Should you be worried about your DNA privacy?
There's a lot of fine print with at-home DNA tests
I’ve always been wary of at-home DNA tests, and I don’t think I’m alone in that. There are a lot of things I regularly do that might compromise my personal information—online shopping, banking, and healthcare communications spring to mind—but sending off a sample of my DNA to some huge corporation? No, thank you.
So when my editor floated the idea of doing a deep-dive into the privacy and security practices of at-home DNA kits, I was first in line to volunteer. I was genuinely curious to find out just how well these companies protect their users' information, and some of the things I found during my research surprised me.
For this article, we’re going to focus on a few key privacy concerns, including:
- Data storage
- Third-party information access
- Biospecimen handling
- And law enforcement probes
However, you should always carefully review the terms and conditions of any DNA testing service to ensure you fully understand your rights and how the company plans to protect your privacy.
How secure is your data, really?
One of the first issues that comes to my mind with any type of sensitive information is whether it’s susceptible to a data breach. After all, if huge corporations such as Equifax can be compromised by cybercriminals, what’s stopping hackers from going after a DNA testing company?
In fact, it’s happened before. Just last year, DNA-testing firm Veritas Genetics experienced a data breach, according to Bloomberg, and security experts aren’t surprised: “Any data repository with rich personal data in it will be a target for cybercriminals,” explains cybersecurity expert Tony Anscombe, Chief Security Evangelist at internet security company ESET.
“The potential for sensitive information, such as genealogy, to be used by cybercriminals in extortion campaigns is highly probable if the information was to be compromised in a data breach,” Anscombe continues. “While regulation is no guarantee of security, it would seem logical for genetic data to be covered under a regulation such as HIPAA or something similar to ensure that companies provide adequate cybersecurity measures to protect the data.”
HIPAA is the common term used for the Health Insurance Portability and Accountability Act, which sets strict national standards for the protection of sensitive patient health information—chances are you’ve had to sign HIPAA forms at your annual doctor’s appointments. However, these standards have yet to be extended to DNA testing services, despite the fact that genetic information is health information.
“Personal information and genetic information are stored separately in secured, segmented databases,” explained a 23andMe spokesperson. “We employ the highest industry standards for authentication, encryption, and authorization to our systems … We also use the highest industry-standard security measures to encrypt sensitive information both at rest, in transit, and while processing in our databases. Access to sensitive information is limited to authorized personnel, based on job function and administrative need. 23andMe access combines token-based, multi-factor authentication, and strict least-privileged authorization controls.”
23andMe also noted that “no unauthorized incident in which customer data has been accessed or exfiltrated has been detected to date.”
AncestryDNA said it takes similar measures: “DNA Data is secured by industry-standard security measures,” said Eric Heath, Chief Privacy Officer at Ancestry. “For example, DNA samples are identified only by a barcode and we store all DNA Data in encrypted databases to ensure restricted access, and all DNA data is encrypted at rest and in transit.”
It definitely seems like data security is top-of-mind for these companies, and I would take some solace in the fact that they store genetic and personal information separately. However, at the end of the day, no company is 100% safe from data breaches, so the only way to guarantee your information is secure is to not give it out in the first place.
Who has access to your personal information?
If you’ve ever looked into or taken an at-home DNA test, you probably know there are certain choices for you to make about how your information will be shared. You can opt out of things like scientific research, but every company has its own policies on who has access to your personal information—and the number of companies that make the list might surprise you.
We asked them for clarification on what type of service providers this refers to, and here’s what a spokesperson told us: “Examples of service providers with which we may share certain information, such as certain registration information, in order to provide services to our customers include our payment processor to enable purchasing a kit on our site, our distribution center to ship kits to customers, or our third-party CLIA-certified genotyping lab to process customer samples.”
Additionally, the company’s policy states that they “may share some or all of your Personal Information with other companies under common ownership or control of 23andMe, which may include our subsidiaries, our corporate parent, or any other subsidiaries owned by our corporate parent.”
When asked the same question, AncestryDNA referred us to their (extensive) privacy statement, which reads: "We work with other companies when providing and marketing the Services. As a result, these companies will have some of your information in their systems. These companies are subject to contractual obligations governing privacy, data security, and confidentiality consistent with applicable laws. These companies include our:
- Laboratory partners;
- DNA test shipping providers;
- Payment processors;
- Cloud services infrastructure providers;
- Biological sample storage facilities;
- Vendors that assist us in marketing (including advertising), consumer research analytics, fraud prevention, and security;
- Communications infrastructure providers; and,
- Some Member Services functions."
There's also a note further down in the statement that says: "If Ancestry or its businesses are acquired or transferred (including in connection with bankruptcy or similar proceedings), we will share your Personal Information with the acquiring or receiving entity."
This is important to note, as the company was, in fact, acquired just this year. In August, it was announced that the venture capitalist firm Blackstone Group agreed to acquire Ancestry, according to Reuters. Once the deal is closed, Blackstone will then have access to all your personal information, which is concerning to privacy experts, given the company's other holdings in the healthcare and insurance sectors.
"The big concern when there is a big deal like this is that investors might be interested in that data for other reasons, and not in the ways that consumers intended when they gave over that information," Alan Butler, interim executive director and general counsel of the Electronic Privacy Information Center, told CBS News. Blackstone has said it will not be able to share data with the other companies in its investment portfolio, but these policies could very well be changed down the line.
Why would VC firms even want your DNA data? Such large databases of health information have huge potential for drug development—in fact, 23andMe has successfully created a medication that treats inflammatory diseases, according to Bloomberg. Given that pharmaceuticals is such a lucrative industry, it's no surprise that DNA and health data are in hot demand.
