When the unsolved case of the Golden State Killer was solved via a DNA sample, given by a relative to an ancestry and heritage site, it was cause for celebration. It wasn’t the first crime solved using DNA sent to a commercial organisation, and it’s likely it won’t be the last.
Though catching criminals can only be a good thing, these breakthroughs have left people wondering exactly what has happened to their DNA after entrusting it to a site like MyHeritage or Ancestry.com.
You might not expect law enforcement in the USA to have access to your genetic data if you’re posting it off from the UK. Equally, you might not expect that your DNA data could be sold to pharmaceutical development companies, or worse, that it could be lost to criminals in an attack.
Genetic testing has really taken off in the last few years, and it’s estimated that the DNA testing market worldwide will be worth more than $10 billion by 2022. Though these ‘casual’ DNA tests can help us to find out more about our ancestry, it’s important to consider the security risk that comes with posting away genetic data that is completely unique to you.
You wouldn’t give away your credit card details or your email password, because this would obviously be a risk. With that in mind, should you post away your DNA?
Popular DNA ancestry tests
You don’t have to browse Groupon or other shopping deal sites for long before you come across offers on genetic testing.
Some of the most popular brands are AncestryDNA, which gives great insight into ethnicity through detailed geographic regional splitting, MyHeritage – a top budget option – and FamilyTreeDNA, which includes YDNA and mtDNA tests for those who are serious about genealogy.
There are also options like 23andMe, for general genetic health screening, and Living DNA which is popular for anyone with roots in the British Isles.
MyHeritage and FamilyTreeDNA are open about the fact that they’ll keep your DNA on file for 25 years, while the other three options mentioned keep it indefinitely.
Who has access to that DNA data?
Who your data might be shared with varies a bit depending on the particular company you choose, so read the small print.
23andMe recently announced a partnership with the pharmaceutical company GlaxoSmithKline, allowing them access to home DNA results for their new drug research. Ancestry are fairly open about the fact that they can and will use your DNA for their own tests and research, while another company, Invitae, state that your data can be shared with public databases, laboratories and universities.
Life insurance, long-term care insurance and disability insurance companies in the US are also legally permitted to access genetic testing data if they wish, which means they can charge people higher rates for their coverage based on the results.
While some services are keen to say that will anonymise data before selling it on, critics have been quick to call out these suggestions because of the impossibility of fully anonymising such unique and personal data. As well as the risk involved in sharing your DNA, it’s also wise to consider the implications should that DNA data be connected to your online accounts and activities.
DNA data breaches
In 2018, MyHeritage suffered a major data breach. 92 million users had their email addresses and passwords stolen, giving cause for concern about what hackers could access when furnished with such information in relation to a genetic DNA account.
For those who had left breadcrumbs connecting their device’s IP address to their MyHeritage account, biological information risked being connected with address and credit card details, to name a few.
There has been outrage in recent years about the ability of tech behemoths like Google and Facebook to harvest and sell user data. But at the same time, millions of people all over the world have been not only handing over their DNA to commercial businesses, but even paying them for the privilege.
Some ancestry sites give you the option to download your detailed genetic code, while others are more limited. Though the MyHeritage breach is the one that’s made headlines, users shouldn’t assume that no other attacks have happened or succeeded – only that they have been better managed and contained.
You may be able to change your email address and/or password in the event of an ordinary data breach, but there is little that can be done when your DNA data has been compromised but to wait and see where it shows up, or what ransom is requested for its safe disposal.
How to maintain your privacy
Privacy is important both on the internet and off it, and it’s crucial to consider the connections that can be made between a leak of your DNA data and the rest of your online identity.
To keep other information private, like your phone or laptop’s IP address and your contact and payment details, a smart move is to use a VPN when you’re sending or receiving information online.
These apps add encryption to your network and spoof your location, meaning your browsing activities and interests can’t be traced back to you or joined together from one site to the next.
While VPNs are a great privacy and security tool, they can’t protect you from a data leak if your DNA is stored by another organisation.
When you join up your DNA with your email address and bank details, it becomes almost irrelevant later that you did it using a spoof IP address and secure connection. That information is stored on a third-party site, and it’s their security and adherence to privacy best practices that you’re relying on.
The DNA testing industry may be hugely popular, but realistically, the best way to ensure your DNA data isn’t sold or stolen is not to send it away in the first place.
Even when better guidelines and regulations are brought in to protect DNA test users, there is still no guarantee that any company will stay hack-free – and there’s a lot at risk if something as irreplaceable as your DNA goes AWOL.