(CNN) — Fears about the privacy of our data have become commonplace amid credit monitoring hacks and a political firm accessing Facebook users’ information. A recent arrest takes it one step further, raising questions about how our genetic information is being used and who has access to it.
Nearly 32 years after the Golden State Killer’s rampage ended, police arrested Joseph James DeAngelo, 72, on Tuesday in a Sacramento, California, suburb. Police allege that he is the killer who is believed to be behind 12 deaths and at least 50 rapes in at least 10 counties in California from 1974 through 1986.
The arrest was made on the basis of genetic information, with detectives matching a discarded DNA sample from his home to evidence from the investigation, law enforcement officials said. DNA evidence is used to implicate criminals every day, but the method used in this case was new.
The investigators used an open-source genetic database, GEDmatch, to explore family trees and see whether any contained matches to DNA samples from the crime scenes, according to Paul Holes, a retired cold case investigator who briefed the Sacramento County sheriff throughout the final stages of the investigation.
Once a family profile was created, the investigators could find feasible “suspects” within a family.
If you or a relative have dipped into genetic research, should you be worried about your own privacy?
Laws have not caught up
Anyone can use GEDmatch, a website for amateur and professional researchers and genealogists. The site’s free tools allow people to enter their DNA profiles or genealogical data — the information received from commercial genetic testing companies such as 23andMe or Ancestry.com — so they can find familial matches with other users.
Though the investigation for the Golden State Killer lasted decades, the DNA testing and matching took “only four months to get to the right pool of people,” Holes told CNN. “With DeAngelo, there were over 100 distant relatives listed with some percentage of DNA match, so we looked at just how much DNA was shared. … We only had to contact one or two people once we had all this information from GEDmatch.”
In short, the investigators tracked down DeAngelo based on genetic information provided not by him but by one of his relatives.
“It is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes,” Curtis Rogers, co-founder of GEDmatch, said in a statement.
In fact, the company’s website states, “We take measures to ensure that only registered users have access to your results, but those measures have not been and never will be perfect. Direct access to your data is available to GEDmatch personnel, including volunteers, on a need to know basis.”
Jeremy Gruber, former president of the nonprofit Council for Responsible Genetics, whose books include “Genetic Explanations: Sense and Nonsense,” said people who use commercial genetic testing companies to determine ancestry or genealogy are “oftentimes sacrificing their privacy.”
“It’s no different than what we’re finding with general internet privacy,” Gruber said, adding that a lot of companies “are using information in a way that was not anticipated a decade ago. The laws have simply not caught up with some of the new uses of personal information.”
You are the product
Genetic testing appears to be an evolution in the “when the product is surprisingly cheap, you are the product” ethos: You are very much the product of commercial genetic testing companies while footing the bill, as reported by the authors of a 2014 article in The New England Journal of Medicine.
“23andMe has … suggested that its longer-range goal is to collect a massive biobank of genetic information that can be used and sold for medical research and could also lead to patentable discoveries,” wrote George J. Annas, a legal scholar at Boston University School of Public Health, and Dr. Sherman Elias of the Department of Obstetrics and Gynecology at Feinberg School of Medicine at Northwestern University.
23andMe allows people, for a fee, to send in saliva samples that are used to generate selected genetic reports available for viewing online. It is one of the forerunners in the field of commercial genetic testing, as it is the first to provide genetic reports that meet Food and Drug Administration standards.
In a statement, 23andMe said that “it’s our policy to resist law enforcement inquiries to protect customer privacy.” The statement also notes that “we have never given customer information to law enforcement officials.”
However, 23andMe’s “transparency report” reads, “Under certain circumstances Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities.”
Commercial genetic testing companies are governed by the “same privacy laws applicable to any consumer product company,” Gruber said. “Your genetic information, itself, is considered information like any other type of information about you. It doesn’t have any additional levels of safety or security.”
The 2013 Supreme Court case Association for Molecular Pathology v. Myriad Genetics Inc. found that DNA is not property, Gruber explained.
Yet your genetic information contains a treasure trove of health and ancestry information about you and your family.
If genetic information is shared with your physician or your health insurance company, there are “very robust protections” to safeguard it, Gruber said.
Specifically, 2008’s Genetic Information and Non-Discrimination Act prohibits health insurance companies from using genetic information to make eligibility, coverage or premium-setting decisions. It also prevents employers from including genetic data in their decisions about hiring, firing and promotions.
“GINA was designed to cover employment and health insurance,” Gruber said. However, the act does not apply to companies with fewer than 15 employees, and “other forms of insurance including life, disability and long-term care are not covered by GINA, though some (certainly a minority) of states do have limited protections for genetic information in these areas,” he said.
Unlike the protections offered by the act, legally, it’s the Wild West when it comes to commercial genetic testing companies, Gruber said.
Many commercial genetic testing company contracts with participants “have clauses that allow them to change their policy as they choose,” he said. “So not only are you oftentimes signing away your information, but you oftentimes are doing so in an environment where you’re not fully confident that the company will not choose to make future decisions with that information.”
GEDmatch takes transparency one step further.
“We cannot predict what the future will be for GEDmatch. It is possible that, in the future, GEDmatch will merge with, or operations will be transferred to other individuals or entities,” the company states on its website. “That event would provide access to your data by people not currently involved in GEDmatch operations.”
When you give your genetic information to a commercial genetic testing company, you’re not only selling your own privacy but also that of others — “even unknown family members that are connected to that individual,” Gruber said.
“There have been cases with commercial genetic testing companies where individuals have discovered that who they thought were their parents weren’t their parents,” he said. “And things like infidelity and missing family members who may not have wanted to be contacted are found through the use of these types of services.”
When collaborating on medical research, 23andMe shares with academic and industry partners genetic information from consenting customers that has been de-identified — stripped of identifying information — and bundled with data from other consenting customers.
All partners involved adhere to rigorous privacy and security standards, according to the company.
Yet when it comes to “anonymizing” DNA, it is so far impossible to truly do so, according to Yaniv Erlich, a core member at the New York Genome Center and assistant professor of computer science and computational biology at Columbia University.
“If your genome is out in a public database, then it is technically reasonable to re-ID you,” said Erlich, who, with colleagues, published a paper in which “de-identified” genetic information was re-identified through cross-references to publicly available information.
GEDmatch is “a public database that allows searches to anyone with an internet connection,” Erlich said, adding that “most genetic genealogy companies will not allow this type of search.”
When a company shares de-identified and aggregated data with partners, it cannot guarantee what will happen to the information once it leaves its hands. Echoes of Facebook notwithstanding, one thing is clear when it comes to commercial genetic testing companies, Gruber said. People who use their products “don’t usually have a full understanding and appreciation for what type of information they’re giving those companies,” and they don’t understand that they’ve given up “any future control” over their information.
“Be cautious and fully informed,” he said.