DNA testing: Americans sign away their rights

Want to know where your ancestors hail from? Or which diseases run in your family? Dozens of genetic testing firms are happy to tell you.

But they're less eager to divulge a different secret — how they share or sell your DNA samples. Testing companies write dense, confusing privacy policies that make it easy for consumers to unwittingly sign away the rights to their own genetic data.

Genetic data sharing entails serious risks. Privacy policies ought to clearly spell them out so that consumers can make educated choices.

The language used by testing firms such as Invitae, 23andMe and AncestryDNA can mislead customers. For example, AncestryDNA's terms and conditions state that "You own your Personal Information, Additional User Information, and User Provided Content."

But it also states that by handing over your data, "you grant Ancestry a sublicensable, worldwide, royalty-free license to host, store, copy, publish, distribute, provide access to, create derivative works of, and otherwise use such User Provided Content."

In other words, you might "own" your data — but Ancestry reserves the right to share and sell the data as it sees fit.

23andMe's policies are similarly opaque. The firm pledges it won't share individuals' identifiable test results unless people sign a 2,629-word "research consent document."

If people do take the time to read the nearly 10-page consent form and the 22-page privacy policy, they'll see anonymized information can be shared without consent and "it is possible that a third party that has obtained some of your genetic data could compare that partial data to the published results and infer some of your other personal information."

In plain English, that means someone could re-identify the test results and specific individuals. The document tries to reassure customers that such re-identification would be "extremely difficult."

Actually, it'd be quite easy, as a study in the journal Science recently proved.

One MIT researcher identified individuals and their extended families by using only anonymous DNA samples and public records of people's ages and addresses. Someone's DNA sample can reveal information that she might not want publicly revealed.

For instance, 23andMe says its tests can clue people in to whether they have a genetic variation that could increase their risk of developing a health condition or whether they're carriers for certain diseases. Furthermore, its privacy policy warns that it will store and process your information in countries that "may have laws that are different from those of your country of residence." In other words, less protective laws.

Just look at their Flesch-Kincaid grade-level scores, which measure how easy documents are to read. The privacy policy of Invitae is 14.4, or about the same as the Declaration of Independence. 23andMe's privacy policy holds a 14.9, which is more challenging than the New York Times. Its research consent form comes in at 12.4 — slightly clearer, but still more challenging than Abraham Lincoln's Gettysburg Address.

Testing firms deliberately downplay the risks of data sharing. They would lose much of their revenue if customers opted to keep their data private — or not use their service.

Nearly half of all ancestry-determination firms sell customers' DNA to pharmaceutical companies and other third parties, according to Tufts University professor Sheldon Krimsky. 23andMe has agreed to sell genetic data to pharmaceutical firm Genentech for up to $60 million. AncestryDNA partners with Calico, a research company owned by Google.

There's no telling what these third parties will do with the data in the future. And there's no way for consumers to know if the data are secure.

That's troubling. Unlike passwords, DNA can't be canceled or changed. With biometric IDs looming, all it takes is one data breach to leave a person — and his family — vulnerable to fraud or discrimination.