By Helen Wallace

from GeneWatch 31-1 | Jan-July 2018

If you send your DNA to a company to test it and provide you with information on your ancestry, could this information ever be used in ways that harm you or your family?

The short answer: Yes.

Your DNA acts like a genetic fingerprint which can be used to identify you and members of your family. If your genetic information is stored on a database alongside your personal details, anyone with access to that database could track you down using your DNA. For example, by collecting your DNA from a coffee cup, sequencing it, and matching the genetic information it contains to that stored on the computer database, someone could find out your name and where you lived.

Because half your DNA comes from your mother and half from your father, DNA can also be used to identify your biological relatives, including your parents, siblings, children and cousins. This means that anyone who can track you down can also find your children. Or, if you are not in a DNA database, you might be tracked down via a relative whose DNA is in a database.

DNA can also reveal non-paternity, sometimes exposing family secrets that have been kept for a lifetime or even several generations. Revealing such secrets is sometimes beneficial, but it can also drive families apart, and perhaps expose women to domestic violence. In some countries, sex outside marriage is illegal and revealing non-paternity can lead to the mother's imprisonment or even death.

For all these reasons, it is widely agreed that genetic information is personal and private. So, how safe is it when you send it to a private company?

There are four primary issues here. Firstly, what are the company's policies on privacy, are those policies legally enforceable, and can you really trust them? Secondly, could the police, security services or others lawfully obtain your genetic information from the company as part of a criminal investigation? Thirdly, how easy is it for someone to access your genetic information unlawfully or deduce your identity even when they are not supposed to? And finally, what are the implications for your family when you decide to use a genetic testing service?

Genetic testing companies' privacy policies vary widely and few people read the small print. In some cases they will allow samples to be stored and genetic information to be shared with third parties.[1][2] Unforeseen circumstances, such as bankruptcy, can introduce additional uncertainty about where samples and data might end up. However, even if we accept that such databases are meant to be secure, this doesn't mean they can't be used to identify you or track down members of your family.

There are already examples of genetic ancestry data being used by law enforcement in the U.S. Although commercial companies often refuse police requests, aware that they may not be popular with customers, the police may not always be open about their use of such databases, or may obtain a warrant to access information.

In the summer of 2014, the Idaho Falls Police Department obtained a warrant to seize genetic information from in connection with a 1996 rape and murder. According to press reports, the police sent the crime scene DNA sample to and the company emailed them the results of a close but not exact match, without naming anyone in the company's database.[3] Police then obtained a warrant to force the company to turn over the donor's name. This individual, Michael Usry Sr., had donated his DNA to a non-profit scientific organization conducting genetic research, which was later bought up by As a result of the partial match, his son, Michael Usry Jr., who was of about the right age and had connections to the Idaho Falls area, was believed to be a suspect by the police. They got a warrant for collection of his DNA and interrogated him for six hours. He remained under suspicion for a month, until his DNA was found not to match the samples taken from the crime scene.

In a more recent case, police arrested a suspect in the so-called Golden State killings, who they identified using genealogy databases.[4] The police used a public site called GEDmatch, where members can upload their family tree DNA results from any commercial company.  Police set up a fake account and uploaded the crime scene DNA to obtain partial matches. Reportedly, 10-20 distant relatives (third cousins) were identified and the police then used those relatives' genetic profiles to construct 25 distinct family trees in an graphing tool.[5] They relied on other publicly available data sources, and information about the crimes (such as their location and the likely age of the suspect) to narrow the suspects down to two. They eliminated one through the DNA test of a relative and confirmed the suspect through analysis of DNA on an item he had discarded.

Whilst some people were simply glad that a suspect was identified, others were concerned about the broader implications. Could police track down any individual simply through their DNA? What if errors in crime scene examination or the lab led to misidentification (as has happened in past cases using police forensic databases)? What if a surveillance state misused such databases, not to track down criminals, but to identify political dissidents (tracked through DNA left on coffee cups at a political meeting, for example)?

This method of deductive identification could also be used by people other than the police. Criminal gangs trying to identify a witness who is in hiding, or an abuser trying to track down his own wife or child, are examples of people who might try to do so. They could use stolen DNA (from a toothbrush or piece of chewing gum, for example, or taken by force from a relative) or even their own DNA (if they are trying to track down a relative) to submit to a commercial service or online database, looking for a partial match.

Are you now hesitating about sending your DNA for genetic testing? Unfortunately, your own privacy also depends on what your relatives decide to do. Australian experts recently warned: "The use of forensic genealogy brings us closer to a point where it may be possible - given enough data and resources - to identify any genetic sample."[6] It is particularly important to think about the impact of these "genetic services" on children and future generations. How will they feel if they can all be identified and tracked, using a DNA surveillance system inadvertently created by their parents? In our curiosity about genetic relatives from the past, will we jeopardize our living and future relatives - and ourselves?

Helen Wallace, PhD, is Director of GeneWatch UK.



1. Christofides E, O'Doherty K (2016). Company disclosure and consumer perceptions of the privacy implications of direct-to-consumer genetic testing. New Genetics and Society, 35(2), 101-123.

2. Niemiec E, Howard HC, 2016. Ethical issues in consumer genome sequencing: Use of consumers' samples and data. Applied & Translational Genomics, 8, 23-30.

3. Ancestory firms' DNA database use suspect. The Clarion-Ledger. 27th March 2016.

4. The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder. New York Times. 27th April 2018.

5. Graphing the sensitive boundary between personally identifiable information and publicly inferable insights. SiliconANGLE. 1st May 2018.

6. Scudder N, McNevin D (2018) Is your genome really your own? The public and forensic value of DNA. The Conversation. May 1, 2018.

Search: GeneWatch
Created in 1999 by the Council for Responsible Genetics, the Safe Seed Pledge helps to connect non-GM seed sellers,distributors and traders to the growing market of concerned gardeners and agricultural consumers. The Pledge allows businesses and individuals to declare that they "do not knowingly buy, sell or trade genetically engineered seeds," thus assuring consumers of their commitment.
View Project
CRG has investigated and reported on the commercial claims made about genetically modified crops and transgenic animals introduced into the food supply.
View Project