By Andrea Flink, Senior Fellow at Fordham Law School’s Center on Law and Information Policy
Upper West Sider Donna MacPhee, a proud daughter of Ukrainian immigrants, was relieved when Ancestry.com confirmed her Ukrainian heritage several years ago. But Russia’s land-grabbing war against its neighbor this year makes her wonder if her Ancestry identity will be redefined by the conflict.
“When my parents were born, Ukraine was part of the USSR [Soviet Union],” she told the Rag in an interview. “I wonder, if Donetsk or other areas of Ukraine become part of Russia in the current war, will they say my ancestors are from Russia, or Ukraine?”
MacPhee made her results accessible for future generations who want to understand more of their family history. She said she would happily respond to any family members who find her results and contact her through Ancestry. “Especially now with everything going on with Ukraine,” she said, “I would reach out to see if anyone needs additional help or support.” When asked if she is worried about privacy, MacPhee told the Rag, “No. I know I should be more worried about privacy, but no.”
MacPhee is not alone. Millions of Americans have sent their DNA to be analyzed by a direct-to-consumer (DTC) testing company like Ancestry or 23andMe. Very few likely give consideration to a host of possible issues: the results they receive may not be accurate, and the private companies that collect the information could share it in ways that have potential, unwanted consequences.
Once the company has your information, there is no guarantee it will remain confidential. HIPAA (the Health Insurance Portability and Accountability Act) does not apply to tests purchased directly from a DTC company. That means a company can share your genetic information freely, subject only to a few applicable privacy laws and the company’s own privacy policies, which typically allow your data to be shared with specified third parties.
While a Consumer Reports investigation found that DTC companies generally do a “relatively decent job” of protecting the confidentiality of users’ DNA data, “at least according to their stated privacy policies,” they also “over-collect personal information about you and overshare some of your data with third parties.” The Rag reviewed the privacy policies of 23andMe, Ancestry.com and MyHeritage and found those companies permit sharing with “service providers” that include laboratories, “biobankers” that store DNA samples, cloud service providers and even marketers. In addition, the companies all permit disclosure of DNA to law enforcement if subpoenaed or requested via another legal process. And your personal information could be transferred to another company upon a change of ownership, bankruptcy or sale of assets by the company that first collected it.
Bottom line: once your data is shared with a third party, you can no longer be certain who has it or how it will be used. “People should think about how they would feel if it were public, because there are many, many cases where the information will get out,” said Dr. George Church, Professor of Genetics at Harvard Medical School and founder of the Personal Genome Project, in an interview with the Rag. “Contracts mostly protect people after it’s too late, and if your goal is not compensation, but to prevent [exposure], laws are not all that great,” he said.
Discrimination based on genetics is one potential hazard. Though federal law prohibits such discrimination by employers and health insurance companies, the law does not protect New York residents when it comes to life, disability or long-term care insurance.
New York State Assemblyman Jeffrey Dinowitz introduced a bill earlier this year to prevent all insurance companies from discriminating on the basis of genetic information. “[I]nsurance companies have gained access to a huge amount of information that was not even conceived of when the relevant section of the Insurance Law was written,” Dinowitz told the Rag. A person with a genetic predisposition to Alzheimer’s, Parkinson’s or other degenerative diseases could end up being denied coverage or charged higher insurance rates, even though “they are exactly who is going to need help paying for their long-term care or providing for their family after they are gone,” said Dinowitz. Though his bill did not pass in the most recent legislative session, Dinowitz told the Rag he “absolutely” will reintroduce the bill next year.
Even though federal law currently protects New Yorkers seeking health insurance from genetic discrimination, before submitting your DNA for testing, remember that laws can be amended, weakened, repealed or overturned, despite being popular when they passed and despite decades of precedent. Just ask the current Supreme Court.
The consent form for Church’s Personal Genome Project ensures that participants in the public research study consider the risks of public exposure of one’s genetic information, including adverse effects on employment, insurance, financial well-being and/or social interactions, as well as more remote scenarios such as being cloned or framed for criminal activities. “The point of asking people about these scenarios was, if you’re ok with being cloned or having your DNA linked to a crime scene, you should be okay with a lot of things we haven’t thought of,” Church said.
DTC companies generally conduct research on a de-identified, aggregated basis, but many studies have shown that anonymized DNA can often be re-identified.
And while a whopping 80% of 23andMe customers agree to allow use of their information for research, according to a company spokesperson, it’s likely that many are not aware “research” is not limited to public health studies; it may also include product development and other uses.
Ancestry, 23andMe and MyHeritage tell customers they can delete their data at any time, but if the data has been used for research, it cannot be deleted from a study. In addition, 23andMe retains the right to keep information “as required by law,” and Ancestry keeps information for legal, regulatory and certain other purposes, such as preventing fraud.
Security breaches are another concern, since all data can potentially be revealed in a data breach. As cybersecurity expert Sandra Joyce told NBC News, “At the end of the day, biometric information is stored digitally, and it’s stored in a way you can both capture and then match to a database. Any database is vulnerable for hackers to come into. So much like any information, biometric information, digital information can be susceptible.”
Millions of Americans have gone a step beyond testing and, hoping to find (or be found by) family members, uploaded their results to a public DNA database like GEDMatch or FamilyTreeDNA. That allows others to access their DNA, including law enforcement. Once information is public, it can be “used in ways they may not be able to anticipate and may not be comfortable with or in their interest,” Dave Pollock, staff attorney in the DNA Unit at Legal Aid in Manhattan, told the Rag. “People should recognize that there is a ton of information in our DNA and very little protecting our privacy.”
Before uploading to any public website (including social media), remember that once you post information that is publicly available it may be impossible to get it back, and that testing your DNA potentially also compromises your family’s genetic privacy (and vice versa). The closer the relatives are, the more identifiable you will be from each other’s DNA.
How will our DNA be used in the future? As autocrats rise to power worldwide, nefarious uses of genetic information that even recently seemed farfetched in the United States inch closer to reality.
Upper West Sider Sally Hess told the Rag she would never have her DNA tested. “Because of my family’s history, I don’t trust large organizations or governments enough to give them such intimate information. It can happen here. My aunt said just that to my German grandparents in 1933. Their deaths at the hands of a fascist regime took from me a sense of personal and generational safety. Safety and privacy are linked.”
At least one federal agency has warned its employees against home DNA tests. In 2019, the U.S. Department of Defense advised military personnel not to purchase DTC tests because they are “largely unregulated and could expose personal and genetic information.” The Pentagon noted “increased concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization or awareness.”
“Genetic information and DNA sequencing is highly sought after by adversaries,” Joyce told NBC News. “New technologies are coming out that possibly in the future could create designer biological warfare weapons targeting a specific genetic population. While we haven’t seen that happen today, we feel that is a concern we need to look at in the far future.”
Church told the Rag that there is a way to test your DNA and protect your privacy called “homomorphic encryption.” It allows researchers to process encrypted data without having to decrypt it; the results also remain encrypted – and thus secure. Church also recommends using companies that offer whole genome sequencing rather than DTC companies because “the results will be higher quality, and one can get all the ancestry information in addition to more reliable medical data than DTC tests provide.”
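To make "processing encrypted data without decrypting it" concrete, here is an added example that is not part of the original article or of Church's work: a toy Paillier cryptosystem, which is additively (not fully) homomorphic, used to compute a weighted score over encrypted genotype counts. The choice of Paillier, the marker names, the weights and the genotype values are all assumptions constructed for illustration, and the fixed key is far too small for real use.

```python
import math
import secrets

# Fixed, publicly known Mersenne primes so the demo is reproducible.
# Constructed toy key: far too small and too structured for real use.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu))."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)  # valid because the generator is g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """Customer side: randomized encryption of a small integer m."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    """Customer side: only the private-key holder can read a result."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def encrypted_score(n, enc_genotypes, weights):
    """Researcher side: weighted sum computed on ciphertexts only.
    Multiplying ciphertexts adds plaintexts; raising a ciphertext to w
    multiplies its plaintext by w. No private key is used here."""
    n2 = n * n
    acc = encrypt(n, 0)
    for marker, w in weights.items():
        acc = acc * pow(enc_genotypes[marker], w, n2) % n2
    return acc

def demo():
    n, priv = keygen()
    # Constructed sample data: copies (0, 1 or 2) of a variant per marker.
    genotypes = {"marker_A": 2, "marker_B": 0, "marker_C": 1}
    weights = {"marker_A": 3, "marker_B": 5, "marker_C": 7}  # hypothetical
    enc = {k: encrypt(n, v) for k, v in genotypes.items()}
    enc_result = encrypted_score(n, enc, weights)  # still encrypted
    return decrypt(n, priv, enc_result), enc_result

if __name__ == "__main__":
    print(demo()[0])
```

The researcher's function sees only ciphertexts and the public modulus, and its output stays encrypted until the key holder decrypts it.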