23andNotMe

Somebody else is wearing my genes

“I am this person, I have read this document, and I DO GIVE CONSENT.” 

– 23andMe consent form.

For those of you considering to willingly share your DNA to a large genealogy company, striving to discover your percentages of your oh-so-unique ancestry, you might want to reconsider; I know I did, but it was too late by the time my spit was shipped in the mail.

DNA testing companies offer the public features such as highly-detailed health reports, ancestry and connections to biological relatives. This enables users to get an in-depth understanding of themselves and their DNA. 

But hold your horses, and quite frankly, your saliva. As someone who takes a particular interest in genealogical research, I am worried about what genetic testing companies are capable of. 

You see, these companies can instantly gather plenty of information by reading your raw data. Each of the 23 segments of DNA tell a rather illustrative story about you. For instance, some of us may have been blessed with the genome of liking cilantro, while those who are less fortunate tend to taste soap rather than a delicacy of an herb (but that’s an opinion to save for another day). However, others may be told they have an increased likelihood of carrying more serious characteristics genes relating to Parkinson’s disease or late-onset Alzheimer’s disease.

Some employers have previously required genetic information to make decisions about hiring or promoting individuals, an idea brought to existence decades ago. In the early 1970s, for instance, some employers used genetic screening “to identify African Americans who carried a gene mutation for sickle cell anemia.

Health insurance companies, too, have treated customers differently on the basis of varying genes, earning itself the label of “genetic discrimination.” However, federal laws like the Genetic Information Nondiscrimination Act (GINA), which went into effect in 2009, are designed to protect people from this form of discrimination, ensuring companies don’t require genetic information. 

Note that GINA has its limits, though. It does not protect companies with under 15 employees, those in the military or people receiving health benefits from the Veterans Health Administration or Indian Health Service.

I skimmed through the 23andMe Research Consent Document and the Full Privacy Statement to find information on their connection to third parties. The information was vague at points and was somewhat difficult to find.

Then I came across this: “Your genetic data and any other personal information you enter into the website … may be analyzed in research … This includes non-profit organizations, academic institutions and pharmaceutical companies.”

While users can opt out of research at any time for many of these genealogy companies, storage of their data is within their system forever, unless they choose to delete their data and waste the money spent on the original kit. Plus, in the midst of all the excitement of finding out about whether they are German, Kenyan or Fillipino, a majority of users rarely bother to read whatever they’re agreeing to before swiftly pressing the big, green button to opt into research.

Several of the company websites make it clear that the companies the data is being shared with do not receive registration information (name, contact information and credit card information). However, there still is a “very small chance that someone with access to the research data or results could expose personal information about you,” according to 23andMe.

Understand that I am not an alarmist however, I have good reason to be slightly on edge about that “very small chance,” even with their industry standard security measures. Your DNA is not a car, a house or any other possession whose loss would be upsetting but redeemable — your DNA is literally you on a biological basis, and far transcends the information your personal doctor has on you. In the case of a data breach of a genealogy company, or more likely, a data breach of a third party paired with the company, the biological makeup of millions could be compromised, even for those who do opt out of research.

Third parties are notorious for being the cause of massive leakages, such as the American Medical Collection Agency data breach from 2018-19, a third-party provider for billing services of large healthcare providers. According to HIPAA Journal, at least 21 companies were affected by the data breach, and the total number of patients potentially affected by the breach stands around at least 24.4 million.

Choose wisely, or your most private information your DNA might be shared in ways you cannot control.