DNA testing privacy

Have you ever wondered what makes you? Mused over how you came to be, and who you share genes with? There’s a new option to find answers, and all it needs is a drop of spit. 

It should come as no surprise that commercial DNA tests are rising in popularity. Genealogy itself is, after all, an ancient practice: members of the royal family of the United Kingdom, for example, can trace their ancestry down to Henry VII. Now with commercial DNA testing, genealogy maps are very accessible.  Your DNA is a map that holds traits of every person who came before you. With the right analysis, DNA tests can also unlock data on health problems or predispositions. 

But if you’re considering a test, not so fast. It turns out that knowledge comes with a price, one with potentially long-lasting consequences. Your DNA can expose secrets, even those that aren’t your own, and put you at risk in ways that aren’t advertised. There are huge, privacy concerns with commercial DNA testing, starting with what you agree to in the fine print. 

Who owns the data? 

Your spit might belong to you, but the unraveled code, in digital form? That’s different. In order to test your genes, commercial DNA services ask for the rights to your information. These details are frequently found within the terms of service, and can be very unnerving. AncestryDNA for example, states that it « does not claim any ownership rights in the DNA submitted for testing”, however: 

« By submitting DNA to AncestryDNA, you grant AncestryDNA and the Ancestry Group Companies a royalty-free, worldwide, sublicensable, transferable license to host, transfer, process, analyze, distribute, and communicate your Genetic Information for the purposes of providing you products and services, conducting Ancestry’s research and product development, enhancing Ancestry’s user experience, and making and offering personalized products and services. » 

Other providers include similar statements in their terms. 23andMe, for example, includes a ‘Waiver of Property Rights’ on submitted DNA. 

While companies obtain consent before using DNA for research, users may not realize they have a choice. Judy Russell, The Legal Genealogist, points out options are often unclear. Consent forms are frequent examples of bad design. As a result, users may feel giving consent to research is necessary to be tested. As Russell suggests in her blog: 

« So when AncestryDNA says that many hundreds of thousands of its more than 1 million test takers have agreed to participate in the research study, I don’t believe for one minute that more than a tiny fraction knew that (a) they didn’t have to agree and (b) if they did agree, they were agreeing to disclose every last jot and tittle of their family history.”

When HIPAA and other health privacy regulations don’t apply

Since DNA is health information, many users may expect the data is protected by privacy legislation. HIPAA, for example, is the well-known health privacy legislation in the United States and in Canada health privacy laws exist in most provinces. If a doctor requests genetic testing, safeguards and limitations on use are enforced by law.

However, HIPAA only applies to genetic information when under the authority of ‘health care providers’. Hospitals, individual clinics and private medical practices must uphold HIPAA privacy practices, as do insurers. Other private companies do not unless they are performing a service for a HIPAA health care entity. To give a clear example, a business that provides X-ray technology for hospitals typically complies with HIPAA. This is because their hospital clients are responsible for business associate privacy practices. HIPAA does not apply, however, if the x-ray company never works with health care providers. 

Companies including AncestryDNA and 23andMe are not health care providers. So long as their labs are sequencing DNA for commercial purpose and interest, HIPAA does not apply. As Peter Pitts, writing for Forbes, puts it, “The Portability Act was passed when genetic testing was just a distant dream on the horizon of personalized medicine.” This begs the question, now that genetic testing can be commonplace, should the legislation be expanded to include organizations or laboratories that process genetic information even if not affiliated with health care providers?  

What about other legislation, like the GDPR?

For individuals outside the United States, the law may offer more protection. In Canada, private companies are subject to PIPEDA, which includes limitations on collection, use and disclosure. Health information may also be under the jurisdiction of provincial health information acts. The Personal Health Information Act of Ontario, for example, includes “laboratory or a specimen collection centres” as health care custodians. This places restrictions on how data may be used without consent; notably, data may not be disclosed outside the province of Ontario without consent, or unless for the purpose of health care planning.

In Europe, the General Data Protection Regulation applies to all organizations that process personal information. Genetic information is explicitly called out in the law, under Article 9, ‘Processing of special categories of personal data’. Commercial DNA Testing companies who include processing of European genetic data are conscious of the law and may apply higher levels of safeguards to European data subjects. The website for 23andMe includes a specific page to illustrate compliance with the GDPR.

