Earlier this year, Facebook CEO Mark Zuckerberg was on Capitol Hill to face questions about privacy and how his company uses your personal information. The same questions could be asked about those popular home DNA test kits.. and what the companies behind them do with your genetic information. Our Lisa Fletcher investigates the promise and profits of DNA.
Lisa: Unlocking who you really are...is the promise of take-home DNA testing. Heather Townsend wanted to trace her roots, so she submitted a sample to the company, MyHeritage (*statement below).
Heather Townsend: I always knew I’m Scottish and English, all these things and so it was kind of expecting it to be reaffirmed is just kind of a fun thing. It kind of gives you some rough percentages and from these select countries you have DNA from.
Sheldon Krimsky heads the Council for Responsible Genetics - a public interest watchdog group, focusing on genetic technologies. He wrote a consumer guide about DNA tests and suggests the results may not be worth the risk.
Sheldon Krimsky: People can use your DNA in ways you may not like.
So instead of focusing so much on tracing Heather’s lineage of Scottish, English and Scandinavian ancestry, let’s trace some of the concerns about DNA testing. One: Selling your chromosomes, for cash.
Lisa: So the objective here isn’t just to sell DNA kits for fun?
Sheldon Krimsky: That’s only part of the business plan. The other part of the business plan is to sell that information to some other companies who are interested in your DNA.
Back in 2013, a 23andme board member said in an interview with Fast Company, ‘The long game here is not to make money selling kits. Once you have the data, the company does actually become the google of personalized health care.’ The big buyer of your DNA data: Researchers.
Sheldon Krimsky: Somebody comes over to you and says, I want to you use your DNA for research. And you might say: What kind of research? .. .Oh, I don’t know, I want to do research on building biological weapons. ‘Oh no, not my DNA. Forget it. I’m not interested in that.’ In this case, you may not have a choice because they’re not going to ask you.
23andMe (*statement below) allows users to opt in to research, as it hopes to begin drug development. But if you opt in, and your DNA is the key to a breakthrough, you’ll never know.
Sheldon Krimsky: If you have a very unusual genotype, very unusual, that’s so valuable to a company, they’ll make money on it, you won’t see a penny.
The next concern...privacy.
Sheldon Krimsky: Your privacy is not so well-protected. It may be that somebody gets your DNA and it’s anonymized, but there are so many ways of de-anonymizing your DNA that eventually somebody can find out who that DNA belongs to.
As science surges forward, the law lags behind. The genetic information non discrimination act was signed in 2008. It says your healthcare provider and your employer can’t seek out your DNA to make a decision about your care or your job. But if you make it available…that changes the game.
Sheldon Krimsky: If you’ve put it on your social media sites, that’s up for grabs, then they can use it.
Lisa: Are people a bit naive in posing that information?
Sheldon Krimsky: Yes, absolutely. If you post information that you have a certain mutation for example, and your health care provider sees that information, they can use it.
The at-home DNA testing kit is ever expanding. The FDA has approved marketing of at-home testing kits for risks for serious diseases like Parkinson’s and Alzheimer’s and most recently...cancer. The more tests, the more reasons to swab and send, the larger the DNA database grows. Now, let’s chart who is responsible for protecting you. You are your own watchdog. Senator Chuck Schumer led calls for transparency by the DNA testing industry - and for protection of your data.
Sen. Schumer: DNA testing firms don’t clearly disclose exactly what they’re doing with the DNA once a person’s cheek swab is sent in.
Last December, the Federal Trade Commission made note of the issue, posting this article urging the consumer to ‘consider the privacy implications.’ That means...you’re on your own.
Heather Townsend: I kinda get numb to check the box and read the fine print. But I haven’t really read the fine print as you know. It’s kind of like I’m used to all these electronic things and it’s like, here’s your rights, check the box.
Sheldon Krimsky: The companies will say, ‘check our site - we’re going to change our privacy policies from time to time. So keep checking our site.’ Well that’s hardly...how many people are going to do that?
In the next 4 years, at-home genetic tests are expected to be a 340 million dollar a year industry. That’s only the kit sales. The real cash cow is that DNA database. By some estimates, the potential gene market will be worth as much as $100 billion by 2030. Townsend says she’d do it all again, but through a very different lens.
Heather Townsend: Things should be more explicit in the disclaimer. So I feel like they can say, you know, your data can be out there. That might scare people though. So I think that’s probably why they don’t do it.
Scientists can comb through your genetic material looking for something like genetic resistance to cancer or HIV. That could be developed into a treatment or vaccine worth billions of dollars, and you'd never be the wiser. We should note My Heritage DNA - the test Heather took - says it does not sell *any* genetic information. Both 23andme and Ancestry.com told us users are in control - and they can opt out of research. Their statements are below.
