DNA Testing Kits: Does Privacy Matter to Ancestry DNA and 23andMe?

DNA Testing companies like Ancestry DNA, 23andMe, MyHeritage, Helix, and FamilyTreeDNA might be using your private information in ways that you don’t understand, and that puts your privacy at risk. If you haven’t used a DNA testing kit yourself, you probably know somebody who has. Companies like AncestryDNA, 23andMe, and MyHeritage promise to help you uncover the secrets hiding in your saliva. Most who sign up simply want to learn about their regional and ethnic origins, but some DNA testing kits are now uncovering genetic health risks, personal traits, and carrier statuses. These services have even found their way into current events: 23andMe offered to help reunite families separated at the border, and the formerly ‘cold cases’ of the Golden State Killer and the murder of April Tinsley were solved using the services of similar DNA testing companies. The market for these services is thriving. In 2017, the industry was worth about $99 million, and is expected to be worth $310 million by 2022. AncestryDNA, the largest DNA testing company, has performed millions of tests in the last 7 years, amassing hundreds of gallons of saliva. Issues have been raised regarding the accuracy of these tests and, of course, the issue of privacy. Is it safe to hand over your most sensitive personal information to these private companies?

Privacy Comparison: Ancestry, 23andMe, My Heritage, Helix, and Family Tree DNA

Ancestry DNA

Privacy Score: 2/5

Review:

AncestryDNA is the most popular DNA testing kit based on their stated number of 10 Million+ customers, with DNA testing kits starting at $99. RootsWeb, a site run by Ancestry, experienced a data breach in 2017 where they were forced to turn off the site. A file was acquired containing the log-in information of around 300,000 accounts; of those customers, 55,000 used the same log-in information for their Ancestry account, and 7,000 were active users. Since the breach, Ancestry has taken precautions on their site, adding a detailed Privacy Center breaking down their privacy policy in simpler language. In general, their privacy policy and practices seem to be average compared to other DNA testing companies. Ancestry will keep your saliva sample indefinitely, but they will dispose it if you make a request over the phone with their customer service team. We appreciate that Ancestry provides a Live Chat support option, so it’s easy to get answers to privacy questions. However, the strangely secretive nature of their collaboration with Calico labs could raise concerns for many users. What is most concerning to us is their historical record and people search service, which makes it easy to find anyone’s personal information. For these reasons, they receive a privacy score of 2 out of 5. Read more about Ancestry DNA and privacy here.

23andMe

Privacy Score: 2/5

Review:

23andMe is the second most popular DNA testing kit, claiming over 1 million customers. Their pricing ranges from $99 to $199 depending on which services you choose. Like Ancestry, they have a detailed Privacy Center, but they do not offer a chat service. When I emailed in privacy questions, it took them a little over 24 hours to respond, but their response was thorough. 23andMe does give you the option to have your saliva disposed after testing; they will otherwise keep it for up to 10 years. Finally, their focus on the health data market and their partnership with GlaxoSmithKline has raised serious concerns about the monetization of consumer data, so they also receive a privacy score of 2 out of 5.

My Heritage

Privacy Score: 2/5

Review:

MyHeritage started as a genealogy website and began offering DNA tests in 2016. In June 2018, hackers breached 92 million MyHeritage accounts but only gained access to encrypted emails and passwords, rather than genetic data. Still, MyHeritage has taken steps to improve its security, such as implementing two-factor authentication. Unlike 23andMe and Ancestry, MyHeritage does not have a simplified privacy guide; their privacy policy is long and difficult to read, like most privacy policies these days. They store your saliva sample until it is no longer usable, and they do not outline a procedure for having it disposed. Based on these findings, privacy does not seem to be a priority for MyHeritage, so they received a privacy score of 2 out of 5.

Helix

Privacy Rating: 1/5

Review:

Helix offers an ‘à-la-carte’ DNA testing service, so users can choose the exact kind of analyses they’d like done with their  DNA testing kit. For these analyses, Helix has many partners with whom they share your data. As a result, you need to be proactive about checking each partner’s privacy policy before agreeing to share your data with them. On its own, Helix would have an average privacy rating. Their Privacy Highlights page is easy to read, but their policies are complicated by the partnership aspect of the service. Helix’s privacy policy is only part of the picture: if you want to really know what is happening with your data, you must also read the privacy policies of each of their partners. For this reason, we give Helix a 1 out of 5 for their privacy score: while their ‘pick-and-choose’ approach to testing might be compelling for some customers, it also makes it more difficult for people to have a full understanding of what is happening with their personal data.

Family Tree DNA

Privacy Rating: 4/5

Review:

Similar to Helix, FamilyTreeDNA allows users to choose different kinds of tests they would like performed on their DNA. They’re not partnered with any third-party research companies, and unlike many DNA testing services, they have their own in-house lab. With all of your data ‘under one roof’ it’s only subject to one privacy policy, rather than the privacy policy of each party. FamilyTreeDNA does not have a privacy center with a simplified version of their privacy policy, but the policy itself is not overly difficult to read. They also have a chat feature for quick questions. For these reasons, we give FamilyTreeDNA a rating of 4 out of 5: there are certain things that it does better than other DNA companies, but some of the risks inherent in DNA testing are still there.

How are DNA Testing Companies Using Your DNA?

