On April 25, California law enforcement announced the possible capture of a long-sought serial killer.
Shortly after, it was reported that police had used public DNA databases to determine his identity.
This extraordinary event highlights that when you send off a cheek swab to one of the private genome companies, you may sacrifice not just your own privacy but that of your family and your ancestors.
Joseph DeAngelo (left), the man suspected of being the Golden State Killer (sketch, right), was arrested last Tuesday, after investigators used a DNA ancestry website to identify him
In a time of widespread anxiety over the misuse of social media, Americans should also be concerned over who has access to their genetic information.
For-profit genome testing companies like 23andMe make money, in part, by selling anonymized genomic data.
Many people may not realize that re-identifying genomes – that is, identifying an individual from their genetic profile – is a relatively straightforward process.
In one study, researchers could re-identify five of 10 people, as well as their families.
Humans share about 99 percent of their DNA bases with one another.
The few differences that exist are often sufficient to figure out who’s related to whom.
The genome has been something of a disappointment medically.
Physicians generally can’t do much with the information that a given patient has, say, a 3 percent greater risk of dementia.
But those data are potentially very useful to insurance companies and employerstrying lower their risk.
The Genetic Information Nondiscrimination Act, a federal law passed in 2008, prevents insurance companies and employers from forcing people to undergo genetic testing.
But it doesn’t necessarily prevent bad actors from using dark-web databases and advanced analytics to give themselves a commercial edge.
There have been no reports yet of companies doing this.
But we live in an age in which it seems the possible becomes probable on an almost daily basis.
Members of Congress have already tried to remove some of the little genetic privacy protection that already exists. And companies have begun to offer genome sequencing as an employee benefit.
GEDmatch is a free site where users who have DNA profiles from commercial companies such as Ancestry.com and 23andMe (a 23andMe DNA testing kit seen above) can upload them to expand their search for relatives
Paul Holes, the lead investigator on the case, said the team used GEDmatch, a Florida-based website that pools DNA profiles that people upload and share publicly. The site released this statement on Friday
The financial services industry offers a cautionary tale for the customers of the genome industry. Banks are highly regulated and supposed to provide state-of-the-art protection, yet they have been hacked.
Compared to financial institutions, genome companies are lightly regulated. Eventually one or more of them will be hacked or even caught selling ‘risk profiling’ services to third parties.
With respect to police and prosecutors, the situation is somewhat different.
In the end, they must submit their work to the courts.
It’s possible that setting up a fake account on an ancestor DNA website, as the California police reportedly did, constitutes unreasonable search and seizure.
Given the large financial rewards and the behavior of other industries, millions of American families should likely consider their genomic privacy as already compromised.
If the genome of one of your relatives is in one of these databases, then essentially so is yours.
WHAT DNA TESTING KIT COMPANIES HAVE TO SAY ABOUT GOLDEN STATE KILLER’S ARREST
23andMe
’23andMe chooses to use all practical legal and administrative resources to resist requests from law enforcement, and we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access.
‘In certain circumstances, however, 23andMe may be required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information.’
Ancestry.com
‘Ancestry advocates for its members’ privacy and will not share any information with law enforcement unless compelled to by valid legal process, such as a court order or search warrant.
‘Additionally, we publish law enforcement requests in our transparency report annually. It’s important to note that in all of 2015, 2016, and 2017 we received no valid legal requests for genetic information.’
Helix
‘Helix has not been contacted by law enforcement and has not received requests for information relating to the suspected ‘Golden State Killer’ or any other investigation.
‘In the event that we do receive a request, Helix limits what information and under what conditions its customers’ personal information is provided to law enforcement. Specifically, Helix operates consistently with its Privacy Policy which provides that Helix may disclose customer’s personal information, including Genetic Information: ‘to comply with law, a valid court order, a judicial proceeding, subpoenas, warrants, bankruptcy proceedings, or in connection with any legal process, provided that we will not disclose your Genetic Information without a valid subpoena or search warrant specific to your Genetic Information. If we are required to disclose your information, we will do our best to provide you with notice in advance, unless we are prohibited by law from doing so.”
FamilyTreeDNA
FamilyTreeDNA, the pioneer company in the field of genetic genealogy, was not contacted formally, by any law enforcement agency, regarding the Golden State Killer case.
While we take our customers’ privacy and confidentiality extremely seriously, we support ethically and legally justified uses of groundbreaking advancements of scientific research in genetics and genealogy.
The irony is the fact that this arrest was made on National DNA day, which should not be lost on any of us.
Living DNA
‘Living DNA is under strict English and EU laws when it comes to data security. We would resist any request to access customer data without the consent of the customer, and would only release data where legally compelled to do so, e.g by where ordered by a court having jurisdiction over us.
We have not been asked to provide, nor have we provided any customer details/data to any authority worldwide including the US authorities.’
MyHeritage
According to Motherboard reporter Sarah Emerson: ‘MyHeritage, a similar genealogy site that lets you upload raw DNA data, just confirmed that it was not involved with the case, and says it was not used by [law enforcement] as a tool to compare genetic profiles.’
In the uncommon circumstance that a whole family has not one member who has yet to send off a cheek swab, that family might want to consider opting out of this whole thing until society sorts out risks, benefits and privacy protections.
Most people, however, will have to wait and hope they will not be harmed by a genomic revolution that has provided them with little benefit.