How secure is DNA testing?
What you might be giving away in an ancestry test.
Scientists only mapped the human genome 16 years ago, but today you can get a basic test of your genetic code from Walgreens. It's estimated some 26 million people have already sent their spit to direct-to-consumer DNA-testing companies, and the number is predicted to multiply to 100 million by 2021.
The more people plug their genes into a database, the more useful the service becomes for finding distant family or tracing one's ancestry. There are deeper implications too: medical research, investigating cold cases, adoptees locating their parents. 23andMe, which along with Ancestry has the largest genetic database of these companies, also has FDA approval to test for genetic health risks like Alzheimer's and Type 2 diabetes. Then there are the weirder frontiers: companies that claim to match you with genetically compatible roommates, dates, diet plans and vacation spots.
The business only works because we share our unique genetic identity. But the more this data is shared with strangers, researchers and corporations, the less private that data becomes. We've looked at the data policies of big tech companies before and found them severely inconsistent. Your genes are as personal as it gets.
On top of that, privacy experts say that direct-to-consumer DNA testing is highly unregulated. A genetic test in the doctor's office is protected by HIPAA laws, which limit its sharing. These newer companies are bound primarily by their own privacy policies, as well as by their commitment to voluntary best practices from the Future of Privacy Forum.
The problem is, according to a major 2017 study from Vanderbilt University of 90 DNA testing companies, 39 percent of them had no written policy online about how they use genetic data. We looked at four of the biggest companies -- 23andMe, Ancestry, MyHeritage and FamilyTreeDNA -- to see what they really do with your identity.
What kind of data is being shared?
All four companies have accessible privacy policies online. And all four companies talk about "de-identifying" your genetic data. This can take two forms.
Aggregate data is generally a summary -- say, the percentage of men who have a certain genetic trait. Most companies will use this data both internally and externally. 23andMe says it shares aggregate information "to perform business development, initiate research, send you marketing emails and improve our services."
Individual data pertains to a specific person's genotypes and characteristics, but with identifying details like name and contact information removed. Sharing this information with third parties usually requires an opt-in, and for good reason: some research has shown that it may be possible to locate individuals using public information based on their genetic profile.
What the companies say about de-identifying data
23andMe
"Registration Information is stripped from Sensitive Information, including genetic and phenotypic data. This data is then assigned a random ID so the person who provided the data cannot reasonably be identified."
"We may share Aggregate Information, which is information that has been stripped of your name and contact information and combined with information of others so that you cannot reasonably be identified as an individual, with third parties."
Ancestry
"Data and Biological Samples, may be shared with Collaborators and Collaborator Partners, but will be shared without your name, contact information or other common identifying information. When your Biological Sample is shared, it is labelled only with a code. ... When Researchers publish results from the Project, such results may include your Data, but only as part of aggregated results."
"Ancestry may disclose user information in an aggregated form as part of the Services or our marketing, or in scientific publications published by us or our research partners."
MyHeritage
"While the Survey Research Information shared (through publication or with another entity) will never contain information that typically permits identification of an individual, such as a name or address, people may develop processes that would allow someone to re-identify the previously de-identified data."
FamilyTreeDNA
Under "The types of Information FamilyTreeDNA collects":
"Aggregate Information: Information that has been combined with that of other users and analyzed or assessed as a whole, such that no specific individual may be reasonably identified."
"Pseudonymous Information: Information that has been stripped of your Account Information and other identifying data, such that you cannot easily be identified as an individual to the public, and is instead only identifiable by a kit number or other alphanumeric sequences."
Who gets your data?
With this in mind, you should be aware of three major groups that DNA-testing companies may share data with: research institutions, private corporations and law enforcement.
Sharing of de-identified individual data for research requires an opt-in for Ancestry, 23andMe, MyHeritage and FamilyTreeDNA. But there are subtle differences. FamilyTreeDNA asks for customer approval for every specific research project; 23andMe's consent form says, "For the most part, we won't be able to contact you every time we would like to share your data."
Last year, 23andMe announced a $300 million deal to share data with pharmaceutical company GlaxoSmithKline and has had partnerships with P&G Beauty and Pfizer. 23andMe's unique approval to test for health risks also means that it collects more information from your saliva sample than other companies. Wirecutter reported that regardless of whether you purchase the biomedical or ancestry analysis, the company still tests your DNA the same way.
In the Vanderbilt University study, only 12 companies said explicitly that they wouldn't share genetic data with third parties. For those that said they would share the data, "no company provided a specific or exhaustive list of exactly which third parties would receive access to the data, or for what specific purposes."
This proved to still be true for the four big testing firms. Ancestry lists "some" of its collaborators online, such as the University of Utah, the American Society of Human Genetics and the National Marrow Donor Program.
When it comes to law enforcement, 23andMe states, "We will not provide information to law enforcement or regulatory authorities unless required by law to comply with a valid court order, subpoena, or search warrant."
MyHeritage says, "It is our policy to resist law enforcement inquiries to protect the privacy of our customers" unless the company is served a court order. It does not assist in cold case investigations.
Ancestry similarly states, "If we are compelled to disclose your Personal Information to law enforcement, we will do our best to provide you with advance notice, unless we are prohibited under the law from doing so." Last year it had 10 requests relating to credit card misuse, fraud and identity theft but none that required disclosing genetic information.
However, FamilyTreeDNA doesn't just share data when it's legally compelled. This year, the company confirmed that -- unlike the other three companies -- law enforcement can create accounts to upload DNA from crime victims and search its database. Customers can choose to opt out of "Law Enforcement Matching."
How can you delete it?
The safest thing you can do after taking a company's test is delete your data and get your DNA sample destroyed. (The main trade-off would be missing out on future matches, if locating family members is a primary reason for taking the test.)
All four companies allow you to erase your account and destroy your DNA sample, either through their websites or by contacting customer service. 23andMe destroys saliva samples after analysis unless you opt in to having them stored.
But how far your genetic information has spread by then may be unclear. Your DNA info can be removed from the testing company's servers, but it can't be recalled from the third-party corporations or universities that may already have it. In general, the less diffused your data is, the less likely it is to escape into the wrong hands.