Proton

DNA companies are using, sharing, and profiting from millions of people’s genetic data in ways they can’t always control.

Genetic testing companies have become very popular in the last decade as people seek to find out who they are and where their ancestors came from. However, the privacy implications of for-profit companies owning the genetic data of millions of people need to be addressed, as these DNA testing services reveal some of your most private data. This data can then be used for ends you may not be aware of and can’t always control. 

What is at-home DNA testing?

At-home DNA genetic tests are commonly sold online directly to consumers by high-tech testing companies. These tests use a biological sample that you collect yourself (such as saliva, blood, or a swab from inside your cheek) and send back to the vendor, which then checks the DNA of your cells.

These tests can give you information about:

  • Your health
  • The health of your family
  • Who your biological parents are
  • Your ancestry
  • Your ethnicity
  • The likelihood that you will contract certain diseases in the future

Some genetic tests even claim they can tell you which sports you will excel in or what type of wine you will enjoy(new window). However, people who take at-home DNA tests are usually curious about their ethnic history or parental background, or they hope to use the results to inform lifestyle changes that may reduce the likelihood of contracting a disease they are genetically predisposed to.

At-home genetic DNA tests are not the same as genetic tests prescribed by a medical professional for diagnostic purposes. Instead, at-home tests are run by for-profit companies that give customers insight into their genome.

Who runs genetic testing services?

Traditionally, genetic testing has been carried out by scientific or healthcare organizations  that use genetic samples to conduct large-scale medical research or screen individuals for genetic diseases. However, there has been a proliferation of direct-to-consumer genetic testing services in the last decade as the testing methods have become cheaper and more accessible. The most popular genetic testing company in the US  is 23andMe(new window), which gives their customers information primarily about their health and ancestry.

The important thing to note about these direct-to-consumer genetic testing companies is that they are for-profit high-tech businesses, which means they do not need to follow the same regulations as scientific or healthcare organizations. These companies can be sold (along with their data) and can change their privacy policies at will.

DNA testing privacy issues

Genetic testing reveals some of your most personal and intimate data;your biological makeup can identify tendencies or vulnerabilities that you yourself might not even be aware of. This data can also be used to implicate you in crimes, reveal family secrets, or deny you some types of insurance. If stored insecurely, your personally identifiable information and genetic data could also be hacked, exposed, or leaked.

DNA data breaches and leaks

In 2018, the genetic testing company MyHeritage reported a data breach(new window) that included all the email addresses and hashed passwords of over 92 million users. Although credit card and genetic information were stored separately and not affected by the hack, this breach shows that you cannot always trust companies to secure your data. 

A hack that exposed the genetic information of millions of people could have severe consequences. For example, genetic data could: 

Unlike other data breaches that expose credit card information or passwords, you cannot change your DNA after it has been leaked online.

Law enforcement and genetic tests

Like all companies, direct-to-consumer genetic testing companies are subject to the laws of the country they are based in. As such, they must comply with any legitimate legal requests from the authorities of that country. Privacy laws that govern who can access citizens’ data and what  it can be used for vary from country to country.

Both Ancestry(new window) and 23andMe(new window) have transparency reports and law enforcement guides on their websites that detail the circumstances in which they will hand over their users’ data to law enforcement agencies.

Using forensic genetic genealogical data to find and apprehend criminal suspects is a growing trend within law enforcement, particularly in the US, where several high-profile cases have been solved using this method (sometimes called long-range familial search). This method of investigation uses DNA samples gathered at a crime scene, which is then used to find potential relatives of the suspect by comparing their DNA to the DNA profiles held in a genetic testing company’s database.

The most famous case that was solved using genealogical data is that of the so-called Golden State Killer(new window) — a case that went unsolved for over 40 years. During the investigation, law enforcement subpoenaed a DNA testing company, forcing them to reveal the identity of one of their customers whose genetic markers partially matched with the killer’s. This genetic data cast suspicion on an elderly man living in a nursing home(new window). Investigators obtained a warrant to take his DNA, and he was subsequently proven innocent. Four months later, the case was solved using further genetic data that genealogical enthusiasts had uploaded to a public database.

The Golden State Killer case highlights genetic data’s capability to bring violent criminals who might otherwise have escaped to justice. It also exposed how databases of people’s genetic makeup can lead to people finding themselves implicated in crimes they had nothing to do with, even if they did not share their DNA themselves.

Family secrets

Direct-to-consumer genetic testing can also reveal long-hidden family secrets, which in some cases have caused life-changing family breakdowns, leading to questions about informed consent and whether these companies have the right to expose such information.

