The Worry about DNA privacy and GEDmatch

Many of my matches at ancestry.com are afraid to upload their raw data to GEDmatch because of their fears about DNA privacy. Here is what I want to say to all of them.

These personal genome tests are not your full genome, just a sampling of the places you are likely to be different from the next person. Remember that we all share 98-99% of our DNA with every other human being.

There is not enough information in these tests for some future mad scientist to make a clone of you.

The GINA law protects you from insurance companies or employers using your DNA information to discriminate against you or deny you health coverage.

So are you afraid that someone will know your blood type or eye color? What about unusual medical conditions? They can only figure something out about you if they know the kit number of someone with your same traits. All they get to see is where the DNA overlaps with another kit, not the raw data itself. And they would need far more knowledge about DNA than the average tester has, to use those overlaps to figure out anything about you.

A prominent genetic genealogist with a PhD in biology, Blaine Bettinger, has so little fear about people seeing his DNA data that he posted it all online for anyone to download and look at!

Your identity cannot be stolen from this data sampling of your DNA. It is like a giant fingerprint, not a credit card number.

On the other hand, if you have any criminals in your family it is just barely possible that your DNA could help track them down. Not a good idea to do DNA testing if you are a criminal yourself, although the FBI uses different markers than what these tests look at.

Remember, no one can see your raw data over at GEDmatch except the site administrators who are straight arrows. People who have your kit number can only see where you match other kits and can look at your ancestry composition. You can choose to stay pretty anonymous.

To stay private, you can have your public name be a pseudonym and you do not have to show your email. Although showing an email address is nice because then new cousins can contact you. A number of people seem to have made special email addresses for just their DNA/genealogy emails (you can always make a new gmail or yahoo or hotmail account) to further conceal their true identity.

As it is a member-only site, I have never gotten spam or any unpleasant email from my many DNA kit listings at GEDmatch.com.
Here are some good articles for further reading on DNA privacy:

44 thoughts on “The Worry about DNA privacy and GEDmatch”

  1. You may wish to amend this to tell your readers about Blaine’s credentials as a scientist as he is not just a genetic genealogist. This would give more credibility to his sharing his data. Many, many people consider themselves “genetic genealogists” but do not have his background.

  2. Wonderful post Kitty. I find the fears about privacy and genetic testing for genealogy to be ridiculous frankly. It is a fear that resembles the hysteria which occurred in Salem back in 1692 & 1693. A few bad characters have stoked the fears of the imaginary demons of identity thievery grabbing your dna data and destroying your life. Sadly some of those fear-mongers have credentials in science, and know better than what they are pushing but continue to do it anyway.

    I put my dna out on any website I can find and have it as visible as the sites allow. I do the same with my mother’s and my uncle’s, both of whose kits I manage and have full blessing from them to do so. I have explained the fears some people have concerning privacy to them and they are comfortable with what I have done. To date nothing unfavorable has happened as a result, quite the contrary in fact. Because of my openness previously unknown members of my family have discovered me, which was the whole idea after all.

    “We have nothing to fear, but fear itself.” A great man said that not so long ago . . . . . it is just as appropriate today as it was then. We need more people like you Kitty, who have standing and respect in this exciting new field of genetic genealogy, to shine lights into the dark corners and reveal that the bogey men have less substance than shadows.

    • Thanks John. I am so glad to find fearless folk like you. I am genuinely puzzled by what these worries are based on.

      My son mentioned a movie called GATTACA which is why the mad scientist comment. Perhaps it is a fear of what the future will discover in this very limited data.

      I think the muckrakers have discovered that stirring up fears sells copy!

      One valid concern pointed out to me on facebook is that a man might discover a previously unknown child. This sounds wonderful to me but I had not considered the fear of paying back child support. My childless 2nd husband has a great fantasy that the doorbell rings, “Hi I am your son and I am head of Gerontology at …”

      • I’m not sure that I fully understand this ? If others state that it is not in depth enough to tell markers between father and son , nor mother and daughter , but rather is an overall dna testing that focuses on a broader perspective of a connection with persons such as cousins , or uncles , or in my understanding a link to the multitude of simply close relationships that are in common for us all ??

        • These personal DNA tests use about 700,000 markers and are very accurate for close family out to 2nd cousins. Parent/child relationships are very clear from these tests.

  3. I’m kind of getting off the subject here but I have a question. I’m new to Gedmatch.com, what does it mean when a kit number matches your kit number and it has some weird numbers/letters under Mt or Y Haplogroup or both?

      • Thanks for your response Kitty, your blog is very helpful. I’m trying to find cousins on my paternal side in Gedmatch but I’m quite confused and wonder if that’s possible. I see kit numbers starting with A.. M.. and F, does that mean anything? In other words, how would I know if a kit number is from my paternal side without sending tons of emails? Is that possible?

