ST. LOUIS — This holiday season was a hot one for at-home genome testing. Providers like 23andMe and Ancestry.com promoted their heritage and health testing services as a gift for families who want to learn about their genetic makeup.
It might look like the gift that keeps on giving, with new relatives and health findings popping up all the time, but experts told 5 On Your Side that customers may be giving away something they’ll never get back. The history of your DNA doesn’t end when you send it in. It might just be the start of the journey your data can take from testing provider to healthcare companies or the police.
How well do you know you?
Dan Smith’s wife surprised him with a DNA testing kit from Ancestry.com a few years ago. He got more surprises when he saw his results.
“Everybody else on my mom's side was mostly German and Irish,” Smith said. “I always prided myself more on the German part.”
Like many customers who see inside their genomes for the first time, Smith's view of his own background changed.
“It turns out I’m more English,” he said. “The one that really, really surprised me, even though it's only 1% is, uh, from Cameroon in the Congo. I did not expect that on my DNA at all.”
The Ancestry.com results also connected Smith with a relative his family never got to know.
“Me and my sister knew all our lives we had a half brother but we've never known who because it was a closed adoption,” he said. “This guy came up as a potential sibling.”
Kathy Smith, unrelated to Dan Smith, used a 23andMe test given to her to learn more about her future rather than her family’s past. She wanted to know her risk of diseases that run in her family. The news she got was reassuring.
“For some people that would be very frightening. I loved it. I thought it was interesting,” Kathy Smith said.
Where did your DNA data go?
The price of these findings is that private companies get to know all that information and more. While direct-to-consumer genetic testing providers generally have privacy policies to tell customers how their data will be stored and shared, genetic code is sensitive information on a whole new level. It can connect you to your relatives, predict your risk of disease and even help identify suspects in criminal investigations all over your family tree.
In December, the Department of Defense sent a memo advising employees to stay away from the tests, which they called “largely unregulated.”
David Chronister, CEO of Parameter Security, said the cautious outlook could be warranted.
“From a technological standpoint, from an exploitation of information [the Department of Defense] sees five to 10 years down the road of what corporate America is looking at. So, I would say if they're really being leery about their employees taking these tests, I would really take heed to that,” Chronister said.
Cathy Roberts, associate editor for health at Consumer Reports, also sees reasons to stay alert.
“It is kind of a Wild West as far as regulation,” she said.
Roberts pointed out that federal law prohibits employers and insurance companies from discriminating against anyone based on their genetics, but the law is silent on some other people who could use your data.
Worst-case scenarios
“That law does not protect against discrimination in other settings. Some big examples are life insurance companies, long-term care insurance, disability insurance. These insurers can make decisions about your premiums, about your coverage, based on genetic information,” said Roberts.
Dan Smith admitted there might be findings in his data that he would want to keep out of certain hands.
“That's a very, very scary thought,” he said.
RELATED: Four-decade old cold case solved when Ga. woman uploaded DNA test results to public website
In one potential worst-case scenario, both Roberts and Chronister said someone could hypothetically impersonate you using your DNA.
By hacking your online Ancestry.com or 23andMe account, someone could attempt to exploit relationships with long-lost relatives, impersonate you and learn more about your health. Unlike a credit card number, once hackers have your genetic information, you can never really get it back.
DNA testing companies aren’t bound by the same laws that protect private health information in the same way as insurers, hospitals and doctors. The rules that consumers need to know are in the privacy agreements they acknowledge when they send in their samples.
Roberts added that companies can change their privacy rules at any time. So, while you may be OK with how they handle data now, they’ll still have that data if the rules change and they decide to allow more partners to see that data.
“It's unfortunately on the consumer to keep up with that, and we think that's not how it should work,” Roberts said.
Who protects your DNA privacy?
Layoffs at both 23AndMe and Ancestry since January came with statements that the DNA testing industry is slowing down. While the future of DNA testing is uncertain, the data those companies have collected also hangs in the balance. Combined, those two providers have 25 million genetic profiles. They could be an appealing asset if either company is sold, and a new owner might have different ideas about data privacy.
“Once it's outside the confines of the company especially, it's really hard to tell what exactly is happening with that information,” Roberts said.
Here’s what the privacy policies of the two biggest DNA testing providers say about what could happen if either company sells.
Ancestry: “If Ancestry or its businesses are acquired or transferred (including in connection with bankruptcy or similar proceedings), we will share your Personal Information with the acquiring or receiving entity. The promises in this Privacy Statement will continue to apply to your Personal Information that is transferred to the new entity.”
23andMe: “In the event that 23andMe goes through a business transition such as a merger, acquisition by another company, or sale of all or a portion of its assets your Personal Information will likely be among the assets transferred. In such a case, your information would remain subject to the promises made in any pre-existing Privacy Statement.”
More than a million DNA profiles changed hands late in 2019 when a company that specializes in crime scene DNA analysis bought GEDmatch. While GEDmatch doesn’t test samples, it lets people upload data from tests conducted by providers like 23andMe and Ancestry to find even more relatives and health details.
