In our interconnected world, many families are scattered across multiple countries or even continents. It is common for individuals to venture abroad in search of their ancestral roots, often investing significant amounts of money in tracing centuries-old family records.
It’s no surprise that online genealogy resources have gained immense popularity. These platforms enable users to create their family trees, upload photographs, and explore historical documents. Moreover, these services often provide DNA analysis, which offers insights into one’s origin and potential genetic health risks.
What’s even more fascinating is that shared DNA can be used to trace ancestors and distant relatives. However, concerns arise regarding the security of stored data.
Are these platforms taking adequate measures to safeguard personal information? Are there any legal regulations governing these practices? And how could blockchain technology hold the key to ensuring the protection of sensitive data?
The Growing Landscape of Direct-to-Consumer Genetic Testing
The direct-to-consumer genetic testing industry is experiencing significant growth worldwide. This type of testing offers a convenient option for individuals to conduct self-tests from the comfort of their homes. The process typically involves ordering a DNA kit, providing a saliva sample, and sending it back to the laboratory in the provided tube. Test results are then delivered via email within a few weeks.
According to Statista, the global market revenue for direct-to-consumer genetic testing (DTC-GT) reached approximately $824 million in 2018. Projections indicate that by 2028, the value of the market is expected to soar to nearly $6.4 billion.
Currently, there are more than 250 companies offering DNA testing services to customers, covering a wide range of fields, including forensics, ancestral research, health, pharmacogenomics, and nutrition.
Leading the pack in the world of DNA testing companies is 23andMe, which garnered 116 million online impressions and mentions in the first quarter of 2022. Following closely are Ancestry and MyHeritage, with around 35 million and 4.6 million online impressions, respectively.
Legal and Ethical Concerns
When individuals submit their DNA samples for analysis, they are not only providing sensitive information about themselves but also about their genetically related family members.
One concerning aspect is that the consent of these family members is not required, raising questions about the ethical implications. Digital data pertaining to individuals can be stored indefinitely, potentially impacting not only the individuals themselves but also their children or unborn babies.
Caroline Rivett, Digital, Security, and Privacy Lead at U.K. KPMG, said:
“Genomic data is special since it encodes not only our blueprint but that of our family and children. The continuing privacy and the security of people’s genetic data, both immediately and into the long term, is of paramount importance.”
Therefore, safeguarding the privacy and security of people’s genetic data, both in the present and the long term, is of utmost importance. The disclosure of such data could have far-reaching negative consequences in various areas, including employment prospects, relationships, and insurance contributions.
The risks of privacy breaches are significant, including server and password hacking, theft of media storage, as well as human errors or omissions by data managers. Moreover, if the data is stored and processed by a company’s branches or service providers located in other countries, the original data protection agreement agreed upon by the customer may be subject to different legal regulations.
2017 Data Breaches: Lessons Learned
In 2017, Ancestry.com experienced a data breach that compromised approximately 300,000 records from RootsWeb, an online forum associated with the genealogy website. The breached data included email addresses, usernames, and passwords. On December 20, 2017, an external security researcher notified Ancestry about the disclosure of account information in a file on the RootsWeb server. The company subsequently confirmed the breach.
Similarly, in June 2018, MyHeritage disclosed that it had lost control over customer data from up to 92 million accounts. The Chief Information Security Officer of MyHeritage received a message from a security researcher who had discovered a file named MyHeritage containing email addresses and hashed passwords on an external private server.
After conducting further investigation, MyHeritage’s IT security team confirmed that the compromised data originated from their platform. The breached data included email addresses of users who had registered on MyHeritage up until October 26, 2017, along with their hashed passwords.
These incidents highlight the vulnerability of personal data held by genealogy websites and the importance of robust security measures to protect user information.
Gaps in Legal Protection
Data protection laws, such as the U.S. Genetic Information Non-discrimination Act (GINA) enacted in 2008, offer some reassurance to customers by prohibiting the use of genetic test results to impact health insurance policies and employment decisions. However, it’s important to note that GINA does not extend its coverage to areas such as life insurance, long-term care insurance, or disability insurance.
Similarly, in the UK, Belgium, and Italy, existing legislation falls short of providing comprehensive coverage for direct-to-consumer genetic testing (DTC-GT). In fact, Italy lacks any specific regulations addressing this area altogether.
Germany, France, and Portugal: Limited Accessibility to DNA Testing
This stands in contrast to countries like France, Germany, Portugal, and Switzerland, where genetic testing is restricted to medical professionals only.
As a result, in Germany, for example, only DNA tests for ancestral analysis are available to the public, but this does not guarantee protection against the potential misuse of genetic data.
Strengthening Genomic Data Security with Blockchain Technology
Blockchain technology offers significant advantages in enhancing the security of genomic data. It is widely recognized for its ability to facilitate secure data exchange and mitigate cybersecurity risks in various industries.
At its core, blockchain is a cryptographically secure distributed ledger that operates without a central authority. Instead, multiple computers maintain copies of the ledger within a peer-to-peer (P2P) network. Transactions undergo verification through a decentralized consensus mechanism.
Transaction data is stored in blocks with timestamps, and each block is linked to the previous one through a cryptographic hash generated from the preceding block’s content.
This hashing mechanism ensures that any attempt to modify or delete data within a block changes that block’s hash and breaks the link to every block that follows it. Nodes holding copies of the ledger detect the mismatch and reject the altered chain, preventing unauthorized alterations.
By leveraging blockchain technology, genomic data can benefit from its inherent properties of immutability and tamper resistance. The decentralized nature of the blockchain enhances data security, providing individuals with greater control over their own data and reducing the risk of unauthorized access or manipulation.
GDPR Compliance and Blockchain
The introduction of the EU General Data Protection Regulation (GDPR) has imposed a significant obligation on companies to handle customer data with utmost care.
The legal framework within the European Union defines the collection and processing of personal data. Implemented on 25 May 2018, the GDPR applies to all organizations operating within the EU that handle personal data, as well as to organizations worldwide that process the data of EU citizens.
Blockchain technology can serve as a valuable tool for companies to demonstrate and ensure compliance with the GDPR. The concept of “off-chain storage” can be particularly beneficial in terms of aligning blockchain with regulatory requirements.
Off-chain storage involves utilizing methods such as cloud storage or decentralized file systems like IPFS (Interplanetary File System) for handling large datasets or data with strict access controls. In this approach, the actual data is stored externally, and only a small reference or hash is stored within blockchain transactions or smart contracts.
By employing off-chain storage, companies can maintain compliance with the GDPR while utilizing the transparency and security benefits of blockchain technology.
This approach ensures that personal data is not directly stored on the blockchain, addressing potential concerns regarding data protection and privacy.
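The hash linking and off-chain storage described above, as an added Python example that is not part of the original article: the ledger holds only a salted SHA-256 hash of each record, while the record itself lives in an off-chain store where it can be checked against that hash or erased. The class names, the record IDs and the per-record random salt are assumptions made for this example; consensus and P2P replication are left out.

```python
import hashlib, json, os

GENESIS = "0" * 64

def digest(obj) -> str:
    """SHA-256 over bytes, or over a dict serialized as canonical JSON."""
    raw = obj if isinstance(obj, bytes) else json.dumps(obj, sort_keys=True).encode()
    return hashlib.sha256(raw).hexdigest()

class Ledger:
    """Hash-linked ledger; consensus and P2P replication are out of scope."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"index": len(self.blocks), "prev": prev, "payload": payload}
        self.blocks.append({**body, "hash": digest(body)})
        return self.blocks[-1]

    def first_invalid(self):
        """Index of the first block whose link or hash fails, else None."""
        prev = GENESIS
        for b in self.blocks:
            body = {k: b[k] for k in ("index", "prev", "payload")}
            if b["prev"] != prev or b["hash"] != digest(body):
                return b["index"]
            prev = b["hash"]
        return None

class OffChainStore:
    """Holds the actual data; only a salted hash of it goes on the ledger."""
    def __init__(self):
        self.records = {}

    def put(self, ledger: Ledger, record_id: str, data: bytes) -> dict:
        salt = os.urandom(16)  # assumption: per-record salt, kept off-chain with the data
        self.records[record_id] = (salt, data)
        return ledger.append({"record": record_id, "commitment": digest(salt + data)})

    def check(self, block: dict) -> str:
        rec = self.records.get(block["payload"]["record"])
        if rec is None:
            return "erased"  # data deleted off-chain; only the hash remains on the ledger
        return "ok" if digest(rec[0] + rec[1]) == block["payload"]["commitment"] else "tampered"

    def erase(self, record_id: str) -> None:
        del self.records[record_id]  # erasure happens off-chain; the ledger is untouched
```

Because the salt is deleted together with the data, the hash left on the ledger after `erase` cannot be confirmed by guessing the record's contents.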
The protection of personal information in DNA analysis is of utmost importance, and blockchain technology offers a suitable solution to address data protection concerns.
Blockchain operates through a network of computers, ensuring transparency in data transmission and making it increasingly difficult for the network to be hacked. The technology has already demonstrated its effectiveness in resolving privacy and information security issues across various domains, and it has the potential to become the standard for consumer data protection.
By leveraging blockchain technology, the storage and transmission of sensitive personal information can be secured more effectively. The decentralized and transparent nature of blockchain mitigates the risk of unauthorized access or manipulation of data, providing a robust framework for protecting consumer information.
As blockchain technology continues to evolve and gain adoption, it holds significant promise in establishing higher standards for data protection and privacy in DNA analysis and other domains.