USA TODAY International Edition
IS YOUR PRIVACY UNDER RISK?
Data breaches raise worries as test kits proliferate
DNA testing is all about unlocking secrets. But sometimes surrendering your saliva also may mean surrendering a bit of privacy – yours or someone else’s.
“I think people need to be prepared and warned that they might find out something that could make them very uncomfortable,” said Jeff Hettinger, one of the growing number of people who submitted a sample and discovered a sibling he never knew existed. His dad had never told him.
DNA testing from the likes of leading services 23andMe and Ancestry, among others, always has boiled down to risk and reward, a fascination and curiosity about one’s roots and/or predispositions to disease, balanced against trepidations around privacy, security, and, for sure, the possibility of an awkward or identity-altering discovery.
Yet rising concerns of data breaches or an overreach by law enforcement
have made some people reticent about voluntarily spitting into a tube or taking a swab of the cheek, even as this popular pastime continues to grow.
It also has some of the top DNA testing companies in the industry banding together to put privacy front and center.
MIT Technology Review estimates more than 26 million people have taken an in-home ancestry test.
The DNA risks to uncovering secrets
But experts counsel DNA newbies to consider what for some could turn into an unpleasant flip side.
“Are there secrets in the family?” asks Whitney Ducaine, director of cancer genetics services at Informed-DNA in St. Petersburg, Florida, who knows of cases where individuals found out they had no biological connection to people they had believed were blood relatives.
James Hazel, research fellow at Vanderbilt University Medical Center, raises another issue that may cut both ways: “The ability of people to readily identify anonymous sperm donors who wished to remain anonymous when they provided that sample.”
On the health front, 23andMe asks customers to affirmatively “opt-in” before receiving sensitive reports that may show a genetic predisposition for BRCA variants, which may indicate an increased cancer risk, or late-onset Alznieces, heimer’s Disease, says Adriana Beach, the company’s corporate counsel for privacy.
Could someone steal my identity from DNA details?
Meanwhile, frequent reports of database ruptures in all areas of tech and business are likely to give pause to people wondering about genealogy data landing in the hands of identify thieves and scam artists.
Seeking out distant relatives also means you, or your data, may have to be exposed to some degree, so that you, in turn, can be found.
A year ago, the MyHeritage testing service, acknowledged a breach of email addresses and “hashed,” or scrambled, passwords of more than 92 million users that turned up on a private server the previous October.
The company’s then-chief information security officer Omer Deutsch said that no other sensitive data, including family trees and DNA, was compromised since such data is stored on separate systems. Still, the episode sounded alarm bells.
“We haven’t really seen any reporting surrounding a security breach involving the genetic data of customers in the United States with any of these large ancestry or health-testing companies,” Hazel says. But “as the databases grow in size, they represent an increasingly valuable target to potential hackers or others who may wish to gain access to that info.”
Even so, Hazel and others think the greater risk to privacy and security is more likely to come not from genetics data but from all the other information that can be found on the internet, including Social Security numbers, passport information and financial records.
“If someone wanted to work with you on identity theft, there are a lot of easier ways to do it than to try to figure out your great-grandparents,” agrees David Nicholson, co-founder of the Living DNA testing service in the U.K.
When police use these DNA databases
Privacy advocates also have flagged major concerns around the use of DNA by law enforcement.
DNA forensics have helped solve decades-old cold cases, leading notably to the arrest of the suspected “Golden State Killer” in California.
Investigators were able to uncover clues via the public database GEDMatch, which hosts data people voluntarily upload from private testing services as a way to find matches with potential relatives who tested their DNA elsewhere.
The worry, though, is that by permitting law enforcement to poke around such DNA databases, a legal shadow may be cast over innocent family members, some of whom never even submitted their DNA anywhere, much less gave their blessing to be searched by the police.
“You decide to contribute your DNA to one of these services and you have by default included your parents, your siblings if you have any, your kids if you have any or your future kids, and future nephews and everybody else,” says Jen King, director of consumer privacy at Stanford Law School’s Center for Internet and Society.
Family TreeDNA faced a backlash this year after acknowledging that it cooperated with the FBI on crime solving. The authorities were able to set up profiles on the site hoping to match DNA samples collected from crime scenes.
But I didn’t sign up for this ...
Family TreeDNA subsequently changed its privacy policy allowing users to opt out so that their DNA could not be matched up against such profiles.
GEDMatch also recently changed its policy. It now requires people to specifically state if they’ll allow their information to be shared with law enforcement.
“Prior to that time, we had always warned our users in our terms of service that our site might be used by some for purposes other than genealogy,” says co-creator Curtis Rogers, who insists there are many misconceptions about GEDMatch.
“Criminal suspects are not identified on our database,” Rogers says. Rather, “genetic genealogy is only the beginning of a long-complicated process that if ultimately successful will lead to a person or persons of interest. Law enforcement still have to do a complete investigation, often including getting a traditional DNA sample, before they can name a suspect and make an arrest.”
Such investigations may involve social media, census data, family trees, newspaper articles, cemetery records and courthouse records.