DNA testing poses privacy risks

March 28, 2019 | Expert Insights

DNA testing services purchased online have gained significant popularity amongst consumers, despite their shortcomings. However, it is vital to understand the potential risks associated with such testing.

Background

Deoxyribonucleic Acid (DNA) is a molecule that carries the genetic instructions for the growth, development, functioning and reproduction of all known organisms. It is one of the four major types of macromolecules that are critical in all known forms of life. First identified by Francis Crick and James Watson in 1953, DNA is now studied because understanding one’s DNA is considered beneficial to predicting health-risks and ancestry, as well as holding the keys to genetic diseases that plague mankind.

A genealogical DNA test analyses specific locations on an individual’s genome in order to verify genealogical relationships, or to help estimate the ethnicity of the individual. Testing companies employ different ethnic reference groups in order to provide an approximate ethnic ancestry of an individual. The variance in these reference groups often yields varying results across providers. The tests are not intended to serve as a diagnostic or medical tool.

The United States Department of Health and Human Services defines a data breach as “a security incidence in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so.” Hacks are often a major reason for data breaches. Recent events across the world, associated with privacy and security concerns, have placed renewed emphasis on information security. 

Analysis

MyHeritage, a large Israeli genealogical testing company, revealed that it may have exposed the personal information of 92 million of its clientele. Although the company insisted that the breach only involved email addresses and hashed passwords, the situation highlighted the sensitive nature of online DNA testing. Most users of DNA tests procure their services from Direct-to-Consumer Genetic Testing (DTCGT), using tests that are available for purchase over the internet. Results are also often delivered over the internet. Industry experts predict that DNA testing will be a US$50 billion business by 2026.

With data fast becoming the most coveted currency in the information age, new sources of information, especially those that contain sensitive medical and identifying material, are of particular concern. Some of the world’s largest companies, such as Facebook and Google, make their money through targeted advertising. The mammoth amount of data stored in one’s DNA is of tremendous value, posing significant risks to unwary users. The data gleaned from one’s DNA can provide immense insight into one’s past, present and future by way of ancestral lineage, genetic medical conditions and health-risks respectively.

Although testing companies have asserted that their privacy and security protocols ensure the safety of their clientele, one is forced to question their effectiveness, given past compromises of what are supposed to be the most secure information databases in the world: banks, governments, airlines etc. Included in the terms and conditions of the majority of service providers is the ability to use one’s test results in meta-data geared at enhancing the service, yielding a dataset subject to theft and hacking. If the data set of a testing company is compromised, it renders the clientele the product. Once the data set is compromised, it is impossible to retrieve it and remove all public traces of the information.

The president of FamilyTreeDNA, one of the largest DTCGT companies in the US, issued a public apology for covertly sharing data with the FBI in crime investigations. Also of particular concern is the prospect of DNA testing becoming standard instituted practice. For example, an insurance company might demand the findings of a DNA test when issuing insurance policies as a method to hedge its bets. The lack of laws and regulations pertaining to the testing is of international concern. The regulatory ramifications in borderless cyberspace for the personal information of an individual subject to the boundary of a state require further delineation. Although most industries operate on a level of consumer trust, the DNA testing industry is often unable to provide verifiable levels of trust, yet it continues to engage in campaigns aimed at highlighting its novelty while dismissing concerns of privacy and security.

Assessment

Our assessment is that given the current state of DNA testing technology, as well as the immense privacy and security concerns that accompany it, it is prudent not to engage in business with DTCGT companies. We believe that if DNA testing is of significant importance, one must physically visit a medically-certified DNA testing facility that assures its customers of their security and privacy, as well as the option to remove all of one’s personal data from its files. We encourage those who have used such services to research and prod their service provider to remove all traces of their personal information.