In 2018, investigators identified the Golden State Killer through connections to relatives found through GEDmatch. In response to public concerns about sharing DNA data with police without asking users first, the company changed its privacy policy to limit police to searching the data of users who specifically opted into sharing with law enforcement. Despite the privacy policy, a judge granted a Florida detective’s warrant to search the entire GEDmatch database in October 2019, even the profiles of users who opted out of having data shared with law enforcement.
Steps to secure DNA data now
Kathy Smith worries now that the test could cost her family more in the future, if her data has an impact on her descendants.
“As a grandmother, I worry about the fact that we've all taken this test." Gesturing to her grandchild, she added, “This could impact him down the road if that data ever was ever compromised, you know?”
Consumers can decide that they would rather not let testing providers or databases keep their genetic data and sample. First, you should choose whether you want to keep a copy for yourself.
23andMe and Ancestry both provide the option to download the raw data of your genome. It’s sensitive information that should be kept in a safe place, but it may be valuable to keep in case you choose to share it with a healthcare professional or another testing service.
The account settings for both providers also allow users to delete their test data from the companies’ databases. This ensures that the companies cannot continue to use or share data, but if the data was already shared with partners for research purposes, the partners may still have that data after a user asks for it to be deleted from 23andMe or Ancestry’s databases.
Deleting the data doesn’t necessarily destroy the sample you sent to the testing service. 23andMe and Ancestry have different ways of handling that sample, and consumers can ask that any samples that were retained to be destroyed. A user of 23andMe whose sample was stored can ask for the sample to be destroyed after processing is finished. For users of Ancestry, samples are generally destroyed when a user requests their data be deleted. You can also ask Ancestry to destroy your sample even if you don’t want them to delete the genome data.
For more information about data management and other databases, Consumer Reports has a complete guide.
Ancestry.com didn't answer the I-Team's specific questions about how many times its privacy agreement has been updated, but they did provide the following statement:
“Protecting our customers’ privacy and being good stewards of their data is Ancestry’s highest priority. We do not share customer DNA data with insurers, employers, or third-party marketers. Ancestry also will not share customer personal information with law enforcement unless compelled to by valid legal process, such as a court order or search warrant. We will always advocate for our customers’ privacy and seek to narrow the scope of any compelled disclosure.
With regard to research, Ancestry provides our customers an option to participate in research to contribute to scientific discoveries. This participation is entirely voluntary. Customers must review and sign an informed consent if they want to participate. Any data used in research is de-identified (i.e., stripped of any personally identifying information).
Ancestry recognizes our responsibility to lead by example and set the bar for industry innovation. For that reason, we partnered with the Future of Privacy Forum (FPF), and other personal genomic testing companies to release the Privacy Best Practices for Consumer Genetic Testing Services. These guidelines are the first of their kind for our industry, and set a self-governed policy framework for the collection, protection, sharing and use of data collected by consumer genomics companies. In alignment with these guidelines, Ancestry provides consumers clear methods to delete their account and genetic data should they wish to do so.”
23andMe answered all of our questions in detail. Check out their responses below:
What does 23andme do to protect users privacy?
Our customers' data privacy is of utmost importance to 23andMe. 23andMe will not sell or share customer data to any third party without explicit consent. We employ robust authentication methods, encryption and restrict access to our systems through policies and protocols. We also employ software, hardware, and physical security measures to protect the computers where customer data is handled and stored. Furthermore, customers' genetic information, phenotypic data and personally identifiable information are stored in entirely separate computing environments.
Is a users DNA used for research, or shared with third parties?
We do not share or sell individual customer information nor do we include any customer data in our research program without an individual’s voluntary and informed consent. 23andMe customers are in control of their data — customers can choose to consent, or not to, at any time. More than 80% of our customers do consent to participating in research. Our consent document and privacy statement are published online for everyone to read and our research is overseen by an institutional review board or IRB, an independent third party that ensures our research meets all legal and ethical standards.
How can you get your DNA deleted from your database?
Customers are in control of how their data is shared, and how their data is stored. They can choose to have their sample stored at our lab, or have it destroyed. They can also download their information and close their account at any time.
If the company is sold, what happens to user DNA and info?
Per 23andMe's policies, in the event of a business transition such as a merger or an acquisition, customer information would remain subject to the promises made in our pre-existing Privacy Statement.
Any response to the Dept of defense warning?
As mentioned, all of our customers should be assured that we take the utmost efforts to protect their privacy, and that the results we provide are highly accurate. Our FDA-authorized health reports have been tested to be over 99% accurate and provide reproducible results. All of our testing is done in the US, and we do not share information with third parties without separate, explicit consent from our customers.
More I-Team investigations:
- Stolen phones keep getting sold to recycling kiosks
- McDonald's workers say they’re not trained to handle increasing violence
- Investigation into 'Cannabus' continues after undercover video raises questions about drug dealing
- Homeowner says work was left undone by roofing company Illinois attorney general previously sued
- Family forced to abandon meth-contaminated home welcomes baby girl 2 months early
- O'Fallon, Missouri fights to remove tire retaining wall for child with autism
- Man accused of stalking former classmate going to mental health court