Ethics & DNA (Honors)

Privacy Concerns with Using DNA Services

In this day and age of technology and having access to everything at all times, people hardly consider what digital privacy in all forms means. With all these services at our fingertips, there is not nearly enough privacy and regulations. In this essay, we will explore instances and question what consequences could or should be put in place to protect people and their right to privacy. Should these services be widely available to all without regulation or consequence? Special attention will be given to DNA testing services like 23andMe, Ancestry, and FamilySearch, which pose significant privacy concerns.

Digital privacy is keeping your information safe from the online world. This includes not giving out your personal information such as your name, birthday, and location. This also includes the protection of other sensitive personal information, like your genetic information and health information. It has been told to us over and over since we were children. Do not tell strangers your information. But now in the year of 2024, it is like second nature to talk about all that personal information. Getting into DNA services in specific is another breed of questions. Services such as 23andMe, Ancestry, and FamilySearch all have one thing in common. Your genetic information. If it tests your ancestral genetic inheritance, as 23andMe and Ancestry do, or if it finds relatives and creates a family tree alongside mass amounts of personal documents, such as FamilySearch and Ancestry do, they all have the same risks of exposing your data. They actively collect your personal data and store it away in their systems, leaving your information in their hands, and continue to share all of it as well. One of their biggest offenses is sharing your data, often without your explicit consent, with third parties for a multitude of reasons like research, or even commercial use. In their bid to do this, they expressly violate your privacy and right to keep your data secured and out of strangers' hands. The second you give them your genetic information, it is no longer yours. This poses the risk of your data being stolen or exposed. It has been before. Do you remember the big news about 23andMe being hacked? Yeah, any data you had on there was stolen. It was a massive data breach and all it did was expose how these companies do not have the technology to properly protect and store your data. And they sure are not transparent about that fact. Millions of people have data on there. You run that risk just being on the internet in general. But you aren’t running the risk of your genetic data being stolen in those instances, are you? Imagine this. You find something that accidentally exposes a family member. They may not have done anything wrong! But it is still yours and their genetic privacy being used and disregarded. The longer we let these companies continue to get away with giving away our data and/or not protecting it well enough, the closer we get to some future where we genuinely have no privacy or freedoms.

My biggest gripe with all of this comes down to giving away your personal data without your consent. Like for example, the police using your genetic data without your explicit consent to solve cold cases. We want crimes solved, of course. But me personally? I do not want them solved using my data without asking me. The fight doesn’t end there, with the police practically begging people to put their data on free genetic sites so that they can use it to help find criminals. But even this poses a big question. When is it too far? Is this the end of public privacy? That isn’t to say that getting criminals off the streets isn’t important, but at what cost? There is very few things we can keep private at this point in time. Why give up more of your privacy? “Police really want to do their job. They’re not after you. They just want to make you safe.” This is a quote from Colleen Fitzpatrick, a genetic genealogist. I get her point, but you just have to question things. The police are not exactly known for playing nice in the sandbox, and at what point does the power trip that historically happens to people in positions of power, take over and leave us all at their mercy, praying to not be targeted with something that we did not do? I bring to mind for you the case of the Golden State Killer. The police used GEDmatch, which is public data, to find the killer. And as important as this was, it also highlights my point again about privacy. We need clear informed consent and the policies for it. And then there are situations such as a child finding their biological parents who did not want to be found. That has been a thing for decades, but genetic testing makes it easier. But sometimes, it ends poorly for the child. Such as in this case for a woman named Shona Hendley, who found her father and he rejected her, “My biological father refused to have a relationship with me. He deleted his email address and cut off all avenues of communication without any explanation. This rejection was utterly devastating for me because it was rejection of the most personal kind. From the man who helped create me, whose blood I share, who my identity is linked to, who I desperately wanted to be accepted by.” No one in this situation is wrong, nor should any of them feel guilty. However, genetic testing continues to make this type of situation more and more common. This article is not about an American woman, but it does highlight a worldwide issue. Now, don’t get me wrong, I am not saying that people should not try to find their parents. And I am also not saying that bio parents should have to welcome them with open arms. I am just here to show the risks of using DNA tests for this sort of thing. This isn’t the only sort of thing explaining being rejected by their biological parents that I could find. Take this post from Reddit user throwitaway93274, for example, “I recently found my birth mother and her side of my family through DNA testing and research. I contacted her a total of two times over several months, each message introducing myself and making note that if she didn't want communication, to go ahead and let me know. I received no response from those two messages. I decided to go ahead and contact siblings. My birth mother then contacted me, furious, demanding that I never speak to her children again.”  It happens time and time again. And with all of these issues, we still come to yet another issue! The lack of transparency from these companies on how they handle your genetic data. For example, from this article from The Atlantic about the potential sale of 23andMe says, “... the company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset. 23andMe promises to ask its customers’ permission before using their data for research or targeted advertising, but that doesn’t mean the next boss will do the same. It says so right there in the fine print: The company reserves the right to update its policies at any time.” Your privacy on these servers is never guaranteed. Do you think some corporation cares about you and your privacy? It doesn’t. And to make matters worse, they do not have to abide by HIPAA, despite having all that genetic information. HIPAA is something people often take for granted, but wow is it so incredibly important. I am not here to fear monger you and tell you that the world is ending and the media is controlled by the birds or anything like that. I am trying to drive home how incredibly dangerous the way they use us and our data is. For a country that loves to go on about freedom, it sure is bad at letting us keep our freedoms. And this just makes it worse. Imagine waking one morning to someone you never wanted to meet, being at your door because they found you through those sites. Imagine being charged for a crime you did not do because your genetics were a close enough match. And let us talk about companies profitting from the collection and sale of genetic data, something they often do without fully disclosing these practices to consumers. If my consent was not informed, then it was not consent. Plain and simple. This raises, again, questions about whether individuals should have greater control over their genetic information (the answer is yes.) and whether companies should face stricter accountability for how they use this data. (The answer is also yes for this.) The lack of enforcement for existing regulations further exposes these challenges, leaving the average person to understand the risks associated with these services.

