I recently spat in a pot and sent my saliva off in an envelope for analysis. A growing number of people are willingly handing over their DNA to corporations in return for learning about their ancestry or to get health reports.
Why are we prepared to make this trade with our most intimate of data and what are we getting in return?
And what happens if you want your data back?
Interest in off-the-shelf DNA tests has exploded in recent years.
It is estimated that by the start of 2019, 26 million people had added their DNA to four leading databases, operated by Ancestry, 23andMe, MyHeritage and Gene by Gene.
In 2016, 23andMe began selling access to anonymised data to more than 13 drug firms. Genentech reportedly paid $10m (£8.3m) to look at the genes of people with Parkinson’s disease, while GlaxoSmithKline has reportedly paid $300m for access to the database.
But Tim Caulfield, research director at the health law institute at the University of Alberta, is not sure that people realise what they are signing up for when they answer the lengthy questionnaires about their health and heritage.
And while most of the firms – including 23andMe – operate on the basis that users can withdraw consent to use their genetic information at any time, it can be more complicated than that.
“Once it has been aggregated and data is out there, it becomes difficult to get it back. And what happens if the firm goes bankrupt, what happens to all the DNA then?”
Bankruptcy is not the only thing that can go wrong.
And it is not the first time police have used the vast DNA databases which firms such as 23andMe are amassing.
From this, police were able to create a complex family tree with the details of around 1,000 people, which led eventually to the third and fourth cousins of Joseph James DeAngelo, who was arrested and charged with the crimes.
None of those whose data was compiled had given prior consent for their data to be used in a murder enquiry.
Dr Emiliano Cristofaro, head of the information security research group at University College London (UCL), said: “These firms like 23andMe and Ancestry DNA do the bare minimum to be GDPR-compliant (General Data Protection Regulation) but they don’t always have the users’ best interests at heart.”
In response, 23andMe explained that there were different thresholds within the tests, one with 90% confidence levels and one with just 50% accuracy.
“The differences on the Speculative threshold are due to how our system is trained to label stretches of DNA at that confidence level. The system is essentially forced to make choices between two very similar regions of ancestry, instead of classifying them more generally as ‘Broadly European’ or ‘Unassigned.’”