People don’t think much about private databases, but they’ve transformed almost every aspect of our lives. Private databases have become so common that we regularly just sign the terms and conditions to be part of them without really considering the full implications. When they are working, they tend to fade into the background. They feel like no one can see them. Easy to use. Even permanent. People give out their personal information, think it will be safe, and then go about their business. But a private database isn't a public trust. It is an asset for the business. That difference is more important than most people think.
Government databases are usually regulated by laws that define who can be a part of them, how long they will remain included and who can access them.
Brian Gestring knows. He managed the New York State’s DNA database, one of the largest state DNA databases in the nation. DNA databases can be very effective and not just for looking at people that directly contributed to them.
Brian testified to the first case where a serial killer was caught because his brother was in the state DNA database, but the brothers DNA was so similar to the evidence in the two rape and murder cases, that it led investigators to him. Brian also helped develop and implement New York’s familial DNA searching program which has dramatically increased the efficacy of the State DNA database and has already resulted in convictions on cases that had long gone cold.
That experience offers a useful contrast. Public forensic databases are built around accreditation, documentation, chain of custody, standardized reporting, and legal oversight. They are expected to hold up under scrutiny. They are supposed to be durable, auditable, and accountable.
Private databases often store equally sensitive information but lack the same level of organization.
Companies that don't have to put the public first now keep consumer DNA, genealogy records, health information, biometric data, location histories, and other very private information in their own private systems. Their first responsibility is to ownership, income, and survival. That doesn't mean that all private businesses are dishonest or careless. It does mean that the rewards are different. The database is not immune to those choices when money is tight, leadership changes, or a company is sold.
That is where the risk becomes real.
A private database can be sold to new owners with different values. It can be repurposed in ways users never pictured when they first signed up. It can be folded into another business. It can be exposed in a breach, neglected through weak security, or quietly shut down. People tend to assume their data remains theirs in some meaningful way. Often, that confidence is far stronger than the protections behind it.
And once the information is out, the damage is not always reversible.
A credit card can be canceled. A password can be reset. But some forms of data do not work that way. DNA is the clearest example. It does not just identify one person. It can reveal family connections, biological traits, and information that reaches far beyond the original user. That is not ordinary consumer data. It is intimate, lasting, and unusually hard to contain once it leaves the box people thought it was stored in.
People have been taught to think of private databases as stable parts of the infrastructure. No, they aren't. They are products made by companies that can quickly change direction. A new CEO can change the rules. A buyer can change what they want. Investors can change the whole future of a platform without ever asking the people whose data made it valuable in the first place.
That's what people miss. The database may seem personal, but it usually isn't.
Gestring's broader warning is important: when important information about a person's identity is in private hands, people often don't have as much control as they think they do. The risk is not just abuse. It is fragile. It is a false sense of security to think that something is permanent just because it is digital. The idea is that a clean interface and a promise of privacy will lead to long-term responsibility.
They don't.
If private companies want people to trust them, they should have to do more than just market themselves. Sensitive databases should have clear rules for continuity, stronger oversight, meaningful transparency, and real limits on what happens when ownership changes. People should be a lot more skeptical until then.
Safety and convenience are not the same thing. A private database is only as good as the business that runs it.
