Wall Street has plowed billions of dollars into DNA testing companies, one of the world's fastest-growing consumer services. By contrast, lawmakers in Washington have invested little oversight into this brave new marketplace, leaving it to U.S. consumers to navigate it alone.
Despite consumer unease about their DNA privacy, Congress has made no moves to update the 2008 Genetic Information Nondiscrimination Act (GINA), the lone law in this field. The law prevents employers and companies from using DNA data to deny employment or health insurance coverage, but it contains numerous loopholes. It also couldn't begin to anticipate the privacy risks as corporations quietly assemble DNA databases containing millions of personal records.
"People are concerned that their Social Security number could be stolen and made public," said Peter Pitts, a former associate commissioner for the Food and Drug Administration. "But when they do these (DNA) tests, many have little awareness their genetic identity could be compromised in the same manner. We are talking about your most sensitive, personal information."
To make a match with DeAngelo, investigators analyzed DNA obtained from a crime scene, and fed those results into a free, open-access database called GEDmatch, based in Florida. After recognizing a link to one of DeAngelo's relatives, investigators used that and other evidence — including direct testing of DeAngelo's DNA — to tie him to the murders.
Joel Winston, a privacy lawyer based in Pittsburgh, said consumers take significant risks entering their genetic data into open-access databases, such as GEDmatch. But there are also risks in using commercial testing services, such as 23andMe and Ancestry, he said.
"A lot of people will say, don’t worry, we have GINA, but there are so many holes to it," Winston said. The 2008 law, he notes, exempts life insurance and disability insurance companies, effectively allowing them to discriminate on the basis of genetic defects found through DNA tests.
"If you get one of these tests, and the tests tell you you have a propensity to one of these cancers, you basically become un-insurable," Winston said. "They will ask you about it on your policy, and if you lie about it, they will take away your policy when you really need it."
Hospitals that conduct genetic scans are obligated to keep those results private under a landmark 1996 law, the Health Insurance Portability and Accountability Act, which protects a vast range of personal medical information. But HIPAA doesn't apply to private companies that do at-home paternity tests, or to commercial outfits such as 23andMe, Ancestry and Helix, which are rapidly drawing millions of customers.
All these commercial companies issue privacy statements that promise to protect customers' personal data. But all those statements come with provisos that data could potentially be compromised by a cyber attack, security breach or compliance with a court order from investigators.
As the East Area Rapist case revealed, criminal investigators do not need to obtain a warrant or subpoena to access a DNA database. To search for a match on GEDmatch, investigators created a fake profile on the website and then uploaded a genetic profile of a DNA sample recovered from a 1980 murder.
Could investigators use similar surreptitious methods with 23andMe or Ancestry?
They could, but it would be more difficult. Both Ancestry and 23andMe require customers to send in tubes of saliva, and do not allow submission of genetic profiles created by separate services. For investigators to create a fake account and then obtain DNA results, they'd need to find enough saliva from a crime scene or suspect to partially fill one of the tubes.
Scott Hadly, a spokesman for 23andMe, said the company has seen no cases where law enforcement or others have attempted to create fake accounts to get DNA analyzed. He also reiterated the company's approach on dealing with requests from investigators.
"23andMe's policies prohibit the company from voluntarily working with law enforcement," said Hadly. "23andMe has never given customer information to law enforcement officials, and we do not share information with employers or insurance companies."
While that may be true, commercial DNA companies do share customers' genetic data — mostly with research partners and largely in aggregated, anonymous formats. As these partnerships proliferate, so does the chance that someone's DNA identity could be hacked or otherwise compromised, said Pitts, the former FDA regulator.
"Once they share people’s genetic information with partner companies, they can’t be responsible for security protocols of those partners," said Pitts, who now heads the Center for Medicine in the Public Interest.
Currently there are no federal requirements that DNA testing companies inform customers about a security breach that could expose their personal data. But social media companies could soon face that mandate. During a recent Senate hearing, Sen. Amy Klobuchar of Minnesota asked Facebook CEO Mark Zuckerberg if he'd support regulations to notify users of a data breach within 72 hours. Zuckerberg said he wouldn't be opposed.
In the current Congress, Senate Minority Leader Chuck Schumer of New York has called on the Federal Trade Commission to investigate privacy policies of DNA testing companies. But the House and Senate haven't taken up legislation, and they aren't expected to unless the next Congress is more supportive of federal regulation.
U.S. consumers may gain some protections through European Union oversight. On Monday, Ancestry updated its privacy statement. A company spokeswoman on Thursday said Ancestry did so in response to the EU's new "General Data Protection Regulation," a consumer privacy measure that becomes enforceable on May 25.
In California during 2012 and 2013, state lawmakers twice debated measures to prohibit companies from collecting, analyzing, or sharing the genetic information of another person without written permission, with some exceptions. Hospitals and biomedical researchers opposed the bills, sponsored by former senator and current Secretary of State Alex Padilla. They failed both times.