
What Are the Privacy Risks of DNA Testing Kits

DNA testing kits have become quite popular, but do they put your privacy at risk? In this article, I explore the privacy consequences of DNA testing.

We all wonder where we come from. Where did our family originally come from? Who do we share our genes with?

There is an easy way to find out all of this and more. All it takes is a little bit of spit, or a swipe of the inside of your cheek.

Personal DNA testing is a relatively cheap and easy way to find out who you’re related to, while also unlocking data on possible health problems or tendencies.

However, if you’re considering buying a DNA test for yourself or as a gift, keep in mind that there might be hidden costs, including long-lasting privacy issues. DNA tests can also expose family-related issues, such as affairs or undisclosed adoptions.

Who Owns Your DNA Data?

While your saliva may belong to you, what about the data the DNA service collects about you by using that spit?

To test your genes, commercial DNA services ask for rights to your DNA information. As is usual in cases like this, the details are buried in the terms of service.

AncestryDNA and 23andMe both include mentions of the companies’ legal rights to use your DNA data.

For example, AncestryDNA mentions in its terms of service that:

“Also, by submitting User Provided Content through any of the Services, you grant Ancestry a perpetual, sublicensable, worldwide, non-revocable, royalty-free license to host, store, copy, publish, distribute, provide access to, create derivative works of, and otherwise use such User Provided Content to the extent and in the form or context we deem appropriate on or through any media or medium and with any technology or devices now known or hereafter developed or discovered. This includes the right for Ancestry to copy, display, and index your User Provided Content. Ancestry will own the indexes it creates. Notwithstanding the non-revocable and perpetual nature of this license, it terminates when your User Provided Content is deleted from our systems. Be aware that to the extent you elected to make your User Provided Content public and other users copied or saved it to the Services, this license continues until the content has been deleted both by you and the other users.” 

The above means you are giving AncestryDNA a license to publish, distribute and offer access to your DNA information. However, you can delete your DNA information at any time to prevent AncestryDNA from sharing it or offering any further access to it.

Meanwhile, 23andMe includes a “Waiver of Property Rights” on DNA you submit to the service.

While DNA companies obtain your consent before using your DNA for research, customers may not realize that they are not required to grant that consent. Consent forms are often badly designed and may not clearly lay out the user’s options, which can lead users to believe that consenting to research is required in order to get their test results.

What About HIPAA, GDPR and Other Privacy Regulations?

DNA data is health information, right? Doesn’t that mean that it is protected by privacy legislation, such as HIPAA in the United States and GDPR in Europe?

Unfortunately, HIPAA only applies to genetic information gathered under the authority of health providers. Health providers include hospitals, private medical practices and medical clinics. Health insurance companies must also follow HIPAA regulations.

However, these regulations don’t apply to private companies, unless they are performing the services for a healthcare organization.

This means that companies like 23andMe are not subject to these regulations, as they are not health providers. As long as they are testing your DNA for commercial (non-medical) reasons, they are not subject to HIPAA regulations.

If you live outside of the United States, you may have a bit more privacy protection under the law. In Canada, private companies are subject to PIPEDA regulations, which puts limits on the collection, usage, and disclosure of personal DNA information.

In Europe, the General Data Protection Regulation (GDPR) applies to all organizations that collect and process personal data. Genetic data is specifically named in Article 9, “Processing of special categories of personal data”. The 23andMe website includes a specific section to illustrate its compliance with the GDPR.

This means that DNA testing firms can’t do anything with the customer’s DNA data unless the customer gives express written consent. DNA testing firms must also notify users that they have the right to ask for their data to be corrected or removed. The firms also can’t retain the data for any longer than needed to complete the processing the customer has agreed to.

Can Your DNA Affect Your Insurance?

Your DNA can suggest that you may be predisposed to certain medical issues as you age.

This is valuable information to life insurance companies. And they may indeed have access to this information.

While the Genetic Information Nondiscrimination Act (GINA) prevents health insurance issuers from using DNA information to deny health coverage, life insurance companies face no such restrictions. This means that customers whose DNA indicates a genetic predisposition for ailments, such as breast cancer, can be turned down for coverage.

Life insurance companies legally have the right to access your medical records, which can also include DNA tests if you have had one performed.

Wait, I’m Adopted?

It’s a standard bit of lazy writing for soap operas: one of the characters discovers (DUN! DUN! DUN!) that one or both of their parents aren’t related to them by blood.

Unfortunately, thanks to the popularity of DNA tests, there has been a real-life twist placed on parent/child relations. (And in some cases, a bit of a strain between Mom and Dad.)

Paternity testing has been around for decades, but when such a test is ordered, the paternal relationship is already in question. The results of a consumer DNA test, by contrast, can come as a complete shock. It may turn out that the man you’ve been calling “Dad” for 30 years is just a nice, unrelated man who raised you.

DNA tests can show that there is no genetic connection between a parent and child. This may lead to the discovery that the child was either adopted or the result of an affair. Talk about a lousy Christmas! Remember, as 23andMe warns potential users, “Once you obtain your Genetic Information, the knowledge is irrevocable”.

Also, keep in mind that by giving up your DNA to a testing firm you may be exposing family members without their consent or knowledge.