Your DNA is your most sensitive information, even more personal than your social security number or your fingerprint. It’s frightening to think that these private companies are storing that away, and could one day profit from it in ways you never actively agreed to. Many customers don’t think about what happens to their DNA sample after they receive the results of their tests. Both Ancestry and 23andMe use the data they have acquired for research projects. Most AncestryDNA customers consent to have their de-identified DNA results shared with research partners to improve health sciences, such as curing diseases. Similarly, 23andMe says that it will not share your information with third parties unless you opt in, which about 80% of users do. The research goals of these companies, however, are not made clear. While customers might believe they are participating in altruistic research, they will not know exactly what kind of research their data is involved in. Ancestry’s main research partner is Calico Life Sciences, a Google subsidiary whose focus is on extending human lifespans. Calico does not reveal much about their research, and has been criticized and called the “vanity project” of a few Silicon Valley billionaires. 23andMe partnered with drug giant GlaxoSmithKline to develop drugs for treating Parkinson’s disease. President of the Center for Medicine in the Public Interest, Peter Pitts, has raised concerns over people paying to give their DNA to for-profit companies.

Your DNA Could be Used Without Your Knowledge- Are You “Giving Away” Your DNA?

New York Senator Chuck Schumer, who has called for a Federal Trade Commission investigation of DNA test companies, criticized the Terms of Service agreements used to get this consent from consumers. A press release on his website argues that the language used, “clearly suggests a desire for firms to monetize the DNA data they receive. At the same time, it is so vague that consumers do not have any concrete understanding of to whom and for what purposes their data might be sold or used.” In the past, the FTC has warned consumers of the privacy risks in using a DNA testing service, and is now investigating DNA testing companies over the way they handle private information and genetic data.

Companies like Ancestry maintain that they do not have any ownership over an individual’s DNA, and everything they do with it is consensual. But, this does not stop them from using it in ways that might not have been made clear to the consumer when they agreed to the Terms of Service. As privacy lawyer Joel Winston explains, “They make a big deal of stating that you own your DNA. But they are taking a worldwide, perpetual, royalty-free license to do what they want with your DNA and your actual genetic sample that they keep in storage.”

DNA Testing: Privacy Implications

It’s unclear whether these DNA testing companies might one day share individuals’ DNA data with employers or insurance companies. Your DNA reveals things like your skin color and propensity for inherited diseases. While the Genetic Information Nondiscrimination Act protects Americans from this kind of sharing, there are gaps in the law that allow insurance providers and the military to make decisions based on DNA results. For example, while health insurance companies cannot access the direct test results that you receive from the DNA test kit, they can ask you about your knowledge of any genetic predispositions–and take those into account when setting your rate. If you don’t tell them about this ‘knowledge’, they can decline or rescind your insurance application if they find out about it in the future. Sharing this information is compromising your privacy and that of your family. According to Laura Hercher, director of genetics research at Sarah Lawrence College, “In this field, privacy is a uniquely challenging problem because DNA is familial. When you put it out there, you are putting it out there on behalf of your family.” These sites claim that the DNA data and sample they hold is completely safe. They claim to depersonalize the DNA that they acquire, which only they can re-personalize to send consumers their results. Yet, researchers were able to find out the last names of several men using short repeats on the Y chromosome and a DNA service. Once genetic information is shared with partner companies, each company is no longer responsible for the security protocols of the other parties. While some of the practices of these DNA testing companies are unclear, it is clear that they do not prioritize user privacy.

How Can You Stay Safe?

Using DNA testing kits presents many worrisome implications for your personal information. If you still want to use a DNA testing service (or already have), we have some recommendations for maintaining your privacy. 1. Do not share your information with other users. For sites that offer family tree services, keep your tree private. Be cautious of these kinds of services. Many of these companies have services to match you with people to whom you may be related, but these people may still be strangers who you do not know, and so you should be careful. 2. Go over privacy policies and terms and conditions carefully and skeptically, and be aware of the information that is shared with third parties. If any partners have access to your data, you should read their Privacy Policies as well. Go over your privacy settings in your account. The default settings are usually best for the company, not necessarily for your privacy. Finally, when signing up, be careful about what kinds of services to which you are consenting: Who is doing the testing? What will opting-in mean for your privacy? How will this affect who has access to your data? 3. You can have your personal information erased, and even have your saliva sample destroyed after receiving your results. Download your information if you think you will want to save it for later. Call the customer service department of the company and request that your saliva sample is destroyed. Make sure that they aren’t just storing it away to be monetized later. We’ll have more on this in future posts. 4. Use Abine to protect your accounts on these sites, and all of your other online accounts. Blur can help protect you from breaches and hacks by giving you a masked email and unique password for each site. Blur’s Masked Cards can help you purchase kits securely and anonymously, so that your credit card information stays safe.

About Abine

Abine, Inc. is The Online Privacy Company. Founded in 2009 by MIT engineers and financial experts, Abine’s mission is to provide easy-to-use online privacy tools and services to everybody who wants them. Abine’s tools are built for consumers to help them control the personal information companies, third parties, and other people see about them online. DeleteMe by Abine is a hands-free subscription service that removes personal information from public online databases, data brokers, and people search websites. Blur by Abine is the only password manager and digital wallet that also blocks trackers, and helps users remain private online by providing ‘Masked’ information whenever companies are asking for personal information. Abine’s solutions have been trusted by over 25 million people worldwide.