Turmoil at 23andMe, a company offering popular at-home DNA testing, has upset the industry. Following the resignation of every independent member of the company’s board of directors, its chief executive, Anne Wojcicki, expressed openness to selling the company and its database of around 15 million customers, raising concerns about the misuse of genetic data.
Although Wojcicki has since said she is focused on taking 23andMe private, the data-sharing risks raised by DNA testing and matching companies are already here. A class-action lawsuit filed in August alleges that the operator of GEDmatch.com, a genealogy site that claims to have a database of more than 1 million members, has been sharing users’ information with Facebook. This revelation should alarm us all.
GEDmatch stands apart from companies such as 23andMe. It’s an open, crowdsourced database that anyone can search. Founded in 2010, it emerged as a tool for genealogy enthusiasts to upload DNA results and connect with relatives. It gained notoriety when law enforcement officials announced in 2018 that they had used the service to identify the Golden State Killer.
Initially, the site’s users consented to share DNA to solve only cases of murder and rape. However, GEDMatch co-founder Curtis Rogers unilaterally made an exception to the policy for an assault case. The resulting backlash led to Rogers and his partner making users unsearchable to law enforcement by default; they could opt in to searches if they chose. But later that year, the line between hobbyist’s tool and crime-solving platform blurred further when Verogen, a for-profit forensic sequencing company with government ties, acquired GEDmatch. (Verogen has since been acquired by the multinational company Qiagen.) And last year, reports surfaced that a loophole gave law enforcement agencies access to GEDmatch users who did not consent to those searches.
The August lawsuit alleges that GEDmatch has been secretly sharing users’ genetic information using Meta Pixel, a tracking code embedded in websites, essentially wiretapping users’ interactions. If the allegations are true, that means Facebook could see whether you have taken a genetic test — and could track links you click on to learn more about your DNA, such as, “Are your parents related?” or a comparison tool detailing chromosome matches, or a tool to explore DNA segments linked to physical traits and medical information.
The implications of genetic data breaches are staggering: This information can reveal sensitive information about a person’s health and other characteristics. In the wrong hands, it carries profound risks. For example, it can lead to discrimination in schools, housing and disability insurance (all areas not covered by the federal Genetic Information Nondiscrimination Act), or to the creation of biological weapons that use DNA to kill a targeted individual. Unlike a compromised password or credit card number, genetic information cannot be changed.
Moreover, your DNA reveals information about not just you but also your family. Even if you’ve never taken a DNA test, if a relative has, your privacy may already be compromised. Research suggests that 90% of white Americans can be identified on genealogy websites even if they’ve never submitted their own DNA.
DNA commodification is no longer a future concern; it’s a present reality. Beyond charging users for their services, some companies have explored selling their data and giving consumers a small cut of the profits or offering other financial incentives to hand over the lucrative samples.
Through a merger, acquisition, sale of assets or bankruptcy, companies could monetize the treasure trove of DNA they have collected. The privacy policies of 23andMe and GEDmatch both make clear that if the companies are sold, a user’s personal information can be transferred as part of that transaction.
The involvement of tech giants such as Facebook adds another layer of concern. Facebook’s business model revolves around sharing information with many third parties. Unlike medical providers, genetic testing companies aren’t bound by health privacy laws such as HIPAA despite the health information DNA contains. Even if these companies ostensibly promise to seek permission before using your data, there’s no guarantee that subsequent buyers will honor the same commitment. Once your genetic information is out there, controlling its spread becomes nearly impossible. It’s often easy to unmask individuals on genetic databases that are technically anonymized.
These risks demand a response. While some states have passed genetic privacy laws requiring express consent for data sharing, these laws often rely on a notice-and-choice model. This approach places the burden on individual consumers who must wade through terms and conditions, clicking through things just to get to the next page. The empirical research is clear that we are woefully bad at managing our own privacy. In addition, when you opt into sharing, you expose the genetic information of the relatives and family members genetically linked to you — future generations included — without their consent
We need a paradigm shift for genetic privacy. We aren’t expected to become experts on food production or vehicle manufacturing to trust that there are minimum standards protecting us. Similarly, we shouldn’t need to be genetic-privacy experts to protect our DNA.
Instead, we should be able to depend on the government to regulate unsafe data practices. This should include strict oversight of sharing with third parties, such as data brokers, that currently get a pass to purchase and resell our information to the government and others.
Even for those who have already taken genetic tests, robust regulations could prevent their data from being exploited in unforeseeable ways, including those enabled by new technology. Such protections also would safeguard future users of genetic testing services, ensuring that curiosity about one’s ancestry doesn’t come at the cost of privacy.
Our DNA is the most personal information we possess. It’s time we treated it that way.
Nila Bala is a law professor at UC Davis who researches criminal law and emerging technologies.
