You won’t get much for selling your DNA

If you’re a fan of a podcast, you’ve probably heard the ads for 23andMe, a genetic home test kit promising to elucidate what makes you, well, you. You might also have heard of the Ancestry kit, which promises to connect you to your family tree and help you discover your ancestors. Or MyHeritage, LivingDNA and a myriad others out there. Some kits test for allergies, some test your lifestyle disease susceptibility, some your propensity for aggression or anxiety. Put simply, there’s a test kit for everything these days.

The search for our identity and the desire to be an individual is a unifying human experience, particularly in a world where everything feels catered to the lowest common denominator. While the need for a collective identity has fuelled the growth in ancestry services online and now in DNA testing kits, the impersonal approach healthcare seems to favour has seen people refuse the one-size-fits-all approach.

We’re used to measuring our health using tools like body mass index (BMI) and resting heart rate, while fitness trackers are becoming increasingly ubiquitous as manufacturers make them sleeker, cooler and more sensitive to more variables. It feels like a baby step to turn our attentions to what’s under the hood—our genetic code.

On a very basic level, it’s another method of building a family tree, and it makes perfect sense for Ancestry.com—the most popular family-tree service—to offer a kit to test heritage. They’re not alone in this.

Many DNA testing services allow customers access to a database of other users to find long-lost or undiscovered family links. People assembling their family trees can find cousins six-times removed or even siblings; adopted children can learn about their biological families; and there are even stories of people discovering their parents’ infidelity. Imagine taking a light-hearted Christmas present test and discovering your dad isn’t actually your father—your mum had an affair. Merry Christmas, everyone. Some things are secret for a reason.

But it’s not just your background you can look into; you can also investigate your health.

The discovery and mapping of the complete human genome in 2003 introduced the possibility of individualised medicine and personalised nutrition to tailor a person’s lifestyle to their physical and genetic makeup. Genome-wide profiling, offered by the likes of 23andMe, can provide information about a person’s genetic risk for up to 40 common polygenic diseases and proponents state this may result in healthier lifestyle choices. That’s the idea, anyway. But sceptics argue this kind of testing can cause anxiety and harm, potentially even leading people to pursue unnecessary and expensive screening tests and procedures. In one study, a group of subjects had their genomes profiled using commercially available tests, with the results showing no measurable changes in the subjects’ approach to their lifestyles: no change in anxiety levels, dietary fat intakes or exercise frequencies. There are two possible explanations: they saw it as a just-for-fun exercise and promptly moved on with their lives, or they simply didn’t have the follow-up dietary advice or lifestyle change advice to accompany their diagnoses.

That’s one problem with these tests; the propensity for companies to leave their users either bewildered or apathetic. Their customers need more than a simple diagnosis—they need advice.

DNA testing companies search the DNA in your saliva for genetic variations called single nucleotide polymorphisms. Human DNA comprises four nucleotides—or chemical bases—A (adenine), T (thymine), C (cytosine), and G (guanine). We have 3 billion pairs of bases (6 billion nucleotides in total) in a chain: the genome. Most of the sequence is identical in every single human—we wouldn’t be humans if it weren’t—so the companies look for specific single nucleotide polymorphisms, the specific letters that vary from person to person. Various physical traits are associated with certain SNPs (like eye colour) and some point to disease perceptibility.

To those concerned, remember genetic risk is all about probability—you may well have an SNP associated with a 10 percent increased risk for a scary-sounding disease, but if that disease only affects 0.01 percent of people, your risk is still just 0.1 percent. Companies should communicate this, but likely don’t—comforted people can’t be convinced to part with their money. Companies should also tell you that simply having a particular SNP isn’t a diagnosis. A medical professional should be your first port of call for any concerns, not a $99 genetic testing kit.

Companies will typically offer multiple options: a basic package testing for a couple of basic genetic variants (you’re probably from Europe) and pricier kits including tens of thousands of variants (you’re probably from this tiny village you’ve never heard from in Montenegro and you’re probably going to develop diabetes). Some tests will tell you about your strength, your body type or your hot-headedness  but complex traits like intelligence are influenced by many genes and environmental factors can’t be predicted, so steer clear of tests claiming to know your IQ.

