What are the broader implications of a DNA testing company having access to both your DNA and online data?
I’m kind of a genealogy nerd. I don’t mean like a hardcore genealogy person — I’ve probably spent a total of an hour on Ancestry.com in my entire life — but I’ve spent a higher-than-average amount of time looking into my family background. I like hearing the stories when my family has them, and I like imagining all of the different situations all across the world that had to occur in order for me to come into existence.
So when at-home DNA testing became a thing, I was into it. I had a pretty good idea of what my ethnic background was (spoiler: very European) but there were a couple of gaps in the history that made me wonder. And maybe I’d find out something totally new and surprising. So I spit in a tube, popped it in the mail, and waited for my results.
Further reading: The privacy and security risks of consumer genomics kits
What I didn’t think about back in 2017 was the potential risk of sending my DNA off to a private company. And I’ll admit: That’s kind of embarrassing. Because it seems so obvious now, right? Like, maybe it’s not a great idea to send off my genetic code to anywhere, much less a private company.
The goal of What Does the Internet Know About Me? is to go deep on all of the things that might be known about me online, good and bad. So far it hasn't been as scary as I expected it to be. But I was nervous about this one. Did I make a major mistake when I spit in that tube? And if I did, could I reverse it?
Well, the first and most obvious thing is that MyHeritage knows my actual DNA. That means they know things about me that I don’t even know. For example, if I chose to pay for an upgrade, they could tell me what diseases I’m genetically predisposed to.
I’m choosing not to pay for that option, because it feels like giving them even more information about myself than I need to and like opening myself up to bigger potential privacy issues. But to be honest, that might be a false sense of security. I mean, they have the sample. Theoretically they could check it if they wanted to. (Although, to be clear, there’s no evidence that they do this.)
With that DNA sample, they can also estimate where my ancestors came from, based on genetic markers of people who currently live in those regions. As a consumer, this is probably the most interesting part. You get a cool little interactive map that shows the regions your ancestors likely came from and you can click on each one to learn more about that group.
There wasn’t anything too surprising in mine, except that they didn’t identify any non-Jewish German ancestors, despite the fact that my father’s grandmother’s last name was Schoeffel. They did, however, identify a bunch of Scandinavian lineage, which isn’t part of my family’s oral history. I was confused until my partner pointed out that Germans from a few generations ago might have looked more genetically similar to modern Scandinavians than to modern Germans. Ancestry mystery solved!
MyHeritage also knows who I’m “related to.” I’m putting that in quotes because so far it’s only connected me with estimated third to fifth cousins; people with whom I share less than 1 percent of my DNA markers. These are all people who I could theoretically have children with and have absolutely no concerns about potential genetic abnormalities, so I’m reluctant to call them relations. Of course, if someone in my more immediate family also took a test from MyHeritage, it would be a different story. But that hasn't happened so far.
MyHeritage also knows my first and last name and my email address, but no other personal info about me — because I haven’t provided it. If I wanted to take advantage of other services the site provides (or even just go more in-depth into my own genealogy), I could add my:
That’s great, but maybe even better is MyHeritage’s policy that they “will never provide data to insurance companies under any circumstances” and that they prohibit “law enforcement use of” their DNA Services.
Their policy also says that they have never sold or licensed personal data, “i.e. customer names, email addresses, residence addresses and family trees and will never do so in the future.” They do, however, have third-party marketing trackers on their website. That means users are being tracked for marketing purposes.
Finally, MyHeritage does let users delete all or some of their data — and it’s pretty easy to do so. That’s another point in the privacy checklist.
One thing that I think is important to note about MyHeritage is that they’re based in Israel. That means they’re not under the jurisdiction of American law enforcement, which has been known to subpoena DNA companies and also use them to track down criminals.
The arrest of the Golden State Killer, who was captured after decades of evading law enforcement, is probably the best known case of this. Law enforcement tracked him down by submitting his DNA profile to GEDmatch and then used a match with distant relatives to create a family tree that led to the serial rapist and murderer.
This off-label usage of corporate DNA databases means that even if you don’t put your own DNA into one, you can potentially be tracked through relatives who have — or law enforcement who get ahold of your DNA. In the case of the Golden State Killer, many people argue that the tradeoff was worth it. But others are concerned that peoples’ genetic sequencing is being used in ways that they didn’t consent to — and that we have no idea how science in the future might use it.
The other group that can potentially use your direct-to-consumer DNA test against you is insurance companies. In the United States, there’s a 2008 law called the Genetic Information Nondiscrimination Act (GINA), which says that health insurance companies can’t use genetic information to deny a person coverage or require higher premiums. However, it doesn’t apply to life insurance, disability insurance, or long-term care insurance.
So while MyHeritage says they “will never provide data to insurance companies under any circumstances,” those insurance companies have the right to ask me, the consumer, if I’ve ever taken one of these tests — and what the results are. If I did choose to “upgrade” my test with MyHeritage and then failed to disclose that information when asked, I would be committing insurance fraud. Sooo… I’m going to pass on that one.
The greater point to take away here is less about MyHeritage and what they know about me right now than it is about the potential, unknowable future. And while I feel comfortable with — even good about! — how MyHeritage seems to be handling privacy at this exact moment, other direct-to-consumer DNA companies have already demonstrated how this data could be used in ways people didn’t think about. And that makes me nervous.
So is it worth it? To be honest, I don’t know. I’m not sure I would spit in that tube if given the choice today. But I really like that little map and, like I said, I’m into this whole genealogy thing. On the other hand, I don’t like the idea that my not very well thought out choice could have unforeseen consequences for my great-grandchildren.
I’m torn. So, in conclusion, I say make your own choice on this one. If knowing your genetic history is really, really important to you, then maybe it’s worth it to take on that potential privacy risk. But if it’s not? You might want to reconsider.
Our recent research shows that there’s a lack of knowledge when it comes to third parties accessing our search history and how this information is used.
As more communities install automated license plate readers (APLRs) to monitor vehicle traffic, there are growing concerns about the privacy and efficacy of these tools.