Skip to main content

Andray Domise is a Toronto-based writer.

Kits from genealogy companies, such as Ancestry, 23andMe and others, are often touted as holiday gifts, perfect for the person who has it all. “We all want to be able to picture where we came from, so why not give a friend a genetic test that provides some answers?” Oprah Winfrey asked in her 2017 “favourite things” guide.

But in reality, when people hand over their genetic data to private corporations, they are opening themselves up to privacy violation.

The ostensible purpose of those saliva samples might be to help identify long-lost lineages, but long after the novelty has worn off, the information finds a secondary purpose – as part of data troves that are highly desirable to police, for fishing expeditions. We hear about the successes: Last summer, the RCMP announced that “Septic Tank Sam,” a mutilated murder victim found underground in the 1970s in Lindbrook, Alta., had been identified as Gordon Sanderson. The RCMP had sent DNA extracted from his bones to Othram, a Texas-based firm that trawls databases for potential matches.

Other high-profile solved cold cases – including the conviction of Joseph James DeAngelo as the Golden State Killer after police accessed the online genealogy service GEDmatch – are touted in an effort to expand police access to these databases. But people who purposely or inadvertently contributed their DNA to these databases likely weren’t aware that by doing so, they’d enumerated themselves as potential suspects in crimes around the world.

Police efforts to access these databases occur often enough that companies feel obliged to offer disclaimers. Ancestry, for instance, states that they “do not allow law enforcement to use its services to investigate crimes or identify remains;” 23andMe says they “use all practical legal and administrative resources to resist requests from law enforcement, and we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access,” though it acknowledges that it could still be “required by law to comply.” In any event, it may only be a matter of time before courts throw the floodgates open.

In October, 2019, Orlando police obtained a warrant from the 9th Judicial Circuit Court of Florida to search the DNA database of GEDmatch, which had a user base of nearly one million people at the time – the first such warrant to be handed out. Legal experts warned that the precedent it set amid a fragile patchwork of privacy law in the field had potentially dire consequences – not only for people who had sent DNA samples to these companies, but even for their non-consenting family members. Here in Canada, the RCMP has been working with Othram and another forensic DNA analysis firm, Parabon NanoLabs, without having fulfilled its duty to provide privacy impact assessments.

Such overreach doesn’t even necessarily help police as much as advertised. In the early 2000s, police in Charlottesville, Va., enacted a “DNA dragnet” in pursuit of a serial rapist identified only as a Black man, by approaching nearly 200 Black men not suspected of any crime – they merely resembled a composite sketch of the suspect or had been reported as “acting suspiciously” – and collecting their DNA. Some claimed they were more scrutinized by police after refusing, and even mocked by officers after complaints were raised. The rapist was eventually caught, but only when he was recognized in public by one of his victims. His information was not in any database.

The frameworks around “securing” this data are also inexcusably thin. The RCMP has no formal policy on privacy and ethics regarding DNA collection; they are bound only by the policies and terms of use for the companies with which they have a contract, and since there is no broad-based legislation governing such practices, there is no clear uniformity. Some require users’ explicit approval to release information to police or other third-party organizations; some offer users an opt-out clause; some have no express restrictions at all.

That means that police, advertisers, insurers and possibly potential employers could one day glean more about users of DNA-matching services and their families than even they are aware of: medical and genetic conditions not yet diagnosed, or parentage and familial relationships. Meanwhile, there will be a persistent threat of hackers vacuuming up their data, a risk that users may not even be aware of. GEDmatch, for instance, was breached in July, 2020, which rendered all user information publicly visible.

Genealogy companies, meanwhile, squander goodwill by too often putting the bottom line ahead of their users’ privacy. 23andMe, for instance, is now pivoting to Big Pharma, exploiting its genealogical database to develop new medicines – an effort fuelled by unwitting kit-users.

Sure, you might think you have nothing to hide. Yet, while police engage in PR campaigns to soften the public to the idea of allowing them to unlock the secrets hidden in our genes, the fact remains: These are attempts to whittle down our rights.

So if you care at all about the right to privacy for yourself and your loved ones, maybe consider a box of chocolates this holiday season, instead.

Keep your Opinions sharp and informed. Get the Opinion newsletter. Sign up today.