A user’s DNA testing data led to a family member’s 2018 arrest for murder. (He was the infamous Golden State Killer.) Investigators compared DNA evidence from a crime scene years ago to DNA samples uploaded to a commercial DNA platform, GEDMatch. While the suspect hadn’t uploaded his DNA, a relative living in Oregon had.

Investigators mapped out relatives in a family tree until they could narrow down the pool of suspects and make an arrest.

Law Enforcement Access to DNA Data

Access to DNA testing by law enforcement has proven to be a rising concern. This has led to an ongoing debate as to how much access to DNA law enforcement personnel should have.

23andMe’s terms of service say the firm responds to legal requests for DNA data on a case-by-case basis. AncestryDNA also considers legitimate legal requests, including warrants and subpoenas. Such requests continue to be on the rise.

As mentioned above, April 2018 saw the arrest in a decades-long case involving the Golden State Killer. Police took forensic evidence from decades ago and checked it against the data available on a commercial DNA service, GEDMatch.

While the suspect’s DNA wasn’t available on the service, the DNA of a relative living in Oregon was. The investigators used that DNA to narrow down the suspect pool enough to make an arrest.

November 2019 saw courts allow a Florida detective to search GEDMatch’s servers.

If this sets a legal precedent that allows issuing warrants for DNA data, DNA testing companies’ privacy policies will become useless.

However, there is a possibility that this won’t happen. Since GEDMatch populates its database with data from users that upload the data from other services, such warrants wouldn’t be applicable to DNA analysis services that do direct-to-consumer analysis. Companies could challenge such warrants on the grounds of user privacy.

Law enforcement may not require a warrant in some cases. In December 2019, forensics testing firm Verogen acquired GEDMatch. Verogen is a company that specializes in assisting police in investigations. Currently, the firm says customers must opt-in to allow sharing of DNA data with law enforcement.

Why Is Law Enforcement Access to DNA Worrisome?

Growing law enforcement access to DNA data has raised concerns for scientists and civil rights advocates. Researchers fear fewer folks will be open to sharing their DNA data for health research, due to fears that the information may end up in a database accessible to law enforcement.

Others fear that providing DNA information to law enforcement violates the Fourth Amendment, which prohibits unreasonable search and seizure.

Sadly, at least one country (China) is using DNA in conjunction with sketching software to create rough models of a person’s face. The Chinese government is using it to crack down on Uighurs and other Muslim minorities.

Also, while the science of DNA is well-developed and reliable, there are questions about human error during testing, and in many cases DNA test results have later been found to be wrong.

DNA: A Target For Hackers

Even if a company doesn’t voluntarily share your DNA data, and has the most solid privacy policy around, it could still be at risk.

Data breaches occur on what seems like a daily basis nowadays, and DNA repositories are not immune to the breaches.

In 2018, DNA testing site MyHeritage had more than 92 million users’ email addresses and hashed passwords stolen. The company soon after increased its security with two-factor authentication. In November 2019, Veritas Genetics was also hit with a data breach.

Hackers steal DNA information for the same reason they hack into any other system: because it is profitable.

Hackers can hold DNA data for ransom by threatening to expose medical conditions and related secrets to the public.

Unfortunately, unlike when login and password information is stolen, DNA cannot be changed – once it has been exposed, it’s always out there.

What Can You Do to Protect Your Privacy?

If you’re concerned about the privacy of your DNA testing data, you can take several steps to help protect your privacy.

First, only deal with reputable, trusted DNA testing companies. In July of 2018, several reputable testing firms agreed to adhere to a set of Privacy Best Practices. The companies that agreed include 23andMe, AncestryDNA, MyHeritage, Habit, African Ancestry and Living DNA.

Before you commit your data to any DNA service, actually read their privacy policy and terms of use. These are available on the companies’ websites. Don’t skim the policies, actually read them. If you have any questions, contact the company for clarification.

Pay close attention to your opt-in privacy options. Much like ballot propositions in California, the wording of privacy options can be somewhat vague. Again, if you’re not sure, contact customer support, or simply opt out.

When it comes to ancestry-related testing, be sure to pay attention to how much of your profile information you wish to make public. It’s a good idea to hold back on sharing at first, at least until you get an idea of how the communities operate.

You can also designate whether or not you’ll allow your DNA-matching relatives to contact you.

While this may be enticing, you should keep in mind that this may result in long-lost distant relatives contacting you if you win the lottery. However, if you’re doing the DNA submission with the idea of finding long-lost relatives (maybe they’ve won the lottery?), you’re going to have to share to see any results.

Make sure that you can block life insurance companies from accessing your DNA info. As mentioned before, life insurance companies can deny coverage because of DNA indicators.

Think twice about uploading your DNA data to third-party databases, such as GEDMatch or Promethease. While these are excellent tools for experienced users, they could further expose your DNA info to increased privacy risks.

In Closing

We’re still learning the risks and dangers of using DNA technology in the wrong way.

Unfortunately, as you might expect, less-than-scrupulous people are looking for ways to profit from illegal use of DNA data, law enforcement has a yen to examine DNA data, and some governments use DNA data to crack down on certain minorities.

DNA testing is important in many ways, and can help you understand your family’s history. However, you should consider the possible drawbacks before submitting your DNA to any company.
