Genetic testing has become something of a trending business in the last few years. Worldwide, the DNA testing market is set to reach more than $10 billion by 2022, with plenty of people keen to find out more about their heritage by sending off samples to companies like Ancestry and MyHeritage.
While just-for-fun DNA tests can be entertaining, and help us to find out more about ourselves, it’s worth considering the security risk involved in posting away your DNA to be stored by a profit-led organisation. Despite people generally becoming more aware of how revealing digital metadata can be, it seems that our desire to keep our unique genetic data private isn’t quite as strong.
Your DNA can provide information on your health, personality and history, and if you’ve sent it away to an ancestry site, you’ve trusted that organisation with the very essence of who you are.
Finding out whether your great-great-grandparents were royalty, or whether you’re actually 5% Spanish, is all a lot of fun. But with some of the bigger companies now stating that they reserve the right to use your DNA in their own research, and that they may even share it with third parties, it’s time to think seriously about the privacy risk that comes with posting your DNA.
Notable events in the sharing of personal DNA
The Golden State Killer was caught last year because one of his relatives uploaded their DNA to an ancestry website. While that’s great news for justice, and cause for jubilation at the closing of a long-time unsolved case, it left many people asking questions. Was their DNA now also on file somewhere in the American judicial system? What other organisations might it have been shared with?
Also in 2018, MyHeritage suffered a major data breach. While they state that only email addresses and passwords were stolen, this has still raised concerns about what such hackers could do with access to information about people’s DNA, particularly as anyone who has logged in to a DNA heritage site may have left a breadcrumb trail of data through their device’s IP address, connecting their unique biological information with their online identity, address and credit card details.
While controversy rages over the fact that companies like Facebook and Google are harvesting and using people’s digital data, millions of people around the world are not just handing over their DNA to profit-making companies, but paying them handsome sums for the privilege.
Who can access your DNA?
Different ancestry sites share your DNA with different groups of people, and some are more private than others.
For example, Ancestry.com note in their terms and conditions that when you submit your DNA to them, you’re acknowledging that it will be used in their own research. That research can include studies on ethnicity-related health and aging, scientific and historical research, among other things.
FamilyTreeDNA voluntarily gives law enforcement services routine access to its database, regardless of whether a court order is in place or not, while other providers say they’d only share your DNA with a government body if it was legally required.
Of course, it’s not just in the quest to solve crimes that your DNA might be shared – if that were the case, presumably fewer people would object. The two key considerations for anyone posting their genetic information away are the risk that it’s sold off for drug development (like the DNA that 23andMe sold to GlaxoSmithKline) or that it isn’t properly secured, and gets accessed by criminals.
Some people fear that the sharing of DNA information between businesses could lead to people’s health insurance premiums rising, or that people could find themselves being refused new job roles because of a family history of a certain medical issue.
Though the intention behind heritage DNA services is lighthearted, the risk of misuse of such personal data is incredibly high. Customers might think that their DNA is being safely locked away somewhere, but in many cases, it’s being sold and shared far beyond expectations.
Maintaining your privacy on and offline
It’s important to think about your personal privacy both on and off the internet, and to consider the connections that can be made between digital data and DNA. For the time being, it seems like the only way to be sure your DNA won’t be shared or misplaced without you knowing it is simply to keep it away from places it doesn’t actually have to be.
It’s one thing for a doctor to have access to your DNA, but quite another for a family tree website to do so.
While you can protect the majority of your life online by using encrypted virtual private network connections, which hide your activities and interests from prying eyes, even the most stringent privacy methods can be undermined by DNA. When you connect your DNA with your email address or bank account details, it doesn’t matter if that was done from a spoofed IP address in another location – it’s still very definitely traceable to you.
Of course, part of the point of these services is to locate other family members spread out across the globe. Using a fake name or alias would somewhat defeat the point, and still offers no guarantee that you won’t be traced.
Until there are guidelines and regulations in place which ensure the safety of your genetic profile, the safest bet is to steer clear of online ancestry tests. Even the most reputable and transparent companies can’t necessarily guarantee you that they will stay hacker-free, and there’s a lot at stake should a hacker ever access something as personal and irreplaceable as your DNA.
About the author: Tony writes for a number of international data security brands, as well as contributing to the travel and wellness site Just Can’t Settle.