While adoptees might find genetic testing useful in the search for their biological parents, there have also been cases of people accidentally discovering that they were conceived by donor sperm(new window) or as the result of an extramarital affair. Genetic databases can also reveal that people have siblings they did not know about or that their family misled them about their ancestry.

This information is life-changing for the people who discover it, but could be used to blackmail or extort people in the wrong hands. In the case of DNA theft(new window), the person who receives your genetic analysis may not even be you but someone imitating you and hoping to use your results for nefarious means.

DNA testing and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) protects people’s medical information in the US when it’s managed by doctors, hospitals, and health insurance companies. Although this covers genetic tests ordered by your doctor or healthcare professional, it doesn’t cover tests by for-profit genetic testing companies like 23andMe or Ancestry, as these are not considered medical tests.

These companies are not required to keep your genetic data private like medical professionals are. Instead, they are only bound by their privacy policies (that they can update or alter at any time) or state laws such as California’s Genetic Information Privacy Act(new window). This means using direct-to-consumer DNA tests offers you much less legal privacy protection than having a DNA test done by a medical professional.

Learn more about privacy and HIPAA.

Your genetic data isn’t just yours

When you take a DNA test, you are not only sharing your own personal genetic data with that company. You are also sharing the genetic information of everyone you are related to and those who aren’t related to you but are similar to you in other ways. 

The millions of data points that DNA testing companies receive mean they can make surprisingly accurate predictions about the ancestry, health, and even sexual preference(new window) of people with shared traits, regardless of whether those people are related.

In this way, your DNA is similar to much of the rest of your personal data in that companies or governments can use it to learn about you and predict or influence your behavior. (For more information about how collective privacy benefits us all, read our interview with Carissa Véliz.)

Genetic testing companies can only provide ancestral histories for their customers when the rest of their customers agree to share their genetic data. That is how they can find biological relatives, even ones who had previously been kept secret by the rest of the family, or those who may not want to be found. When customers of genetic testing companies order a DNA test, it’s unlikely they consider whether these for-profit companies can be trusted with their secrets and the secrets of everyone they are related to.

Can DNA testing companies share my data?

Yes. Companies that hold your genetic data for ancestral purposes need to share your data with other customers in their database to make biological links between you and your potential relatives. You can opt out of this service, but then you will be unable to match with your relatives, just as they will be unable to match with you.

DNA testing companies are also forced to share your data with law enforcement agencies if they are issued a legitimate legal request. One of the largest private genetic testing companies, FamilyTreeDNA, doesn’t even require a legal request — they are voluntarily cooperating with the FBI(new window) to give agents access to their genealogy database.

Genetic testing companies such as 23andMe or Ancestry can also sell your de-identified data to research organizations that want to develop new pharmaceuticals if you agree to share your genetic data for research purposes (as 30% of customers do(new window)). However, a 2016 survey(new window) showed that only a third of companies that offer genetic testing services online properly explained to customers how their data would be used.

While developing new effective medicine is good, these companies can make a huge profit(new window) selling your valuable data, while those whose data they’ve sold don’t see any compensation.

Taking care of your personal data

If you still want to get, or have already had, a private genetic test from a company like 23andMe, you can still take steps to protect your personal data. When ordering a test, make sure you do not opt in to more data sharing exercises than you need and make sure you read the privacy policy. For example, you can opt not to share your data for medical research or with people who want to find relatives. You can also get the results emailed to an encrypted email address with Proton Mail(new window), to ensure that they are end-to-end encrypted while at rest on our servers (and therefore cannot be accessed or leaked by anyone without your private key).

If you have already shared your data with a genetic testing company, you can contact them to delete any data they still hold on you. Having your data deleted from their servers means your information will be protected in the event of a hack or data breach at the company.

Once your data has been used for research or otherwise shared with third parties, it generally can’t be called back, even if you contact the company to delete it. Your genetic data may have been used in research that has already been published, for example.

The best way to ensure your data is secure and private is to not share it in the first place. If you are considering getting a genetic test, ask yourself how necessary it is. These tests are not the same as those ordered by a doctor and can’t be used for medical purposes. They also may not be as accurate as you’d hope — as an analysis in Genetics in Medicine(new window) found that 40% of variants associated with specific diseases were shown to be false positives. If you are interested in learning more about your ancestry and relatives, you may be able to find as much information by studying public records as you would from the test, rather than sharing your genetic data with a for-profit company.

Related articles

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.