Spitting for Science: The Truth about DNA Testing and Privacy

Originally Published August 4th, 2017 · Updated September 8th, 2018

23andme ignored the FDA

23andme, always preaching the importance of the individual’s right to his own personal data, would not submit to what they saw as an unnecessary barrier to self-ownership. The company continued to ignore the FDA, and in turn the FDA sent Wojcicki a letter ordering her to stop selling DNA kits.1

Remember those potential 82+ million DNA samples the government may be holding? Well, those samples aren’t particularly useful in the field of medical research. Raw genetic data can be compared to other samples to test for common ancestry and find living relatives, but the code alone tells very little about genetic predisposition for disease. This is why the government needs the Precision Medicine Initiative if it hopes to own more usable data than a non-government entity.

In an interview with NBC News, Peter Pitts, president of the Center for Medicine in the Public Interest, spoke out in favor of the NIH and against 23andme.

It’s one thing for NIH to ask people to donate their genome sequences for the higher good. But when two for-profit companies enter into an agreement where the jewel in the crown is your gene sequence and you are actually paying for the privilege of participating, I think that’s upside-down.2

Pitts’ message is clear: Give your DNA (and full name, social security number, and access to all past, present, and future health records) to the government for the higher good. Don’t pay $99 for your anonymized, aggregate data to be used by companies trying to develop better medicines.

But what about the data held by other DNA testing companies?

There are several other reputable and affordable DNA testing companies like Ancestry DNA and FamilyTreeDNA, but these services don’t have compiled health data on their members. The FDA isn’t particularly concerned with their data because it doesn’t have the valuable personal information that 23andme collects.

Also to be noted, the data collected by these companies cannot be verifiably linked to any particular person when users are submitting false names and using throwaway email addresses. Although it’s hard to determine exactly how many people have used a DNA testing service, Ancestry.com has over 10 million samples3 and Family Tree DNA has close to 1 million4. Odds are, at least one of your aunts, uncles, or cousins has already mapped you in their genetic family tree.

Alternately, 23andme has the massive data bank that the US government is trying to obtain. Currently, the power to use this data lies solely with 23andme and its partners, while the government is hoping to obtain a similar database within the next few years. It’s no wonder the FDA and 23andme have been at odds.

Genetic research has the potential to change the way medications are prescribed, the way diseases are treated, and the way people eat asparagus. Fortunately, participating in this research is much safer than most people realize. Way down in section 4.e of 23andme’s privacy policy, it mentions something called a Certificate of Confidentiality.5

If you are participating in 23andMe Research, 23andMe will withhold disclosure of your personal information involved in such research in response to judicial or other government subpoenas, warrants or orders in accordance with any applicable Certificate of Confidentiality that 23andMe has obtained from the National Institutes of Health (NIH)

Special protection for medical study participants

When you become a 23andme customer (and answer a few questions), you are technically joining a medical research study. As a study participant, you are covered by the same protections given to someone who takes part in a traditional in-person study. As of this writing, 23andme is the only home DNA test service that meets the criteria required to offer the protection provided by the NIH-issued Certificate of Confidentiality.

Per the National Institutes of Health, “A Certificate of Confidentiality helps researchers protect the privacy of human research participants enrolled in biomedical, behavioral, clinical and other forms of sensitive health-related research. Certificates protect against compulsory legal demands, such as court orders and subpoenas, for identifying information or identifying characteristics of a research participant.”6 A detailed list of court cases where the Certificates of Confidentiality were upheld can be found here.

23andme has a page documenting all data requests from law enforcement. Since the company’s inception, the government has made only six requests to obtain genetic details on 23andme members. In each of those six instances, 23andme did not provide the requested information.7

But what about Ancestry and FamilyTreeDNA? They don’t offer the extra layer of security provided by the Certificates of Confidentiality, so user data could possibly be shared with law enforcement, but it almost never happens.

