How flawed genetic testing could be used for more than screwing up your race.


Three years ago, I put my faith in a 23andMe DNA test and got burned.

While most of my results initially checked out — about 50 percent South Asian and what looked like a 50 percent hodgepodge of European — there was one glaring surprise. Where roughly 25 percent Italian was supposed to be, Middle Eastern stood in its place. The results shocked me.

Over the years, I had made a lot of the Italian portion of my heritage; I had learned the language, majored in Latin in college, and lived in Rome, Italy, for my semester abroad. Still, as a rational person, I believed the science. But my grandmother, whose parents moved from Sicily to Brooklyn, where she was born and grew up speaking Italian, refused to accept the findings.

Fast forward to this summer, when I got an email about new DNA relations on 23andMe and revisited my updated genetic results, only to find out that I am, in fact, about a quarter Italian (and generally southern European). But it was too late to tell my grandma. She’s dead now and I’m a liar.

This sort of thing happens a lot because ancestry DNA testing — and genetic testing in general — is an inexact science that’s prone to errors throughout almost every step of the process. As my Vox colleague Brian Resnick has explained, some small amount of error is unavoidable within the technical portion of analyzing your DNA.

Making the results of these tests even more unreliable is the fact that their whole ancestry component is based on self-reported surveys from people who say they belong to one ancestry or another — an inherently flawed practice. Sample sizes vary by location and by testing company, so there’s a big disparity in data quality, especially if you happen to not be white. That’s because Europeans are much more represented in DNA databases and therefore, much more exact information can be gleaned about their DNA.

The writer’s grandma Jo in the hospital in 2017.

Courtesy of Rani Molla

The writer (left), her sister, and a dog.

Courtesy of Rani Molla

Of course, what would be much more troubling than getting someone’s heritage or hair color wrong is using that information to inform decisions made about that person. And as more people submit their DNA to genetic testing companies, and more law enforcement and government agencies figure out ways to use this deeply personal genetic information, it could be used against us. Making matters more concerning is that there are very few legal safeguards on what companies and governments can and can’t do with data gleaned from direct-to-consumer genetic tests.

“Under existing law it would be legal to very broadly share consumer information if you disclose that that was happening in the privacy policy and terms of service with the customer,” James Hazel, a research fellow at Vanderbilt University Medical Center, who has done research on genetics test privacy policies, told Recode. And companies don’t have to stick with existing privacy policies, either. “Nearly every company reserves the right to change their privacy policies at any time.”

Of course, few people read privacy policies in the first place (under 10 percent always do so, according to a new Pew Research study). And the existing privacy policies for genetic testing aren’t necessarily clear or forthcoming. Hazel found that 39 percent of the 90 genetics testing companies he researched had “no readily accessible policy applicable to genetic data on their website.”

Hazel says some of the biggest genetics testing companies, like 23andMe and Ancestry, have signed on to a list of best practices, a policy framework created by the Future of Privacy Forum, which includes both consumer and industry advocacy groups. The practices include agreements to be transparent around data collection, to take strong security measures, and to use valid legal processes when working with law enforcement. While signing a pledge with these well-intentioned ideas is comforting, they’re ultimately vague and not legally mandated. Failing to live up to these tenets is a PR flub, rather than a legal burden.


He also warned that while large companies might be motivated by public opinion, consumer feedback, and media scrutiny, smaller companies tend to be overlooked and left to do what they want, under the radar.

“Just like the industry is very diverse in terms of tests offered, also the information and the quality of the privacy policies are all over the map,” he told Recode.

What genetic testing is already — and could someday be — used for

Law enforcement has long used DNA testing in police investigations, but these consumer tests give authorities an exponentially bigger potential pool — more than 26 million people have taken at-home ancestry tests. These tests compromise the genetic privacy not just of people who choose to take the tests, but also their distant relatives who haven’t consented to anything.

In one recent high-profile case, authorities were able to track down the Golden State serial killer after four decades by using DNA from his third cousin and fourth cousins, who had voluntarily uploaded their DNA test results to GEDMatch, a public site where people go to find long-lost relatives — and a resource that police rely on to help investigate crimes. This year, GEDMatch changed its settings so that users have to opt in to law enforcement searches, which has shrunk the available database from over a million to just 180,000 profiles.

It’s notable that DNA testing accuracy varies a lot by application, with finding a DNA relative being a lot more reliable than determining ancestry, and loads more accurate than, say, finding your ideal diet for your DNA.

Authorities can, in some cases, go directly to the DNA testing sites to access people’s genetic information. Earlier this year, BuzzFeed News reported that FamilyTreeDNA, one of the biggest direct-to-consumer testing sites, was working directly with the FBI to browse their database for matches — and relatives of matches — of people suspected of violent crimes. The report got FamilyTreeDNA kicked off the list of the aforementioned best practices supporters.

