Privacy Concerns with DNA Ancestry Tests: It's All Fun and Games Until...?
Last updated May 2019
While it’s fun to submit DNA to a testing service to learn you might be 10 percent Nigerian, Norwegian, or Native American, these tests sometimes lead to unforeseen or unwanted consequences, and there are serious privacy issues at stake—after all, we’re handing off our entire genetic identities.
There’s little profit in charging $60–$100 to analyze DNA to report on ethnicity. The real profit potential lies in selling all the genetic data they are scooping up.
Most DNA ancestry companies ask customers if they wish to participate in affiliated research projects. Because most of us want to help find cures for devastating diseases like cancer, Alzheimer’s, and Parkinson’s, opt-in rates are high—23andMe says 80 percent of its customers do so.
These companies share de-identified data—they remove your name and other details. If you opt in but later change your mind, all the companies make it fairly easy to notify them you want out; there’s usually a page under account settings, or you can send a message to a help desk. But they won’t retrieve your genetic info from projects already begun and can’t remove it from completed ones.
Is Privacy a Priority?
Because these companies hold customers’ entire genetic identities, plus their names, DOBs, credit card info, and family relationships, they’re big targets of hackers. But some have done poor jobs at safeguarding these data: In 2018, MyHeritage disclosed it lost account details for more than 92 million customers to hackers. In 2017, Ancestry lost 55,000 customer sign-ins to hackers. Both claimed their customers’ genetic data wasn’t stolen, but these breaches are nonetheless alarming.
Even if the company carefully safeguards your data, “it is being passed along to a lot of other companies—labs, IT contractors, marketing analysts, researchers, and others—and I can’t imagine that every single company uses the most stringent methods to protect your data,” says Katie Hasson, Program Director for the Center for Genetics and Society, a nonprofit that encourages responsible uses of genetic and reproductive technologies.
And although companies provide researchers with de-identified, aggregate genetic data, Hasson warns that because so much data from DNA tests are now publicly available, “one thing that’s really worrying is that it turns out it’s pretty easy to re-identify people’s data.”
What Will They Do with Your DNA?
There are also reasons to worry about what these companies do with the DNA they collect. We don’t think customers are always given adequate disclosure about what happens to their submitted DNA when they opt in to research projects. Customers are essentially giving these outfits unlimited licenses to do whatever they want with their DNA, and that of their families, too.
“We don’t have a lot of visibility into these companies’ plans, and there are no consumer protections for these data,” says Jennifer King, Director of Consumer Privacy for Stanford Law School’s Center for Internet and Society.
While most of us are happy to help researchers looking for breakthrough medical cures, you might not agree with—or even be able to learn about—the purposes or research goals of studies that use your data. If you opt in, you can’t object to inclusion in a study if you don’t like the subject matter. “The research can be looking for expensive cures for baldness, not just the sort of humanitarian projects you might happily agree to help with,” notes Hasson.
Some DNA ancestry services seek commercial partnerships with “third parties.” 23andMe is partially owned by Alphabet, the holding company that also owns Google. In addition to licensing data to researchers, it has many data-sharing commercial partnerships. For example, in July 2018 pharma giant GSK announced a $300 million investment in 23andMe for access to its data.
Helix, National Geographic’s DNA-testing partner, sells its data to about 25 companies.
AncestryDNA now says it shares data only with non-commercial research institutions. But until recently it had a partnership with Calico, a secretive company formed with a $1 billion investment from Google that has an ambiguous mission of “tackling aging and increasing healthspan.” Although AncestryDNA and Calico announced in 2018 that their agreement had ended, neither made any public disclosures about what was accomplished by the partnership or even what research was done.
“Their customers think they are helping to cure cancer, with little skepticism of what else they might do with their genetic data. Sure, they’ve partnered with cancer researchers, but they’re also working with other companies, and little is known about some of these projects,” says King. “Some companies getting your genetic data look like they’re interested in behavioral marketing. For example, 23andMe is working with Procter & Gamble Beauty. What do they want to know about me?”
Although these companies have received millions from private investors who expect eventual big payoffs, you won’t share in any windfall profits made from analyzing your genes.
We think these companies can provide greater transparency about exactly what they do with their genetic info. What projects are ongoing? Why are they being done? Who is doing the research? What findings or discoveries have been made? While companies’ carefully worded privacy statements and terms of use agreements promise to protect their customers’ identities, there are few details or notifications about what exactly they do with their data and no way to back out of individual projects.
Few Legal or Regulatory Protections
The federal Health Insurance Portability and Accountability Act (HIPAA) provides strong patient privacy protections but covers only info handled by hospitals, doctors, health insurance plans, and other specifically named entities—it doesn’t apply to genetic information you collect and send to DNA ancestry outfits.
Other laws bar employers from using genetic information to discriminate, and prevent health insurance plans from using it to decide whether to offer someone coverage or to set their rates.
But no laws prevent life, disability, or long-term-care insurers from considering genetic info when offering coverage and pricing. The only barrier to them getting and using your genetic info to see if you’re predisposed to, say, Alzheimer’s before signing you up is the policies of the DNA-testing services themselves. And those policies are malleable. While AncestryDNA, for example, currently promises it won’t share your data with commercial parties such as insurers “without your express consent,” its policy also says, “We may modify this Privacy Statement at any time.”
Law enforcement agencies are also very interested in these genetic data. Investigators famously solved the Golden State Killer case by comparing his DNA collected at a crime scene to samples his relatives submitted to an open-source genetic database. Police have used similar methods to solve other cases.
With So Many Risks, Consider Opting Out of Research
Even if companies become transparent about what they do with their customers’ genetic data, and even if the partnerships they have in place now protect individual privacy, contribute to medical research, or are otherwise innocuous, what happens if a company’s values change? For example, AncestryDNA isn’t currently working with any private commercial partners, but it might change its mind about that in the future—and, remember, it already did have a still-mysterious partnership with a Silicon Valley startup.
What happens if a company changes its terms and conditions? Will it send a new version of its 30-page agreement for customers to wade through? What if a company is purchased by a new company with drastically different values? The terms and conditions customers sign off on state future ownership can enact new rules. And we just can’t predict what can be done—for good or bad—with these data 50 (or even five) years from now.
On the other hand, medical researchers are using these data to accomplish great things at an incredible pace. And most of our concerns about privacy are so far theoretical: Life insurance companies aren’t yet using genetic info to decline coverage or set rates, and we don’t right now live under a government that uses DNA testing to determine who gets to vote or reproduce or eat (although China is collecting DNA samples to track people of Uighur descent). But there are certainly enough serious privacy concerns for you to think about opting out of sharing and instructing any company to destroy your sample once you’ve received your report.
Or not buying at all.