The privacy cost of consumer DNA profiling

Julia


Let’s talk about data. No, not your Facebook likes that companies use to spam you with targeted advertising. Or your metadata, which reveals a great deal about you (and your cat). We’re talking about the actual data of you. Your DNA.

Your DNA is your genetic fingerprint. Your DNA is utterly unique. Your DNA can tell things about your health, personality, history, and more. Oh, and your DNA might be owned by Ancestry.com, 23andMe, or some other genetic ancestry company.

Wait… what?

What data are we handing over to DNA profilers?

What’s in your DNA? Well, it contains markers for disease, hair and eye color, possible personality traits, your heritage… Fundamentally, DNA is what makes you, you. Hey, you could probably even clone someone from a saliva sample some years down the track.

And we are giving this to a commercial company just for a chance to see if our great-great-great-great grandmother was royalty, or if we’re distantly related to George Clooney?
More importantly, to whom are we handing over the essence of ourselves? And by what rules are they bound?

By what rules do genetic testing companies have to play?

At present, there is little, if any, overarching legislation governing direct-to-consumer genetic testing. While France and Germany have banned consumer genetic testing, other nations have no specific law.

In the US, the FDA has come up with some guidelines such as testing requirements and a review. But in terms of laws surrounding governance? That’s on a state-by-state basis and derived from other non-specific regulations.

Could this be a case of technology accelerating faster than the regulators? By the time the possible implications of massive commercial DNA databases are properly discussed in a regulatory sense, it’s going to be like trying to play catch up with Usain Bolt.

A look at the privacy policies of genetic testing companies

At present, it’s mainly up to the DNA profiling companies themselves to put in place security and privacy policies. So how are they doing?

Let’s break down part of the privacy policy at Ancestry.com, for example:

“[Ancestry.com] may also use your information in genealogical or genomic research projects, to improve or develop new products and services, and for internal business purposes…”

Meaning, Ancestry.com will use your DNA:

  • in research (what kind of research exactly? Researching if there’s a serial killer gene?)
  • for new products and services (“great idea Jim! Let’s open a dating arm of the business!”)
  • for “internal business purposes” (okay, so what if my genetics end up being able to determine how susceptible I am to certain forms of marketing, eesh!)

“[Ancestry.com] do not share common identifying information linked to your genetic or health data with third parties unless we obtain your explicit consent or are required to do so.”

There is no definition of what constitutes “required,” but in 2017, US-based Ancestry.com received 34 criminal subpoenas from the US, Germany, Canada, and the UK. And they released data in 31 of those cases.

“[Ancestry.com] use your Personal Information to market new products and offers from us or our business partners. This includes advertising personalized to you based on your interests.”

This one speaks for itself!

How secure is the data you submit for genetic testing?

Well, how secure is any data? If you’re a US citizen with a credit report, your sensitive personal data was probably exposed by Equifax along with 143 million other people’s.

3 billion (billion!!) Yahoo users were also found to be hacked in 2017 using forged cookies. And Aadhaar, the identity system for over 1 billion Indians which includes biometric info, has been compromised numerous times.

Whatever systems people have in place, we’ve learned by now that nothing is infallible. A combination of software flaws and social engineering tricks used by hackers can have a global impact.

Your reckless family and their DNA will betray you

Want to know the most disturbing aspect of all this? You don’t even have to provide a sample yourself to be caught up in it.

If your brother, sister, or great aunt Lilly submits their DNA, then familial markers mean there’s a good chance that your essence is on file too.

We don’t yet know all the secrets our DNA contains. But with big enough datasets and machine learning algorithms, you can bet these companies are barrelling along trying to find out.

Why? So they can make more money from you, of course. In 2017, the direct-to-consumer genetic testing market was valued at $117.12m. In 2026 it’s predicted to reach $611.24m.

Tech writer and ex-software developer with a penchant for travel, techno, and data. I believe in the right to a free and open internet and will rabbit on about it for hours if given half a chance.