Ancestry’s official position on sharing data with law enforcement:

Ancestry will release basic subscriber information as defined in 18 USC § 2703(c)(2) about Ancestry users to law enforcement only in response to a valid trial, grand jury or administrative subpoena.

Ancestry will release additional account information or transactional information pertaining to an account (such as search terms, but not including the contents of communications) only in response to a court order issued pursuant to 18 USC § 2703(d)8

Ancestry will comply with a court order, but law enforcement officials need to request the details for a specific customer. This is not a common occurrence. According to Ancestry’s transparency report,

In our history, we have received just one request relating to DNA information—a 2014 search warrant ordering us to provide the identity of a person … We disclosed information in response to that valid warrant.9

Only one request. Ever.

Ancestry complied with a warrant and shared the identity of 1 person out of over 10 million subscribers.

FamilyTreeDNA also has a transparency page and similar protocol for dealing with information requests from law enforcement. Of the three companies mentioned, FamilyTreeDNA has the most detailed genetic information, including detailed Y-DNA test data and users with the most detailed family trees.

As of May 2018 (the date of the company’s last quarterly report) Family Tree DNA states:

We received no requests for information related to genetic information of any FamilyTreeDNA member, and we did not disclose any such information to law enforcement.10

For anyone counting, that’s a total of one person’s DNA data that was shared with law enforcement out of over 15 million registered participants. (This number does not take into account several dozen inquiries regarding credit card fraud and other non-DNA legal issues.)

GEDMatch and the Golden State Killer

Police would need access to an entire database of participants in order to figure out the identity of the person attached to an unknown sample. In the recent Golden State Killer case, DNA from a crime scene was processed by an independent lab. The results were then uploaded to the public DNA database GEDmatch, where others who shared the killer’s DNA had previously uploaded their own data.11

Joseph James DeAngelo, the ex-cop and navy veteran who committed at least 13 murders and 50 rapes from the 1970s until his recent arrest, was identified with the assistance of data found on GEDmatch. Unlike 23andme and other private sites, GEDmatch doesn’t offer DNA tests, but serves as a 3rd party genetic data comparison service, run by volunteers.

GEDmatch is not affiliated with 23andme, Ancestry, or FamilyTreeDNA, nor does it offer the same level of security as those sites. Users acquire their raw genetic data files from a testing company and upload them to the GEDmatch database. In this way, people who’ve tested with Ancestry, for example, may find matches who’ve tested at 23andme and vice-versa.

Although GEDmatch has always been upfront about how data might be used by others, since April 28th, 2018, visitors to the website now see the following disclaimer:

While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes.

If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded. Users may delete their registration/profile and associated DNA and GEDCOM resources.12

Update (July 2019): Currently, by default, all new GEDmatch uploads are hidden from known law enforcement kits.

Not everyone wants to learn about their biological heritage or genetic health risks and I support an individual’s right to eschew testing. At the same time, knowing the government will likely have your data soon if they don’t already, I highly recommend owning a copy of your own raw data. It isn’t unreasonable to think that access to affordable private DNA testing may be obstructed by the FDA as Gattaca the Precision Medicine Initiative continues. The government doesn’t like competition.

  1. https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm376296.htm
  2. https://www.nbcnews.com/health/health-news/drug-giant-glaxo-teams-dna-testing-company-23andme-n894531
  3. https://www.ancestry.com/corporate/about-ancestry/company-facts
  4. https://www.familytreedna.com/why-ftdna.aspx
  5. https://www.23andme.com/about/privacy/
  6. https://humansubjects.nih.gov/coc/faqs
  7. https://www.23andme.com/transparency-report/
  8. https://www.ancestry.com/cs/legal/lawenforcement
  9. https://www.ancestry.com/cs/transparency-2015
  10. https://www.familytreedna.com/learn/ftdna/transparency-report/
  11. https://www.theatlantic.com/science/archive/2018/04/golden-state-killer-east-area-rapist-dna-genealogy/559070/
  12. https://www.gedmatch.com
