Which DNA Databases Are The Best And Worst For Privacy?

Your DNA says a lot about you, and it’s likely that either you or a relative is represented in one of the DNA databases that are now being used to track down criminals.

But mailing in a vial of spit does not automatically put you in a database that law enforcement can access. Your privacy risk depends which type of company you’re working with.

23andme and Ancestry are among the least risky

So far, police aren’t usually rolling up to a DNA company and asking for the genetic data that goes with such-and-such name.

Rather, privacy concerns are greatest for databases where a person can upload DNA data and trawl for matches. That does not include the most popular companies, 23andme and Ancestry DNA.

Here’s what happens to your data at both companies:

• The company stores it

• You can view reports about the results

• You can download your raw data

• You can view relatives who match your DNA, if they have also mailed a sample to the same company

• If you also opt in to either company’s research program, your “de-identified” genetic data (not attached to your name) can be shared with companies and labs.

In theory, law enforcement could subpoena data from either company, but both publish transparency reports (23andme, Ancestry) where they state that so far — as of the end of 2018 — they have not turned over anybody’s DNA.

Both companies also allow you to request that they delete your data and/or destroy your sample. If you trust the company to follow their rules and not to get hacked, these are safe-ish places to submit your data.

(The companies’ testing protocol is also a security step, in a sense: they both require DNA to be sent in the form of two milliliters of saliva. If you’ve done one of these tests, you know that’s a lot of spit. This step ensures that nobody is sending in a sneaky swab of your discarded DNA.)

Genealogy databases that allow uploads are the ones with the major privacy concerns

Ever since the Golden State Killer suspect was identified last year, law enforcement has been turning to public DNA databases to solve cold cases. Among the dozens that have been in the news, most use GEDmatch, or occasionally FamilyTreeDNA.

Both are genealogy databases where users can upload their own DNA data. You could get your spit sequenced at Ancestry, for example, grab your raw data, and then upload it to GEDmatch.

Typically people do this because they are trying to trace their family tree, and identify people they don’t know but who are related to them.

Here’s what these databases do with your data:

• You can send in a spit sample (FamilyTreeDNA) or upload raw data (both companies)

• The company stores your data

• You can view reports about your data

• You can download your raw data (not necessary with GEDmatch because you already had it in the first place)

• You can find people whose DNA matches yours

• Other people can upload their DNA and see if it matches yours

It’s this last part that’s concerning for privacy. When law enforcement agents were looking for the Golden State Killer, the admins at GEDmatch had no idea. Anybody could upload a DNA file, no special permission needed.

GEDmatch’s privacy policy now notes that law enforcement could be on the site trying to solve crimes, and if you don’t like that, you should delete your data or not upload it in the first place.

FamilyTreeDNA has gone even further, actively working with the FBI to test forensic samples and run them against the data that the company has stored.

(If you’re a FamilyTreeDNA user, you can opt out.)

It’s a personal decision

I lurk in a few Facebook groups for people who are into genetic genealogy. They share tearful stories about finally connecting with their birth parents and other long-lost relatives. For these folks, the search for relatives is the whole point.

They want to find others, but if nobody has turned up yet, they often leave their data public and wait to be found.

If you’re excited to potentially help catch criminals or identify cold-case bodies, well, enjoy! But if you’re creeped out by being part of the surveillance state, you might want to avoid the user-upload databases.

We are also learning more and more about people from their DNA. Currently some companies “de-identify” data by dissociating it from its owner’s name and birthdate. But in many cases that information isn’t too hard to reconstruct.

Your DNA also contains clues about your ethnicity and even traits like the shape of your face. Someday we may be able to make a decent guess at the DNA owner’s personality.

And while the more privacy-oriented companies have done a good job so far at keeping data confidential, as DNA becomes more revealing, could it become more valuable? Could we expect high-profile hacks of DNA databases the way we’ve become accustomed to them for passwords and credit card data?

Ultimately, the choice to learn about your DNA is a personal one. Until in-home DNA sequencers become commonplace (not anytime soon), there’s no way to access your own DNA data without turning it over to somebody else first. We each have to decide how much privacy we’re comfortable giving up.