Is using DNA for ancestry a biometric security risk?

Mark Cutting

This article is number two in a series of three that I’ve been asked to write by one of my followers. The first article in the series can be found here. As always, feel free to ask me any questions!

It’s bizarre how some ideas for articles come from the most unlikely of sources. On one of the rare occasions where I spent some time watching TV, an advert for appeared during a commercial break. So what’s the big deal with that? Well, a service being offered since 2013 is the ability to track your ancestors using a sample of your DNA. I nearly choked on my coffee after considering the potential impact to privacy.

DNA Screening

DNA screening is revolutionary. Its deployment in law enforcement, court cases, and paternity rulings demonstrates just how powerful an information and identity source it is. But what happens if your sample finds its way into the wrong hands, or is used for purposes not considered ethical or legal? How do you know that such personal information is being stored in a secure manner, and is safe from unauthorised access? The answer is chillingly simple – you don’t. You only have the promise of a privacy policy approved by a legal entity. This alone is not a guarantee that your DNA will not fall victim to identity theft, or worse still, provide an unauthorised and unknown entity with the ability to assume your identity at a level that could literally force you as the originator off the map.

If this sounds a bit far-fetched and like something out of a movie, I’d suggest you stop and think about the endless possibilities your DNA profile presents to a criminal. How can you realistically prevent misuse of this data if you do not store it directly, and cannot be sure you have the only copy? There has been a recent government petition in the UK requesting that mandatory DNA screening be carried out to assist in the fight against crime. With a “massive” 37 signatures obtained out of the 10,000 needed for the government to respond, and 100,000 for it to be heard by parliament, it seems as though few actually agree (for the UK anyway). However, the petition is clearly not without substance, as evidenced here.


Submission and privacy

Surely, nobody would actually consider submitting a sample of their own DNA voluntarily, would they? If you look at some of the related advertising around this new service, it would appear the popularity of such a trend is increasing rapidly – and that uptake is obviously positive from a commercial standpoint. But what about privacy? DNA, as we all know, is a unique road map of you as an individual (unless you have an identical twin and share DNA – in this case, the results are not absolute with a standard test). It provides a complete genetic analysis of your distinctive fundamental characteristics and is capable of distinguishing you from millions of other people.

The DNA database could go from an extremely effective weapon in the fight against crime to a platform that contained information about ordinary law-abiding citizens who have never committed a recordable offence. Putting data concerning criminals and innocent people together in the same pot isn’t a concept that would go down well with people in my view, and could also be subject to misuse. What if your DNA profile were linked to that of a convicted serial killer or, worse still, accidentally formed a case of mistaken identity because your profile got mixed up with someone else’s?

Another possible outcome of DNA screening is being wrongfully accused of a crime that you did not commit. DNA evidence collected in the event of a legal process is usually tested against other previously obtained samples to determine if a possible match exists. Can you imagine your response if your DNA sample matched one that was taken from a murder investigation? If you have previously had a DNA sample request, and in the event that you are eliminated from any inquiry, your DNA profile should then be destroyed for privacy reasons alone – but this process isn’t automatic. In the UK, you have to apply to have the data and any other associated information destroyed, and there is no guarantee that the enforcing agency / data custodian will comply with the request. Retention of data by police forces is a subject that has been under close scrutiny and strong criticism from privacy pressure groups. Fingerprinting records and convictions, along with other information pertaining to an investigation, are retained until the subject of such proceedings reaches 100 years of age, or is declared deceased – whichever arrives sooner. Once this point is reached, the retained information is flagged to be destroyed.

Then there’s the issue of your personal information being shared with other entities for marketing purposes. The privacy policies that govern the use and disclosure of this information can be misleading, and if not read fully could have a negative impact on the individual. Think “tl;dr” here – you’d be amazed at the number of people who won’t read something in full and just glaze over what they consider to be the important pieces.