This is not to say that we do not have supposed “protections”. We do. In a way. We have The Genetic Information Nondiscrimination Act (GINA) which was established in 2008. It protects from discrimination. But that is almost entirely where its usefulness ends. Aside from its other unfortunate downsides, looking at the lack of protection for those with disabilities yet again, it also does not adequately address how genetic data can be shared, leading to potential privacy concerns. Actually, definite privacy concerns. I for one am tired of how flippant they are with our genetic data. Whether this is from those DNA sites, or it is from the government, the American people deserve better on all fronts of this. We should be guaranteed basic rights when it comes to our genetic data. Do not sell it without explicit consent from the person it belongs to. In fact, if we submit our genetic data to anything, we should remain the owners. Otherwise, it just brings to mind another debate going on that peeves me. If organ donation should be required. But alas, I will not get into that or else my essay will take a swift turn to another thing to anger me.

When I think of what consequences should be implemented for privacy violations by DNA sites, I immediately think of the usual ones. Massive fines. But those never really stop huge corporations, do they? No. Now, I’m not saying I condone what Luigi Mangione did, but I understand it. Corporations get away with almost literally bloody murder, and it is time to put a stop to it. Give them actual, honest to God sentencing. I’m talking about putting them away for decades without chance to get out early. I’m talking about not giving bail. It is time for the American people to stand against what we have tolerated for decades. Not only that, but there should just be the straight up threat of shutting them down. I do not have the time or energy anymore to sit here and believe that things will improve without massive repercussions. I don’t know about you, but I do not want my data out there for all to steal at all times. And we need actual regulations. Time limits to keep the data before erasing it. There is more and more of a need for legislation that enforces strict data deletion policies. Companies should be required to erase genetic data after a specified period unless explicit consent for extended storage is obtained. Beyond penalties and fulfilled threats, we can and should empower the people to make informed decisions about sharing their genetic data. Public initiatives should focus on explaining the risks associated with genetic testing services and encouraging people to read and understand privacy agreements before consenting. Because getting full informed consent of anyone who gives their data, is so incredibly important and I cannot stress it enough. We need laws on how it has to be kept. No more letting them get away with this flagrant disregard for the privacy of the people. We The People want privacy and respect. And that Austrailian paper I quoted earlier? That was not by accident. We need an international bid for the protection of our privacy. Make it the new privacy standard for genetic information.

