Popular Genetic Testing Services Like Ancestry and 23andMe Are Forking Over Your Data to Government Agencies

Over one million people worldwide have been genotyped by 23andMe. All that genetic data is wide open to government agencies.
Publish date: October 23, 2015

Founded in April 2006, popular genetic testing site 23andMe sounds like a dream come true for some people — a chance to learn more about their medical and family history, to trace their lineage, and sometimes just to find neat, random things in their DNA, along with the occasional surprise, like an unexpected extra X chromosome.

With over one million global customers, the biotech company is doing a thriving business, but there's a hidden price that should make you think twice before spitting in that tube: There are almost no regulations when it comes to how all that data can be used, a problem across the information aggregation era that has huge implications when it comes to genetic data.

With the rise of the tech industry's current iteration, commentators often say that users are the product, and it's not a far cry from the truth. Sites like Facebook and companies like Google don't profit because people use their services: They profit because they can sell an incredible wealth of data about the people who use their services to third party companies, often with very limited restrictions. The fine print on some terms of service might come as a surprise to some users.

Many high-profile tech companies have been targeted with warrants and records requests from government agencies seeking to ferret out information on people, usually in the name of the war on terror, which has considerably eroded privacy protections in the United States. Google has very open connections with the NSA and PRISM, for example, while Verizon merrily handed over phone records without warrants.

The latest firms in the news have been genetic testing companies, which appear to be law enforcement's next targets, and the reason why is obvious — they represent a huge pool of genetic data that may not be stored in law enforcement databases. If you use any technology services without taking personal privacy measures, you are exposing yourself to warrantless surveillance — and that's not paranoia talking.

When it comes to services like 23andMe, there aren't any specific regulations regarding the collection, use, and storage of your data — unless you agree to participate in private research, in which case the terms set out by an institutional review board (IRB) include securing personally identifying information like the genetic code of subjects. Users thus have a choice: They can agree to let private firms use (and profit from) their DNA in trade for security, or they can leave it unsecured and run the risk that a government agency will access it without their knowledge, though 23andMe claims that it will notify users subjected to information requests and attempt to deny them when possible.

There are also considerable questions, notes Sarah A. Downey at VentureBeat, about how exactly users can control their data. Individuals submitting samples can request that they be destroyed, but this, she says, still means that the company retains a digital copy of the consumer's data — and with good reason, because it's potentially salable. If a consumer closes an account, she asks, does the company delete its records? Or do they sit there, waiting like a time bomb? Theoretically, the site honors requests to delete information, but that doesn't apply to data it's already shared — the data you consented to have shared when you signed up.

With DNA testing, this comes with some pretty serious implications. Pre-Obamacare, the ability to access DNA records could have helped insurers decide on which people they'd choose to extend coverage to, allowing them to avoid people with a genetic legacy that might indicate a higher risk for costly medical conditions. Life insurance firms today can still discriminate on the basis of genetics, and are wise to do so, as their business model involves reducing risks in the insurance pool, not increasing them.

Perhaps the greatest risk of all, of course, is in law enforcement investigations. Agencies can let rape kits sit untested (sometimes to the point of becoming too degraded to use) for decades, but meanwhile, they have access to a vast pool of aggregated genetic material linked with given individuals or families. People are basically happily volunteering their genetic material, with no need for a warrant, and those in databases like 23andMe and Ancestry (which until very recently was publicly searchable) aren't just threatening their own privacy, but that of their genetic relatives — because genetic markers can be used to find people related to a subject. (It's why, for example, genetic tests of the British royal family were used in an attempt to identify the Romanovs.)

This isn't just theoretical, though thus far, 23andMe reports that it's received only four requests for data, all of which it has denied. In 2014, a New Orleans documentary filmmaker found himself under suspicion of murder courtesy of a genetic sample submitted by his father to a research database. The service has also outed parents who gave children up for adoption, or connected genetic relatives who didn't want to have contact with partial (or full) siblings — while people have to mutually agree that they're interested in finding family members, sometimes this results in the emergence of family skeletons people weren't ready to find.

Kate Black, the company's chief privacy officer, told Stephanie M. Lee of BuzzFeed that such requests aren't functionally practical because of concerns about the chain of custody:

One of 23andMe’s main lines of defense for protecting data is that the person who orders a mail-home 'spit kit' online is not necessarily the one who submits a sample. Cops curious about a 23andMe customer’s DNA — and if, say, it matches a sample found at a crime scene — therefore can’t be certain that the DNA in fact belongs to that person.

While this may be the case, could a test be used as grounds for a warrant to determine if the identified customer is a match? This is one of the many questions surrounding law enforcement use of such information, with few states (California is among them) making regulatory moves to protect people who use DNA testing services without thinking about the potential privacy implications, or social concerns.

Technology is at an important tipping point, as the digitization and collection of vast amounts of data means that many companies are actually sitting on more material than they know what to do with, waiting for opportunities to leverage it. Users need to be proactive about privacy concerns because the companies they work with usually don't have a vested interest in retaining their privacy, and in fact have a desire to do just the opposite — a robust privacy policy puts limits on how information can be used, which makes it less valuable to a parent company.

Simply being online and using essentially any app or web service requires a certain amount of privacy sacrifice, something to be continually mindful of, as this is a situation that will only get worse. If you don't want material being collected without a warrant or your awareness — companies that claim to notify customers can still be subject to gag orders that prevent them from saying anything — don't submit it to a private company. And think carefully about the risks embedded in a given piece of personally identifying information like a phone number before you freely hand it out.

Still determined to see if you're really related to Sir Francis Drake or if you carry the gene for smelly asparagus pee? Downey, who's a security expert, has a detailed guide on how to get tested pseudonymously, protecting your privacy while still getting your hands on the goods.
