365体育备用

Latest in Gear

Image credit:

How secure is DNA testing?

What you might be giving away in an ancestry test.
Chris Ip,
August 27, 2019
Share
Tweet
Share
Brett Putman for Engadget

Sponsored Links

Scientists only mapped the human genome 16 years ago, but today you can get a basic test of your genetic code from Walgreens. It's estimated some 26 million people have already sent their spit to direct-to-consumer DNA-testing companies, and the number is to multiply to 100 million by 2021.

The more people plug their genes into a database, the more useful the service becomes for finding distant family or tracing one's ancestry. There are deeper implications too: medical research, investigating cold cases, adoptees locating their parents. 23andMe, which along with Ancestry has the largest genetic database of these companies, also has FDA approval to test for genetic health risks like Alzheimer's and Type 2 diabetes. Then there are the weirder frontiers: companies that claim to match you with genetically compatible roommates, dates, diet plans and .

The business only works because we share our unique genetic identity. But the more this data is shared with strangers, researchers and corporations, the less private that data becomes. We've looked at the data policies of big tech companies before and found them severely inconsistent. Your genes are as personal as it gets.

365体育备用On top of that, privacy experts say that direct-to-consumer DNA testing is highly unregulated. A genetic test in the doctor's office is protected by HIPAA laws, which its sharing. These newer companies are bound primarily to their own privacy policies as well as committing to voluntary best practices by the Future of Privacy Forum.

The problem is, according to a major 2017 from Vanderbilt University of 90 DNA testing companies, 39 percent of them had no written policy online about how they use genetic data. We looked at four of the biggest companies -- 23andMe, Ancestry, MyHeritage and FamilyTreeDNA -- to see what they really do with your identity.

What kind of data is being shared?

All four companies have accessible privacy policies online. And all four companies talk about "de-identifying" your genetic data. This can take two forms.

365体育备用Aggregate data is generally a summary -- say, the percentage of men who have a certain genetic trait. Most companies will use this data both internally and externally. 23andMe says it shares aggregate information "to perform business development, initiate research, send you marketing emails and improve our services."

365体育备用Individual data pertains to a specific person's genotypes and characteristics but with identifying details like name and contact information removed. To have this information shared with third parties usually requires an opt-in and for good reason. Some has shown that it may be possible to locate individuals using public information based on their genetic profile.

What the companies say about de-identifying data

Who gets your data?

FamilyTreeDNA

With this in mind, you should be aware of three major groups that DNA-testing companies may share data with: research institutions, private corporations and law enforcement.

MyHeritageDNA testing kit

365体育备用Sharing of de-identified individual data for research requires an opt-in for Ancestry, 23andMe, MyHeritage and FamilyTreeDNA. But there are subtle differences. FamilyTreeDNA asks for customer approval for every specific research project; 23andMe's consent form says, "For the most part, we won't be able to contact you every time we would like to share your data."

Last year, 23andMe announced a $300 million deal to share data with pharmaceutical company GlaxoSmithKline and has had partnerships with P&G Beauty and Pfizer. 23andMe's unique approval to test for health risks also means that it collects more information from your saliva sample than other companies. Wirecutter365体育备用 reported that regardless of whether you purchase the biomedical or ancestry analysis, the company still tests your DNA .

365体育备用In the Vanderbilt University study, only 12 companies said explicitly that they wouldn't share genetic data with third parties. For those that said they would share the data, "no company provided a specific or exhaustive list of exactly which third parties would receive access to the data, or for what specific purposes."

This proved to still be true for the four big testing firms. Ancestry lists "some" of its collaborators like the University of Utah, American Society of Human Genetics and National Marrow Donor Program.

You should be aware of three major groups that DNA testing companies share data with: research institutions, private corporations and law enforcement.

365体育备用When it comes to law enforcement, 23andMe states, "We will not provide information to law enforcement or regulatory authorities unless required by law to comply with a valid court order, subpoena, or search warrant."

MyHeritage says, "It is our policy to resist law enforcement inquiries to protect the privacy of our customers" unless the company is served a court order. It does not assist in cold case investigations.

AncestryDNA testing kit

365体育备用Ancestry similarly states, "If we are compelled to disclose your Personal Information to law enforcement, we will do our best to provide you with advance notice, unless we are prohibited under the law from doing so." Last year it had 10 requests relating to credit card misuse, fraud and identity theft but none that required disclosing genetic information.

365体育备用However, FamilyTreeDNA doesn't just share data when it's legally compelled. This year, the company confirmed that -- unlike the other three companies -- law enforcement can create accounts to upload DNA from crime victims and search its database. Customers can choose to opt out of "Law Enforcement Matching."

Each company's full privacy policy:

How can you delete it?

The safest thing you can do after taking a company's test is delete your data and get your DNA sample destroyed. (The main trade-off would be missing out on future matches, if locating family members is a primary reason for taking the test).

All four companies allow you to erase your account and destroy your DNA sample either through their websites or by contacting customer service. 23andMe destroys saliva samples after analysis unless you opt-in to having it stored.

365体育备用But how far your genetic information has spread by then may be unclear. Your DNA info can be removed from the testing company's servers, but it can't be recalled from the third-party corporations or universities who may already have it. In general, the less diffused your data is, the less likely it will escape into the wrong hands.

Still interested?

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
Tweet
Share

Popular on Engadget

Pablo Escobar’s brother is trying to sell refurbished iPhone 11 Pros for $499

Pablo Escobar’s brother is trying to sell refurbished iPhone 11 Pros for $499

View
Philips Hue leaks show new versatility for Lightstrip Plus and Bloom

Philips Hue leaks show new versatility for Lightstrip Plus and Bloom

View
Xbox Family Settings app sets limits on your kids' game time

Xbox Family Settings app sets limits on your kids' game time

View
Amazon won't support HBO Max without Prime Video Channels tie-in

Amazon won't support HBO Max without Prime Video Channels tie-in

View
Twitter’s first fact-check of Trump was a gutless one

Twitter’s first fact-check of Trump was a gutless one

View

From around the web

How secure is DNA testing? | Engadget How secure is DNA testing? | Engadget How secure is DNA testing? | Engadget How secure is DNA testing? | Engadget How secure is DNA testing? | Engadget How secure is DNA testing? | Engadget How secure is DNA testing? | Engadget