What Can a Hacker Do with Your Genetic Information?
Genetics testing is becoming more common. That opens up a whole new kind of risk.
Image: Che Saitta-Zelterman/Motherboard
Learning about the genetic markers stored in your DNA can be an illuminating experience, even a life-altering one. Now that direct-to-consumer genetic testing companies such as 23andMe have made these tests more accessible and affordable, it's no wonder that more than 1 million people have shipped their spit off to be genotyped, and have all their genetic information catalogued (and sold) in the process.
When a massive cache of private information is all stored in one place, it will naturally be a target for hackers. Though there hasn't been a hack of any consumer genetic testing company yet, it may just a matter of time before someone breaches one of these sites and gains access to not just your credit card, but also your genetic markers.
So how concerned should we be, and what might happen if a hacker ever did get his or her hands on your DNA?
"You can imagine scenarios where unsavory people could try to use this stuff in personal ways," said Dr. Robert Green, the director of the Genomes to People research program at Brigham and Women's Hospital, Broad Institute and Harvard Medical School.
What would be more detrimental would be a targeted attack to collect your genetic information specifically, orchestrated by somebody you know.
"If there were variants that put someone at risk for Alzheimer's disease and you were vying with that person in a corporation for a job, you could somehow try to use that information to suggest that they might be unfit," Green told me over the phone. "You could be in a custody battle where DNA could suggest there's a predisposition to psychiatric illness, for example."
Green has previously studied how genetic information like this could be used in politics, citing the obsession and concern over Senator John McCain's age and vitality in the 2008 election. But if someone were targeting you specifically, there are way less complicated and risky ways of getting your genetic information than breaching the entire 23andMe database.
"There are still many areas where people are not protected."
Someone could hack into your account on a genetics site, or even just collect your DNA from a used coffee cup and send it away for analysis—something New Scientist reporters proved was remarkably simple back in 2009. Besides, the Genetic Information Nondiscrimination Act of 2008 prohibits employers and health insurance companies from discriminating against you based on your DNA.
Green also pointed out that all of these attacks are based on a belief in a certain degree of "genetic determinism," or the notion that our future is foretold in our DNA. The truth is that most disease arises as the result of a complicated interplay between lifestyle, genetics, and other factors. There's no one single gene that guarantees you'll get Alzheimer's, for example, so even these direct assaults are based on a bad understanding of what your genetic information is really saying.
If a massive data dump isn't a high risk, and you're not running for office or at risk for some kind of corporate espionage scenario, is there anything to worry about?
"There are still many areas where people are not protected," said Sheldon Krimsky, the chair of the Council for Responsible Genetics and a professor of environmental and urban policy and planning at Tufts University.
Krimsky pointed to a case last year where police used a DNA sample from a murder and genetic information owned by Ancestry.com to create a "familial link" to a filmmaker in New Orleans. Michael Usry, the filmmaker, had to provide police with a sample of his DNA, which did not match the DNA from the crime scene, but he said that becoming a suspect in a murder case he'd never even heard of was a nerve-wracking experience.
"I had lots of days sitting at the house with the dog," Usry told the New Orleans Advocate. "[I was] wondering if these guys were going to use a battering ram to bust open the door and shoot my dog after he started barking at them."
There's also the question of what consumer sequencing companies are doing with all that genetic information. 23andMe has numerous data-sharing deals with drug companies and researchers, (though the company only shares data if it has gotten consent from the user). While you might be totally cool with that, it's something to consider: Do you care what hands your genetic information lands in, even if it's anonymized?
Krimsky said his advice for people concerned about genetic privacy is to know the laws in their home states for getting DNA removed from a police database, and to actually read through the agreements before they send a sample off to a consumer site.
"Make sure your information is not going to be sold or given to someone else," Krimsky said. "If it is, then perhaps think twice about it."
Genetic research is evolving at a breakneck pace. As we gain better understanding of what different genetic markers signal, and how our genes influence our lives, keeping close tabs on who knows the secrets of your DNA will become even more critical.
Update: This story has been updated to reflect that 23andMe only sell's a user's data to a third party with the user's consent.
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about. Follow along here.