Pressure is growing on direct-to-consumer genealogy and genetic testing companies to be more transparent about their privacy policies, after the arrest of the notorious Golden State Killer using publicly available data from one of the websites.
In a letter sent this week — and shared with STAT — Reps. Dave Loebsack of Iowa and Frank Pallone Jr. of New Jersey peppered four of the platforms with questions about their security systems and customer privacy. The Democratic lawmakers are hoping to work with the companies — 23andMe, AncestryDNA, Family Tree DNA, and National Geographic Geno — to identify and resolve any privacy and security issues. And they’re in a prime position to do so: They sit on the Energy and Commerce committee, which handles both health care and privacy issues in technology.
“Much more often than not, Congress acts after the horse is out of the barn,” Loebsack said. “I want to try to partner with genetic testing services to address any potential challenges before there are actually breaches of trust.”
Genetic testing and genealogy platforms have come under fresh scrutiny after it was reported in April that law enforcement investigating the Golden State Killer case tracked down their suspect by submitting old crime scene data to a commercial genealogy website. In the weeks since, there’s been a heated debate about the ethics of using consumer DNA data to solve crimes — and whether consumers understand how their data can be used.
There are also concerns about whether that information is completely secure. Earlier this month, MyHeritage, one of the nation’s most popular online genealogy sites, said a security breach had affected the email addresses and hashed passwords of 92 million users, sparking concern about the security of more sensitive data that the company collects.
It’s not the first time lawmakers have turned their attention to the issue. In November, Senate Minority Leader Chuck Schumer sounded an alarm about privacy policies around at-home DNA testing kits. The New York Democrat called on the Federal Trade Commission to investigate privacy policies and make sure that they’re “clear, transparent, and fair to consumers.” In December, the FTC published a blog post cautioning consumers to consider the privacy implications of direct-to-consumer genetic tests.
The new letter asks for more detail directly from the companies, including information about how their customers’ data is stored, used, and deleted upon request. Specifically, the lawmakers want to know what personal information is collected from customers, which employees of the companies can see that information, and which third parties can buy or access the data. They also have questions about the security systems in place to make sure that the information is secure.
And the lawmakers asked for details on how customers are informed about their rights, what they’re told about opting out of certain features or deleting their data, and how they’re notified about changes to the companies’ privacy policies.
“Customers have to be assured that their data is being protected,” Loebsack said.
Genetic testing and genealogy companies have said they prioritize customer privacy and keep consumer data safe. Both MyHeritage and 23andMe have said they store genetic information on separate systems from the servers that house user names and email addresses. After its security breach, MyHeritage said it would speed up a two-step verification system for users to log in to the site.
Loebsack wants to help identify any potential problems with their security systems and any gaps in their privacy policies. Experts have echoed that request, saying they’d like to see commercial genetic testing and genealogy companies be more upfront with customers about how their data is stored and used.
“They should think about ways of being more transparent about the ways this information can be used … and straightforward about who can have access to this information,” said Thomas May, a researcher at the HudsonAlpha Institute for Biotechnology, who studies how adoptees and other groups without a family medical history use such sites.
In a paper published Wednesday in the New England Journal of Medicine, May laid out the need for better privacy protections and more regulation of commercial genealogy sites. May said there are rules such as HIPAA in place to protect the privacy of patients in medical settings and clinical trials. But there aren’t similar regulations in place for direct-to-consumer companies.
“Our current regulatory approach to privacy in direct-to-consumer genealogy testing has permitted the creation of a Wild West environment,” May wrote. He added that the Golden State Killer case illustrates that it’s possible to upload another person’s DNA and receive a detailed report on that person’s genetic makeup or relatives.
The lawmakers are asking the companies to respond by July 5.