Unexpected consequences: when your DNA affects your insurance

Are you predisposed to certain conditions? Does your DNA suggest health problems as you age? In the United States, your insurance company wants to know… and in some cases, may already have access to the information. 

The Genetic Information Nondiscrimination Act (GINA) prevents health insurers from using DNA information to discriminate, but the law does not apply to life insurance. Fast Company‘s Christina Farr reports that customers face denial of coverage over DNA information, such as having a genetic predisposition to breast cancer.  

There’s also a question of whether users have a choice before handing data over. In 2017, the House of Representatives proposed HR 1313, the Employee Wellness Programs Act. This act would allow employers to request genetic testing from employees and families if they want to be covered by the company’s health insurance. Iain Thomson of The Register writes that while testing would not be mandatory, “those who refuse could see their health costs rise by up to 50 percent…The proposed legislation would do an end-run around [GINA] protections.” Fortunately as of 2019,  the act appears to be withdrawn, with the status of “Died in a previous Congress” according to Govtrack.us.

Are your parents who they say they are? 

We’ve all seen it before in movies and soap operas: a character discovers one of their parents isn’t blood-related to them. Paternity testing isn’t new; it’s been used to prove parenthood for over two decades and settle disputes. Commercial DNA sequencing companies, however, do offer a new twist. With a paternity test, the relationship between parent and child is already in question. Results from commercial DNA tests, by contrast, can come as a shock. As a result of the test, families see when there’s no genetic match between parent and child. Depending on the database’s detail, testing may also provide data on potential parents. If parent and child are in the same database, the match can be uncovered. As a reminder of potential consequences, 23and me includes a warning in its Terms of Service. « Once you obtain your Genetic Information, the knowledge is irrevocable. » 

Your privacy vs. the privacy of your family

The ability for DNA to expose genetic parents raises serious ethical issues and unexpected breaches of privacy without consent. To date, adoption agencies may be bound by law not to release identifiable information at the parent’s request.  Adoption privacy laws are a longtime hot button issue. 

Who has the stronger claim: the adoptee’s right to know their parentage or the parent’s right to protect their own privacy? With DNA testing, parents may not have a choice on having their information exposed. If the child takes a DNA test, once they have information on their own DNA, they can test it against different databases to find a match. In some cases, this is advertised by genealogists, such as the blog post by Amie Tennant of FamilySearch titled “Connecting with Your Biological Family through DNA Testing.”

What about the privacy of other family members? How much of your DNA tells a story about other relations? When we give up our DNA to commercial testing companies, we may be exposing family members without their consent. A study in Science Magazine titled “Identity inference of genomic data using long-range familial searches” reveals the truth: 60% of Americans of European descent can be matched to their third cousins or closer relations. Brian Resnick reporting for Vox estimates that number will rise as technology improves and more people give their data to DNA companies. What are the consequences of family connections? 

Already we have one example: in California, a person’s participation in a DNA testing database led to their family member’s arrest. 

Using commercial DNA tests to catch a killer 

In April 2018, the FBI in California made an arrest in a case left unsolved for decades: the Golden State Killer. The news broke headlines, sensational for the arrest and how the suspect was found.  To find the Golden State Killer, investigators tried a new tactic. They took earlier forensic DNA evidence and checked it against a commercial DNA platform, GEDMatch. The suspect hadn’t uploaded their DNA… but a in relative Oregon had. Suddenly the authorities had a new clue.  By taking the DNA match from Oregon and mapping out relatives in a family tree, they could reduce the pool of suspects, until narrowing it down enough to make an arrest. 

Law enforcement using DNA to solve crimes is no new trend. The use of DNA evidence has been acceptable since 1988, the first successful case of DNA testing within a murder trial. However, calls for police access to commercial DNA databases are raising alarms. In the past, DNA evidence was the final nail in the coffin. In 1988, police confirmed a guilty defendant when the DNA of the victim matched a bloodstain on his T-shirt. With the Golden State Killer, investigators did not use DNA to confirm proof. Instead, it became a new search lead.  

More law enforcement access on the rise

DNA Test access by law enforcement is a rising concern. How much access to DNA test results should police and investigators have? In January of 2019, public ire rose when FamilyTreeDNA allowed FBI access to its research. Writing for the Miami Herald, Monique Madan notes 23 and Me responds to legal requests on a case-by-case basis. 

