Millions of semi-conscious consumers, most of whom were probably outraged and appalled by recent privacy scandal outbreaks involving companies like Facebook and Equifax, have been casually shipping away the most precious keys to their genetic code and helping ancestry.com compile the world's largest DNA database. More than 5 million people have already "spit into tubes" and mailed them in to ancestry.com's database, according to a recent report by the Tampa Bay Times.
These 5 million people were the basis of a brand new investigative report published by the Tampa Bay Times, which detailed how ancestry.com, marketing itself as a family-friendly and wholesome way to discover one's ethnicity, may actually be setting itself up for the largest and most complex security breach of all time.
That’s because ancestry.com is compiling a database, not just of personal information like your Social Security number or date of birth, but also of your DNA. As the report notes, your DNA is arguably the most complex and sensitive form of identification that you can have as a human being.
If Cambridge Analytica would pay top dollar to see what TV shows and books you frequent from your Facebook account, we’re guessing that ancestry.com's database could be targeted for top dollar and potentially used nefariously, if sold.
But even if the database isn’t sold, that doesn’t mean your data is guaranteed to stay uncompromised. As the article notes, ancestry.com has already dealt with its share of security breaches in recent history, including a breach of 55,000 Ancestry customers and reports of the company changing the terms of its agreements with customers on the fly:
Unidentified hackers last year accessed an Ancestry website, RootsWeb, compromising the sign-ins of 55,000 Ancestry customers who had the same log-in credentials with RootsWeb. The site has since been shut down. The incident received little attention, but revealed how customers’ personal information could be accessed and exploited through Ancestry’s partnerships and acquisitions.
AncestryDNA, a subsidiary of Ancestry LLC that markets genetic testing, pledges to safeguard people’s private data. But the company has a history of changing the terms of its agreements with customers. In the most high-profile example, Ancestry in 2014 shut down MyFamily.com, a social networking site where more than 1.5 million users had posted family memories, photos and conversations. Numerous customers said they lost treasured family history because of inadequate notification from the company, which decided not to back up the data.
The company says the data is held securely because, when it ships your DNA to be processed by a third party, it uses barcodes instead of names. Then, not unlike the NOC list from the first Mission: Impossible movie, it matches the barcodes back up with the names once the genetic testing results are provided back to the company. From there, it delivers the results to the customer. But those results aren't just the customer's; they also contain data on the customer's family.
Additionally, customers may not even understand the severity of handing over their DNA to a third party, as opposed to providing an email address or other types of less intense personal information:
Many consumers, he said, have a limited understanding of how DNA is such a unique personal identifier, even more than a fingerprint or social security number. DNA determines the color of a person’s hair and eyes, their skin color and propensity to inherited diseases - information that employers or insurers might want to obtain.
And when someone takes a DNA test, the results not only provide information about that individual, but close relatives as well, said Marcy Darnovsky, director of the Center for Genetics and Society, a biotech watchdog group based in Berkeley, Calif. "You are not just taking the test for you. You are taking it for the whole family," she said.
For this risk, consumers don't even seem to be getting a quality product/analysis in return:
Ancestry claims to beat its competitors in accurate analysis of a person’s ethnicity. But interviews with company officials reveal that Ancestry has wide gaps in its ethnic markers for Asia and other sections of the world. Outside geneticists and anthropologists say that Ancestry and other companies are making misleading claims about the accuracy of their ethnic analyses.
And the rights that consumers may ultimately be giving up could be alarming. Ancestry acknowledges the obvious in one of its disclaimers, "that customers could face various risks if their DNA data and other personal information is made public or somehow obtained by third parties." The article notes that law enforcement and insurance companies could both theoretically have access to these DNA sample databases:
Law enforcement also has various ways to access people’s DNA data.
To make an arrest in the East Area Rapist case, Sacramento investigators created a bogus account on an open-access DNA database, GEDmatch, and then found a lucky match to DNA taken from a crime scene.
Officials for Ancestry, 23andMe and other leading DNA-testing companies say it would be impossible for law enforcement to use similar surreptitious methods to find suspects on their sites, which only allow customers to send in saliva, not DNA results from an outside testing service. But DNA-testing companies could be forced to hand over genetic data in response to a court warrant or subpoena, as they generally disclose.
"It may be used to identify you, and may negatively impact your ability to obtain certain types of insurance coverage, or used by law enforcement agencies to identify you if they have additional DNA data to compare to your Data," the company notes in its informed consent clause, which testing companies use to shield themselves from future liability.
But you have to hand it to the marketing team at ancestry.com - they've done a tremendous job. As the article notes, it has basically convinced consumers to entertain its DNA testing services as a fun and safe way to learn about your ethnic history. Surely, you have met someone or are related to somebody who has used such a service and willingly shared the results with you, excited to learn about their potential background.
However, the other side of the story needs to be looked at very closely. Not only should it be alarming that ancestry.com is creating a database of people's most sensitive genetic information, but the company’s history of security breaches should leave investors cautious about to whom, and why, they willingly provide their DNA.
All the while, outrage about privacy has been the mainstream media's focus for the better part of the last couple of months. However, ancestry.com has slipped through the cracks and could arguably be setting itself up to set a new standard - not only for willing invasion of privacy, but the potential for a serious identity breach on a scale of severity we have yet to see.