10 Years Ago, DNA Tests Were The Future Of Medicine. Now They’re A Social Network — And A Data Privacy Mess.

We were offered personalized medicine. Instead, we got Facebook for our DNA.

“Genetics just got personal.” So boasted the website of 23andMe in 2008, just after launching its DNA testing service.

As we entered this decade, a small cohort of companies — 23andMe, its Silicon Valley neighbor Navigenics, and Icelandic competitor deCODE Genetics — were selling a future of personalized medicine: Patients would hold the keys to longer and healthier lives by understanding the risks written into their DNA and working with their doctors to reduce them.

“We all carry this information, and if we bring it together and democratize it, we could really change health care,” 23andMe cofounder Anne Wojcicki told Time magazine when it dubbed the company’s DNA test 2008’s “invention of the year,” beating out Elon Musk’s Tesla Roadster.

But in reality, the 2010s would be when genetics got social. As the decade comes to a close, few of us have discussed our genes with our doctors, but millions of us have uploaded our DNA profiles to online databases to fill in the details of our family trees, explore our ethnic roots, and find people who share overlapping sequences of DNA.

It’s become like Facebook for genes, driven by the same fundamental human desire to connect. And, as with Mark Zuckerberg’s social media behemoth, this is the decade we reckoned with what it really means to hand over some of our most personal data in the process.

It all panned out differently from the way I imagined in 2009, when I paid $985 to deCODE and $399 to 23andMe to put my DNA into the service of science journalism. (I spared my then-employer, New Scientist magazine, the $2,500 charge for the boutique service offered by Navigenics.)

I was intrigued by the potential of DNA testing for personalized medicine, but from the beginning, I was also concerned about privacy. I imagined a future in which people could steal our medical secrets by testing the DNA we leave lying around on discarded tissues and coffee cups. In 2009, a colleague and I showed that all it took to “hack” my genome in this way was a credit card, a private email account, a mailing address, and DNA testing companies willing to do business without asking questions.

Much of the rest of what I wrote about DNA testing back then reflected pushback from leading geneticists who argued that the companies’ visions of personalized medicine weren’t ready for primetime.

As I explored the reports offered by 23andMe and deCODE, I couldn’t help but agree — especially when deCODE wrongly concluded that I carry two copies of a variant of a gene that would give me a 40% lifetime chance of developing Alzheimer’s. (Luckily, it wasn’t cause for panic. I’d pored over my DNA in enough detail by then to know that I carry only one copy, giving me a still-elevated but much less scary lifetime risk of about 13%.)

Despite such glitches, it still seemed that medicine was where the payoffs of mainstream genetic testing were going to be. As costs to sequence the entire genome plummeted, I expected gene-testing firms to switch from using “gene chips” that scan hundreds of thousands of genetic markers to new sequencing technology that would allow them to record all 3 billion letters of our DNA.

So in 2012, eager to provide our readers with a preview of what was to come, New Scientist paid $999 for me to have my “exome” sequenced in a pilot project offered by 23andMe. This is the 1.5% of the genome that is “read” to make proteins — and is where the variants that affect our health are most likely to lurk.

Experts at the Medical College of Wisconsin in Milwaukee analyzed my exome. While they weren’t at that point able to tell me much of medical significance that I didn’t already know, the article I wrote from the experience in 2013 predicted a future in which doctors would routinely scour their patients’ genomes for potential health problems and “prescribe drugs that have been specifically designed to correct the biochemical pathways concerned.”

I’m glad I included an important caveat: “This may take several decades.”

By then, the revolution promised by 23andMe and its competitors was faltering. Navigenics and deCODE had both been acquired by bigger companies and stopped selling DNA tests directly to the public.

23andMe, backed by the deep pockets of Google and other Silicon Valley investors, had enough cash to continue. But it fell foul of the FDA, which had decided that the company was selling “medical devices” that needed official approval to be put on the market. In a 2013 warning letter, the FDA said that 23andMe had failed to provide adequate evidence that its tests produced accurate results. By the end of 2013, 23andMe had stopped offering assessments of health risks to new customers.

Since then, the company has slowly clawed its way back into the business of health. In 2015, it was given FDA approval to tell customers whether they were carriers for a number of inherited diseases; in 2017, it started providing new customers with assessments of health risks once more.

