Our findings fall into three main categories: wide-ranging authorizations for companies to use DNA (and non-DNA) data when consumers opt into research, over-collection of non-DNA data, and excessive disclosure of non-DNA data.
Extensive research authorizations
The five companies whose apps we evaluated state that they offer their customers the option to opt into “research” conducted using anonymized or aggregated DNA and other customer data. However, our experts say that in some cases this research may not be the kind of altruistic research customers imagine, and that consenting can result in more than just your anonymized DNA being shared with third parties. While our analysis found that the protection of an individual’s DNA data appeared relatively solid for the most part, opting into research opens up potential vulnerabilities.
We carefully evaluated the research guidelines and informed consent forms for four of the five companies in our study: 23andMe, Ancestry, GenoPalate, and MyHeritage. (We excluded CircleDNA from this part of the analysis because its platform does not allow access to the full user interface without valid DNA test results; therefore, we were unable to see the company’s research informed consent form or evaluate a typical customer’s user experience.)
23andMe told CR that more than 80 percent of its customers opt in to having their data used for research. “While customers have different reasons for choosing research, many do so out of a desire to contribute and accelerate scientific and medical discovery,” said Jacquie Haggarty, vice president, deputy general counsel and privacy officer, 23andMe.
All four companies have customers proactively opt in to such research rather than enrolling them by default and requiring them to opt out, which benefits consumers. However, it is not always clear what consumers are opting into, says Fitzgerald of CR. “Research” can be understood to mean, for example, scientific studies carried out by third-party academic institutions that can be seen as contributing to the common good. “They understand the advances that can be made in science by sharing genetic information. And people want to help,” said Jennifer Lynch, director of surveillance at the Electronic Frontier Foundation (EFF), who was not involved in our study.
Our experts say the permissions consumers grant if they opt into research are likely to be more extensive than consumers might assume, as they often include permission for third-party researchers to receive not only anonymized DNA information but also any other information you share or that the company collects about you, which may include self-reported health information and information about relatives. Ancestry’s research authorizations cover the use of all data disclosed to the company, including data disclosed in the future. 23andMe advises that ongoing analysis may be carried out on your data.
As specifically pointed out in the MyHeritage research informed consent form, because of the uniqueness of the information you share, there is always a risk that the DNA information you provide could re-identify you – even if it is anonymized.
Consumers already share a lot of information with these companies, but we found that the companies also collect additional data and, in some cases, assemble a detailed profile of individual users that goes well beyond their DNA.
During our tests in 2021, all of the Android apps we evaluated declared broad permissions that could support data over-collection. Specific permissions included the ability to read contacts, track a person’s precise location, and collect detailed information about a person’s phone.
Taken alone, none of these permissions is a sign that a company is doing something nefarious. For example, when we asked 23andMe why its Android app requests access to biometric data, the company told us that this allows consumers to unlock the app with the fingerprint stored on their phone and that 23andMe never accesses the actual fingerprint.
And some apps may declare permissions that are never actually used. For example, GenoPalate told us that several permissions we asked about, including use of fingerprint and biometric data and access to a user’s contacts, are never actually requested from the user. “Some software libraries we use declare these permissions by default, but they are neither requested nor used,” GenoPalate CEO Sherry Zhang, PhD, told us.
However, CR’s experts say that customer privacy would be better protected if permissions an app never uses were not declared in the first place. “Taken together, when you look at the sum of what these permissions allow and the way data is handled in accordance with data protection guidelines, overly broad permissions create the potential for data collection that does not directly benefit consumers and is not required for the service,” says Fitzgerald of CR.
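The over-declaration described above can be checked directly in an app’s manifest. The script below is an added example, not code from CR or from any of the companies named: it parses a decoded AndroidManifest.xml (the form tools such as apktool produce), lists every declared permission, flags the ones that reach the kinds of data the article singles out (contacts, precise location, phone details, biometrics), and reports any declared permission the developer has not accounted for in a list of permissions the app is expected to need. The manifest and package name are constructed samples; the permission identifiers are real Android permission names.

```python
"""Audit which permissions an Android app declares, and which of them are
unexplained by the features the app is supposed to need.

Constructed sample input; the manifest is not from any real app. Swap in a
real decoded AndroidManifest.xml to audit an actual build.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (placeholder package name). Permission
# identifiers are real Android permission names.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dnaapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
    <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
    <application android:label="Sample"/>
</manifest>
"""

# Permissions that reach the data categories discussed in the article,
# mapped to a plain description of what each one would allow the app to do.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read the user's contacts",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "track approximate location",
    "android.permission.READ_PHONE_STATE": "read phone/device identifiers",
    "android.permission.USE_BIOMETRIC": "prompt for biometric unlock",
    "android.permission.USE_FINGERPRINT": "prompt for fingerprint unlock (deprecated API)",
}


def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name="..."> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")  # attribute is in the android namespace
        if name:
            names.append(name)
    return names


def sensitive_permissions(manifest_xml):
    """Map each declared sensitive permission to what it would allow."""
    return {p: SENSITIVE[p] for p in declared_permissions(manifest_xml) if p in SENSITIVE}


def unexplained_permissions(manifest_xml, expected):
    """Declared permissions not in the set the app's features are known to need.

    This is the check behind the GenoPalate point above: a permission pulled in
    by a library but never requested still shows up here, because it is declared
    without a feature that explains it.
    """
    return sorted(set(declared_permissions(manifest_xml)) - set(expected))


def report(manifest_xml, expected):
    """Human-readable summary of the audit."""
    lines = [f"Declared permissions: {len(declared_permissions(manifest_xml))}"]
    for perm, what in sensitive_permissions(manifest_xml).items():
        lines.append(f"  sensitive: {perm} -> {what}")
    for perm in unexplained_permissions(manifest_xml, expected):
        lines.append(f"  unexplained by stated features: {perm}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed feature list for the constructed app: network access and a
    # biometric app-lock, as 23andMe described for its own app above.
    EXPECTED = {"android.permission.INTERNET", "android.permission.USE_BIOMETRIC"}
    print(report(SAMPLE_MANIFEST, EXPECTED))
```

The expected-permission set is the reviewer’s input, not something the manifest can supply: it encodes what the app’s advertised features actually need, so anything the audit lists as unexplained is a permission the developer should either justify or remove from the build.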
In the privacy policies we evaluated for these services, the data sources listed are broad and in some cases include newspapers, birth registers, marriage registers, third-party advertising companies, census records, immigration lists, and social media sites. For services like Ancestry, MyHeritage, and 23andMe that also provide family history information, some of this data augmentation makes sense. However, the privacy policy language that enables this augmentation can be very broad. For example, MyHeritage also includes a generic category of “other records,” which makes it difficult to imagine a data source that does not fit this definition. MyHeritage did not respond to any of our requests for comment.
We asked the companies we rated to tell us what sources they use to augment customer data. Ancestry told us that it uses demographic data from the credit reporting company Experian. The purpose, a spokesperson told us, is “to analyze and understand purchase and usage trends that will help Ancestry improve our product and marketing. Ancestry does not use Experian data to target individual users across the web.”
23andMe informed us that while it may receive data from users’ social media accounts, “in a spirit of data minimization and purpose limitation principles, they limit the use and storage of such data.”
Both Ancestry and 23andMe indicated that customers can download whatever data the company holds about them, including data from augmentation sources. CircleDNA and GenoPalate told CR that users can request records of the personal information collected about them, although this is not specified in the companies’ privacy policies (except in the case of GenoPalate, which describes the ability to request this information for California residents only).