Statement from 23andMe
23andMe strives for transparency in all of our data practices. We are committed to ensuring our company’s policies are clearly articulated and easily accessible through a number of resources available to all customers and prospective customers, including our Privacy Center, Privacy Statement, Help Center and Transparency Report. All of these documents are published online. We outwardly discuss these practices regularly, both directly with our customers in the form of email when there are significant announcements, and publicly with media (as just one example, we distribute press releases on agreements such as the following, as well as send emails to our customer base reminding them of their research consent options: https://mediacenter.23andme.com/press-releases/23andme-genentech-pd/). We also publish videos on how the testing process works, including data and sample storage: https://ru-clip.com/video/U3EEmVfbKNs/dna-testing-and-privacy-behind-the-scenes-at-the-23andme-lab-smarter-every-day-176.html
Further, it's important to note we do not sell individual customer information nor do we include any customer data in our research program without an individual’s voluntary and informed consent. This is a separate consent, beyond our terms of service agreement, and is presented as such to the customer. It's not required in signing up for the 23andMe service. Our customers are in control of their data — customers can choose to participate in research, or not, at any time. Our Research program is built on established ethical principles as laid out in the Belmont Report and the Common Rule, and is overseen by an independent third party (IRB) to ensure research meets all legal and ethical standards.
To ensure data protection, 23andMe uses robust multilayered encryption and authentication methods in line with the highest industry standards for security. We also employ software, hardware, and physical security measures to protect the systems where customer data is stored. Data are de-identified and segmented across logical database systems to prevent re-identifiability. In other words, personally identifying information is stored separately from genetic data.
Access to 23andMe databases is limited, and is strictly monitored and logged. If a person has consented to Research, a limited number of qualified scientists access to de-identified information for scientific research purposes.
Research consent is entirely optional, and requires a separate signed document beyond our terms of service. It's intentionally an opt-in process to allow each customer to make an informed, explicit decision to participate, rather than have to opt-out of a decision we make for them. If you opt-in, you can opt-out at any time (for more on research consent please see the above answer). Research breakthroughs require aggregated data from tens or hundreds of thousands of customers. As an example, 23andMe helped discover new variants associated with depression which required data from more than 200,000 participants. The research breakthroughs we've made have largely been part of pro-bono research collaborations which do not result in monetary gain. Rather this research, published online, serves to benefit the greater good by allowing the broader scientific community to take these discoveries and conduct further research.
Customers can elect to have us biobank (store) or destroy their samples, it's completely up to them.
Statement from Ancestry.com
At Ancestry, privacy is our highest priority. For over 20 years, people have trusted us with personal information about themselves and their families. We understand the personal nature of the data we’re dealing with and are committed to always being a good steward. We make the following commitments to our users:
You own your data and you always maintain ownership of it
We do not and will not sell DNA data to insurers, employers, health providers or third-party marketers
We will only share DNA data with researchers if you opt in to our research initiative
You may request that we delete your data or account at any time
Our customers’ DNA stays with Ancestry – to offer our services to them and others unless the customer has consented to share their DNA with outside parties. Outside of a customer taking his or her DNA data and giving it to a third party directly, the only way customer DNA data is made available to others is through our research project (Ancestry Human Diversity Project), where customer DNA may be part of an aggregate data set used by a research partner.
[For background, Ancestry’s monetization strategy is very different from some other companies. Our revenue is generated predominantly by DNA kit sales and our family history subscription business – and not commercial research partnerships. Ancestry has one existing commercial research relationship with Calico that is focused on understanding human longevity and developing ways that all of us can lead longer and healthier lives. We list all of our collaborations on our website: https://www.ancestry.com/cs/collaborations]
All customer physical samples are stored in a secure facility to enable the possibility of future testing as new techniques and science become available. No personally identifying information is stored with the Raw DNA or physical samples. As mentioned above, customers can request the deletion of their data and destruction of their sample at any time.
Every customer that activates a DNA kit is presented with the choice to opt-in to our Institutional Review Board approved research project (Ancestry Human Diversity Project). Regardless of whether the customer chooses to participate they can always view their research consent status within the DNA settings tab, where they can find the Research Consent” option, which provides information on the research, identifies your participation status, and gives you an opportunity to change your setting.
Customers can withdraw their consent at any time and we will cease using their Data for the Project within 30 days. The only exception to this is if a user opts in to the Ancestry Human Diversity Project where their de-identified data could become part of an ongoing study or published research. To be clear, once a customer opts out of the Ancestry Diversity Project (or deletes their DNA), it is not included in any future research projects.
Ancestry maintains a comprehensive information security program designed to protect customers’ Personal Information using administrative, physical, and technical safeguards. Customer saliva samples are only identified with a code from submission to the lab and throughout the genotyping process.
Statement From MyHeritage:
People have the option to block their DNA from matching with other users in their DNA privacy settings.
No other user can see the DNA results of the kit bar the DNA manager and the person to whom the DNA kit is assigned to.
We do not allow any 3rd party company to conduct any research utilising the information gathered in our databases. We are not in the business of selling any customer's DNA to a 3rd party company.
If a MyHeritage customer is ring up regarding their DNA we would need to clarify that we are speaking to the account holder before we disclose any information regarding the DNA kit.
A user can request to destroy their DNA samples.