I recently updated my 23andMe account, getting tested on the latest version of its chip. My results included reports on my genetic risk of experiencing 13 medical conditions. Back in 2013, there were more than 100 such reports, plus assessments of my likely responses to a couple dozen drugs.

In the lab, discovery has continued at a pace, but relatively few findings have found their way into the clinic.

“We have all these naysayers and an immense body of research that is not being used to help patients.”

If you’ve recently been pregnant, you were probably offered blood tests to tell whether your fetus had a serious genetic abnormality. And if you’ve been diagnosed with cancer, a biopsy may have been sequenced to look for mutations that make some drugs a good bet and other ones a bust. Neither would have been common a decade ago.

But the wider health care revolution envisaged by Wojcicki remains far off.

A few weeks ago, I saw my doctor to discuss my moderately high blood cholesterol and had a conversation that I’d once predicted would be common by now. I had signed up for a project called MyGeneRank, which took my 23andMe data and calculated my genetic risk of experiencing coronary artery disease based on 57 genetic markers, identified in a 2015 study involving more than 180,000 people.

My genetic risk turns out to be fairly low. After I pulled out my phone and showed my doctor the app detailing my results, we decided to hold off on taking a statin for now, while I make an effort to improve my diet and exercise more. But it was clear from her reaction that patients don’t usually show up wanting to talk about their DNA.

“We have all these naysayers and an immense body of research that is not being used to help patients,” said Eric Topol, director of the Scripps Research Translational Institute in La Jolla, California, which runs the MyGeneRank project.

23andMe’s collision with the FDA wound up being a turning point in ways I didn’t anticipate at the time. From the start, the company included an assessment of customers’ ancestries as part of the package. But after the FDA cracked down, it pivoted to make ancestry and finding genetic relatives its main focus. Offering the test at just $99, 23andMe went on a marketing blitz to expand its customer base — competing with a new rival.

Ancestry.com launched its genome-scanning service in May 2012 and has since gone head-to-head with 23andMe through dueling TV ads and Black Friday discount deals.

DNA tests became an affordable stocking filler, as millions of customers were sold a journey of self-discovery and human connection. We were introduced to new genetic relatives. And we were told that the results might make us want to trade in “our lederhosen for a kilt” or connect us to distant African ancestors.

Today, Ancestry’s database contains some 15 million DNA profiles; 23andMe’s more than 10 million. Family Tree DNA and MyHeritage, the two other main players, have about 3.5 million DNA profiles between them. And for the most dedicated family history enthusiasts, there is GEDmatch, where customers can upload DNA profiles from any of the main testing companies and look for potential relatives. It contains about 1.2 million DNA profiles.

Millions of customers were sold a journey of self-discovery and human connection. 

So far, so much fun. But DNA testing can reveal uncomfortable truths, too. Families have been torn apart by the discovery that the man they call “Dad” is not the biological father of his children. Home DNA tests can also be used to show that a relative is a rapist or a killer.

That possibility burst into the public consciousness in April 2018, with the arrest of Joseph James DeAngelo, alleged to be the Golden State Killer responsible for at least 13 killings and more than 50 rapes in the 1970s and 1980s. DeAngelo was finally tracked down after DNA left at the scene of a 1980 double murder was matched to people in GEDmatch who were the killer's third or fourth cousins. Through months of painstaking work, investigators working with the genealogist Barbara Rae-Venter built family trees that converged on DeAngelo.

Genealogists had long realized that databases like GEDmatch could be used in this way, but had been wary of working with law enforcement — fearing that DNA test customers would object to the idea of cops searching their DNA profiles and rummaging around in their family trees.

But the Golden State Killer’s crimes were so heinous that the anticipated backlash initially failed to materialize. Indeed, a May 2018 survey of more than 1,500 US adults found that 80% backed police using public genealogy databases to solve violent crimes.

“I was very surprised with the Golden State Killer case how positive the reaction was across the board,” CeCe Moore, a genealogist known for her appearances on TV, told BuzzFeed News a couple of months after DeAngelo’s arrest.

The new science of forensic genetic genealogy quickly became a burgeoning business, as a company in Virginia called Parabon NanoLabs, which already had access to more than 100 crime scene samples through its efforts to produce facial reconstructions from DNA, teamed up with Moore to work cold cases through genealogy.