Both 23andMe and Ancestry say they don’t willingly share information with law enforcement, unless compelled by a valid legal process like a court order. A 23andMe spokesperson added, “We use all legal measures to challenge any and all requests in order to protect our customer’s privacy. To date, we have successfully challenged these requests and have not released any information to law enforcement.”

Beyond policing, it’s possible DNA test results could be used against you or your relatives in other ways. The Genetic Information Nondiscrimination Act prevents health care companies and employers from using genetic data to deny you employment or coverage.

The intention is to prevent employers and insurance companies from denying coverage or discriminating against people based on, say, their having a cancer-correlated genetic variant. But companies with fewer than 15 people are exempt from this rule, as are life insurance, disability insurance, and long-term care insurance companies — all of which can request genetic testing as part of their application process.

And in other countries without laws protecting citizens from genetic discrimination, the stakes are even higher. China is using DNA samples — as well as genetic research from a Yale geneticist — to track and oppress Uighurs, a mostly Muslim ethnic group that the country’s government has forced into “reeducation” camps.

Reagents for forensic DNA fingerprinting and relationship testing produced by Nearmedic Pharma in Obninsk, Russia, on October 28, 2018.

Anton Novoderezhkin/TASS via Getty Images

Consumer genetics testing companies also sell your data to third parties like pharmaceutical companies, making what ultimately happens with this sensitive information more difficult for consumers to track. They also make genetic data available to academic researchers in human biology who use it for legitimate studies.

And companies are popping up every day, promising to use your DNA for everything from figuring out what wine or marijuana varietals your genetics predispose you to, to what skin care regimen is best for you, according to Jennifer King, director of consumer privacy at Stanford Law School’s Center for Internet and Society.

“The science across all that is probably total junk,” she told Recode.

Still, the most troubling potential consequences of imperfect genetic testing and a lack of regulation on how this data can be used may not have even happened yet — or we may just not yet be aware of them.

An FBI agent who works on biological countermeasures, Edward You, thinks hacking genetic data could be a national cybersecurity threat that makes the US vulnerable to biological attacks.


Advertising is also a natural, though troubling, future use case for your genetic data.

“23andMe could decide that they want to use genetic data for ad targeting. They could potentially give a list of customers to Johnson & Johnson,” King told Recode. “It would be a change, but they could do it.”

More likely, these companies could sell advertisers access to you on their website. That would mean allowing advertisers to place ads in front of certain demographics when they visit their DNA results, without telling advertisers which individuals they’re reaching.

“They could decide, ‘Hey we’re gonna follow the Google or Facebook model and allow advertisers to target customers through our platform,’” King said.

23andMe doesn’t currently allow companies to advertise to 23andMe customers, nor do they allow advertising on the 23andMe website. As to what the future holds, a spokesperson said, “We can only comment on what we’re doing today. However, before making any changes to how a customer’s data is being used or shared, we ask that customer for their explicit consent.” Without that approval, the spokesperson said, nothing will change in how a person’s info is shared.

The larger point is that giving access to our DNA data now might have larger consequences than we realize when we first decided to spit in a tube and find out if we’re really a quarter Italian.

“When you make the decision to give away your DNA data, that choice affects you and everybody related to you,” King said. “It’s not necessarily where it goes right now, but where it goes in the future.”

What’s next

There’s limited regulation at the federal level overseeing how companies can share consumer DNA test data, but some states have put forth various bills on the matter. The Federal Trade Commission can step in, and has done so for especially egregious cases when companies run afoul of their own privacy policies. But it’s most likely that legislation will come in the form of data privacy laws more generally, Hazel said.

“Rather than genetic privacy specific legislation, I think we will see data privacy legislation that has an impact on companies that offer these services,” he said.

Internationally, the European Union’s General Data Protection Regulation (GDPR) explicitly classifies genetic data as a special category of personal data, meaning it has enhanced protections over regular personal data. Currently in the US, competing Republican and Democratic data privacy bills are circulating in the Senate, though either will need elusive bipartisan support to become law. It’s also unclear how these would deal with genetic privacy.

“There appears to be a growing push for federal data privacy regulation given the challenges created by a non-uniform system in which various states each enact their own laws with varying requirements,” Hazel said.

For now, consumers can, of course, choose not to take consumer DNA tests. Or, King suggests, they can take the tests under a fake name, review them, then ask the testing company to delete their account.

Consumers can also take a long hard look at the privacy policies they’re not reading. For those who already have taken the tests, there’s the option to delete your profile and take the results with a grain of salt. As for me, it’s too late to apologize to my grandma for believing in a flawed genetics report rather than her.

Open Sourced is made possible by the Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.