Are There Better Alternatives to 23andMe? DNA Testing Privacy Concerns from Incogni Research

December 2024 by Incogni

Incogni’s research team has extensively analyzed the health data privacy policies of the 10 leading DNA testing services, investigating areas that could compromise users’ most sensitive personal information—their genetic data. Several services were found to have vague policies about sharing data with law enforcement, disposing of genetic data, and determining which legislative acts apply to their genetic databases. Half of the services also lack a clear Health Data Privacy Policy, such as the one required by Washington state law.

This research comes at the peak of the 2024 holiday season, when genetic testing kits like those from 23andMe and Ancestry make popular gifts. Recipients of these gifts are unaware of how their genetic data might be used and of the privacy risks involved—especially when companies like 23andMe are embroiled in scandals ranging from data breaches to bankruptcy proceedings.

Incogni researchers assessed the top 10 commercial DNA testing companies and how they handle personally identifiable information (PII) and technically identifiable information in conjunction with their customers’ genetic data. The study analyzed 23andMe, Ancestry, MyHeritage, Living DNA, FamilyTreeDNA, DNA Complete (formerly Nebula Genomics), SelfDecode, LetsGetChecked, Toolbox Genomics, and Everlywell.

The research highlights multiple risks associated with genetic data sharing and personal privacy. DNA testing companies claim that genetic test data is anonymized. However, genetic data can be combined with other technically identifiable information, making it possible to re-identify an individual even from anonymized data. These weaknesses can expose users to misuse, intentional or otherwise, and even to targeted attacks, as seen in the 23andMe data breach that singled out Jewish and Chinese users.

Incogni researchers also uncovered that four investigated services, SelfDecode, LetsGetChecked, Toolbox Genomics, and Everlywell, state they comply with law enforcement when “legally compelled only” or under a “good faith belief” that disclosure is necessary. These terms use ambiguous legal language that could allow information sharing without a warrant or a court order.

Among the services we analyzed, 4 out of 10 did not specify where physical samples are stored. The remaining services vaguely reference storage locations like a “secure facility” (Ancestry), “Biobank” (23andMe), or a “lab in Houston” (FamilyTreeDNA). All services retain physical samples for extended periods.

Additionally, half of the services (Living DNA, FamilyTreeDNA, DNA Complete, SelfDecode, and Toolbox Genomics) lack a clear Health Data Privacy Policy as required by Washington’s My Health My Data Act, which mandates transparency in handling state residents’ health data.

"The convenience and curiosity from DNA testing services come with significant privacy trade-offs that many users may not fully understand," says Darius Belejevas, CEO of Incogni. "From risks around data breaches to company acquisitions and potential law enforcement interactions, genetic data connected to personally identifiable information is far more vulnerable than one might expect."

Methodology

Incogni’s research team, collaborating with legal experts, analyzed the general privacy policies, terms of service, and health data privacy policies of 10 DNA testing services between October 30 and November 14, 2024. The privacy-related topics we found particularly interesting are presented above, with findings across services standardized and their implications analyzed.
