Privacy Violating COVID Tests

A good lesson in reading the fine print:

Cignpost Diagnostics, which trades as ExpressTest and offers £35 tests for holidaymakers, said it holds the right to analyse samples from seals to “learn more about human health”—and sell information on to third parties.

Individuals are required to give informed consent for their sensitive medical data to be used ­ but customers’ consent for their DNA to be sold now as buried in Cignpost’s online documents.

Of course, no one ever reads the fine print.

EDITED TO ADD (3/12): The original story.

Posted on February 25, 2022 at 6:15 AM18 Comments


Winter February 25, 2022 7:31 AM

It would be nice if there would be a law that required meaningful informed consent and that would also mandate data protection.

But then, who heard about meaningful USA consumer protection laws?
[/rhetorical question]

Ted February 25, 2022 9:24 AM

This is so uncomfortable. Are the ExpressTests primarily used for flight travel into and out of the UK?

The FAQ – on what must be an updated ExpressTest website – has the question: “Will my DNA be stored and used?” They now answer: “Cignpost Diagnostics does not process or store customers’ DNA for any purpose…”

But I’d like to see the original documents and the results of any investigation. Wouldn’t people have a right to request the data the company collected on them? Would they also have a right to know the third parties it was sold to? This is scary and underhanded, as most people would not knowingly consent to this.

TimH February 25, 2022 9:27 AM

The scandal is their 24-lane testing site at Heathrow airport, for mandatory arrival and departure testing.

Not a valid scenario to give meaningful consent under GDPR.

bcs February 25, 2022 10:32 AM

Something that unexpected hidden in 200 pages of legal documents should not generally count as legal informed consent. I don’t understand why that’s still allowed.

Q February 25, 2022 10:41 AM

“Cignpost Diagnostics does not process or store customers’ DNA for any purpose…”

Which might be true, and still invade your privacy. It doesn’t say they don’t give it, or sell it, to anyone. It doesn’t say they don’t ask someone else to process or store it.

It says only what the words say, nothing else.

Chuck Pergiel February 25, 2022 11:53 AM

WTF is a ‘holidaymaker’? A person on holiday? A government official declaring a new holiday? Someone having a drink at noon? And what does it have to do with anything?

Lil Mouse February 25, 2022 12:54 PM

@Chuck Pergiel

A holiday maker is someone that leaves their house for an extended period of time. The point being, if you want to go on holiday, you better make sure you are tested and are covid free. If not, you are going to be stopped in your travels, at the multitude of testing places required to get into and out of a country or territory. And being stopped means quarantine for any number of days, probably missing flights and or connections.

Clive Robinson February 25, 2022 1:01 PM

@ Bruce,

I would not advise anyone to use the link you provided, it’s bad news privacy wise…

The original story in the Sunday Times can be found at,

It would appear that Cignpost Diagnostics is taking legal action against the newspaper…

They are a contemptible organisation which should not surprise people, and there are quite a few stories circulating about how employees have been treated.

Steve Friedl February 25, 2022 7:44 PM

“Cignpost Diagnostics does not process or store customers’ DNA for any purpose…”

If they sell the swabs unprocessed to a third party who does, their statement is correct but shameful.

doh6Eiga February 26, 2022 10:06 AM


“Cignpost Diagnostics does not process or store customers’ DNA for any purpose…”

Placing the DNA laden swabs in a garbage bag for “disposal” at a location of their choosing (such as a lab that pays a finders fee) technically complies with their “not process or store” comment. They do not process the DNA themselves, and they do not store it for any purpose (effectively trash). Just like dropping a plastic bottle off at a recycler and getting paid for it. Except in this case a DNA recycler.

They also state that “All samples collected as part of the COVID-19 testing process are destroyed….”, but state “DNA is collected incidentally… and is not used for COVID-19 testing”, so is the DNA part of the “sample” that is considered collected and subsequently destroyed? Seems like a pretty big loophole.

Ted February 26, 2022 11:58 AM

@doh6Eiga, ALL

Seems like a pretty big loophole.

Yes, hearing you all bring this up, I’m inclined to wonder now myself. The article said the UK’s data watchdog, the ICO, would look “carefully” at the firm. However, I was hoping for stronger language and even outrage.

You would think any meaningful investigation would conduct a very critical analysis of the company – including its partners and any ‘dark’ practices.

