Concerned about your privacy while using a DNA test from Ancestry DNA, 23andMe, or other DNA testing company? You should be. Use this guide to stay private while using at-home DNA test kits.
DNA Testing Can Seriously Compromise Your Privacy
This holiday season, at-home DNA test kits were once again one of the most popular gifts. If you’ve received one, have already taken one, or know a family member who took one, you may be wondering what the test might mean for your privacy.
Using an at-home DNA test means sending your most personal identifier away to a for-profit company, and isn’t something to be taken lightly. As Peter Pitts, president of the Center for Medicine in the Public Interest Forensic Genetics Policy Initiative, explains, “The DNA kits are being viewed as stocking stuffers or cocktail party conversation. People don’t think about the security of their DNA as they don’t realize its value.”
Giving Up Your Most Personal Information: How Ancestry, 23andMe, and Other Companies are Using Your Data
When you send your saliva sample to a company to be tested, you are giving them your most personal information: your entire genome, your browsing activity on their website, the information you provide when making an account (like your name and email), your sex/gender, date of birth, credit card number, answers to any health or behavior-related surveys on their site (which can include disease conditions, ethnicity, and other health info), and more.
In addition to providing you with the service you expect, i.e. information about your ancestry and genetic health, they share your personal information with third parties, just like any other online service.
And I don’t just mean the information they have to share with the lab to provide their service. Companies also sell their data to research partners, marketers, and others. For example, Ancestry DNA’s Terms and Conditions state that by sending them your DNA, “you grant Ancestry and the Ancestry Group Companies a royalty-free, worldwide, sublicensable, transferable license to host, transfer, process, analyze, distribute and communicate your genetic information for the purposes of providing products and services.”
This is pretty scary: it shows that the firms are monetizing your DNA, and it’s so vague that you don’t really know to whom or for what reason your data is sold or used.
This is the exact reason why Senator Chuck Schumer has called for a Federal Trade Commission investigation of DNA test companies.
One of the most obvious examples of these companies sharing data is with research partners: Between 2006 and 2016, 23andMe sold its database to at least 13 different drug companies, most recently making a four-year deal with pharmaceutical giant GlaxoSmithKline, allowing them to exclusively mine 23andMe’s customer data to develop drugs.
Every time your information changes hands, it becomes less safe. And, just like any other company, DNA testing companies are susceptible to data breaches. Even if it is not sold by the DNA company itself, it could end up in the hands of data brokers (especially if you’ve used Ancestry, which owns it own DNA broker site, Archives.com.) This can leave you open to:
- Financial fraud, stalking, identity theft, and more: if somebody is able to get a hold of your personal information–such as your date of birth, address, or credit card number–they can take advantage of you with these pieces of data.
- Genetic discrimination: although the Genetic Information Nondiscrimination Act protects Americans from this kind of sharing, there are gaps in the law that allow insurance providers and the military to make decisions based on DNA results. For example, while health insurance companies cannot access the direct test results that you receive from the DNA test kit, you are required to tell them if you know about certain health risks, and this will affect your insurance premiums.
We took the time to rate the differences in privacy of the five biggest DNA testing companies: Ancestry DNA, 23andMe, MyHeritage, Helix, and Family Tree DNA. Compare privacy scores of these companies here.
How to Use DNA Tests While Maintaining Your Privacy
While Buying Your Test:
- When accessing the website to order your test kit, use a VPN to make sure that your connection is secure and that your Internet Service Provider or Wifi Provider can’t view your browsing activities. Then, use Blur’s Tracker Blocker to ensure that data collection companies aren’t recording your activity.
Here, you can compare the number of trackers used by each site:
- Use Masked Info with Blur to stay as private as possible. First, use a Masked Card to buy your kit. This will allow you to create a “virtual credit card”, so that the company will not have your real credit card number. If there is a hack or a breach, your real credit card information stays safe because they don’t have it. You can also use any name you want while using the Blur Masked Card billing address – keeping your billing information private. You’ll still need to use your real shipping address in order to receive your kit in the mail.
- While ordering your kit, you can also use Blur to mask your email address and phone number. This information will still work–emails will be forwarded to your regular email, but the company will not have your real email address and be able to sell it, and thus marketers will not be able to link your account to your other online accounts to build your ‘online profile’. Then, if Ancestry is sending you spam, you can turn off email forwarding, or just delete the email address altogether.
While Taking Your Test, or if You Have Already Taken Your Test:
- Once your test comes in the mail, you will have to register your kit online. Use your masked email from Blur to login to your account. If you have already registered your kit, you can change any information that is in your profile to masked information.
- Skip any survey questions about your health information; this is personal information they use to build your online profile.
- Take your saliva sample and send it back to the company. If you are using 23andMe, you can request that your spit is disposed of after they have gotten the lab results. If you are using another company, you will have to contact the company to make this request after you’ve received your results.
- Opt-out of any consent for research, or profile sharing (such as a public family tree). Make sure any information in your profile is private, and only put information that is strictly necessary. It’s okay to put false information.
- Even with all of these steps, remember: when giving away your DNA, you are giving away your most sensitive personal identifier. You can change your credit card number, or even your social security number, but you can’t change your DNA.
After You’ve Received DNA Test Results:
- If you haven’t yet, request that your saliva sample is discarded and that you have opted out of research and data sharing, as explained above.
- Be cautious if your DNA service offers to tell you about risks for disease. If you are aware of certain risks, such as for Alzheimer’s and Parkinson’s, your insurance company might require you to disclose what you know about your genetic health. Be aware of what you are getting into when taking these tests.
- Use DeleteMe to stay safe from data brokers. Although you have put masked information in your account, you will want to make sure that none of your real data has gotten into the wrong hands. Data brokers–such as Whitepages, BeenVerified, and Spokeo–crawl the web for the kind of personal information used when creating new accounts, and post that information on their sites. It’s likely that you they have already created a listing for you–just a quick Google search can reveal which sites have created a listing for you.
This step is especially important if you have used Ancestry DNA. Since part of Ancestry’s service is learning about your heritage through public records, there is a great deal of personal information about you and your family that can be found on their site. In fact, Ancestry owns its own data broker, Archives.com. Read more about Ancestry’s use of personal information here.
If You Haven’t Taken a Test, But a Family Member Has:
As of October 2018, 60% of Americans of Northern European descent can be identified through the companies’ databases, whether or not they’ve joined one themselves. Within two or three years, this will become 90%. The same study also showed how genetic profiles that DNA companies supposedly “anonymized” could be positively identified. This means that even if you haven’t personally taken a DNA test, it is likely that you are still able to be identified through a DNA company’s database.
It’s never too late to take control of your online privacy.
You can reduce your online footprint by using Blur and DeleteMe. Blur helps you to keep your information private, by allowing you to create accounts and shop online without giving away your contact and financial information. DeleteMe helps you to get rid of what’s already out there, preventing strangers, thieves, hackers, and cyber criminals from taking advantage of you.
Abine, Inc. is The Online Privacy Company. Founded in 2009 by MIT engineers and financial experts, Abine’s mission is to provide easy-to-use online privacy tools and services to everybody who wants them. Abine’s tools are built for consumers to help them control the personal information companies, third parties, and other people see about them online.
DeleteMe by Abine is a hands-free subscription service that removes personal information from public online databases, data brokers, and people search websites.
Blur by Abine is the only password manager and digital wallet that also blocks trackers, and helps users remain private online by providing ‘Masked’ information whenever companies are asking for personal information.
Abine’s solutions have been trusted by over 25 million people worldwide.