So while you may feel comfortable sharing your information with, say, AncestryDNA, they're far from the only company that will have access to your sensitive data. Your DNA results—and other personal details—may be kept in the databases of several companies, and it could very well change hands down the line, ending up in the possession of businesses with more lax security and privacy standards.
What do companies do with your biological samples?
Most DNA tests require you to either swab the inside of your cheek or spit into a tube—but what happens to these biological samples once testing is complete? You might assume the company destroys them, but that’s rarely the case unless you specifically request it.
“All customers have the choice of whether or not to have their saliva sample biobanked, or stored,” explains the 23andMe spokesperson. “If they do not elect to biobank their sample, it is destroyed after testing is completed.”
AncestryDNA, on the other hand, stores user DNA as a default: “After testing is complete, any remaining DNA from your test is archived and stored in a temperature-controlled, secure facility with 24-hour monitoring and limited access,” the company explains. You can request to have your biological sample destroyed, but you have to contact their customer support team to do so.
Ancestry also offers users the option to delete all their data, including DNA test results, noting that it will be permanently erased from “production, development, analytics, and research systems within 30 days.”
Can law enforcement access DNA databases?
Last, but perhaps most pertinently, many people (myself included) are wary of their DNA being accessed by law enforcement. After all, a database with millions of people’s DNA results is basically a goldmine for police and other agencies, allowing them to identify suspects in cases where DNA evidence is (or was, in the instance of cold cases) collected but has no match in public databases.
Even if criminals themselves aren’t in the database, there’s a good chance one of their relatives might be. Case in point: Law enforcement used information from the genealogy site GEDmatch to help track down the Golden State Killer in 2018 using DNA information from his distant relatives, according to The New York Times. And while I, for one, am happy that a serial killer and rapist has been brought to justice, I’m still not entirely sure I would want my DNA accessible by the police—after all, I’m a good, law-abiding citizen.
DNA testing companies, including both 23andMe and AncestryDNA, are the first to loudly proclaim they do everything possible to keep law enforcement out of their databases, including pushing back legally on overly broad or unfounded requests, but at the end of the day, they do have to comply with some subpoenas, warrants, and other court-ordered requests. To this end, both 23andMe and AncestryDNA release annual “transparency reports” detailing how many requests they get from government/law enforcement bodies. To their credit, both companies have been successful in deflecting most (if not all) of these requests for user data.
However, the same can’t be said for all DNA testing companies. At the end of 2019, a Florida judge ruled to give law enforcement access to the entire GEDmatch database, which includes more than 1 million users, according to The New York Times. Experts have warned that this ruling set a new precedent and would likely encourage other agencies to request similar search warrants in hopes of accessing larger databases. For reference, AncestryDNA has more than 15 million users, and 23andMe has upward of 12 million.
To prevent these types of warrants from becoming the norm, some policymakers have sought to pass new legislation to keep law enforcement out of DNA databases—for instance, Maryland is a leading state when it comes to genetic privacy, and last year, its lawmakers proposed a bill that would stop police officers from using DNA databases to look for users related to individuals who left behind DNA at crime scenes, according to Wired.
It sounds great, but other experts warn that it might not be quite so simple: “In an open democratic society, there are mechanisms that could be used to mitigate and govern DNA database access and use,” explains Prof. James Giordano, an expert in biosecurity at the Cyber-SMART Center and a Senior Scholar of the Pellegrino Center for Clinical Bioethics at Georgetown University, Washington, D.C.
“However, given the increasing utilization of DNA and other forms of biomedical, social, and economic data that are being made available to consumers (and being employed in a variety of occupational, and health care settings), the viability and value of accessing and engaging such data for purported public safety and law enforcement purposes is growing in both consideration, as well as relative ease.”
Giordano goes on to explain that while policies and laws could, to some extent, help to govern these issues, “the situation is complicated by the fact that in some cases, DNA and other data derived from ‘at-home’ assays are ‘owned’ by international entities, which may not fully comply with U.S. laws.”
Then again, having international headquarters might not be the worst thing for DNA companies. Certain countries—such as Switzerland—have less intrusive national security policies, which could potentially protect these databases from being probed by law enforcement. (This makes them a popular hub for VPN providers, who are also frequently targeted by government intelligence agencies.) However, I think it's fair to say that consumers would be more wary of shipping their DNA off to foreign-based companies, so it's understandable why the DNA testing giants haven't explored this avenue—not yet, anyway.
If you’re looking for a short answer here, the best I can give you is: It’s complicated. Is it likely that law enforcement will be able to access your DNA? No. Can the scenario be ruled out completely? Also no.
Is DNA testing right for you?
This is a whole lot of information to process, and I give you credit if you actually read this article in its entirety. I think the bottom line is that while at-home DNA testing companies do everything in their power to keep your information private, there are—and always will be—factors outside of their control. So while your genetic and personal information is probably safe, there’s no guarantee.
Anscombe also recommends prioritizing a company that allows you to request your information to be deleted: “If I was opting to take such a test (and I am not and probably never will), I would ensure that the company is located in a jurisdiction that requires them to comply with my request to delete my data on request, either as an option when taking the test or post-test. The personal information is then protected from any future data breach or request by law enforcement as it no longer exists.”
To this end, your best option may be to use a company that gives you the option to delete all your personal information and DNA results from their databases, such as AncestryDNA. No matter which service you choose, be sure you fully understand how they store, use, and share your data before you swab.
Personally, I'm still going to pass on DNA testing, as enough of my personal information is already out there—the last thing I need is for someone to steal my DNA and clone me. (Kidding, obviously, but someone did steal my identity and pose as me to get writing jobs, so maybe it's not that far-fetched.) However, if you want to learn more about your genealogy and even your genetic health risks, there are plenty of reputable DNA testing companies to choose from.