CNBC Disruptor 50

5 biggest risks of sharing your DNA with consumer genetic-testing companies

Key Points
  • Genetics testing companies, like Veritas Genetics, Ancestry and 23andMe, are providing consumers with an unprecedented level of access to their personal genome.
  • Privacy risks are not well understood by consumers.
  • Law enforcement and the federal government can pressure these companies to share your DNA.

The business of personal genetic-testing kits is booming, with consumers able to learn about their ancestry and health risks at the cost of just $99 to a few hundred dollars. Should you be afraid?

Some individuals worry they will discover things about their DNA that will be frightening — namely, the risks they run of contracting various diseases — and not know how to move forward with the information. Professional scientific skeptics contend the information may not even be as accurate as claimed, and may lead people to make questionable health decisions. But there's another type of risk that consumers aren't focusing on as much, and it's a big one: privacy. There is nothing more private than your personal genetic information, and sending away for a personal genome kit means sharing your DNA with the testing companies. What do they do with it, beyond providing consumers with genetic and health assessments?

That's a question consumers need to weigh as they consider genome testing.

Companies in this space, including 23andMe, Veritas Genetics and Ancestry, have a good reason to protect your DNA — their business future depends on maintaining the trust of consumers. But there are thorny issues related to genetic privacy that still today don't have easy answers or iron-clad legislative protections. And regulators aren't convinced they are doing right by consumers. A recent Fast Company report indicates that 23andMe and Ancestry are being investigated by the Federal Trade Commission over their policies for handling personal info and genetic data and how they share that info with third parties.

"The key thing about your genetic data ... it is uniquely yours. It identifies you, so if you are going to entrust it to a company, you should try to understand what the consequences are," said Jennifer King, director of consumer privacy at Stanford Law School's Center for Internet and Society, whose research on the issue and interviews with individuals shows a lack of consumer knowledge.

Here are five of the biggest privacy risks for consumers sharing their DNA with testing companies.

1. Hacking

Obviously, this is not a risk that the genetic-testing industry alone faces, but it is an industry that has a unique set of information on its consumers. And there was a recent hack in the space. More than 92 million accounts from the genealogy and DNA testing service MyHeritage were found on a private server, the company announced earlier this month. DNA data, specifically, was not breached, the company said. But a hack in this space is a concern, regardless.

"Protecting customer data remains Ancestry's highest priority," a spokeswoman for the company said. "We have invested heavily in building strong data security, and we make ongoing investments to continuously strengthen our security measures."

2. Who may profit on your DNA? The answer: Not you

One of the most compelling signs that consumers have a positive view of these companies is that a majority agree to let them share DNA with research partners. All of these companies make clear that they will not share your DNA with any third party unless you explicitly consent to it, but as 23andMe data shows, the vast majority of consumers opt in — at 23andMe, more than 80 percent. Ancestry and Veritas do not provide data on the opt-in percentage.

23andMe provides consumers the choice of opting into research conducted on behalf of academic, nonprofit and industry organizations. They also offer an option to consent separately to specific disease studies in which their DNA is used in conjunction with for-profit drug companies, such as the Parkinson's disease research conducted with Genentech and the lupus and IBD research conducted with Pfizer.

"If customers don't consent, none of their data is shared," a 23andMe spokeswoman said.

Consumers seem to have made the decision that altruism is the proper course of action: If their DNA can help find a cause of, or cure for, a disease, they want to be part of that process. But it also means that one day a drug company may be bringing a drug to market based, in part, on your DNA.

"People do think they are helping the world, helping society, even though they may not as an individual benefit," King said. "But if your DNA helps develop a drug for a pharmaceutical company, there is nothing governing what they do. It could be a drug they sell at a high profit but doesn't help the world become a better place."

Veritas Genetics CEO Mirza Cifric said what it learns from research becomes immediately available to consumers through updates to their own genome or publication that moves science forward. "Our primary interest is unlocking secrets that exist in the genome, not engaging pharmaceutical companies to develop drugs, although we see potential value in that," Cifric said.

Marcy Darnovsky, executive director at the Center for Genetics and Society, said this research process also means that data is shared with and passes through many partners, and in her opinion, no matter what the testing companies say, they can't ensure what those partners are doing with your DNA.

An Ancestry spokeswoman noted that the decision to share DNA for research is not irrevocable, and consumers can request to revoke that permission at any time through their account settings. But King isn't convinced: "Quitting one of these services isn't as simple as just clicking Delete. How do you verify that they've actually deleted your genetic profile or destroyed a physical sample?"

