The curiosity of where we come from is the basis for research in many fields. DNA testing is thriving on it. However, where is all the DNA ending up? Who has access to our genetic data?

According to an MIT Technology Review estimate, over 26 million consumers have added their DNA to leading commercial ancestry and health databases. Going by this rate, in the next 24 months, databases could be burgeoning with genetic data of over 100 million people.

If we have learnt anything from Facebook, Cambridge Analytica, British Airways, Aadhaar, and Google+, it is that databases are the favourite playing grounds of hackers. What could a data breach in a genetic database mean for people who use DNA testing services?

Read More: UW research into DNA storage backs up ancient shamanic knowledge

Last year, the genealogy and DNA testing service MyHeritage was hacked. Data belonging to 92 million users were found on the private server of a third-party in a breach that exposed usernames and passwords. While DNA data was not exposed, concern regarding data security in this area remains high.

Genetic Privacy Issues On the Rise

Two giants in the ancestry testing arena are Ancestry of Lehi, Utah, and 23andMe of Mountain View, California. Both companies have created a sizeable database of human DNA. While both these companies are making DNA testing more popular than ever, genetic privacy issues are on the rise.

Read More: ‘Privacy is a myth’: AI for surveillance startup Wobot CPO

While a user of these websites has the option of sharing their DNA information, there is no process that can protect the genetic privacy of relatives. That means if a person opts to publicize their own data, they are unknowingly going to publicize their relatives’ data as well. The reason being that parts of genetic code are shared by related individuals. Even third cousin-related data can be used to identify individuals.

As The Atlantic says, “Relatives you’ve never met can take DNA tests that affect you. And the actions you take can affect relatives you don’t even know.”

Currently, 60% of Americans with Northern European heritage can be identified by data a relative uploaded to a public database, a number that is projected to increase to over 90% in the next couple of years.

Third Party Research

Most users who go for DNA testing with genealogy companies allow their DNA to be shared with third parties for research purposes. In fact, this is one of the popular reasons for getting DNA testing done. People feel a sense of altruism in the knowledge that their DNA could help create a disease-curing drug or some other noble purpose.

However, there is no way of finding out whether these third parties are actually using the DNA samples for drug testing, or whether the drug they create is not going to be used to just rake in profits. Also, in such processes, the samples may have to be passed around several parties. How can users trust these third parties?

For example, Drug giant GlaxoSmithKline (GSK) invested $300 million in a deal with 23andMe, according to which, GSK gets exclusive rights for four years to use 23andMe’s DNA database to develop new medicines using human genetics. The funding and proceeds are to be split equally.

While users do have an option to revoke a decision of allowing the use of their DNA for research or to delete their profile, there is again no way to ensure that a genetic profile is erased and the DNA sample destroyed.

Law Enforcement Requests

A genetic test reveals an individual’s ancestors, how closely they may be related to another member in the database, and if they have any vulnerabilities for diseases in their genes.

While finding a relative via such a database could make a touching movie story, it could also make a thrilling crime whodunnit, where the police zero-in on a perpetrator through an oblivious citizen’s DNA.

While the former is definitely happening, so is the latter. The police used data from GEDMatch, a genealogy research site, to nab the long pending cold case of the Golden State Killer. Since then, using DNA testing to catch criminals has become the norm among law enforcement agencies and GEDMatch has become their favorite source.

The incident; however, does raise questions about the security of user information on such websites. Roger Curtis, Co-Founder of the website told The Atlantic, “My initial reaction was I was upset. I didn’t like this use of our website.”

The terms of service of the website now clearly inform users that “DNA obtained and authorized by law enforcement” can be uploaded to identify a perpetrator of a “violent crime.”

The fact remains that if law enforcement and courts request for user data complete with subpoenas and warrants, these companies can hardly say no.

Laws on DNA Testing

Thankfully, the companies thriving in this space will always be motivated to protect user data, since consumer trust is food for such companies. However, the legislature surrounding genetic privacy are not well defined yet.

The only law in existence for the protection of genetic data in the US is the Genetic Information Non-discrimination Act (GINA). Experts are not convinced that this Act is fulfilling its intended aim of protecting US citizens from discrimination based on their genetic data.

How these companies protect this data, how they share it with third parties, and then, how that third party uses it can be cause for concern. 23andMe and Ancestry both were under investigation last year by the Federal Trade Commission regarding their personal information and genetic data handling policies.

Many Vulnerabilities

The fact that these tests cost as less as $59 is driving sales in the millions. However, the family secrets they reveal can be vulnerable to exposure to several elements, starting from law enforcement agencies to life insurance organizations, to our employers. What if terrorists get hold of this data and target specific individuals or groups with bio-weapons?

While user data is currently a hot topic in many industries, when it comes to genetic information, the cringe factor is deeper than usual. After all, it can’t get more personal than information about our ethnicity, race, and health.