So, you’re thinking about using a commercial DNA testing kit! You’re not alone. Tens of millions of people have already spit into a little vial and mailed it away to a company promising to tell them where their ancestors are from, to show them cousins they didn’t know they had, and to explain once and for all why they hate the taste of cilantro.
“Begin your DNA Journey,” invites the FamilyTreeDNA kit. “Welcome to you,” says 23andMe’s gift box. DNA feels intensely personal: It is in us … it is us, after all.
But what else are you doing when you send your DNA away? Where are all the places that your DNA could end up as a result of your genealogical curiosity?
Medical Researchers and Drug Companies
When you send your DNA to a company like 23andMe or Ancestry.com, you can opt in to allow the companies to send your data to researchers who are studying genetics, demographic patterns, and diseases.
23andMe also says it sends your personal data to its “collaborators,” which include Pfizer and other pharmaceutical companies, and it announced last year that it would give people the option of getting alerts for clinical trials nearby that may be relevant to those with certain medical conditions.
The company says that genetic information and names are stored in separate databases, so that when it sends your genetic data to researchers, “you cannot reasonably be identified.” (As you’ll see below, though, that depends on your definition of the word reasonable.)
Sometimes your data can get stolen. Veritas, a startup that says it can sequence a person’s entire genome for $599, has admitted that it experienced a data breach—although it also said that the portal that had been breached did not include genetic data.
Meanwhile, researchers at the University of Washington recently demonstrated how the free and public genealogy database GEDMatch was “vulnerable to multiple kinds of security risks,” and “a malicious user could also construct a fake genetic profile to impersonate someone’s relative.”
Two geneticists at the University of California, Davis, also showed in an experiment last year that it was not that hard to “hack” the GEDMatch database — someone can locate a specific person in the database by bulk-uploading publicly available sets of DNA profiles until there is a match to either that person or to one of the person’s relatives. (GEDMatch has since been acquired by a private company that may change its policies.)
If that doesn’t persuade you to be wary, unnamed “personal and operational risks” even prompted the Pentagon to advise U.S. troops not to use consumer DNA tests.
“We can’t change our genetic information, and so once it’s out there, it’s a hard decision to reverse - it’s not like a credit card, where you can get a new one if need be,”
says UC Davis geneticist Michael Edge.
The government DNA databases that law enforcement uses to try to connect crime-scene evidence to perpetrators are strictly regulated, and they contain far less sensitive types of genetic information than commercial databases. A government database might contain just enough DNA to identify a person but not enough to connect someone to distant relatives, for instance.
Which is why law enforcement officers have occasionally sought access to commercial databases, which contain more detailed DNA information, and from more people. BuzzFeed News reported that FamilyTreeDNA has voluntarily agreed to test DNA evidence for the FBI and upload those profiles to its database for law enforcement searches. And The New York Times reported that GEDMatch, which had opted all of its users out of being included in law enforcement searches, complied with a warrant from a Florida police chief investigating a crime anyway.
Think that doesn’t affect you if you haven’t committed any crimes? Read on.
Other DNA Databases
Some years ago, a man named Michael Usry sent his DNA to something called the Sorenson Molecular Genealogy Foundation, a nonprofit surname-research project sponsored by the Mormon church. Sorenson’s database was later bought by Ancestry.com, and Usry’s DNA joined that larger database.
In 2014, police investigating a cold-case murder from 1996 in Idaho uploaded some crime-scene evidence to Sorensen and Ancestry.com and searched for possible matches. A partial match popped up, but Sorensen’s policy blocked the police from seeing the person’s name.
However, Ancestry.com told police that it would hand over the information if they got a search warrant, so they did, according to The New Orleans Advocate. Police found Usry’s name and started mapping out his family tree; eventually their suspicion landed on his son, Michael Usry Jr., because he had connections to Idaho and because he made horror films.
Long story short: Usry Jr. didn’t do it, but it took a police interrogation, another DNA test, and weeks of living in fear of a mistaken murder charge before he was cleared.
As law professor and forensic expert Erin Murphy writes in her book Inside the Cell, Usry’s father
“had no idea that his DNA sample would be readily traceable back to him directly, much less sold to a for-profit company, much less lead to the eventual accusation of his son for murder,”
all because he decided to research his genealogy.
Into the Future …
Let’s face it: Whether or not you’ve used a DNA-testing kit, it’s pretty much game over for DNA privacy. Because of the popularity of genealogical research, technological advancements in forensic science, and the ways that our shared genetic material connects us all, we’re pretty close to having a de facto national DNA database.
A rapidly increasing percentage of Americans can already be identified through these databases — through either the DNA they themselves have contributed, or by triangulation of the DNA that their distant relatives have. (Fun fact: you could have more than a hundred third cousins and more than a thousand fourth cousins!)
In other words, even if you decide not to use that DNA testing kit, if someone as distantly related to you as your great-great-great-uncle’s great-great-granddaughter has, then it’s almost the same as if you have anyway.