You just wanted to find out if you were Portuguese or Spanish, but instead you found out you were related to a mass murderer.
This is a reality in a world where the alleged Golden State Killer, now known as Joseph James DeAngelo, was arrested after DNA found at one of the killer’s crime scenes was checked against genetic profiles from genealogical websites that collect DNA samples.
Popular genetic testing companies 23andMe and Ancestry.com are holding on to more than information about your family tree, which raises privacy conerns. Experts confirm DNA in these databases can be accessed by law enforcement and third party companies under certain circumstances, revealing intimate information about user’s medical history and biological relationships.
“People don’t realize that unlike most medical tests where you find out information, it isn’t just about you,” said Arthur Caplan, director of the Division of Medical Ethics at New York University’s School of Medicine.
Here’s what you should know about DNA privacy rules:
What DNA tests are we talking about?
The largest companies that produce genetic profiles for customers are 23andMe and AncestryDNA associated with Ancestry.com. Tests usually use a saliva sample to determine the user’s genetic ethnicity, and results provide users a look at where their ancestors lived. Smaller websites also now offer options for users to upload DNA profiles and search for relatives. In the case of the Golden State Killer, lead investigator Paul Holes said his team used GEDmatch, a Florida-based website that pools raw genetic profiles that people share publicly, The Mercury News reports.
Who has access to that information?
Ancestry.com and 23andMe both said they don’t release information to authorities unless they receive a court order.
A spokesperson for Ancestry.com, which also has a search for the general public, said the company was not in contact with authorities in the DeAngelo case and will not share member information with law enforcement “unless compelled to by valid legal process.” A 23andMe spokesman said the company “has never given customer information to law enforcement officials” and that their platform doesn’t allow for the comparison of genetic data that was processed by any third party.
According to BuzzFeed, GEDmatch now has more than a million genomes and it’s growing larger and more powerful all the time,.
GEDmatch does not require a court order to access, The Mercury News reports. The site also makes clear in its terms and policy statement that “users participating in this site should expect that their information will be shared with other users.”
Right now, DNA testing companies are largely dictating user confidentiality, and some of those companies resell information. While resold information does not directly identify users, Caplan said there are ways to figure out identity.
“We have the assumption that all of our medical information is private and yet the new world of genetics is in corporate hands,” he said.
How can police use it?
“The ability of third parties, the police or others to see that data is not clear,” Caplan said.
There aren’t strong privacy laws to keep police from trolling ancestry site databases, said Steve Mercer, the chief attorney for the forensic division of the Maryland Office of the Public Defender.
“People who submit DNA for ancestors testing are unwittingly becoming genetic informants on their innocent family,” Mercer said, adding that they “have fewer privacy protections than convicted offenders whose DNA is contained in regulated databanks.”