Edward C. Baig

USA TODAY

Published 4:01 PM EDT Jul 5, 2019

DNA testing is all about unlocking secrets. But sometimes surrendering your saliva may also mean surrendering a bit of privacy – yours or someone else's.

“I think people need to be prepared and warned that they might find out something that could make them very uncomfortable,” said Jeff Hettinger, one of the growing number of people who submitted a sample and discovered a sibling he never knew existed. His dad had never told him.

DNA testing from the likes of leading services 23andMe and Ancestry, among others, has always boiled down to risk and reward: a fascination and curiosity about one's roots and/or predispositions to disease, balanced against trepidations around privacy, security, and, for sure, the possibility of an awkward or identity-altering discovery.

And yet rising concerns of data breaches or an overreach by law enforcement have made some people reticent about voluntarily spitting into a tube or taking a swab of the cheek, even as this popular pastime continues to grow.

It also has some of the top DNA testing companies in the industry banding together to put privacy front and center.

MIT Technology Review estimates more than 26 million people have taken an in-home ancestry test.

The DNA risks to uncovering secrets

But experts counsel DNA newbies to consider what for some could turn into an unpleasant flip side.

“Are there secrets in the family?” asks Whitney Ducaine, director of cancer genetics services at InformedDNA in St. Petersburg, Florida, who knows of cases where individuals found out they had no biological connection to people they had believed were blood relatives.

James Hazel, research fellow at Vanderbilt University Medical Center, raises another issue that may cut both ways: “The ability of people to readily identify anonymous sperm donors who wished to remain anonymous when they provided that sample.”

On the health front, 23andMe asks customers to affirmatively “opt-in” before receiving sensitive reports that may show a genetic predisposition for BRCA variants, which may indicate an increased cancer risk, or late-onset Alzheimer's disease, says Adriana Beach, the company's corporate counsel for privacy.

Could someone steal my identity from DNA details?

Meanwhile, frequent reports of database ruptures in all areas of tech and business are likely to give pause to people wondering about genealogy data landing in the hands of identity thieves and scam artists. Seeking out distant relatives also means you, or your data, may have to be exposed to some degree, so that you, in turn, can be found.

A year ago, the MyHeritage testing service acknowledged a breach of email addresses and “hashed,” or scrambled, passwords of more than 92 million users that turned up on a private server the previous October.

The company's then-chief information security officer Omer Deutsch said that no other sensitive data, including family trees and DNA, was compromised since such data is stored on separate systems.

Still, the episode sounded alarm bells.

“We haven't really seen any reporting surrounding a security breach involving the genetic data of customers in the United States with any of these large ancestry or health-testing companies,” Hazel says. But “as the databases grow in size, they represent an increasingly valuable target to potential hackers or others who may wish to gain access to that info.”

Even so, Hazel and others think the greater risk to privacy and security is more likely to come not from genetics data, but from all the other information that can be found on the internet, including Social Security numbers, passport information and financial records.

“If someone wanted to work with you on identity theft, there are a lot of easier ways to do it than to try to figure out your great-grandparents,” agrees David Nicholson, co-founder of the Living DNA testing service in the U.K.

When police use these DNA databases

Privacy advocates have also flagged major concerns around the use of DNA by law enforcement.

DNA forensics have helped solve decades-old cold cases, leading notably to the arrest of the suspected “Golden State Killer” in California.

Investigators were able to uncover clues via the public database GEDMatch, which hosts data people voluntarily upload from private testing services as a way to find matches with potential relatives who tested their DNA elsewhere.

The worry, though, is that by permitting law enforcement to poke around such DNA databases, a legal shadow may be cast over innocent family members, some of whom never even submitted their DNA anywhere, much less gave their blessing to be searched by the police.

“You decide to contribute your DNA to one of these services and you have by default included your parents, your siblings if you have any, your kids if you have any or your future kids, and future nieces, nephews and everybody else,” says Jen King, director of consumer privacy at Stanford Law School's Center for Internet and Society.

Family TreeDNA faced a backlash earlier this year after acknowledging that it cooperated with the FBI on crime solving. The authorities were able to set up profiles on the site hoping to match DNA samples collected from crime scenes.

But I didn't sign up for this…

Family TreeDNA subsequently changed its privacy policy, allowing users to opt out so that their DNA could not be matched up against such profiles.

GEDMatch also recently changed its policy. It now requires people to specifically state if they'll allow their information to be shared with law enforcement.

“Prior to that time, we had always warned our users in our terms of service that our site might be used by some for purposes other than genealogy,” says co-creator Curtis Rogers, who insists there are many misconceptions about GEDMatch.

“Criminal suspects are not identified on our database,” Rogers says. Rather, “genetic genealogy is only the beginning of a long-complicated process that if ultimately successful will lead to a person or persons of interest. Law enforcement still have to do a complete investigation, often including getting a traditional DNA sample, before they can name a suspect and make an arrest.”

Such investigations may involve social media, census data, family trees, newspaper articles, cemetery records, and courthouse records.

Rogers adds that the family history site surfaces matches, not the DNA itself, the raw data of which is encrypted and used to determine those matches.

For its part, Ancestry, which has sold more than 15 million DNA kits, insists on a search warrant or court order if investigators request DNA data on a customer, says chief privacy officer Eric Heath. Even then the company may challenge the order. Were that to happen, Heath says, it will notify the customer in question, unless ordered otherwise by the courts.

The reality is such requests are rare.

In its 2018 transparency report, Ancestry says it received just 10 “valid” requests from law enforcement for user information. It provided information on 7 of those requests, all related to investigations involving credit card misuse, fraud, and identity theft. The report indicated that Ancestry received no valid requests for information related to genetic information of any member and the company did not disclose any such information to law enforcement.

It added that as of the end of last year, Ancestry has never received a classified request related to t