I leave you with all of this to think long and hard about. This essay at the beginning of the semester was going to simply be about genetic testing and the finding biological parents. However, I did more research and realized I had more of a bone to pick with the broader topic. No, these services should not be so widely available without any regulation. They do more damage than good without it. I implore you to contact your government about changing laws. No more sitting idly by. Ultimately, as technology continues to advance and the demand for genetic testing grows, society has to deal with the ethical and practical implications of these services. Governments, companies, and individuals alike share the responsibility to safeguard genetic privacy. By implementing stronger protections, having full transparency, and promoting public awareness, we can figure out how to climb our way through all of this, all the while upholding the fundamental rights to privacy and the need of consent. Going forward, we need action on all accounts. We need the creation of a culture that values privacy and protection and less of an individualistic one. What is freedom and dignity if it is being thrown away in our faces? Technology is our future. This has been known for decades at this point. We need to finally do more to protect all of us and our data. Those of the past may have not had any idea just how much of our information would be out there. But it is known now and it is time to take a stand. I hope we can all agree that no, these companies cannot exist in a wide open market without regulation. 

Annotated Bibliography

Brown, Kristen V. “Remember That DNA You Gave 23andme?” The Atlantic, Atlantic Media Company, 12 Dec. 2024, www.theatlantic.com/health/archive/2024/09/23andme-dna-data-privacy-sale/680057/.

This article talks about 23andMe's massive data breach and the fact that they are not bound to follow the law of HIPAA. "the company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset. 23andMe promises to ask its customers’ permission before using their data for research or targeted advertising, but that doesn’t mean the next boss will do the same." This is a quote from the article, detailing how privacy policies can change and nothing is ever guaranteed by any company if it is sold. This article talks about how companies, like 23andMe, often do things under our noses without consulting us or fully informing us about just how our information will be used.

Hendley, Shona. “Finding Support When You’re Rejected by Your Biological Parent.” ABC News, ABC News, 25 June 2021, www.abc.net.au/news/2021-02-14/finding-support-when-rejected-by-biological-parent/100007854.

This article describes Shona Hendley finding her biological father and being rejected by him. She talks about how it is natural to want to connect with your biological family and talked about finding support after being rejected by said biological family. In her case, her father who cut off all contact immediately and prevented her from contacting him again. "In addition to communicating, Ms Fuller says that finding support from those you can depend on is imperative. "Identifying your role models, whether they be a family member, teacher, partner or psychologist, who can support you and who care for you is critical as they provide trust and safety which is something needed as you go through an experience like this."" She stresses how important having loved ones around you, and supporting you is. Sometimes things are not going to go your way.

“R/Adoption on Reddit: Rejected by Birth Mother.” Reddit, www.reddit.com/r/Adoption/comments/d8t6ca/rejected_by_birth_mother/.

This is simply a Reddit post in which the user describes finding their birth mother, who ignored them until they contacted their biological siblings. At which point, the mother angrily talked to them and threatened to call her lawyer if they didn't stop talking to their biological siblings. There are some comments on the post but overall, was not a massive source. It was just one to drive home yet another person being rejected by their biological parent. Sad story.

Schuppe, Jon. “Police Were Cracking Cold Cases with a DNA Website. Then the Fine Print Changed.” NBCNews.Com, NBCUniversal News Group, 29 Oct. 2019, www.nbcnews.com/news/us-news/police-were-cracking-cold-cases-dna-website-then-fine-print-n1070901.

This article talks about police use of GEDmatch to solve cold cases until they got restricted from doing that. People are asking for police to be allowed to use genetics to find criminals again and solve cold cases. The article then talks about people stating that it is a clear violation of privacy and them raising some concerns. It shows a marked slowing of police solving cold cases. The understand why GEDmatch restricted police action, but essentially say that they are letting a valuable tool slip through their hands. "There is “a genuine tension between wanting to protect consumers and be respectful of their wishes and recognizing that working with law enforcement provides a social benefit,” she said." is a quote from the article, talking about people wanting privacy, but also wanting the added benefit of police finding criminals. All in all, the article was rather in favor of police use of GEDmatch, despite it acknowledging people's displeasure.

Trujillo, Mario, et al. “Genetic Information Privacy.” Electronic Frontier Foundation, www.eff.org/issues/genetic-information-privacy.

This article talks about GINA, HIPAA, and genetic information privacy. It details what GINA and HIPAA are. "With genetic data—or any personal health information (PHI)—it’s important to remember that HIPAA only applies to an organization if it is either a "covered entity" or the business associate (BA) of one." It talks about how HIPAA isn't actually something that covers as much as you think it does. And it also talks about potential boundary crossing with things such as, "The Supreme Court held in Maryland v. King that such DNA collection, while subject to the Fourth Amendment (“using a buccal swab on the inner tissues of a person’s cheek in order to obtain DNA samples is a search”), does not require a warrant: when there is already probable cause for a valid arrest for a serious offense, collecting a DNA sample is analogous to taking fingerprints or a photo."