DNA & Data Security: Is Your Spit Safe?
By Nicole Choy

On January 31, 2019, Buzzfeed News reported that Family Tree DNA, a private genetic ancestry testing company, would be allowing the FBI access to their patient DNA database. As Buzzfeed News reported, this “marks the first time a private firm has agreed to voluntarily allow law enforcement access to its database.”

While law enforcement’s access to DNA databases has played a major role in solving numerous cold cases, the most famous being the capture of the Golden State Killer back in April of 2018, access had only been limited to public databases of genetic information. While news of this partnership with the FBI could lead to huge breaks in unsolved cases, many were still concerned about the implications this might have for privacy issues, prompting Family Tree DNA to change their privacy policies a few weeks after the announcement. Their site now allows users to block law enforcement’s access to their genetic data, but a recent statement issued by Family Tree DNA on March 26, 2019 is encouraging more of its users to allow the FBI access to their genetic information. Part of a larger ad campaign, a video featuring Ed Smart, the father of Elizabeth Smart (a girl who in 2002 was abducted and rescued 9 months later), pleads with the audience to participate in Family Tree DNA’s partnership with the FBI; this partnership will allow the FBI access to their genetic information with the hope of providing answers to victims of violent crimes. Beyond being persuasive in nature, the video fails to acknowledge the extent of the information users would be giving to the FBI by allowing access to their genetic profile.

After all, our DNA is not just our own! We share genetic similarities with every single one of our relatives, and in a study published in 2013 in Science, researchers revealed just how easy it is to determine not only the identity of a person based a sample of their DNA, but the identities of their entire families as well. In fact, it was familial DNA that lead authorities to the eventual capture of the Golden State Killer. Dr. Robert Green, a medical geneticist and professor at Harvard Medical School was quoted in a Time Magazine article discussing the study, “This is the first time we’ve had some sort of thoughtful quantification for how easy it is to track any individual, whether they participated in these databases or not, through the people who have participated in these databases.”

What this study illuminated is the potential that large DNA databases have to impact the lives of individuals who never consented to be involved in the first place. With direct-to-consumer testing becoming almost too readily available, and companies like 23andMe and Family Tree DNA treating our genetic information like another product that can be sold or signed away, it is crucial that we take the time to question whether these companies have our best interests in mind.

Privacy and anonymity in the digital age is almost impossible. Companies like Google and Facebook are constantly collecting personal data from its users; through search histories, social media patterns, and even GPS functions on smartphones, this data is then mined and monetized for targeted advertisements. Beyond that, how these companies use this data is largely unknown. It seems that direct-to-consumer (DTC) genetic testing companies are no different.

The reality of data security when it comes to direct-to-consumer genetic testing companies is that the technology and consumer demand for access to their genetic information has advanced much more quickly than any protective legislation ever could. In fact, in June of 2018, the Federal Trade Commission was investigating 23andMe and Ancestry with regard to their policies on handling personal information and sharing that data with third parties. While several genetic testing companies, including 23andMe and Ancestry, issued a public statement in July of 2018 agreeing to adhere to the “Privacy Best Practices for Consumer Genetic Testing Services,” there is still a lack of legislation dictating the appropriate use of genetic information. Specifically, the current legal protections under the Genetic Information Non-discrimination Act (GINA) are proving to be too narrow for the breadth of applications of genetic information.

While this technology has brought the concept of genetic health risks and precision medicine to the public forum, and has been instrumental in the identification and arrest of numerous criminals, it is important to ask ourselves and the companies that store our genetic information, how might this technology be abused?

What can be done regarding the safe and ethical use of genetic information?

The field of genetic testing is growing so rapidly, the issue is no longer “can we do it?” but rather, “should we?” Currently, legislation has not caught up to the genetic revolution, and it is my belief that before we move forward, it is important that we amend the policies currently in place to protect consumer privacy and to prevent unjust exploitation. I believe the best way to do this is to create a task force comprised of bioethicists, geneticists, genetic counselors, as well as sociologists and experts in data security, to discuss the utility of genetic information, determine the appropriate use of such, and to come up with effective policies regarding the distribution and use of genetic information to third parties by consumer genetic testing companies. Until we begin to examine the potential for use and abuse of the genetic information stored in consumer genetic testing databases, any attempt to distribute or reference such information threatens to set a dangerous precedent for the future use of genetic data.

I’m interested in getting genetic testing done through a private direct-to-consumer genetic testing company. What can I do to protect my privacy? 

Take the time to read and review the company’s “privacy policy” or “privacy statement”. The National Institute of Health’s Genetic Home Reference published a list of questions that can be used to assess a company’s privacy practices prior to submitting your sample. As always, use your best judgement, and be sure you fully understand everything before choosing to go through with any testing.

If you are interested in pursuing genetic testing for health information, the more secure alternative is to speak with a certified genetic counselor. Healthcare workers are required to adhere to very strict policies under the Health Insurance Portability and Accountability Act (HIPAA) to ensure that your personal and health information is kept private. Furthermore, any genetic testing order through a genetic counselor is typically conducted at labs that must also be HIPAA compliant. If you want to learn more about genetic counseling services, visit the NSGC website or learn more on the Grey Genetics website!

References & Further Reading:

• Salvador Hernandez. “One Of The Biggest At-Home DNA Testing Companies Is Working With The FBI.” Buzzfeed News. January 31 2019.
• Sarah Zhang. “How a Genealogy Website Led to the Alleged Golden State Killer.” The Atlantic. April 27 2018.
• Family Tree DNA. “Ed Smart, Father of Elizabeth Smart Teams up with FamilyTreeDNA.” PR Newswire. March 26 2019.
• “Help us catch killers is now the new advertising angle for DNA companies.” MIT Technology Review. March 27 2019.
• Erlich, Y, Shor, T, Pe’er, I, Carmi, S. “Identity inference of genomic data using long-range familial searches.” Science 2018; 362(6415) 690-694.
• Jamie Ducharme. “Millions of Americans Could Be Identified Using Consumer Genetic Databases—Even If They’ve Never Taken a DNA Test.” Time. October 12 2018. Updated: October 13 2018.
• Kim Komando. “How to stop your smartphone from tracking your every move, sharing data and sending ads.” USA Today. February 14 2019.
• Marcus Baram. “The FTC is investigating DNA firms like 23andMe and Ancestry over privacy.” Fast Company. June 5 2018.
• Future of Privacy Forum: Privacy Best Practices for Consumer Genetic Testing Services. July 31 2018.
• Eric Rosenbaum. “5 biggest risks of sharing your DNA with consumer genetic-testing companies.” CNBC. June 16 2018.
• “How do direct-to-consumer genetic testing companies protect their customers’ privacy?.” Genetics Home Reference. April 2 2019.
• “HIPAA for Professionals.” U.S. Department of Health and Human Services. Reviewed: June 16 2017.
• “About Genetic Counselors.” NSGC.