There are lots of incidental stories around DNA collection that raise so many questions about how this data could be used or abused. And, as you all so adeptly point out, there are a lot of ways that highly material info can be obfuscated.

Didn’t the CIA setup a fake vaccination drive to try to get the DNA of Osama bin Laden’s family? Also there’s the very strange case of Ike Perlmutter and his wife, whose DNA was secretly collected during a deposition. Testing was run on the DNA to try to link them to a crime. They’ve since sued. But whose to say collected DNA couldn’t also be planted?

I agree. We really need some good follow-up.

pup vas February 26, 2022 12:58 PM

Privacy related
Filter out ‘unverified’ accounts, tech giants told

=Social networks should let people hide posts and messages from accounts without a verified owner, the government has proposed.

If passed, the government’s online safety bill would force large social networks such as Facebook to let people filter out unverified accounts.
While the proposed law would not stop people making anonymous accounts and posting abuse, social networks would be forced to give their users the option to “opt out” of seeing any posts from unverified accounts.

The DCMS acknowledged that people use anonymous accounts for a variety of reasons, including whistle-blowing, exploring their sexuality or sharing their experience in an authoritarian company.

However, it said users should be given tools to “control who can interact with them”.

In addition, social networks would also be required to let people filter out “legal but harmful” content.

!!!It said promotion of eating disorders and dangerous vaccine disinformation was “toxic”, but fell below the threshold of a criminal offense.=

I do not agree with the last paragraph altogether. Rather platform should provide link to true information in such cases and let folks to decide.

RealFakeNews March 3, 2022 7:15 PM


I cited legitimate scientific research papers.

You are not aware of what the BMJ is? Seriously? British Medical Journal. Only the most authoritative medical journal in the United Kingdom.

None of it is “disinformation”. It’s fact. Please, stop being ignorant, and do some research.

RealFakeNews March 3, 2022 7:29 PM

May 2021. Researchers from MIT “double down” on their assertion that mRNA can reverse-transcribe into DNA:

Feb 2022. Swedish researchers prove definitively that it does so.

No doubt those who wish to deny reality will attack the sources, but seeing as this is heavily censored in Western media, this is the best I could do.

I did link to the actual research paper and the actual journal that published it. Please note, it is PEER REVIEWED. It is NOT a pre-print!

(I wish we could edit existing posts to add information).

Buggy April 7, 2022 11:47 AM

@Ted: or the case in San Francisco recently of a woman convicted of a crime via DNA evidence in her rape kit; that has such a chilling effect on reporting rape, that it would seem to be the point. Or the rash of convictions in the US recently based on DNA of relatives, rather than the perp. Or the fact that in general, just because you or I can’t see how the data can be abused, it can be, and DNA is such personal data, that this should totally be a no-fly zone.

Ted April 7, 2022 12:32 PM


the case in San Francisco recently of a woman convicted of a crime via DNA evidence in her rape kit

Oh wow. Thank god the charges were dismissed. It’s interesting that the SFPD would submit this evidence. In my mind, this is just the kind of case that would elicit a backlash.

The SFPD chief said he’s committed to ending this practice, if in fact it’s happening. But he said this in reference to rape test kits. So who knows where else DNA is being collected and put into a database.

Amazing that we might still need legislation to deal with this.

Buggy April 7, 2022 4:22 PM

@Ted: yes, this may not be used in the future for direct prosecution … but I’ve read enough here about parallel construction to believe that if the data to convict is available (even if not legal), a means of conviction will be obtained. I’m more disturbed by the conviction-by-inference cases in stories like these:

Even if you lived a paranoid, air-gapped existence, there’s no opting out of having DNA. Am I supposed to vacuum up my data wherever I go in public? “When bunny suits are outlawed, only outlaws will wear bunny suits.”

Ted April 7, 2022 5:19 PM


That is quite a comprehensive and well-researched article. Yes, the “networked privacy” issue – or rather to say the networked lack of privacy issue – does raise A LOT of questions.

I’m not very familiar with a lot of legal proceedings on this issue. But any court cases or headlines regarding the use or misuse of DNA databases would be quite interesting. You’re keen to anticipate the use of parallel construction – ugh. I’d like to know who would act as a regulator here. DNA certainly has a unique subset of issues.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.