Want to know where your ancestors hail from? Or which diseases run in your family? Dozens of genetic testing firms are happy to tell you.
But they’re less eager to divulge a different secret — how they share or sell your DNA samples. Testing companies write dense, confusing privacy policies that make it easy for consumers to unwittingly sign away the rights to their own genetic data.
Genetic data sharing entails serious risks. Privacy policies ought to clearly spell them out so that consumers can make educated choices.
The language used by testing firms such as Invitae, 23andMe and AncestryDNA can mislead customers. For example, AncestryDNA’s terms and conditions state that “You own your Personal Information, Additional User Information, and User Provided Content.”
But it also states that by handing over your data, “you grant Ancestry a sublicensable, worldwide, royalty-free license to host, store, copy, publish, distribute, provide access to, create derivative works of, and otherwise use such User Provided Content.”
In other words, you might “own” your data — but Ancestry reserves the right to share and sell the data as it sees fit.
23andMe’s policies are similarly opaque. The firm pledges it won’t share individuals’ identifiable test results unless people sign a 2,629-word “research consent document.”
About 80 percent of 23andMe’s 2 million customers sign the document. Many people may miss the important details.
In plain English, that means someone could re-identify the test results and specific individuals. The document tries to reassure customers that such re-identification would be “extremely difficult.”
Actually, it’d be quite easy, as a study in the journal Science recently proved.
One MIT researcher identified individuals and their extended families by using only anonymous DNA samples and public records of people’s ages and addresses. Someone’s DNA sample can reveal information that she might not want publicly revealed.
Very few consumers know these risks. And the lengthy terms of service, privacy and consent documents are not only difficult to understand, they are difficult to coalesce into a simple understanding of the various risks.
Testing firms deliberately downplay the risks of data sharing. They would lose much of their revenue if customers opted to keep their data private — or not use their service.
Nearly half of all ancestry-determination firms sell customers’ DNA to pharmaceutical companies and other third parties, according to Tufts University professor Sheldon Krimsky. 23andMe has agreed to sell genetic data to pharmaceutical firm Genentech for up to $60 million. AncestryDNA partners with Calico, a research company owned by Google.
There’s no telling what these third parties will do with the data in the future. And there’s no way for consumers to know if the data are secure.
That’s troubling. Unlike passwords, DNA can’t be canceled or changed. With biometric IDs looming, all it takes is one data breach to leave a person — and his family — vulnerable to fraud or discrimination.
Genetic testing can be extraordinarily useful for those dealing with difficult diseases. But the testing isn’t risk-free. Firms owe it to their customers to clearly disclose those risks.
Twila Brase is president and cofounder of the Minnesota-based Citizens’ Council for Health Freedom.