As millions of Americans sat down to Thanksgiving dinner, the biomedical researcher James Hazel sent out a stark warning about the genetic-testing kitsthat he surmised would be a hot topic of conversation.
Most of them are neither safe nor private.
Hazel reached this conclusion after reviewing the privacy policies and terms of service of nearly 100 genetic-testing companies that offer their services directly to people. Most people use these services either by submitting a sample of salivaor uploading their raw digital DNA signature to a public database. Their lofty common draw is enabling people to learn more about their health, family history, and ultimately their identity.
Hazel, a researcher at Vanderbilt University, studied companies ranging from popular startups like 23andMe — which offers health and ancestry information — to under-the-radar outfits such as GEDmatch, which simply houses genetic information to help people build family trees. His article, which was published on Thanksgiving Day in the journal Science, found that nearly half lacked even a basic privacy document that governed genetic data.
Privacy isn’t the only concern that experts have with consumer genetic tests. In addition to collecting sensitive data on ancestry, companies like 23andMe claim to show how your DNA affects your health. But clinicians, medical professors, and genetic counselors told Business Insider that this information is misleading and could put people at risk of missing warning signs for diseases like cancer.
“It’s very scary for us because patients think they’ve had a genetic test when they haven’t,” said Theodora Ross, the director of the cancer-genetics program at the University of Texas Southwestern.
Still, comprehensive genetic workups — the kind that require a doctor’s visit — remain expensive and time-consuming.
That’s led millions of Americans to rely on at-home kits for most of their genetic knowledge. This holiday season, genetic-testing kits broke sales records. Ancestry announced after Thanksgiving that it had sold 14 million DNA kits worldwide. 23andMe has assembled genetic data on more than 5 million customers.
Experts agree it’s time for a different model, something between a pricey doctor-ordered test and the limited spit kits available in drug stores. And though several companies are trying new approaches, none has emerged as a leader. In the meantime, sensitive customer data is being uploaded and housed in large databases — sometimes forever.
For law-enforcement officials to arrest suspected Golden State Killer Joseph DeAngelo on charges including four murders and dozens of rapes, they did not need him to participate in any genetic-testing services.
Instead, DeAngelo’s arrest hinged on the participation of several of his distant family members. At some point, 24 people distantly related to him uploaded their genetic data to a public DNA database called GEDmatch.
After creating a fake GEDmatch profile using DNA they’d gathered at the scene of a 1980 crime, investigators were led to those people. By cross-checking the list against several other databases such as census data and cemetery records, they were able to close in on DeAngelo.
That’s something Hazel and other researchers call “reidentification.” He said it’s a significant risk for people, even if they haven’t ever personally taken a genetic test.
“The fact that law enforcement has access to this with just a subpoena, that was the impetus for my article,” Hazel said. “I wanted to use it to highlight the deficiencies of the system.”
Still, the process required a specialist and years of work, Curtis Rogers, the cofounder of GEDmatch, told Business Insider.
“It takes many people, each supplying little bits of information, to begin the complicated process of solving a cold case,” Rogers said.
‘Informed consent’ is not always informed
Most genetic-testing companies say they use something called “informed consent” to verify that people understand what their genetic data may be used for. Most well-established companies like Ancestry or 23andMe ask for consent when a customer signs up or registers their kit; others put it in a 10- or 20-page terms-of-service document.
Informed consent is especially important because some companies keep genetic data for a long time, sometimes indefinitely. That means it can be used in different ways, including for purposes like solving a murder, that customers might not have anticipated.