Think twice before using a DNA test – they're a privacy nightmare

This Christmas, you may be thinking of gifting a DNA testing kit, and exploring your genetic and family roots. But these popular services may come with associated privacy risks and lead us to question how private our DNA actually is.

When it comes to privacy, we usually recommend things like the best VPNs and discuss how to stay safe online. But what about genetic data sharing? Is it possible to protect your personal privacy when it comes to these testing kits?

What are the concerns?

Data removal service Incogni has extensively analyzed the health data privacy policies of the 10 leading DNA testing services, investigating potential areas that could compromise users' most sensitive personal information – their genetic data.

Legal language in the companies' privacy policies was described as "muddy," and research uncovered significant trends regarding data anonymization, the storage and destruction of physical DNA samples, and the policies governing data sharing with law enforcement.

Four out of 10 services (23andMe, SelfDecode, Toolbox Genomics, and Everlywell) collect personal data for marketing purposes, claiming to do so with aggregated or anonymized data.

Four services (SelfDecode, LetsGetChecked, Toolbox Genomics, and Everlywell) state they comply with law enforcement when "legally compelled only" or under a "good faith belief" that disclosure is necessary. These terms are vague and could allow information sharing without a warrant.

Four out of 10 do not specify where physical samples are stored. The remaining services reference storage locations such as a "secure facility" (Ancestry), "Biobank" (23andMe), or a "lab in Houston" (FamilyTreeDNA). All services retain physical samples for extended periods.

Half of the services (Living DNA, FamilyTreeDNA, DNA Complete, SelfDecode, and Toolbox Genomics) lack a clear Health Data Privacy Policy.

Finally, every service analyzed collects technical user data and user interactions, such as IP addresses and browser details. These can be used to identify users even when anonymized.

How are these companies using your data?

Incogni found that customers' genetic data was being used for four things. First, it is used for advertising and marketing, although the services add a disclaimer saying that genetic data used for advertising is anonymized and aggregated.

It is also used for conducting research, although users have to opt in to DNA-based research. In addition, it is used for improving and providing a service.

Image: Incogni table displaying how companies use genetic data (Image credit: Future)

Further risks

Users put a lot of trust in the hands of these companies when handing over their genetic information, and it is vital anyone using these services reads the privacy policy, fully understanding how their data is used.

Two of the services have faced lawsuits for alleged mishandling of customer data. In October, DNA Complete (previously Nebula Genomics) faced federal action in Chicago for allegedly violating Illinois state law by disclosing users' genetic information without written consent.

Everlywell was the subject of a lawsuit back in April as it was found to have exposed users' protected health information to Facebook and Google through tracking pixels.

There is also the risk of data breaches, and some of the companies analyzed have experienced a breach in recent years.

In December 2017, Ancestry was hit by a breach which exposed 297,000 user email and password combinations, although customer DNA data appeared to be unaffected. In October 2017, details of over 92 million MyHeritage users, including email addresses and passwords, were exposed in a security breach.

A credential-stuffing attack hit 23andMe in 2023. The attack targeted Ashkenazi Jewish and Chinese users and profiles, and sensitive information was put up for sale on the dark web. The failure to notify and protect customers led to a lawsuit in which 23andMe paid out a reported $30 million.

That isn't the only issue 23andMe has experienced recently, as the company is reportedly on the brink of bankruptcy. This could have serious ramifications for customer data, as genetic information could be sold. Data that has already been sold cannot be deleted.

Customers do have the ability to delete their data; however, the company appears to keep it for three years following deletion, citing "compliance with legal obligations."

This shows how little control customers appear to have over their genetic data, and many will be worrying about what would happen to their data should 23andMe (or a similar company) collapse.

By law, the processing of personal information must match the terms outlined by the original data processor (service), or the new data processor must obtain explicit consent from users.

However, it's possible for users to miss such notifications or neglect to read new terms fully, which could have serious implications for their privacy. This is why fully understanding these policies is so crucial.

Is there a way to protect yourself?

The first, and arguably simplest, step would be to not purchase or gift one of these testing kits. Many of us are intrigued and curious about our genetic and family origins, but these desires should be weighed up against the risk posed to our genetic data.

If you choose to go ahead and purchase and complete one of these kits, then there are some things you can do to potentially reduce your risks.

The analysis found that these companies received non-genetic user information from third parties. Data removal services, such as Incogni, are useful tools for removing your personal information from the internet.

Data removal services seek out data brokers, and if they hold records of your data, send removal and deletion requests. This means the data brokers can't sell your data to other third parties. Incogni repeats these requests on a regular basis, closely monitoring for appearances of your data.

Data is collected and sold through cookies and trackers, so use a VPN when browsing, and remember to always reject optional or marketing cookies. VPNs change your IP address, making it appear as though you are in a different country. They also encrypt your traffic so it cannot be seen by third parties.

Secure browsing is an emerging technology, and VPN provider IPVanish recently introduced this feature to its service. Its secure browser is an industry first and works via the cloud. Your browsing session is encrypted and private, with trackers and cookies eliminated.

The DNA services are collecting technical information, including IP addresses, when you access their sites. Using a VPN when visiting these sites will allow your information to remain private, as the IP address seen visiting the website will be that of the VPN company and not your personal, and identifiable, IP address.

Many of the top VPNs have no-log policies. This means no identifiable data is collected or stored, and you can remain private online.

The collection of this technical and non-genetic personal information means that even though your genetic data may be anonymized, it is possible to re-identify you when all the data is put together.

Serious questions need to be asked

Incogni's research is damning, and reveals the true extent of the data privacy risks DNA testing kits pose. Jigsaw identification is possible through the collection of other personal and technical data, leaving users vulnerable – especially data that singles out users from ethnic minority backgrounds and groups.

Data breaches, mishandling, and vague privacy policies all pose significant risks to users, and serious questions need to be asked about the future of genetic data collection.

George Phillips
Staff Writer

George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights, censorship, data, and the interplay between cybersecurity and politics. Outside of work, George is passionate about music, Star Wars, and Karate.