Spittle and Swabs: How DNA Testing Puts You at Risk

By Cynthia Hetherington, MLS, MSM, CFE

Online DNA and genealogy databases are multi-billion dollar industries offering a glimpse into one’s ancestry and heritage. GEDmatch, for example, provides search capabilities for ancestry, lost family members, and cold cases. It’s little wonder that armchair detectives eagerly attempt to solve crimes with open source DNA. GEDmatch is owned by Verogen, Inc., a forensic science sequencing company—making the game all that more interesting. Genetic detectives are popping up everywhere, even on the ABC television network.

Spit into a tube and solve a crime, right? Well, perhaps.

In my intelligence gathering career, technology has simplified daunting tasks and made for more efficient workflow. Artificial intelligence in cyber investigations has developed at a quick clip in the past decade. In the 1990s, an onsite specialist examiner would conduct manual computer forensics with less than a gigabyte of data to examine. Today, that examination is conducted by software platforms that access the data remotely and capture a court-worthy batch of evidence.

Yes, technology does create the path, but it is the professional examiner—the investigator—who should forge the way. DNA material handled with the oversight of established protocols, rules of evidence, and ethical guidelines can be properly managed. In the hands of the possibly amateur public, however, DNA can lead to incredibly dangerous confrontations—perhaps well-intentioned but equally misled.

This new 3-part blog series focuses on the DNA testing industry and the potential risks of offering up too much personally identifiable information to corporate databases.

The DNA Testing Options are Bountiful

DNA testing is alluringly attractive, because it promises to reveal hidden secrets about you. Perhaps a pedigree that has gone unnoticed, a fitness capability you have yet to try, or a predisposition for a life-threatening disease. Nothing gets closer to the core of what you are than DNA, and as luck would have it, you can access this data for $100 or less by the mail.

MyHeritage, Ancestry, Fitnessgenes, and 23andMe are ready to analyze your swab to tell you more about yourself. Genopalate will tell you what foods you should eat, not to be outdone by Viome and Vitagene. If finding the perfect mate is your query, Instantchemistry and Geneticsdigest will locate your true love. If this is all just too overwhelming for you, you can pop into the parody site, DNAfriend, to see if you are a candidate for Dutch Elm disease, reverse balding, or bad intentions.

According to BIS Research, curiosity and quest have catapulted these services into billion-dollar industry. Despite global government concerns about privacy and the overexposure of personally identifiable information (PII), plenty of individuals are spitting into tubes and waiting on results.

DNA Data for Sale

As privacy professionals and opt out specialists, Hg sees the inherent risk to our clients who choose to swab their cheeks and send it off for analysis. Yet, an informed customer who opts not to submit his or her DNA can be exposed by a brother, cousin, or other blood relative who submits DNA. Shared DNA amongst family members creates leads and connections no one thought possible ten years ago: Today, law enforcement, genealogists, and private investigators use open source sites such as GEDmatch to track and trace volunteered DNA to close cold cases and find lost relatives.

It is a multi-billion-dollar industry that is growing.

DNA is the latest commodity sold to companies specializing in market and product development. GlaxoSmithKline paid $300 million to 23andMe for access to the data they collected. AncestryDNA sells DNA data to Calico, a Google spinoff to “Research the Genetics of Human Lifespan.” AncestryDNA is also the data warehouse of addresses, personal identifiers, and other key information on persons since they purchased the U.S. Social Security death index in the late 1980s. Connecting the dots between personally identifiable information and DNA has never been easier.

Some companies only had policies governing use of their website, while others failed to indicate whether they strip away personally identifiable information from a sample before sending it off for testing. ~Dr. James Hazel & Dr. Christopher Slobogin

In a 2018 survey, James Hazel and Christopher Slobogin of the Center for Genetic Privacy & Identity in Community Settings at Vanderbilt University Medical Center studied 90 DNA testing companies and found most of their privacy policies lack controls. Some companies only had policies governing use of their website, while others failed to indicate whether they strip away personally identifiable information from a sample before sending it off for testing. While a few of the larger companies may have acceptable policies, Hazel and Slobogin recommended avoiding smaller, unknown testing companies, as their privacy policies were minor to non-existent:

We found that over 40% of companies either had no readily accessible policy documents or had policies that did not appear to govern genetic data. These “web-only” policies resembled those that might be found on any website. We saw these smaller companies that you might not have heard of had privacy policies that were a paragraph long, a couple paragraphs long, and really didn’t provide any information whatsoever.

The researchers also noted that the larger, more popular, and more visible companies, such as 23andMe, Ancestry.com, and MyHeritage, had stronger opt out policies in place. In comparison, however, the smaller companies could not be relied on to remove your data once in their database.

Next week, we will discuss identified and de-identified data and what it means for DNA testing consumers.

Are you an analyst or investigator looking for advanced OSINT training on risk assessment and risk monitoring? If so, check out Hg’s webinar series, where you can attend live sessions and receive CEUs or watch previously recorded sessions to beef up your investigative skills.

Are you concerned about your company’s or employees’ points of vulnerability through online and open sources? Our skilled analysts are experts at removing personal information that puts you, your business partners, and your family at risk. Learn how our team can assist you in assessing and monitoring your risks. 

Cynthia Hetherington, MLS, MSM, CFE, CII is the founder and president of Hetherington Group, a consulting, publishing, and training firm that leads in due diligence, corporate intelligence, and cyber investigations by keeping pace with the latest security threats and assessments. She has authored three books on how to conduct investigations, is the publisher of the newsletter, Data2know: Internet and Online Intelligence, and annually trains thousands of investigators, security professionals, attorneys, accountants, auditors, military intelligence professionals, and federal, state, and local agencies on best practices in the public and private sectors.