Before long, Parabon and Moore were identifying suspected killers and rapists at the rate of about one a week. Intrigued, my editor and I decided to see how easy it would be to identify 10 BuzzFeed employees from their DNA profiles, mimicking Parabon’s methods. In the end, I found four through matches to their relatives’ DNA profiles and another two thanks to their distinctive ancestry. It was clear that genetic genealogy was already a powerful investigative tool and would only get more so as DNA databases continued to grow.

A backlash did come, however, after two developments revealed by BuzzFeed News in 2019. In January, Family Tree DNA disclosed that it had allowed the FBI to search its database for partial matches to crime-scene samples since the previous fall — without telling its customers. “I feel they have violated my trust,” Leah Larkin, a genetic genealogist based in Livermore, California, told BuzzFeed News at the time.

Then, in May, BuzzFeed News reported that police in Centerville, Utah, had convinced Curtis Rogers, a retired Florida businessperson who cofounded GEDmatch, to breach the site’s own terms and conditions, which were supposed to restrict law enforcement use to investigations of homicides or sexual assaults. That allowed Parabon to use matches in the database to identify the perpetrator of a violent assault.

Larkin and other genealogists condemned the move, calling it the start of a “slippery slope” that would see the method being used to investigate more trivial crimes.

As barbs flew between genealogists working with law enforcement and those who advocate for genetic privacy, GEDmatch responded with new terms of service that extended the definition of violent crime, but also required users to explicitly opt in for their DNA profiles to be included in law enforcement searches.

Overnight, GEDmatch became useless for criminal investigations. Since then, the number of users opting in for matching to crime-scene samples has slowly increased, and now stands at more than 200,000. But progress in cracking criminal cases has remained slow.

Now that cops have seen the power of forensic genetic genealogy, however, they don’t want to let it go. In November, the New York Times revealed that a detective in Florida had obtained a warrant to search the entirety of GEDmatch, regardless of opt-ins. It seems only a matter of time before someone tries to serve a warrant to search the huge databases of 23andMe or Ancestry, which don’t give cops access — sparking legal battles that could go all the way to the Supreme Court.

Genetic privacy, barely mentioned as millions of us signed up to connect with family across the world and dig into our ancestral roots, is suddenly front and center.

This week, Rogers and the other cofounder of GEDmatch, John Olson, removed themselves from the heat when they sold GEDmatch to Verogen, a company in San Diego that makes equipment to sequence crime-scene DNA. Verogen CEO Brett Williams told BuzzFeed News that he sees a business opportunity in charging police for access to the database but promised to respect users’ privacy. “We’re not going to force people to opt in,” he said.

But it isn’t just whether cops can run searches against your DNA. 23andMe may not share your information with law enforcement, but customers are asked when they signed up whether if they are OK with their “de-identified” DNA being used for genetic research.

It might not be obvious when you fill in the consent form, but this lies at the heart of 23andMe’s business model. The reason the company pushed so hard to expand its database of DNA profiles is to use this data in research to develop new drugs, either by itself or by striking deals with pharmaceutical companies.

Ancestry has also asked its users to consent to participate in research, teaming up with partners that have included Calico, a Google spinoff researching ways to extend human lifespan.

There really is no such thing as “de-identified” data. 

You might be comfortable with all of this. You might not. You should definitely think about it because when the information is your own DNA, there really is no such thing as “de-identified” data.

That DNA profile is inextricably tied to your identity. It might be stripped of your name and decoupled from the credit card you used to pay for the test. But as 23andMe warns in its privacy policy: “In the event of a data breach it is possible that your data could be associated with your identity, which could be used against your interests.”

And because you share a large part of your genome with close relatives, when you put your DNA profile into a company’s database, you aren’t only making a decision for yourself: Their privacy is on the line, too.

Whether it’s due to concerns about privacy, a saturated market, or just that the novelty has worn off, sales of DNA ancestry tests are slowing. Ancestry has responded by offering a new product focused on health risks. Unlike 23andMe, it requires that tests are ordered through PWNHealth, a national network of doctors and genetic counselors.

Will this be the development that takes us back to the future I once imagined? Maybe so, but if the roller coaster of the past decade has taught me anything, it’s to be wary about making any predictions about our genetic future. ●

Skip to footer