Consumer DNA Testing Kits Are a Privacy Risk Now and In The Future

Posted on by Wendy Zamora

Consumer DNA testing kits are a well-intentioned but ultimately dangerous booby trap into which millions have already fallen, the repercussions of which are not yet fully realized today. If the point of testing your DNA is to understand your personal past, we’d all be wise to remember other lessons history has taught us and keep some information under the cap. A seemingly innocuous decision could have lasting ramifications on data privacy, security, employment, insurance and health—plus invite legal woes, deep state surveillance and possible threats to the very freedom we all take for granted today.

But let’s start with the accuracy of the tests themselves.

In a March 2018 study published in Genetics in Medicine, a Nature journal, researchers found that 40% of the gene variants flagged in the raw data from consumer DNA testing services were false positives when re-tested by a clinical laboratory, meaning that many of the genetic mutations reported as “at risk” were actually benign. If a cybersecurity product produced the same share of false positives among its malware detections, it would be considered an inaccurate nuisance. The study’s findings are echoed by stories of customers who’ve received dramatically different results from different DNA testing kit companies about their race, ethnicity and heritage, though those discrepancies have a different cause: each company estimates ancestry against its own reference populations, so the same DNA can yield different percentages from different vendors.

It’s for this reason, and because the results are delivered without context or doctor analysis, that many health professionals recommend users take the data from commercial DNA tests with a grain of salt.

In an interview for Malwarebytes Labs, Brianne Kirkpatrick, a genetic counselor and ancestry expert with the National Society for Genetic Counselors (NSGC), said, “The biggest drawback is people believing that they understand the results when maybe they don’t.”

Kirkpatrick said, for example, that many people don’t understand that the BRCA1 and BRCA2 testing DNA companies provide is only helpful if you’re of Ashkenazi Jewish ancestry. The fine print explains that the company only looks at three variants found mostly in this population (out of thousands of possible variants), so a “no variant detected” result says nothing about the thousands of BRCA variants that were never examined.

“People rush to make a conclusion because at a high level it looks like they should be either relieved or worried,” said Kirkpatrick. “It’s complex information, which is why genetic counselors exist in the first place.”

If testing results are inaccurate or misinterpreted, users might make important decisions about their health based on false premises. What happens if those (inaccurate) results are released to the public? Under federal law (the Genetic Information Nondiscrimination Act of 2008, or GINA), health insurers and employers are not allowed to use genetic information to discriminate against people. That protection, however, doesn’t extend to life, disability or long-term care insurance, where a genetic result could raise coverage costs or lead to denied coverage altogether. Nor does GINA cover members of the military, who remain subject to genetic scrutiny—which is likely why the Pentagon recently issued a warning to its personnel that consumer DNA testing kits create security risks, are unreliable and could negatively impact service members’ careers.

But there’s an even bigger risk with consumer DNA testing than inaccurate results or obstacles to insurance and employment, and that is the unknown. We don’t yet know the full scope of what legitimate companies, cybercriminals and even governments are capable of doing with a combination of our genetic code and a whole host of Personally Identifiable Information (PII). Consumer DNA testing kits gather huge batches of PII alongside that small vial of spit in order to conduct scientific research, yes, but also to sell to third parties, such as business partners, Big Pharma and advertisers.

In fact, scouring through End-User License Agreements (EULAs) from Ancestry®, 23andMe and Helix, you’ll find that, outside of extensive customer surveys, direct-to-consumer (DTC) genetic testers also gather PII from social media profiles, newspaper/website mentions, and public and historical records, as well as birth, death and marriage records. Users can opt out of having their PII collected, but many remain hooked in so they can learn more about themselves or participate in research.

All that PII and DNA in a single company’s hands make a handsome target for cybercriminals, who have already breached consumer DNA testing companies, such as startup Veritas Genetics in November 2019 and MyHeritage, which disclosed in 2018 that the email addresses and hashed passwords of 92 million customer accounts had been taken in a breach the previous year. MyHeritage said the DNA data itself, stored on separate systems, was not accessed; the credentials that were taken are the first step an attacker needs to reach it. In addition, the US Department of Health and Human Services Office of Inspector General recently issued a fraud alert about new scam tactics developing around genetic testing. Coupled with privacy warnings from the Federal Trade Commission, this information alone should give consumers pause before sending their DNA to for-profit companies.

However, the ways in which governments are quietly amassing DNA databases of their citizens and immigrants—often with the help of commercial DNA testing services—are most frightening of all. In 2018, Reuters reported that Canada’s border agency was using DNA testing and ancestry websites to investigate the nationality of migrants it wanted to deport. In October 2019, we learned that the Department of Justice planned to collect DNA from migrants detained at the US-Mexico border and add it to the FBI’s criminal DNA database. China, using sequencing equipment and expertise purchased from US corporations and researchers, is already running a massive surveillance program that aims to build a national DNA database to track and control its citizens. It’s not hard to imagine how such programs could be abused by tyrant leaders and fascist dictators.

Many a friend and family member has scoffed at my warnings to stay away from consumer DNA testing kits, remarking that they have nothing to hide or that there’s no harm in releasing their DNA into the hands of researchers. I honestly hope they’re right.

I hope they never have to fear having their health insurance ripped away because of pre-existing conditions or increased risk of developing certain diseases. I hope they aren’t inundated with marketing emails about cancer-preventative nutrition or the best new medicines to prolong the onset of Alzheimer’s. I sincerely hope they’re never targeted by racial-profiling police officers, denied a job by a prejudiced employer or buried in paperwork after having their identity stolen by a hacker. And I fervently hope they’ll never have to hide their genetic profile from a government hell-bent on ridding its country of a certain ethnicity or race.

Wendy Zamora

Editor-in-chief, Malwarebytes Labs



Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
