DNA test security alert: Why you should think twice about getting one [updated twice]


UPDATED with details of 23andMe's decision to go public and its presentation to investors as a company that holds "the world's premier re-contactable genetic database."

Consumer DNA test kits, such as those offered by Ancestry.com, 23andMe and others, create huge privacy risks that most Americans may not be aware of. This is according to a "60 Minutes" report that aired Sunday (Jan. 31) in the U.S.

That's because the user-privacy agreements that customers sign off on can give these companies broad leeway to use their customers' DNA for other purposes, University of California, Davis law professor Lisa Ikemoto told "60 Minutes" correspondent Jon Wertheim.

"You're allowing your personal information to be used by others," Ikemoto said. "That information's being transferred to third parties. And it's being used for uses that you never imagined."

The concerns about misuse of DNA are so great that about a year ago, the U.S. military advised active-duty service members not to submit samples to consumer DNA-testing services.

"These DTC [direct-to-consumer] genetic tests are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk to the joint force and mission," the Pentagon memo said.

The appeal of consumer-DNA services

Why do we continue to use these services? The companies' TV ads show the joy of discovering hidden family histories, yet those ancestry-DNA tests are at best educated guesses. (Ancestry.com calls it an "ethnicity estimate".) 

There's no specific Hungarian or Chinese gene, but rather patterns of genes that many, but not all, individuals in a given population will have.

More useful are the tests that look for specific genetic abnormalities that could lead to disease, such as the BRCA mutations linked to breast cancer. Yet 23andMe charges $199 for the health tests and only $99 for the ancestry tests. Ancestry.com, or more specifically its subsidiary AncestryDNA, doesn't offer such a test.

There's money in that there DNA

The real value of 23andMe lies not in the revenue from consumer DNA tests, FBI Supervisory Special Agent Edward You told Wertheim, but in what can be done with all that consumer DNA once the initial tests are completed. 

This may be one reason the privately held 23andMe is reportedly valued at $4 billion, and why Ancestry.com was bought for $4.7 billion six months ago.

"The return on investment is aggregating the data and what they can do with it once they have enough of it," You said. "The value is in the data."

"Everybody is looking at what kind of data do I have access to, how much do I have, and then how can I turn around and monetize it," You added.

Worries about how consumer-DNA samples are being used have come up before. In 2018, 23andMe announced a $300 million deal to "share" its customers' genetic information with pharmaceutical giant GlaxoSmithKline, or GSK. 

To outside observers, it looked like 23andMe was selling DNA data, getting paid a second time for the same DNA that its retail customers had already paid the company to test.

"The problem with a lot of these privacy policies and Terms of Service is that no one really reads them," Tiffany C. Li, a Boston University law professor, told Tom's Guide at the time. "You are paying to help the company make money with your data."

And, as Li had earlier said on Twitter, you're not only giving up your own privacy, but that of all your blood relatives.

Valuable results, but not everyone gets paid

Anne Wojcicki, CEO of 23andMe, told "60 Minutes" that her company had emailed its customers and asked them whether they wanted to allow their DNA to be used in the GSK research.

"Over 80% of our customers opt in," Wojcicki said. "We have empowered individuals with this opportunity to come together, to crowd source research. ... So that everyone is actually benefiting from the human genome."

Partnerships between consumer-DNA testers and Big Pharma aren't necessarily bad. Last June, 23andMe said it and GSK were beginning clinical trials on new cancer treatments.

"They might produce something very useful," said Ikemoto. "In that sense, it's good."

But, she added, "it means that 23andMe and GlaxoSmithKline will make a huge amount of money. The people who provided all the cells and tissues or DNA that's being used will make none."

Spitting into the tube may be forever

So what can you do about this? First of all, be aware that when you spit into that tube and mail it off to the DNA-testing company, you are giving the company your entire genetic makeup. In fact, you're paying them to take it from you.

You are also giving the company vital genetic information about your parents, your grandparents and other ancestors, plus your children and grandchildren, whether or not they've yet been born.

So: Read the fine print in the company's privacy agreement first. See exactly what kind of rights the company gives itself to use your DNA data, whether you continue to have opt-out rights after you submit your sample, and whether you have the right to remove your DNA data from the company's records.

If some of the wording makes you uncomfortable, then consider whether it's worth it, especially if you're just getting an ancestry test. But if your family has a history of genetically related disease, it may well be worth the trouble to learn if you or your children might carry risky genes.

As a courtesy, you might want to speak to your close relatives about whether they consent to having your DNA, which is also their DNA, tested and analyzed for years to come.

Ancestry.com and 23andMe respond [updated]

Tom's Guide reached out to both Ancestry.com and 23andMe for comment. 23andMe referred us to comments made by CEO Anne Wojcicki on the air and in a "60 Minutes Overtime" online addition.

Ancestry.com provided us with this statement:

"We fundamentally disagree with any such allegation as applied to Ancestry. Protecting our customers’ privacy is Ancestry's top priority. Our customers maintain ownership and control over their own data at all times, and can, upon request, choose to have it deleted at any time. 

Furthermore, we do not sell consumer DNA data. Our revenue comes solely from the sale of our products and services to consumers, not our customers' data. We have put in place industry-leading privacy protections and policies that are outlined in clear, simple, easy-to-understand language on our website."

After this story was initially posted, 23andMe provided us with this statement:

"Our research program is opt-in, meaning customers must read and complete a separate research consent document — beyond our terms of service — as research participation is not required to join 23andMe. This informed consent process is overseen by a third party Institutional Review Board (IRB), which ensures we comply with all legal and ethical guidelines in our research. 

We do not sell individual customer information nor do we include any customer data in our research program without an individual’s voluntary and informed consent."

Update: 23andMe goes public with help from Virgin Group

On Thursday, Feb. 4, 23andMe announced that it was merging with VG Acquisition Corp., a special-purpose acquisition company (SPAC) that's part of Richard Branson's Virgin Group. 

The deal values 23andMe at $3.5 billion. In an investor presentation prepared by 23andMe and posted online, 23andMe says that one of its most valuable assets is "the world's premier re-contactable genetic database."

The slideshow characterizes the database as "a vast proprietary dataset rich with both genotypic and phenotypic information [that] allows insights that unlock revenue streams across digital health, therapeutics, and much more."

The slideshow also states that 23andMe now has 9.8 million "cumulative genotyped customers" and is on track to have 16.4 million by the end of 2024. 23andMe's ancestry service is described as "a mass entry point to building a revolutionary database."

SPACs are shell corporations designed to invest in privately-held companies and take them public without going through an initial public offering. The new company's stock symbol will be "ME" and it will trade on the New York Stock Exchange.

The existing private shareholders in 23andMe will own 81% of the public company. VGAC will own 11% and other investors will own 8%.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.