Privacy Fears As Fast-Growing Genealogy Firms Attract Big Money
By Jackson Chen
Millions of people curious about their family trees are driving a fast-growing consumer genealogy industry that is drawing privacy concerns over its increasing ties to private equity firms, investors and wealthy corporations.
Rapid changes in the mass ancestry sector, which includes home DNA tests, have experts concerned about the handling and storage of consumers’ sensitive family data.
“It’s important to think about how the corporate changing of the guard here might impact people’s really personal information,” Vera Eidelman, a staff attorney for the Speech, Privacy and Technology Project of the American Civil Liberties Union, told Digital Privacy News.
“Consumers should be really wary of attempts to monetize their highly-sensitive genetic data in unexpected ways.”
The urgency of the issue has been underscored by a string of major deals in the past six months in which genealogy companies were acquired or merged with outside capital.
In December, the global investment company Blackstone paid $4.7 billion for Ancestry, a DNA testing service with more than 18 million people in its database.
Two months later, 23andMe, which specializes in direct-to-consumer genetic testing, announced plans to merge with VG Acquisition Corp., in June in a special purpose company sponsored by Virgin Group, the British venture capital conglomerate.
In April, global investment firm Francisco Partners completed its acquisition of MyHeritage for a reported $600 million.
The companies involved shared a similar sentiment when announcing the deals: accelerate growth across the industry.
Gilad Japhet, the founder and CEO of MyHeritage, said the Francisco Partners’ acquisition would allow the company “to reach new heights, invest more resources in creating greater value for our users and to reach a larger audience,” according to a media statement.
Eidelman said outside investors were not only interested in the growth potential of genealogy companies, but also in how they mine additional information from consumers’ genes. She said there were also attractive opportunities for attracting big clients, including governments and law enforcement services.
“Growth potential is fine, if that’s what the customer or consumer wants to know about themselves,” Eidelman said.
“But it raises a lot of alarm bells for me if the government then seeks to gain access to that same information, particularly without a warrant.”
Jennifer Lynch, the surveillance litigation director at the Electronic Frontier Foundation, said she was wary of sudden changes to the privacy policies of popular family-tree companies, like MyHeritage and 23and Me, as new owners search for new ways to capitalize on the industry’s consumer data.
“What we do see, in general, when companies get acquired is that eventually the original founders and folks who run the company get pushed out and that’s when data practices tend to change.”
Eidelman said private companies tend to move quickly, altering privacy policies quickly sometimes without notice, or principles. The new role of private equity stakes, she said, would influence how genealogy companies do business.
“A lot of these companies have historically believed that strong privacy guarantees were critical to attracting customers,” Eidelman said.
“But the incentives may very well shift for private equity firms that are more likely to want to squeeze every last cent out of these businesses.”
Matt Anderson, the spokesman for Blackstone, dismissed any notions of improper data usage. He said Ancestry was in a strong market position and his company simply wanted to provide capital for further growth.
“As we’ve said repeatedly, Blackstone has not and will not access user DNA and family tree data, and we will not be sharing this data with our other companies,” Anderson said in a press statement.
“To be crystal clear, doing so was never part of our investment thesis — period.”
Ancestry followed suit, assuring customers they always maintain ownership and control over their data. The company said it does not share customer data with insurers, employers, third-party marketers or law enforcement unless compelled by a valid legal process.
Andy Kill, a spokesperson for 23andMe, told the press the company’s top priority was providing a secure, private environment for its customers.
“We do not sell individual customers’ information, and no investors or other collaborators have access to the 23andMe database,” Kill said in a statement. He said customer information was also encrypted at rest and in transit.
Despite the assurances of ancestry companies and their new corporate suitors, the EFF’s Lynch said genetic data was a high-stakes sector, citing the extreme sensitivity of the information contained in consumer DNA.
Lynch said the genetic databases include specific indicators that can identify individuals, their relationships with other people, their ancestry, and in some cases produce images to predict what someone looks like.
“It’s one thing for a press release to say that the company is committed to privacy,” Lynch said. “It’s another thing to see how the company acts going forward.”
Lynch said this genetic information could be used to target people across the world and lead to misidentifications during investigations.
Forensic genetic genealogy cracked the decades-cold Golden State Killer case, but an attempt of the same methodology in 2017 misidentified an Oregon man who shared a rare genetic marker with the actual killer.
The application of forensic genetic data techniques by law enforcement and government security agencies is starting to come under legal regulations on the state level.
In recent months, Montana and Maryland passed the country’s first laws to restrict how law enforcement agencies use DNA databases for investigations.
Maryland’s new law requires police to get permission from a judge before a DNA database can be searched, while Montana’s version requires a warrant. Utah has also passed a law protecting genetic data.
With no federal law in place, the U.S. operates off a 2019 interim policy for forensic genetic genealogy instituted for law enforcement agencies by the Department of Justice.
The policy reserves forensic genealogy for unsolved violent crimes and only after other options, like the FBI’s Combined DNA Index System, had been exhausted.
Experts are worried about the lightly-regulated future of genetic data. Lynch and Eidelman said state laws were a step in the right direction, but do not go far enough to protect genealogical data.
Eidelman said the revealing details stored in genealogical databases were a prime target for misuse.
“Our DNA and genetic blueprint is some of our most personal and sensitive information,” Eidelman said.
“It can reveal information about our ancestry, our family relationships, and sensitive medical information. When networked with family history information, it only increases the potential privacy implications.
“It really is a potential treasure trove of information.”