But companies don’t practice discretion in offering tests: if someone wants to buy, they’ll happily sell. BRCA1 and BRCA2 testing can predict your likelihood of developing breast cancer, and some people do use this information to pursue mastectomies—but companies don’t ask if you’re Ashkenazi Jew, who are at much higher risk of possessing the faulty gene, and should therefore be warned of their higher chance of testing positive. The companies don’t care if you’re a person of colour or of African descent and will therefore receive a report saying your heritage is of ‘low confidence’ or ‘inconclusive’—hardly the result you were promised or looking for. You’ve bought the test and it’s likely you’ll buy another if you’re really dedicated to gleaning every bit of information you can.

Oh, and if you’re not a white man, take all your results with a pinch of salt.

Results acquired in one population are rarely generalisable to other populations and most research is conducted on white men. On top of that, people with European backgrounds are overrepresented in the reference data, and those from the Middle East or Asia are likely to get very vague predictions as to their ancestry. Fortunately for everyone, as more research is done on a more diverse range of people and as more people contribute their data to the research bank (your DNA will be used to compare against future customers), analyses can be improved to provide more detailed information to people around the world.

Except, that’s really not fortunate at all. More people taking these tests means more data for these companies to exploit. You’d hope this exploitation would benefit mankind, and indeed, in some cases, it does: using customer-provided data 23andMe has reported some preliminary discoveries linking detached earlobes with the risk of Parkinson’s disease. Crowdsourced science at its best.

But for every positive, there’s a minefield of negatives—most concerning of which is genetic privacy.

A proper regulatory climate is necessary to empower and protect the individual, given the ethical issues at stake: once you take that test, the companies—money-making businesses—hold your DNA. If you thought access to your email inbox was bad, think how bad handing over the literal password to you could be. Policymakers around the world need to ensure there are stringent laws in place to guarantee data protection and privacy, and on top of that, an enforcement environment should regulate the information disseminated to consumers. This kind of industry needs an unbiased scientific knowledge base, a regulatory body, and water-tight data protection laws: it needs checks and measures and tight global control.

More than 12 million people have had their DNA tested by commercial services, and that number is expected to grow substantially as everyone jumps on the bandwagon, but few people seem to be questioning what happens to your genetic information once you’ve had a brief introduction to it.

Do people simply underestimate the potential in a tube of their spit?

Genetic data can be stored indefinitely. It’s a line of biological computer code—no need for cold storage or specialist facilities. If you had the time (and space) to write 6 billion letters on a sheet of paper, that would do.

Ancestry.com released a telling statement when one woman discovered her biological father was her parents’ fertility doctor: ‘DNA testing helps people make new and powerful discoveries about their family history and identity.’ (So far, so good.) ‘With Ancestry, customers maintain ownership and control over their DNA data.’ (So ends the good.)

Yes, anyone who takes a test ‘can change their DNA matching settings at any time, meaning if they opt out, their profile and relationship will not be visible to other customers,’ says the statement, but that tells us nothing about the control Ancestry.com now has over your genetic code.

The sale of DNA databases for private research is a huge ethical concern and should worry you. However, the public at large has a myopic attitude to exactly what a company will do with your most personal information. It is naïve to assume the companies offering the tests have ‘fail-safe privacy and security policies’ or that the European GDPR protects us. Creating regulations isn’t the same as creating compliance: GDPR is evidence enough of that.

Companies offer ‘cheap’ DNA analysis for the same reason Facebook and Google are free: you are selling your data in exchange.

This data is not being used to benefit humanity. It’s sold to undisclosed third parties to benefit another private company’s bottom line. GlaxoSmithKline gave $300 million to 23andMe for access to its database, and 23andMe is owned in part by Google Ventures. Alphabet, Google’s parent company, pays Ancestry.com for its data.

And it’s not as though you can anonymise DNA.

