By Cynthia Hetherington, MLS, MSM, CFE

Online DNA and genealogy databases are multi-billion dollar industries offering a glimpse into one’s ancestry and heritage. GEDmatch, for example, provides search capabilities for ancestry, lost family members, and cold cases. It’s little wonder that armchair detectives eagerly attempt to solve crimes with open source DNA. GEDmatch is owned by Verogen, Inc., a forensic science sequencing company, which makes the game all the more interesting. Genetic detectives are popping up everywhere, even on the ABC television network.

Spit into a tube and solve a crime, right? Well, perhaps.

In my intelligence gathering career, technology has simplified daunting tasks and made for a more efficient workflow. Artificial intelligence in cyber investigations has developed at a quick clip in the past decade. In the 1990s, an onsite specialist examiner would conduct manual computer forensics with less than a gigabyte of data to examine. Today, that examination is conducted by software platforms that access the data remotely and capture a court-worthy batch of evidence.

Yes, technology does create the path, but it is the professional examiner—the investigator—who should forge the way. DNA evidence can be properly managed when it is handled under established protocols, rules of evidence, and ethical guidelines. In the hands of amateurs, however, DNA matching can lead to dangerous confrontations, well-intentioned but misguided.

This new 3-part blog series focuses on the DNA testing industry and the potential risks of offering up too much personally identifiable information to corporate databases.

Be Wary of Swabbing and Sending

The experience of taking part in a DNA testing kit is advertised as exciting and fun, easy to process, and full of interesting information you may not know about yourself. The darker side of this activity is rarely discussed: you may learn things about yourself and your family you were not prepared to learn. Hg investigators have seen numerous cases in which paternity was questioned, unknown relatives were discovered, and family heritage was called into question.

Starting the process is rather pedestrian: DNA testing companies ask a lot of questions that may strike you as boring. Those consent questions, however, determine what happens to your sample and your data, so in order to protect your data you need to read them carefully.

As a consumer, opt out of every option that is not specifically required for your objective, such as tracing your heritage. Companies like 23andMe have a separate consent agreement asking permission to use your DNA data in research studies. That data is stripped of identifying labels such as your name and address, but stripping the labels does not guarantee your privacy. Sites such as Family Tree DNA let you upload results from other services in order to find more relatives. Unlike Facebook, where you search for people with the same last name and observe them from afar, DNA matching will pair you with strangers you may wish you had never met, and they will be your relatives, however distant.

Unlike Facebook, you cannot unfriend them.

In their defense, DNA companies, like marketing companies, strip out much of the identifying information before sharing or reselling data to other companies for market analytics and statistical surveys. Two kinds of stripped data are commonly lumped together as de-identified aggregate data. Aggregate data consists of summaries that do not single out individuals, such as the percentage of customers with a certain ancestry; that is relatively safe. De-identified individual-level data describes one person without a name or other personal identifiers: all the record says is that you are a male of Eastern European heritage with lupus indicators. That is not as safe as it sounds, because a genotype is itself a unique identifier, and large parts of it are shared with your relatives.

There have been cases where de-identified data was re-identified and used to locate specific individuals. Joseph James DeAngelo, the Golden State Killer, was identified through an open source DNA database via his relatives’ DNA. Investigators uploaded the crime-scene DNA profile to GEDmatch, where it matched distant relatives who had voluntarily uploaded their own results. Once investigators had those names, they built family trees and looked for relations of the right age and characteristics, and found DeAngelo’s blood relatives—even though he had never taken a DNA test himself. A very public demonstration that DNA you never submitted can still identify you through relatives who did.
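The two preceding paragraphs make the security-relevant point: removing the name from an individual-level genotype does not anonymize it, because the genotype is the identifier, and relatives share it in part. The following script is an added illustration written for this page, not code from the original post or from any DNA service. It constructs a small random panel of biallelic sites (a constructed toy, not real SNP data), builds a child from two named parents by Mendelian transmission, strips the child's record of its name, and then links that stripped record back to the named database using two identity-by-state (IBS) statistics: a copy of the donor matches at every site (IBS2 fraction of 1.0), and a parent or child shares at least one allele at every site (IBS0 fraction of 0), while unrelated people show IBS0 at a noticeable fraction of sites. Real relative matching uses far more markers and shared-segment analysis; the thresholds here are only for the toy.

```python
"""Toy demonstration: a "de-identified" genotype is still linkable.

Constructed data only (seeded random panel of A/G sites); the names,
site count and classification thresholds are assumptions for the toy.
IBS2 = both alleles identical at a site; IBS0 = no allele shared.
"""
import random

N_SITES = 2000
ALLELES = "AG"


def random_genotype(rng, n=N_SITES):
    """Unrelated individual: two alleles drawn independently per site."""
    return [(rng.choice(ALLELES), rng.choice(ALLELES)) for _ in range(n)]


def child_of(rng, mother, father):
    """Mendelian transmission: one allele from each parent, chosen at random."""
    return [(rng.choice(m), rng.choice(f)) for m, f in zip(mother, father)]


def ibs_profile(a, b):
    """Return (fraction of sites IBS2, fraction of sites IBS0) for two genotypes."""
    ibs2 = ibs0 = 0
    for (a1, a2), (b1, b2) in zip(a, b):
        if sorted((a1, a2)) == sorted((b1, b2)):
            ibs2 += 1
        elif not ({a1, a2} & {b1, b2}):
            ibs0 += 1
    n = len(a)
    return ibs2 / n, ibs0 / n


def classify(a, b):
    """Toy relationship call from IBS fractions (thresholds are assumptions)."""
    ibs2, ibs0 = ibs_profile(a, b)
    if ibs2 == 1.0:
        return "same person"          # every site identical: the donor
    if ibs0 == 0.0:
        return "parent/child"         # one allele shared everywhere
    return "unrelated or distant"


def link(stripped_record, database):
    """Map every named profile that is not 'unrelated' to its relationship
    with a record that carries no name at all."""
    hits = {}
    for name, geno in database.items():
        rel = classify(stripped_record, geno)
        if rel != "unrelated or distant":
            hits[name] = rel
    return hits


def build_demo(seed=7):
    """Construct the named database and the nameless record (constructed data)."""
    rng = random.Random(seed)
    alice = random_genotype(rng)
    bob = random_genotype(rng)
    carol = child_of(rng, alice, bob)   # Carol is Alice and Bob's child
    dave = random_genotype(rng)         # unrelated to everyone
    database = {"Alice": alice, "Bob": bob, "Dave": dave}
    # Carol's record is "de-identified": no name, just the genotype.
    return carol, database


def demo(seed=7):
    """Link Carol's nameless record back to named relatives."""
    carol, database = build_demo(seed)
    return link(carol, database)


if __name__ == "__main__":
    # Carol never appears in the database, yet both parents are found.
    print(demo())
```

The record that was linked never carried Carol's name and Carol never uploaded anything; her parents' named profiles were enough, which is the same mechanism that identified DeAngelo through relatives. An aggregate statistic such as "how many customers are heterozygous at site 12" could not have supported this lookup.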

If you give a company permission to share your data with another research organization, you can revoke that permission later. However, it will be difficult or impossible to delete your data from third parties that have already received it, and there is no guarantee that those third parties will not pass it on to yet another company or research organization down the road.

The DNA testing company may also ask your permission to store your sample so that it can be retested with future, more advanced techniques. Some sites also offer a family finder feature that lets potential relatives contact you if your DNA matches. Reputable companies will make sure to inform you as much as possible, but be sure to read everything before you click “Agree.”

Be sure to check back next week, when we share tips on how to remove your personal DNA data from the Big Three!

Are you an analyst or investigator looking for advanced OSINT training on risk assessment and risk monitoring? If so, check out Hg’s webinar series, where you can attend live sessions and receive CEUs or watch previously recorded sessions to beef up your investigative skills.


Are you concerned about your company’s or employees’ points of vulnerability through online and open sources? Our skilled analysts are experts at removing personal information that puts you, your business partners, and your family at risk. Learn how our team can assist you in assessing and monitoring your risks. 


Cynthia Hetherington, MLS, MSM, CFE, CII is the founder and president of Hetherington Group, a consulting, publishing, and training firm that leads in due diligence, corporate intelligence, and cyber investigations by keeping pace with the latest security threats and assessments. She has authored three books on how to conduct investigations, is the publisher of the newsletter, Data2know: Internet and Online Intelligence, and annually trains thousands of investigators, security professionals, attorneys, accountants, auditors, military intelligence professionals, and federal, state, and local agencies on best practices in the public and private sectors.