3. Laws covering genetic privacy not broad enough, experts say.

Many privacy experts are concerned that the only law currently covering genetic privacy, the Genetic Information Nondiscrimination Act (also known as GINA), is too narrow in its focus on banning employers or insurance companies from accessing this information. Other than GINA, there really is nothing, King said.

Some select groups of Americans who receive insurance from the government are not covered by GINA: individuals who receive their insurance through the Federal Employees Health Benefits program, the Veterans Health Administration, the U.S. military (TRICARE), and the Indian Health Service. However, some of these programs have internal policies that prohibit or restrict genetic discrimination, such as the Office of Personnel Management (which oversees FEHB) and the U.S. military's TRICARE insurance program.

The genetic information space is in many respects still uncharted legislative territory, and consumers are taking these companies at their word, and they do state that protecting customers' privacy is their highest priority. Ancestry reminds customers that "you own your data and you always maintain ownership of it," and "you may request that we delete your data or account at any time."

Why might a lack of strict legislation come back to haunt consumers? Keep reading.

4. Law enforcement knows these companies have your DNA, and they may want it. They're already asking.

Requests from law enforcement and courts for your data are already happening and also can be done under subpoena.

Remember the Golden State Killer case that was recently cracked after decades? It was cracked with the help of DNA from a genealogy company. Catching a murderer is a good thing, but the ability of law enforcement to target your DNA through these testing companies is a big issue.

Darnovsky noted that in the Golden State Killer case, law enforcement found their way to the suspect by using DNA from relatives. She said there is a lesson in this for consumers. "When you provide your genetic information to a DNA testing company, you are also providing information about those related to you — including distant cousins. When your relatives, including distant ones whom you may not even know, provide their DNA, they are also providing genetic information about you."

She also noted that while testing companies stress that DNA data is "de-identified" to protect privacy, data shared with researchers can be re-identified in many cases.

Requests may also come from the federal government, including the State Department or U.S. Military. King said it is much more likely the federal government will want this DNA data for law enforcement purposes rather than to exploit any employer-employee loophole in GINA.

All of these DNA testing companies explain this in their privacy statements, and 23andMe makes clear that it stands on the side of consumers. It says it will "resist" efforts of law enforcement.

"Under certain circumstances, personal information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants or orders, or in coordination with regulatory authorities. However, we use all practical legal and administrative resources to resist such requests."

23andMe provides a transparency report on all requests made by law enforcement and government to date. Ancestry provides a similar report.

King said that law enforcement has barely begun to test the power of the subpoena in this area, if at all, and so it's really uncharted territory in the legal realm. But she said there is every reason to believe the companies will defend consumers in a manner similar to how Apple has fought government requests to unlock and unencrypt iPhones.

"I think most companies approach this question from the judgment of, How much do we have to gain by violating our users' trust? vs. How much do we have to lose by not cooperating with law enforcement?" King said. She added, "Tech companies (and potentially direct-to-consumer genetic-testing companies) tend to fight requests from law enforcement and force them to go through a legal process (formally getting a subpoena); on rare exceptions they will fight to quash those. I'm sure the DTCGT are all watching these recent cases of law enforcement uploading suspect samples directly to open DNA databases very, very carefully, especially how the public reacts. I actually doubt that many of them are going to be willing to cooperate with informal law-enforcement requests."

Darnovsky noted that in addition to civil liberty issues, there may be a racial component to be concerned about: "There's great concern in the law-enforcement context both about civil liberties in general and about disproportionate impact on communities of color, because they are already disproportionately in contact with police."

23andMe has itself noted that the genetic testing industry remains challenged by a lack of diversity, and King said, "To the extent that poverty/low income is intertwined with the criminal justice system ... a focus on using these databases to identify criminals will create unease or distrust, especially among historically targeted populations."

5. The company's situation — or privacy statement — can change.

Unintended consequences — not just acute incidents like hacking — are also inherent in this business model's risks.

Companies change — they are bought, sold and go out of business — and what happens to your data then? Darnovsky asked.

In the current tech-sector regulatory landscape, privacy statements also change.

"There are no limits on what these companies can do; they just have to state it in their privacy policies, which they can change at any time (though you may have to consent to it again)," King said.

But here's the good news: These companies do have an incentive to be on the consumer's side. Without your faith in their motivations and actions, they won't succeed for long.

"The people I interviewed were generally uninformed about the potential risks and took a very optimistic view on how these companies would treat them in the future. With any luck they will be right," King said.
