Online DNA Spit Tests Are NOT Secure

DNA gene testing-1 (2)

TechViews News   …..

In the hopes of locating a distant relative, or follow a family tree, many people are turning to online kits that allow you to spit into a tube or swab the lining of your mouth and have your DNA tested and catalogued. That identification process allows technicians to match your DNA with other persons with a similar or close DNA structure.

What you are not told is that your spit sample – and therefore your DNA sample – is not secure. The donation agreement may say security is a top concern of the service, but that’s just for the sample, NOT for the outcome of the tests.

That is resulting in privacy concerns from medical groups, bioethicists, and legislative bodies.

Whether it’s a political figure claiming indigenous heritage or a CEO with a genetic risk for mental illness, any one of these factors could be used against someone if they got into the wrong hands. And unfortunately, that is beginning to happen in a scary Big Brother way.

The most prolific genetic testing companies take thorough steps to protect your privacy, such as scraping personal identifiers like your name from your genetic code – but then they turn around and sell your personal data to researchers or drug companies. They also typically store your personal information and your genetic data for a set amount of time, making it available to others if requested.

But those protocols do not protect against several key vulnerabilities, experts say.

One involves what can happen to the data outside of the tough-to-define walls of a DNA testing service. While genetic testing companies can and frequently do share genetic data with researchers and drug companies, individual users can also upload their private, non-anonymous DNA reports to public databases like GEDmatch. That service, which was used to home in on the Golden State Killer suspect, allows for the identification of relatives who haven’t even taken a genetic test.

Even large pools of anonymized genetic data can theoretically be tied to an individual. For at least the past decade, researchers have demonstrated that by cross-referencing anonymous DNA data with datasets that include personal information, such voter or census rolls, they can correctly identify significant portions of participants.

Privacy experts and bioethicists say all of these issues make the current landscape of genetic testing ripe for potential calamity.

You can cancel your credit card but you can’t change your DNA which identifies your heritage and genetic predispositions, or your chromosomal pairings which identify your true gender.

When you mail your saliva sample to a company like 23andMe, Ancestry, Helix, or any one of a handful of current DNA testing startups, they run an analysis of the genetic data it contains. That DNA data includes your unique genetic code with predispositions as well as your ancestry data, which can point to relatives.

Ancestry, 23andMe, and Helix all claim that their privacy policies are designed to protect people’s data “within the walls of their platforms”. But what happens outside of their domains is where the problems begin.

In the case of the Golden State Killer, law enforcement agents uploaded their suspect’s DNA to the open personal genomics and genealogy database GEDmatch using a sample from a crime scene. Then, with the help of a team of experts, they were able to comb through and compare several sets of data until they found their suspect, Joseph James DeAngelo. Key to their discovery was the fact that 24 of DeAngelo’s relatives had participated in GEDmatch seeking nothing more than other relatives for building a family tree.

Now this sounds good for solving crimes, but what if the DNA match is close but not exact? Several times that has happened and prosecutors have moved forward in charging persons with crimes they didn’t commit. Because there was a “probability” of match was enough for jurisdictions to act.

You share a lot of your DNA with your parents and siblings, and less with more distant relatives. But by comparing an anonymous DNA sample with identified ones, researchers can triangulate in on a person’s relatives, and then, identify the probability of the person themselves.

Dawn Barry, the president and cofounder of genetic research startup LunaDNA and a 12-year veteran of biotech giant Illumina, says:

“We need to prepare for a future in which direct genetic identification is possible,” she told Business Insider Magazine during a meeting on the sidelines of a health conference organized by the Wall Street Journal.

Since roughly 2009, researchers have demonstrated that by comparing large sets of supposedly anonymous DNA data with public datasets from censuses or voter lists, they could correctly identify between 40% and 60% of all genetic testing participants.

And DNA databases have grown exponentially since that 2009 experiment.

As of last fall, more than 19 million people had taken a private Ancestry or 23andMe test. On the heels of their growth, participation in public databases like Promethease and GEDmatch have ballooned as well.

“Data is data — once it’s out there, it lives in the open, public arena,” Hazel said.

Last November, Yaniv Erlich, a geneticist and the chief science officer of ancestry company MyHeritage, led a study published in the journal Science in which he looked at DNA data from GEDmatch and MyHeritage. Erlich concluded that with a current collected genetic database of 1.3 million US residents, roughly 60% of all white Americans could be traced to a third cousin. Many persons identified had never taken a genetic test, much less had their DNA collected.

“In the near future,” Erlich wrote in the paper, “the technique could implicate nearly any US individual of European descent.”

But that is an example of ancestry testing. Imagine a near future where a company, or government jurisdiction wanted to “round up the usual suspects” with only a spit test to go on. Someone could be placed in some future concentration camp for merely having a “probability” of being related to someone.

Now it gets even scarier … most of those services allow you to download – via email – a copy of the written code you provided though your DNA spit test.

Once a customer downloads their genetic data, however, it is no longer protected by any of the company’s security measures.

“What you do with your data is your responsibility, whether that means sharing your DNA results with others, sharing through 23andMe, downloading your data via email, or anything else,” 23andMe’s website reads.

Even bigger, once you have downloaded your DNA code for yourself, you have released the company from continuing to maintain your privacy, since they no longer have control of its contents.

Hazel thinks more users should be aware of these vulnerabilities, as well as the various ways their data may be used that go beyond their initial intentions.

“It comes down to the trade-off,” he said. “How comfortable are you with how the data might be shared and used?”

So … if you haven’t donated your spit to an ancestry tracing laboratory, don’t.

And if you have, contact that company and inquire as to how you can get your data deleted from their records. And, by the way – good luck with that.

Be Safe – Backup Your Data Regularly!

**********

And don’t forget to take advantage of our FREE subscription to the TechViews News Updates. You will receive all of our updates and posts the moment they are published.

Advertisements