Law enforcement can make undisclosed requests for your genetic code which isn’t necessarily a bad thing if it’ll catch criminals like in the case of the Golden State Killer, but it would at least be nice if they asked permission first. Currently, they just need to issue ‘a valid request’ with no definition for ‘valid’. Health insurance companies could raise your premiums or even deny you coverage if they can see everything about you—you take a seemingly harmless and fun test to discover a little more about yourself and suddenly you can’t get health insurance. Sure, you can delete your data at any time from your DNA testing company’s online database, but that makes no difference if they’ve already sold it on.

According to the American Counsel for Life Insurers, a life insurance company may ask an applicant for any relevant information about their health—including the results of a genetic test. Applicants are under no obligation to share this data, but there’s nothing stopping the testing companies selling it behind your back. Many companies share the same privacy policy—which few people read because it’s long and boring and we’re used to just hitting accept on long and boring terms and conditions—allowing them to sell your information to third parties ‘in order to perform business development (make more money), initiate research, send you marketing emails (make more money), and improve our services (make more money).’

On top of companies selling your data, people are stealing it. In June 2018, MyHeritage announced that 92 million users had their data leaked from the company’s website—fortunately, this was ‘just’ their emails and log in passwords so their DNA information was ‘safe’. 300,000 users of Ancestry.com suffered the same in 2015. Emails and passwords sounds tame compared to the potential breach of security surrounding your genetic makeup, but experts reckon that kind of leak is just around the corner. As databases grow, the temptation to steal increases. ‘If I know someone’s mother, father, sister, and descendants, imagine how convincing a phishing email I could create. Imagine how I could fool your bank,’ said security expert and founder of Have I Been Pwned Troy Hunt. 

Even if no one nicks your data and you find the one scrupulous company that won’t sell your information, you’ll probably do it yourself. The one thing we all have in common? We all love to talk about ourselves. Given the information, you’ll share it—that’s just human nature—and in today’s world, you’ll share it online. You’ll share a snap of your report and unleash unencrypted and unprotected data to the third-party platforms just waiting to devour it.

You have no legal protection in any case. The California Supreme Court case Moore vs Regents of the University of California found individuals no longer have claim over their genetic data once they relinquish it for medical testing or other forms of study. When your testing company sells your information to a pharmaceutical company or a research project, which you allow them to do in the terms and conditions you accepted, that’s that—it’s no longer your information.

Even worse, so many people have now used these services that we’ve reached saturation point: every one of those 12 million people has contributed so much information to the public database that you don’t even need to share your own DNA to be tracked down. That’s how the Golden State Killer case was solved: an old DNA sample from a crime scene was used to create a fake profile on one of the testing sites, which was matched with one of the killer’s relatives, which then led to him. Three steps, case closed. Good for law enforcement; bad for personal privacy. Imagine a hostile government tracking down protestors via DNA left at a rally; or debt collectors chasing you because they found you share a great-great-grandparent with a deceased debtor.

One study in Nature found up to 60 percent of Americans of European descent could be identified by the information about their third cousin—on average, each person has around 850 relatives who are third cousins or closer. If an investigator knows your age, that ‘reduces your search space by a factor of 90 percent.’ If they can put your location within a 50-mile radius, that’s another 50 percent of searches excluded. If they know you’re female, that’s the number cut in half again. It takes some digging to get to you from your third cousin, but given all the data we already share online with no qualms, not impossible in the slightest.

Some companies have been listening to the concerns and a new set of voluntary guidelines have been produced to protect customer privacy. Companies 23andMe, Ancestry, Helix, MyHeritage and Habit have all signed and will now ‘obtain express consent’ from customers before transferring their genetic data to third parties, and promise to publish annual transparency reports about the data access by law enforcement. Voluntary guidelines are not regulations and rely on the companies involved keeping each other in check; compliance is only ensured by a company’s disclosure and there’s nothing stopping them from simply lying. Cynical but true.

In exchange for a smattering of information about your health or history, these companies are getting everything about you. Don’t let curiosity lead you to blindly give away everything about you. You can change your name, your appearance, your phone number and even remove your fingerprints if you need to disappear—but you cannot change your DNA.