We are all Henrietta Lacks. Or, according to privacy experts, we soon could be. Americans are giving their DNA to companies that research their family origins, scientists say, without thinking through the potential long-term consequences.
This week, the National Institutes of Health said it reached a landmark agreement to protect the privacy of the family of Henrietta Lacks, who died in 1951. Since her death, Lacks’s cancer cells and DNA have been used as the basis for as many as 74,000 scientific papers. For decades, the Lacks family had no idea her cells were being used in experiments around the world. Since finding out, they’ve expressed concern about what Lacks’s genes could reveal about her extended family. The new agreement acknowledges Lacks as the source of the “HeLa” cells, and restricts public access to her — and, by extension, her family’s — genetic information.
Her case provides a cautionary tale for those who willingly give up their DNA for genealogy tests, lawyers say. (Lacks’s tumor cells were taken without her permission, before federal regulations required patient consent.) With TV shows like “Who Do you Think You Are?” becoming more popular, thousands of Americans are sending swabs of their DNA to genealogy companies to find out where their ancestors came from. What they may not realize: They are potentially handing over medical secrets of their grandparents and future grandchildren, says Erin Murphy, professor of law at New York University School of Law. “These companies operate in a legal gray area,” she says. “They’re not quite doctors, and they’re not quite medical-testing facilities.”
While many genealogy companies do have privacy policies stating that they will not sell DNA or use it for research and development without the customer’s permission, Murphy says they’re still subject to court orders and subpoenas. “Let’s say somebody is in a dispute with their insurer about whether they have some health condition, or they got fired because of some medical condition, this data could become part of the court process,” she says.
In a worst-case scenario, the data could be misplaced or hacked, says Harvard Medical School genetics professor George Church, founder of the Personal Genome Project, which aims to sequence and publicize the complete genomes of 100,000 volunteers. But many companies that promise they won’t sell information to third parties can invite third parties to work on internal research — without breaking that privacy policy. “Even if they only let 50 people look at your DNA,” he says, “you still don’t know who they are.”
Several other studies have even shown that DNA itself can be used to “reverse identify” individuals. In 2008, the Translational Genomics Research Institute, a nonprofit research firm in Scottsdale, Ariz., published a study that identified owners of DNA, even if it accounted for 0.1% of a complex mixture of other people’s DNA.
Another study using software and plain old Internet searches, published in the journal Science in January, demonstrated that surnames can be recovered by matching the Y chromosome of an anonymous subject to genetic data from, say, a third cousin with a known surname. “In most western societies, you get your surname from father and you get your Y chromosome from your biological father as well,” says Yaniv Erlich, a fellow at the Whitehead Institute at the Massachusetts Institute of Technology and co-author of the study. Then, using the state of residence and age of the owner of the DNA, he was able to identify the individuals.
Companies say your DNA is safe with them. Personalized genetics company 23andMe in Silicon Valley, which has over 350,000 customers, says it won’t sell or rent personal information without customer consent. The company’s privacy policy states it won’t use customer data for scientific research in peer-reviewed scientific journals. However, they may still use data for internal R&D purposes to improve their services, “which may include disclosure of aggregated genetic and self-reported information to third-party nonprofit and/or commercial research.” If you choose to close your account, spokeswoman Catherine Afarian says, “you can take your data with you.”
Similarly, FamilyTreeDNA, a Houston-based genealogy company, does not sell or rent personal information without customer consent, but its privacy policy also states that using its services constitutes customer consent, allowing use of “your personal information for purposes of quality control and internal research and development activities.” Bennett Greenspan, founder of FamilyTreeDNA, says the company only carries out scientific research for publication with the consent of customers. “It’s your DNA,” he says, “not mine.”