By submitting a sample of your DNA to Ancestry, you are effectively authorising a third party to utilise the sample itself, and the data collected from it. The third party then becomes the official custodian of this data. The following is taken from the AncestryDNA Privacy Statement:

By submitting DNA to AncestryDNA, you grant AncestryDNA and the Ancestry Group Companies a perpetual, royalty-free, world-wide, transferable license to use your DNA, and any DNA you submit for any person from whom you obtained legal authorization as described in this Agreement, and to use, host, sublicense and distribute the resulting analysis to the extent and in the form or context we deem appropriate on or through any media or medium and with any technology or devices now known or hereafter developed or discovered subject to the terms and conditions of this Agreement and the Privacy Statement. You hereby release AncestryDNA from any and all claims, liens, demands, actions or suits in connection with the DNA sample, the test or results thereof, including, without limitation, errors, omissions, claims for defamation, invasion of privacy, right of publicity, emotional distress or economic loss. This license continues even if you stop using the Website or the Services.

Now that, you have to admit, is pretty scary stuff. Even when you decide you no longer require the service, your DNA profile remains their property, and at their disposal to use as they see fit – most importantly, you effectively waive all legal rights in doing so. It’s essentially allowing the custodian to have complete control over your personal information, and indirectly / involuntarily granting them permission to partially or fully share this information.

Biometric data theft and misuse

Misuse of personally identifiable data is certainly not a new concept, but with DNA data forming the complete picture in terms of a biological identity, the risk of this information being utilised intentionally to create a false identity or to create agents that affect the human body in various ways is extremely high. Based on the text from the paragraph above concerning revoking all legal rights to the data that is held about you, the possibility of your identity being stolen and used for nefarious activities becomes a very realistic prospect. The stolen information could lead to a variety of scenarios ranging from relatively harmless to serious, such as:

  • Life and health insurance premiums being increased as a result of information shared with third parties. Ancestry claim to not perform a full DNA profile, although sites such as 23andMe specifically state that they collect data relating to the analysis of various health conditions.
  • Marketing campaigns specifically tailored to your profile, and an increase in unwanted attention from a variety of sources now armed with additional information that they were not in possession of before.
  • Your profile information and any medical findings being shared with third parties for the purposes of research in terms of clinical trials (for example, drug development).
  • Submission of your DNA information to enforcement agencies that may subpoena the custodian as a result of a criminal investigation as required by law. This could then equate to having your DNA profile stored on a foreign system without your knowledge.
  • Information relating to or identifying you directly could be inadvertently leaked by the custodian or an affiliated third party.
  • Your personal information could fall into the hands of unauthorised parties if the custodian or approved affiliate became the victim of a data breach. This information is invaluable to a criminal, as it provides a mechanism to commit identity theft, medical insurance fraud, and an opportunity to sell on the black market – typically attracting counterfeit traffickers with drug development data. This is a booming industry, reputedly worth an estimated USD 75bn annually.
  • Stolen DNA profiles would contain sensitive information possibly allowing for the mass production of biological agents that could be used in terrorist attacks.

Given the seemingly endless list of possibilities that DNA information is able to provide, the theft of your password or credit card seems relatively minor by comparison. The point you have to remember here is that data and associated information is stored in databases. Databases by definition can be hacked, and their contents leaked or stolen. Judging by this article, criminals are set to cash in using stolen DNA samples and profiles!

The theft of DNA / biological data that could be used against us in so many ways is a serious cause for concern, and could present a very realistic situation where our own identities are brought into question. What’s your view? Would you permit your DNA to be shared or divulged in any way? I’d love to hear your thoughts and concerns around this topic.

About the Author
Mark Cutting

Mark Cutting is the founder of and He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

Mark Honeycutt

The emerging trend in this field seems to be people who want to put microchips inside their hands as a one-stop-service for all their needs including banking info, medical, and all sorts of personal info. As this becomes more than just a fad (which it will), I see the term “Human Hacking” morphing into something right out of “Ghost in the Shell.” I’m thinking that if I’m ever going total black hat, that’s where I’ll make my move. 🙂