DNA security: my thoughts in the wake of the Golden State Killer case development

The use of the genealogical DNA website called GEDmatch to solve a long history of crimes perpetrated by the Golden State Killer has a lot of people wondering, “Should I be concerned about the privacy and security of my DNA?” There is nuance to this question. One person who asks it might be asking whether a company might give away their information without permission. Another one might be more concerned about whether someone with ulterior motives could 'hack' the system at a company (or at an independent DNA sharing site) and take data not approved by customers or users.

Without getting into the weeds too deeply, my opinion on this in a nutshell is this:

Think of DNA security the way you think about credit cards. 

Some people opt out of using credit cards because they know of theft; it’s happened to them or someone they know. Or they are generally worried about it even if they've not yet been affected personally. Other people may weigh the risks of private information being stolen if they use a credit card (or other digital payment system like PayPal), but then decide the ease of using them is worth the risk. It has become culturally normal to use credit cards and online payment systems, and the risks are understood and accepted. 

It almost seems as if no one expects perfection in credit card security. The same is becoming true for DNA testing as well.

There will always be a spectrum of how much risk people are willing to take, and that’s ok. We all are different and have had different experiences that attune us to what ought to be cause for worry. What concerns us is not the same as what concerns others. 

The reports of genetic information being 'stolen by bad guys' are non-existent at this point; however, law enforcement has tried to get genomics companies to turn over information, mostly unsuccessfully. The Golden State Killer case recently in the news was a situation in which the absence of laws and regulations around publicly-shared information about DNA matches meant law enforcement was free to use it in a way that helped them solve their case. This wasn't stolen information, per se, but few people who had uploaded their computerized DNA information to GEDmatch seem to have anticipated this use. Some are okay with it, some are not (and have reached out to request their data be deleted).

Are you okay with the use of DNA from family members by law enforcement to solve cases of murder and rape? There isn’t a right answer to this one, but we should still be asking it and discussing it.

What about DNA being held by private companies, like 23andMe and Ancestry.com? In comparison to third-party DNA sharing sites where 'user beware' is the expectation, genomics companies have it in their interest to keep your information as secure as they can -- their reputation hinges on it, in a way.

So they are trying, but in spite of all efforts, including the employment of folks with titles like "Chief Security Officer", it might be possible in the future that their security fails. Or that they slip some language into the terms of service agreement that gives them more freedom to use and share your DNA information than you fully understand.

So bottom line, do I think you should take a DNA test? 

You probably aren't surprised that my answer is that the decision falls right back on you.

If you’re ok with the chance of your DNA being used in unique ways, or going farther than you imagined it would, in order to answer other people’s questions, take the test. If not, testing might not be right for you.

-Brianne

Interested in reading more about the Golden State Killer case and how genetic genealogy was involved? This blog post by genetic genealogy blogger Debbie Kennett compiles many relevant articles related to the case.

Want help in understanding the terms of service before you send in your DNA sample or share your computerized DNA file with a third-party website? I'm a licensed and certified genetic counselor, and "seek informed consent" is one of my mantras. Schedule a one-time session with me, and I'll be happy to help you go through the terms you're being asked to agree to.