn’t 100% safe once you’ve submitted it for a home DNA test but, then again, it isn’t going to make you half as vulnerable as the alarmists want you to believe.
What Do You Risk When you Submit a DNA Sample?
As with any information that is transferred or stored digitally, there are potential cyber risks involved. Not only could your DNA data be lost or corrupted, but it could also be hacked into.
Last year, MyHeritage.com announced an extensive security breach that affected 92 million accounts. According to the DNA testing company, email addresses and hashed passwords were found on a private server outside the company’s system and were therefore vulnerable to cyber attacks and hackers.
Fortunately, MyHeritage.com keeps sensitive data such as genetic information and family trees on separate, segregated systems that are protected by several layers of security. So, yes, some information could be hacked but, even in the worse security breach, it’s doubtful your DNA data could actually be linked to you or be used to identify you.
Taking risks with your own private data is one thing, but making your loved ones vulnerable is quite another and, unfortunately, if you submit a DNA sample, you threaten to expose all those related to you.
Remember the case of the notorious Golden State killer? Between 1974 and 1986, a series of crime sprees in California resulted in 12 murders, more than 100 burglaries and over 50 rapes. The police investigation carried on for over 30 years until DNA gave them the breakthrough they’d been waiting for.
Having secured sample DNA from one of the crime scenes, law enforcement agents had turned up nothing when they ran it through official databases. When, however, they turned to a public database, GEDmatch, they located 15 possible relatives, enabling them to narrow down the search and, eventually, pinpoint the suspect, 73-year-old Joseph James DeAngelo.
After this technique became public, a research team at MyHeritage.com took a closer look at their own database and projected that, if you are of European descent and living in the US, there’s a 60% chance that one of your relatives has uploaded a DNA sample into their database.
In other words, if you upload a DNA sample, you effectively compromise the privacy of anyone related to you, even if they’re as distant as a third cousin.
What’s Protecting You and Your Genetic Data?
To be fair, not a lot. In the US at present, the only legislation relating to your DNA is the Genetic Information Nondiscrimination Act (GINA) which was passed 11 years ago. Genetic testing has come a long way in the past decade but authorities don’t seem to be keeping up.
GINA prevents employers from using genetic information as the basis of their decisions, be they hiring or firing someone. It also forbids insurance companies from using such information for the basis of any decisions relating to eligibility, cover or premiums. Beyond that, you’re pretty much on your own. Even the Health Insurance Portability and Accountability Act (HIPAA) doesn’t include genetic information.
While there are some positive repercussions from having large databases of genetic information, there are also some very valid concerns. For instance, while most of those who’ve conducted a home DNA test are pleased to hear that the technology is helping law enforcement agencies locate and arrest dangerous criminals, some are also worried about whether such agencies will know when to stop.
One DNA home test user, writer Kylie Charles, said “It makes me a little nervous, not in the sense that this technology is being used to stop violent criminals, but whether law enforcement will know when to stop. Will it just be used to catch murderers? Or will it be used to catch protesters one day, too?”
As with any digital information, you also need to be accountable for its security. If you use a weak password, like 1234 or password, to protect your home DNA test account, you deserve very little sympathy if that account is hacked into. Practicing common sense and managing your own online security is as vital to your DNA reports as it is your credit card details.
At the end of the day, however, whether to test or not comes down to a very subjective point: do you trust DNA testing companies, laboratories, drug companies, and law enforcement agencies to handle your sensitive DNA data responsibly? If the answer’s no, then you should probably put off doing a DNA test until legislation or business protocols change… which may not be in the too distant future.
The Future of DTC DNA Testing and Storage
Since the security breach last year, MyHeritage.com has announced its plans to increase security through a two-factor authentification process which will make online accounts and DNA reports safer and less vulnerable to cyber attacks.
Another company has gone a step further and last year launched the first pilot of its anonymous blockchain-based genome sequencing system. Yes, that’s quite a mouthful but what it basically means is that your DNA could be uploaded and stored in an incorruptible digital ledger.
The only thing linking your DNA sample with your account or ‘wallet’, would be a code that is only revealed once – on the DNA sample collection kit. In other words, not even the company knows who you are!
DNAtix was founded in 2014 and started investigating how blockchain technologies could be incorporated into the DTC genetic testing industry in 2017. Recognizing that DTC genetics tests require “consumers to sacrifice their anonymity and relinquish control of their personal data”, DNAtix seems to have got to the heart of the DTC DNA industry’s biggest problem.
The DNAtix solution is to isolate blocks of information and encrypt them, separating them using a peer-to-peer network. In other words, DNAtix is adapting some of the cybersecurity solutions utilized by VPN providers to solve the privacy issues facing DTC DNA companies.
It’s definitely not all doom and gloom and it looks as though online privacy and your genetic data are finally being given the attention they deserve.
While few of us would want to prevent drug companies from having access to data that could galvanize their development of life-saving medicines, or stop law enforcement agencies utilizing genetic data to track down violent criminals, many of us would prefer to have a little more control over our private DNA data, how it’s stored and who gets to access it.
With the FTC very much on the case and investigating just how DTC DNA testing companies handle user data and safeguard personal privacy, and companies like DNAtix coming up with alternative systems to ensure anonymity and data security, the future for home DNA testing is looking bright.
So, even you’re currently reluctant to conduct a home DNA test because of the privacy implications, the chances are, those issues will have been resolved in the near future, making the whole process more user-oriented and placing personal privacy at the top of the industry’s priorities.