Why you should pay attention to your at-home DNA test’s privacy policies

The past few years have seen at-home DNA tests explode in popularity. And while they may seem like a harmless way to gain insight into family history, they could have devastating privacy consequences. Recently, the Pentagon warned military personnel to avoid home DNA tests, citing security risks. You might think this warning is irrelevant if you aren't in the military, but the Pentagon's concerns echo those of privacy advocates.

The warning went out in an internal memo signed by Joseph D. Kernan, the undersecretary of defense for intelligence, and James N. Stewart, the assistant secretary of defense for manpower. According to Yahoo News, it read, "Exposing sensitive genetic information to outside parties poses personal and operational risks to Service members."

By the start of 2019, over 26 million people had taken an at-home DNA test. If you aren't sure what that means, think of companies like Ancestry and 23andMe, which are among the outside parties that the Department of Defense is concerned about.

The memo went on to add that at-home DNA tests are "largely unregulated and could expose personal and genetic information." This could then "potentially create unintended security consequences and increased risk to the joint force and mission."

Concerns around at-home DNA testing aren't limited to the Pentagon. Last year, GEDmatch, an open database site where users upload their own genetic information, gained publicity after police used it to find Joseph DeAngelo, the Golden State Killer responsible for over a dozen murders and rapes in the 1970s and 1980s.

Many people started to look positively at DNA tests as a result. However, Slate noted that the move had similarities to Facebook's Cambridge Analytica leak, further illustrating that your data is never just yours.

"When you sign up for an online service, it's rarely just your own data that you're handing over," Will Oremus wrote. "In many cases, you're also giving up the goods on people you know — often, without their knowledge, let alone consent."

In response to people's concerns, GEDmatch updated its policy so that law enforcement could use its database only to look for suspects in "murder, nonnegligent manslaughter, aggravated rape, robbery or aggravated assault." Most importantly, people were given the option to opt out of having public, searchable data.

Then, the New York Times reported in November that law enforcement could use your DNA test, whether you consented to it or not. The implications of this are huge. Think of it like police searching your home. In order to do so, police need to identify a specific person, a specific house, and get a warrant.

Having a warrant for a house on one block does not give police permission to search the neighbors' houses. However, that's not the case with DNA databases. To find one person, law enforcement can gain access to everybody in the database, which in the case of GEDmatch is 1.3 million people. Essentially, it's now like police can search an entire state.

In the world of at-home DNA tests, GEDmatch is small because it doesn't offer its own kit. Ancestry and 23andMe are the big fish, with 15 million and 10 million users, respectively. Even if Ancestry and 23andMe incorporate better privacy policies, law enforcement was already able to access GEDmatch's entire database, including those who did not consent to it. It could be only a short time before other databases face the same scrutiny.