Why and How to Remove Your Data From DNA Testing Sites
The recent 23andMe hack illustrates the privacy risks of at-home genetic testing
Welcome to another issue of Secrets of Privacy where we discuss personal privacy related topics and provide practical tips to enhance your personal privacy.
DNA testing has become increasingly popular in recent years, with many people opting to take at-home DNA tests to learn more about their ancestry and health. Popular sites include 23andMe, Ancestry.com, and MyHeritage. Those companies have sold over 40 million kits, though sales have slowed since 2018. The analysis and information provided by these sites can be entertaining, and could even be useful in filling in some ancestral gaps.
However, there are obvious privacy concerns with entrusting this type of data to a third party. And because of the sensitive and valuable information collected, these companies have big targets on their backs. With the recent theft of DNA data at 23andMe, there’s an increased interest in deleting DNA data from these sites. We’ll walk through why you may want to do that as well as how.
Why Remove Your Data?
There are several privacy and security concerns associated with at-home DNA testing on sites like 23andMe. So much so that the Pentagon felt obligated to issue a memo back in 2020 warning service members about the “personal and operational” risks with these tests. Most of the risks and concerns are self-evident, but we’ll touch on some for the sake of completeness.
The most obvious is having a third party store your DNA data in the cloud. Entrusting sensitive data to a third party is always risky, particularly when it’s hosted in the cloud and accessible via the internet. No company will guarantee there won’t be a breach of their system. It’s not a matter of if, but when and how bad.
And in the case of 23andMe’s 2023 incident, their systems were not “breached”. The theft of data (purportedly) occurred when hackers used stolen passwords and usernames from other accounts. In other words, customers re-used the same login info on multiple sites, including 23andMe. That’s a major privacy fail, to say the least.
To illustrate the risks of having your genetic information stolen, here are some of the ways Bad Actors can use that type of data against you:
Identity Theft. Possession of your DNA data can make a Bad Actor seem more credible. Bad Actors could then potentially use stolen DNA data in conjunction with other personal information to commit identity theft.
Phishing and Social Engineering Schemes. A Bad Actor might use the stolen DNA data to craft convincing phishing emails or messages, posing as legitimate organizations or institutions. A recipient may be more likely to trust and engage with these communications since they contain or reference the recipient’s sensitive genetic information.
Extortion and Blackmail. A Bad Actor may threaten to release sensitive genetic information to the public or to an employer, family, or friends unless a ransom is paid. This could lead to significant emotional distress and financial consequences for the victim.
Pharming Attacks. A Bad Actor might use stolen genetic data to target individuals with specific medical conditions, attempting to sell them fraudulent medical products or services, or spreading false information about treatments.
In addition, there are concerns that your genetic data could be used against you by legitimate businesses. There are current laws on the books like the Genetic Information Nondiscrimination Act (GINA) that prohibit employers or health insurance companies from discriminating against a person based on their genes. This of course doesn’t mean it still can’t happen (i.e. those organizations break the law). But it’s important to note who GINA does not apply to - providers of life insurance, disability insurance, or long-term-care insurance. State laws may fill in the gap there, but theoretically, one of those types of businesses could use your genetic information for a business purpose unless prohibited by a state law.
There are also concerns that law enforcement agencies could use this data to identify suspects in criminal investigations. All of these DNA testing companies will turn over your genetic information to law enforcement upon a lawful request. Some even do it with a simple, non-legally binding request. But deleting your DNA data is probably not enough to avoid this risk. If a close relative used a DNA service, that’s likely sufficient for law enforcement to narrow their pool of suspects.
But it’s not just DNA data that you need to worry about. These companies collect a wide variety of other personal data, including information you voluntarily share with them such as your name, address and email address, and, in some cases, facts about your family and your health. They also share your information with third parties for unspecified reasons, likely under the generic catch-all of “improving their products and services”. In other words, they over-collect data and then overshare some of your non-DNA data. This is not unique to DNA companies, but given the sensitivity of the data they collect, it is more concerning.
Consumer Reports did a deep dive on the privacy practices of the most popular genetic testing companies. You can read their full report and findings here.
Before Deleting Your Data
If you’re ready to delete your data, there are a few things to keep in mind. While not an exhaustive list, this will help you make a more informed decision.
You can delete your digital data. In other words, the analysis of your DNA specimen. This is the file you can download.
You can also delete your DNA sample. This is the physical specimen you mailed back to the company.
Consider keeping a local backup of your data. For example, you can take a screenshot or print a PDF of your lineage data and infographics (e.g. the maps showing where your ancestors came from). You can also download your actual DNA sequence.
If you keep a copy of your DNA sequence, maintain it in a secure spot. Ideally you’d encrypt it locally offline, such as putting the file on an external drive and placing it in a safe or firebox. Storing the data in the cloud is risky, especially if it’s not encrypted. You can also print a hard copy, but that’s not as useful in the future if you needed the data in a digital format for some reason (e.g. medical research).
If you opted your DNA into clinical research or a study, that data will not be deleted, though it is usually deidentified (i.e. purportedly can’t be traced back to you). Deidentification is not perfect, and can be reverse engineered with the right data sets available.
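For the "encrypt it locally offline" step above, here is one way to do it with OpenSSL. This is an added example, not part of the original newsletter; the file names, the DNA_PASS variable, the passphrase and the two-line sample export are all constructed. It encrypts the downloaded file, proves the encrypted copy decrypts back to the same bytes, and only then removes the plaintext, so you know the backup works before you ask the company to delete its copy.

```shell
#!/bin/sh
# Added example. File names, passphrase and sample data are constructed.

ENC_OPTS="-aes-256-cbc -pbkdf2 -iter 600000"

# encrypt_export PLAINTEXT CIPHERTEXT
# The passphrase comes from the DNA_PASS environment variable so it does not
# show up in the process list.
encrypt_export() {
    openssl enc $ENC_OPTS -salt -in "$1" -out "$2" -pass env:DNA_PASS
}

# verify_backup PLAINTEXT CIPHERTEXT
# "openssl enc" in CBC mode does not authenticate the ciphertext, so decrypt
# it again and compare SHA-256 digests with the original.
verify_backup() {
    want=$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)
    got=$(openssl enc -d $ENC_OPTS -in "$2" -pass env:DNA_PASS 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# backup_then_remove PLAINTEXT CIPHERTEXT
# Removes the plaintext only after the encrypted copy has been proven readable.
backup_then_remove() {
    encrypt_export "$1" "$2" || return 1
    if ! verify_backup "$1" "$2"; then
        echo "verification failed; plaintext kept" >&2
        return 1
    fi
    rm -f -- "$1"
}

# Demo on a constructed two-line export in a temporary directory.
demo_dir=$(mktemp -d)
printf 'rsid\tchromosome\tposition\tgenotype\nrs0000001\t1\t1000\tAA\n' \
    > "$demo_dir/raw_export.txt"
DNA_PASS='constructed demo passphrase'
export DNA_PASS
backup_then_remove "$demo_dir/raw_export.txt" "$demo_dir/raw_export.txt.enc" &&
    echo "encrypted copy verified: $demo_dir/raw_export.txt.enc"
```

Note that rm only unlinks the file; on SSDs and flash drives the old blocks can linger, so do the encryption on a disk that is itself encrypted. Keep the passphrase somewhere other than the drive holding the encrypted file.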
How to Remove Your Data
If you’ve decided that you want to delete your DNA data from one of these sites, please note that the process may not be straightforward. The process can also change quickly and often, so this information may be outdated by the time you read it. And the degree to which you have control over your genetic information can vary depending on the company.
As of publication, here are general instructions on how to delete your DNA data from each of the following sites:
23andMe: Sign into your account, click the “Settings” tab and scroll to the bottom. You’ll then find the option to delete your data.
Ancestry: Sign into your account, and navigate to this page. Follow the steps and select the options you want.
MyHeritage: You can email MyHeritage to discard your DNA sample (privacy@myheritage.com). To delete your digital data, sign into your account, go to the “DNA” tab on the top menu bar and select “Manage DNA Kits” to get started.
Conclusion
At-home DNA testing is a classic risk-reward decision. It can be an interesting and fun way to learn more about your ancestry and health, but it also comes with some serious privacy risks. Therefore, it is important to be aware of the reputation, privacy policies and practices of the sites that offer these tests, and to exercise your right to delete your DNA data if you no longer want it stored on their servers. In the current climate, deleting your DNA data from these sites may be a prudent, proactive move to future-proof your privacy and take control of your genetic information.