Ancestry DNA also follows legitimate legal requests, including those from warrants or subpoenas.  These requests are increasing. 

In November of 2019, courts allowed a detective in Florida to warrant access to search GEDMatch’s full servers. It set an unnerving precedent: if warrants become obtainable, other agencies are likely to use court orders to bypass DNA testing companies’ privacy policies. Speaking with Science News, Erin Murphy of New York University comments the ability to get a warrant is a huge game-changer.  “It’s a signal that no genetic information can be safe.” 

Others however are more skeptical. Also speaking with Science News, lawyer and bioethicist Kayte Spector-Bagdady suggests it won’t be so simple. Unlike companies that do an analysis of salvia, GEDMatch populates its database by allowing users to upload their raw data, free, from other services. The warrant would not apply to companies that do direct-to-consumer private consumer analysis, and if a warrant is given for police search of databases like 23andMe, the company has the right to appeal. If companies feel user privacy is at stake, they “still have the right to challenge warrants in court.” 

That’s assuming, however, that the company requires a warrant to begin with. Before May of 2019, profiles of GED Match were accessible to law enforcement by default, which is how police were able to use the tool to find the Golden State Killer. Soon, users may see those days returning: in December 2019, GEDMatch was bought by forensics testing firm Verogen. As Verogen specializes in assisting police, future law enforcement access is a given.  

Why is law enforcement of DNA an issue?

As law enforcement access grows, scientists and civil rights advocates have concerns. Researchers, for example, worry fewer people will be open to sharing their DNA for health research for fear of ending up in a police database. There are significant differences between genetic data in the hands of doctors, and in the hands of legal agencies. Dr. Caitlin Curtis for the University of Queensland in Australia poses the question:

« It may be acceptable to receive a genetic health risk score from a doctor, but do we want law enforcement to be predicting the mental health of suspects, or for that information to be considered in court? »

Others, including Russel, ask if handing over DNA to police violates the Fourth Amendment, which prohibits “unreasonable searches and seizures”. Reviewing past cases of police use of DNA evidence, it becomes clear that the method isn’t fool-proof. Matthew Sheer, writing for The Atlantic, demonstrates a number of ways in which DNA can get it right.. or get it wrong. Commenting in Sheer’s article, Erin Murph of New York University puts it plainly:  « just because we’re moving forward doesn’t mean mistakes aren’t still being made.”

DNA on the dark web: hackers want in too

Even if a company plans the very best privacy policy, will they be able to uphold it? Police aren’t the only ones who want your DNA: it’s a valuable target for hackers. Data breaches are a common bane of security teams, it’s already happening to DNA repositories. In 2018 DNA testing site MyHeritage suffered a breach of 92 million usernames and passwords. The company has since added two-factor authentication for logins to increase security, but their hack won’t be the last. A year later in November of 2019, attackers gained a trove of data from Veritas Genetics. For those whose DNA is now out in the dark web, options are limited. 

Why would hackers want your DNA? Matt Jancer with Men’s Journal delivers the cybercrime reality. Hackers can sell DNA for ransom, threatening to reveal medical conditions or family secrets to the wrong people. It’s valuable data, and any repository of valuable data is at risk. Worse, there’s a huge difference between a stolen list of passwords and a database of DNA sequences. For starters, your DNA cannot be reset or changed: once out in the dark web, it’s out for good. 

Tip of the iceberg  

The sad reality is, we’re only beginning to understand what can be done with our DNA. Already, technological horrors are becoming real. Adrian Potoroaca of Techspot reveals in China scientists are combining DNA with sketching software to generate rough models of a person’s face. The technique, called DNA phenotyping, allows scientists to visually identify individuals without photographs. More chilling is what the data is being used for. According to Mark Munsterhjelm, from the University of Windsor, Ontario, « the technology is used for hunting people.” 

Other sinister practices aren’t hard to visualize. For example, could stolen DNA be applied to hack biometric security systems? It doesn’t appear to be too far fetched, with researchers like Tsutomu Matsumoto bypassing systems using 3D printing and gummy bears.  When it comes to commercial DNA Testing, customers need to understand that the fun comes with risks. Once your DNA is analyzed, it can be used for much more than finding lost relatives. David Gewirtz with ZNet says it best: “ Your DNA is, fundamentally, the source code to… you.”