Annual Reminder: 23andMe Is a Dangerous Christmas Gift That Could Have Unforeseen Impacts on Your Entire Family, Your Children, Etc.

The ever-worsening 23andMe hack shows the inherent vulnerability of genetic databases designed to show connections between people.

Every few years, I write an article about how it is generally not a good idea to voluntarily give your immutable genetic code to a for-profit company (or any other genetic database, for that matter), and how it is an even worse deal to pay money to do so. It is also not wise or ethical to gift a 23andMe Saliva Collection Kit to your loved ones for Christmas, their birthday, or any other reason.

Because our respective genetic code and the underlying business models of companies like 23andMe have not changed since I first wrote a version of this article in 2018, this article will be similar to those, but the message remains as important now as it did then: Doing 23andMe is an irreversible action that could have unforeseen ramifications not just for yourself but for your family or your possible offspring.

First, let’s address the fact that hackers recently accessed the personal data of about 14,000 23andMe customers. Because of how 23andMe works—it has a “DNA Relatives” feature that lets users find people they are probably related to—this breach exposed the data of 6.9 million “other users” who had never been directly compromised, according to reporting by TechCrunch. This data included people’s names, birth years, relationships, percentage of DNA shared with other 23andMe users, and ancestry reports.

The hackers had previously shown how dangerous this type of data could be by publishing apparent data on 23andMe customers of Jewish Ashkenazi descent, and had advertised specific parts of the data for sale. 

The hack highlights both the vulnerability of services like 23andMe as well as the network effects associated with genetic databases: Human beings are related, those relations can be shown in our DNA, and 23andMe and sites like Ancestry are designed to show these relations. 

Getting your DNA or your loved ones’ DNA sequenced means you are potentially putting people who are related to those people at risk in ways that are easily predictable, but also in ways we cannot yet predict because these databases are still relatively new. I am writing this article right now because of the hack, but my stance on this issue has been the same for years, for reasons outside of the hack.
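As an added illustration (not code from the article or from 23andMe), here is a small model of the exposure multiplier described above: the accounts an attacker logs into reveal the relative profiles of people whose credentials were never touched. The relative graph, the opt-out rule, and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed toy relatives graph (not real 23andMe data). An edge (a, b)
# means a's DNA Relatives view shows b's profile and vice versa (symmetric).
RELATIVE_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "erin"), ("carol", "erin"),
    ("frank", "grace"), ("grace", "heidi"),
    ("judy", "mallory"),
]

def build_graph(edges):
    """Adjacency sets for an undirected relatives graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def exposed_by_breach(graph, compromised, opted_out=frozenset()):
    """Accounts whose relative-profile data (name, shared-DNA %, ancestry)
    becomes readable once the `compromised` accounts are taken over.
    Assumed opt-out rule: an opted-out account neither sees relatives nor is
    shown to them, so it drops out of both sides of the calculation."""
    exposed = set()
    for acct in compromised:
        if acct in opted_out:
            continue
        exposed |= graph.get(acct, set()) - opted_out
    return exposed - set(compromised)

def amplification(graph, compromised, opted_out=frozenset()):
    """Exposed third parties per compromised account (the breach multiplier)."""
    if not compromised:
        return 0.0
    return len(exposed_by_breach(graph, compromised, opted_out)) / len(compromised)

def highest_blast_radius(graph, n=3):
    """Accounts whose compromise would expose the most relatives; a defender
    would prioritise these for step-up authentication and login monitoring."""
    ranked = sorted(graph, key=lambda a: (-len(graph[a]), a))
    return ranked[:n]

if __name__ == "__main__":
    g = build_graph(RELATIVE_EDGES)
    hit = {"alice", "frank"}
    print(sorted(exposed_by_breach(g, hit)), amplification(g, hit))
    print(sorted(exposed_by_breach(g, hit, opted_out={"carol", "dave"})))
    print(highest_blast_radius(g))
```

Two compromised accounts expose four relatives here; scaling the same one-hop effect to a large database is how a breach of thousands of logins reaches millions of people.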

In 2016, I moderated a panel at SXSW called “Is Your Biological Data Safe?,” which was broadly about the privacy implications of companies and other entities creating gigantic databases of people’s genetic code. This panel’s experts included a 23andMe executive as well as an FBI field agent. Everyone on the panel and everyone in the industry agrees that genetic information is potentially very sensitive, and the use of DNA to solve crimes is obviously well established. 

At the time, many of the possible dangers of providing your genome to a DNA sequencing company were hypothetical. Since then, many of the hypothetical issues we discussed have become a reality in one way or another. For example, on that panel, we discussed the work of an artist who was turning lost strands of hair, wads of chewing gum, and other found DNA into visual genetic “portraits” of people. Last year, the Edmonton Police Service, using a company called Parabon, used a similar process to create 3D images of crime suspects using DNA from the case. The police had no idea if the portrait they generated actually looked like the suspect they wanted, and the practice is incredibly concerning.

To its credit, 23andMe itself has steadfastly resisted law enforcement requests for information, but other large databases of genetic information have been used to solve crimes. Both 23andMe and Ancestry are regularly the recipients of law enforcement requests for data, meaning police do see these companies as potentially valuable data mines. 

The risks of putting yourself into a genetic database became very clear after police solved the case of the Golden State Killer, a serial killer named Joseph James DeAngelo who committed at least 13 murders and 51 rapes over the course of the 1970s and 80s, using genetic matches from the killer’s relatives found in a volunteer-run genetic database called GEDmatch.

This case was the exception that proves the rule. Many will argue that, if you do not plan on being a serial killer, you have nothing to fear. But this extreme example demonstrated the potential power of genetic-database-as-law-enforcement-data-mine, and now, the use of genetic databases to catch criminals for much smaller offenses is far more common, and we have absolutely no idea how these databases will be used in the future.

The story arc of GEDmatch is a useful one when considering whether it is a good idea to give your genome to any genetic database. It was started as a genetic database by two people, run out of a Florida basement, as a tool for “amateur and professional researchers and genealogists” in 2010. Its website looked like this, and its privacy policy stated “we will never sell your information.” In 2018, it helped cops crack the Golden State Killer case. It then began helping cops in other cases. The site then broke its own terms of service to help police in a case in Utah, and, later, a judge ruled cops had wide latitude to search its database. GEDmatch was then sold in 2019 to a for-profit company called Verogen that had FBI contracts and was specifically interested in using genomic databases for law enforcement. GEDmatch was hacked in 2020, and 1 million records were exposed. GEDmatch also began to work with Parabon, the aforementioned company doing DNA portraits for cops, and also began to work directly with Florida state police’s “Genetic Genealogy Investigations program.” Verogen itself was sold to a Dutch conglomerate called QIAGEN, which has forensics, healthcare, biotech, and pharma arms.

All of this happened in 13 years, to a nonprofit project created for amateur genealogists. Nearly everything about its business model and its purpose changed entirely. The thing that did not change was the DNA of the people who had given their genetic code to this DIY project, which is now owned by a Dutch megacorporation.

[Image caption: This is how a giant genetic database owned by a Dutch conglomerate started]

This brings me to my broader point, and one that I think is made very well in the Mastodon post I embedded at the top of this article. Your DNA does not change. It connects you to your relatives, and will connect you to your children, their children, so on and so forth. That’s how DNA works.

I do think there is potential in genomic and personalized medicine, and I do not dismiss the idea that people have learned specific actionable advice by sequencing their genomes. But there are safer (and unfortunately, more expensive) ways of doing this through health care providers.

Even if you are aware of exactly how 23andMe is using your genome, even if you know the ins-and-outs of its privacy practices and terms of service, security practices and policies, its business model, its advertising model, its agreements with big pharma companies, and everything else you could possibly want to know before using a product like this and still want to opt-in to using their services, that does not mean that everyone you know or will ever know also wants the DNA they share with you shared into these DNA databases.

[Image caption: 23andMe's updated terms of service]

More importantly, 23andMe’s current privacy practices, security practices and policies, business models, advertising models, research practices, big pharma data sharing agreements, and everything else are not guaranteed to stay as they are forever. Consider, for example, that 23andMe suddenly changed its terms of service in the aftermath of the hack to include a mandatory arbitration provision intended to prevent class action lawsuits. 23andMe has already been subject to a SPAC, while Ancestry was purchased by Blackstone, a gigantic private equity firm. We have no idea what 23andMe will be doing in one, 10, or 100 years, who will own it, what will happen to its databases, and who will have direct or indirect access to your DNA.

Business models change, companies are sold, strategies change, promises can be broken, privacy policies can be updated. These things are impermanent. But your DNA is forever.