Editor’s note: We do not support the upload of DNA data obtained from other testing services to 23andMe. This article explains the risks of uploading your DNA data to third-party services.
At 23andMe, you’re in charge of your genetic data. That means we put you in control of deciding what information you want to learn and what information you want to share. But it’s important for you to be informed about the risks of sharing your genetic data with other services.
After receiving personalized genetic reports from 23andMe, customers can choose to download their raw DNA data. Some customers may do this in order to upload their data to third-party services, which offer to interpret their raw DNA data to find new genetic relatives or get additional genetic reports. However, 23andMe cannot vouch for the scientific validity or accuracy of any such third-party services, or for how clearly they communicate results. In fact, only 23andMe offers a consumer genetic test with health reports that have FDA’s independent assurance of validity and clear results (without requiring a prescription).
Beyond concerns about scientific validity, uploading your raw DNA data to a third-party service can also put your data privacy at risk. In part, this is why 23andMe provides important warnings to its customers before they choose to download.
What are some of the risks of uploading your DNA data to a third-party website?
At 23andMe, we’re clear with our users about the risks of using third-party services that provide additional health, wellness or trait insights. This is because only select genotype data used specifically in our Health reports have been individually validated for accuracy. While the rest of your data has undergone a general quality review, it has not been validated to the extent of the data underlying our official 23andMe reports. As a result, raw DNA data should not be used for medical purposes and we do not recommend the use of third-party services that claim to interpret raw DNA data to provide health information.
Consumers also cite concerns about law enforcement uploading crime-scene DNA data to third-party services to crack a cold case. Simply put, uploading crime-scene DNA data into the 23andMe environment is not possible because we do not support the upload of DNA data that has been processed by a third-party laboratory.
Further, 23andMe’s Transparency Report details our policy against releasing customers’ individual DNA data to any third party – including law enforcement – without receiving the customer’s explicit consent, unless required by law.
However, the concern about law enforcement uploading crime-scene DNA data is a real one, and we warn customers about it should they choose to upload their DNA data to other third-party platforms, including public genealogy services or other third-party services that facilitate DNA data upload.
But there’s another form of vulnerability that’s less well-understood: Within databases that allow for raw DNA data uploads with access to relative matching features, people with malicious intent can upload real or fake “Trojan Horse” genetic profiles for access to your personal identifying information. They could even infer your specific DNA variants—such as information about any disease risk variants you might carry.
How can that happen?
- Many relative-matching services allow you to see the exact section or sections of DNA you share with each relative.*
- If uploading DNA data is allowed, it means you no longer know for sure that your relative’s profile is actually controlled by your relative, and a malicious actor could upload real or fake DNA data to deduce information about you based on sections of matching DNA, including any disease risk variants you might have.
- Even if shared segments aren’t shown, there are still ways that people with malicious intent can deduce some of your DNA variants.
This vulnerability was recently described in two reports: One at the University of Washington and another at the University of California, Davis. The authors of these reports explain several ways an “adversary” can deduce the genotypes of people “either at key positions or at many sites genome-wide” in databases that allow DNA data uploads with relative matching.
Both reports outline specific ways for services to mitigate risk, such as limiting the information displayed in relative-matching features.
While these practices may reduce risk, we believe the simplest and most effective defense is to not allow individuals genotyped through other testing services to upload their DNA data to 23andMe for the purpose of discovering genetic relatives.
In the past, 23andMe has allowed DNA uploads from other consumer genetic testing services in very specific circumstances. Specifically, on DNA Day in April 2018, 23andMe allowed individuals who tested at other companies to upload their results to access a subset of our trait reports, but 23andMe has not enabled the discovery of new relatives for these accounts.
How does 23andMe ensure that only real, consenting individuals participate in our service?
In a word, spit.
When you spit into the tube, you’re embarking on the adventure of a lifetime. You’re also trusting 23andMe with some of your most personal information.
Requiring a saliva sample is how 23andMe is able to verify that you’re a real person who chose to participate in the service. While it might be easy to upload fake DNA data, it’s another matter entirely to fake a spit sample, which requires filling a tube with more than two milliliters of spit. It’s how you know that “Linda-your-4th-cousin-who-you-didn’t-know-existed” is a real person who chose to do 23andMe. Linda had to spit in a tube, too.
What are some key questions you should ask?
If you are considering uploading your raw DNA data to another website, we encourage you to familiarize yourself with its privacy and security policies before you do so.
Make sure to consider the following questions:
- Before you upload your DNA data, ask yourself: do I really need to do this? Am I willing to risk the security and privacy of my DNA data by uploading it to a third-party service?
- Do your research! Does the third-party service have a track record of strong privacy and data security?
- How will the third-party service use your information? How can your information be further shared with other third parties?
- If you are not interested in discovering new relatives but you want additional DNA insights, does the other service explicitly exclude features relating to discovering genetic relatives?
An earlier article detailing our stance on protecting customers’ data is available here.
*By default, 23andMe does not display your ancestry information or DNA segment information to relatives or connections until you decide to share it with them.