The Privacy Implications of DNA Testing

Written by Colin Asher
Published on September 22, 2019

The last decade has seen the advent of consumer DNA testing companies like 23andMe, AncestryDNA, MyHeritage DNA, and FamilyTreeDNA. These companies are banking on the fact that you wouldn’t feel life is complete without having an encyclopedic knowledge of your DNA. And guess what? They wouldn’t feel complete without that knowledge either. 


    The recent emergence of DNA companies’ big plan — sharing customers’ DNA with third-parties — has come together with the terrifying obviousness of the third act of a Bond film, and it’s thrown into question the phenomenon of consumer DNA testing.

    This article will give you an overview of consumer DNA testing: the privacy concerns, the potential benefits, the legal aspects surrounding it, and its connection to larger trends of privacy abdication in today’s world.

    What can a DNA test tell you?

    One main draw is learning more about your genealogy and ancestry. If you send a spit sample, you will receive information about the percentage of different ethnicities that make up your heritage and who you are related to — which means other people who can be traced in the database. Another main use has to do with your biology. This runs the gamut from fun facts about your earwax texture all the way to the risk you might have for getting a certain disease.

    As for the latter, it’s important to note that DNA information is not the full picture of what’s going to happen to a person health-wise; it’s not a crystal ball. Though to the layman, the very ring of the term “DNA” has an inevitable, fated quality to it, experts remind us that DNA is probability, not fate. Even if you do have a gene that increases the risk of Alzheimer’s, most people will not develop it; plus, living a healthy lifestyle will reduce your chances. Others have questioned the accuracy of the tests and also caution that you shouldn’t let the results of such DNA tests scare you into pumping yourself full of expensive, side-effect-laden drugs on the chance you might get a bad disease one day.

    You’re not special, your DNA is data

    About 30 million people so far have been tested with consumer DNA kits.

    10 million of these are reportedly from 23andMe. The company, whose folksy slogans currently include, “One unique you,” and “Welcome to you,” is much more than a cheery spit-testing center: it’s a purveyor of DNA data. One of the lofty, public-facing goals of 23andMe is a kind of utopia of shared DNA data. According to them, disease diagnoses have been blindsiding humanity as a result of our disconnection, but we can now elect to share our DNA in the service of helping mankind. 

    While they claim to put healthcare back into the customer’s own hands, the ultimate irony is that much leaves the customer’s hands during this transaction.

    The company’s website offers the user the chance to let their test results be used for research, and apparently, 80% of 23andMe’s customers made that choice. However, many of them were angered by last year’s announcement of the company’s partnership with pharmaceutical giant GlaxoSmithKline, an arrangement that will allow the DNA test results to be used in the manufacturing of drugs. On a similar and somewhat quieter level, AncestryDNA partnered with Google’s biotech research subsidiary, Calico. Data swap, anyone?

    While informed sources seemed to have been onto 23andMe’s general plan since 2007 — to use its DNA data for the purpose of scientific research (partnering with drug companies) — the average spitter was as unaware as they were about, for example, Facebook and Google’s liberal use of their personal data. And the same way Facebook does what it wants with the information you decide to share about your morning porridge, companies like 23andMe and AncestryDNA can and will make use of the information they collect. In an age where data is currency, their entire enterprise would be rendered moot if they didn’t.

    Fine print 2.0

    It is always very easy to check a box assenting to a certain condition without fully contemplating what it entails. It used to be that people didn’t read the fine print. Now, in the best cases, the fine print is shortened and put front and center, but it still eludes comprehension.

    At this point there should perhaps be a word coined for when you give a private company your private info and are still surprised/outraged they might do whatever they want with it — not only if the company was slippery enough to change the terms of service under your nose, but even if you already checked a box or two that said you didn’t mind if they used it. 

    Just one indication that you’re in quite a legal grey area: direct-to-consumer DNA testing companies are currently not subject to the HIPAA laws that regulate the transfer of health information in a traditional medical setting. 

    It’s pretty evident by now that consumers stand no chance against Silicon Valley legalese. The privacy policies of 23andMe, AncestryDNA, and MyHeritage are predictably long and byzantine. The point here is loopholes and caveats, such as the part in FamilyTreeDNA’s policy which allows law enforcement to make accounts and search its database. Or how about 23andMe’s statement that, "for the most part, we won't be able to contact you every time we would like to share your data," (which is the kind of notification that would give consumers more clarity and control). And, as touched on above, these companies can change the terms and conditions whenever they want.

    Ramifications of losing control of your DNA

    In 2008, the Genetic Information Nondiscrimination Act (GINA) was passed, which technically makes it illegal for health insurance providers to change your coverage based on genetic information. This law doesn’t, however, apply to disability insurance, long-term care insurance, or life insurance. Indeed, DNA discrimination from insurance companies remains a top concern in this arena. Having access to this information could cause them to raise rates and alter your coverage.

    And while a DNA-topia would be heaven for the likes of David Caruso and co. on the TV show CSI, the untrammeled access to online DNA by law enforcement could be one more step in the direction of a security state. It was recently disclosed that the capture of the Golden State Killer, who was at large for decades, was aided by searching GEDmatch (a public DNA database). The investigation also included a subpoena issued to FamilyTreeDNA for the disclosure of information. And while capturing criminals might sound all well and good, it’s not hard to imagine how this power could easily be abused by law enforcement.

    The bottom line is, using such services puts a lot of trust in a given company. Importantly, that data is also never 100% secure. You’ve probably heard enough about data breaches already; well, DNA data can be leaked too. One DNA testing service, Vitagene Inc., had DNA information that was linked with customer names stored on public cloud servers for years — not very secure. In 2018, MyHeritage had a massive breach of user account data, though luckily it didn’t include actual DNA information. If the companies themselves don’t misuse your data, then hackers could do things like hold stolen DNA data for ransom (it’s happened before with health records). So, using DNA tests would open you up to privacy breaches on multiple fronts. As with all user-data-driven companies, the best way to ensure privacy remains non-participation.

    And while the ability to delete your DNA after testing is something these companies offer, it may not be quite so simple. If your DNA has already been shared with third parties, it is rather impossible to claw it back. While these companies often claim that the DNA used in studies is anonymized, it isn’t a massive stretch to trace it back to you using zip codes and birthdates and DNA from your relatives in databases.

    This all begs the sad question: after DNA, at what deeper level could data possibly be mined?

    Final strand

    In the wake of the recent downfall of blood-testing startup Theranos, everyone’s spidey sense is a bit tingly around biotech. However, the FDA, which often provides a big hurdle to health startups, has lessened its grip in the last few years, giving 23andMe approval for tests for certain diseases. The question is whether these companies can convince people of their more dire medical benefits, since it seems, after millions have already gotten tested, the market for those who are curious enough to pay for ancestry information is finally hitting a lull.