        Thanks

        • Ann –
          Sorry, GEDmatch does not do the work for you. Those letters just indicate which company was tested with (A ancestry, F family tree DNA, and M 23andMe). So yes you have to email your close matches and compare trees to figure out the relationship.
          The easiest way to know if someone is a paternal match would be if your mother is tested and they do not match her. Failing that, get as many maternal side relatives to test as possible so that when someone matches them, they are usually not paternal.
          There are lots of posts here about methodology, click on spreadsheets in the tag cloud or try this post first http://blog.kittycooper.com/2013/01/finding-distant-relatives-with-autosomal-dna-testing/
          Also the site DNAadoption.com has a methodology that helps adoptees which is useful to the rest of us too.

  4. Kitty, your blog is brilliant; just brilliance! 🙂
    Question: Do you know how I can transfer my data from ftdna to the Genographic Project or is it not possible?

  5. Hans – thank you so much for the compliment!

    My understanding is that the Genographic Project tests many more SNPs than Family Tree DNA so you can transfer from Genographic to ftDNA but not the other way around. On the genographic web site at https://genographic.nationalgeographic.com/faq/about-project/#other-genetic-testing-site-differences they say “The genetic technology we use for our testing is a custom-designed genotyping chip optimized for the study of ancestry, with far more Y-chromosome and mtDNA markers than are available with any other test. “

  6. Thanks! I had thought about posting something similar on my blog. So many testers stay anonymous at 23andme and are afraid to share from fears that just aren’t based in reality.

  7. Thumbs up, Kitty Cooper! I’ll be directing my DNA matches to your blog post when I suggest Gedmatch to them. I almost always tell my matches about Gedmatch now, and I’ve had some luck getting a few to upload there. I don’t know what I’d do without Gedmatch! Thanks for your dedication to the cause.

  8. Allow me to voice my concerns. First, you’re all stating the “reality” when, in fact, you also have no idea what the “reality” might be. “Remember, no one can see your raw data over at GEDmatch except the site administrators who are straight arrows.” Right, and I can safely hand out the keys to your house to all of my neighbors, because they’re also straight arrows, right? In reality, I completely don’t believe that you know them that well, or have done the necessary background checks to verify that.

    Go and look up GINA again. It doesn’t apply for life insurance, just health insurance. The one person who rejected the bill was Ron Paul, who is now very influential with the Tea Party, which is overthrowing moderate Republicans in surprising numbers. The Supreme Court has ruled that businesses have first amendment rights, which in two cases superseded other federal laws.

    But by far the biggest reason for people to refuse to “share” their genetic information is that we are rightly being trained to guard information in the electronic age. This is just more information about you that you should question the need to release to others. You all feel free to “share” your social security numbers online, and let the cautious people know how that goes.

    And the websites that analyze this information are absolutely not helping. They do a poor job of providing tutorials that tell you precisely what you’re handing over and how it will be used. The descriptions tend to be vague. If you want people to share more at ancestry, why don’t you put a more useful picture on your blog entry, showing some screen shots of what happens and explaining it, instead of a generic picture of a double helix?

    • Correct. I was sympathetic to the goals of the site and am not really that big on privacy.

      But objectively, I have never seen a more misguided and naive privacy statement than what appears today on gedmatch.com. It’s sad because in this day and age it’s not as hard as you think to encrypt data at rest and make legally verifiable statements about what can be done with the info you give a company.

      I know because we were required to get our act back in line with what’s expected at our own online service.

    • My concern is the prosecution and genocide of certain ethnic groups that have in the past become the focus of political leaders. As this has happened in the past say the Jews in WWII, who can say this cannot happen again….

  9. Dear KJM –
    You make some useful and interesting points but then you take a pot shot at my use of a generic image. This seems designed to anger me rather than to be useful.

    There are eight posts on my blog that are filed in the category GEDmatch all of which have many images and descriptions. I also have posted an online slide show at slides.com for GEDmatch. Since this post was about the concept of DNA privacy I should probably have superimposed a padlock and a question mark over the double helix image that I used.

    That being said, your point that we are all trained to guarantee our online privacy is a very good one, but you seem to ignore my point which is what are you worried about? These are not your house keys or your social security number. These personal genome tests are just a sample of the interesting spots in your DNA from which much can be deduced about your heritage.

    That being said, if you have a genetic medical condition that you wish to keep private then do not upload to GEDmatch. If you are worried that your father is not really your Dad or that your out-of-wedlock child might find you, then do NOT do any DNA testing at all! Family skeletons will come out of that closet.

    And while I have not done background checks on Curtis or John, I have worked with them on a volunteer basis for a while now and am comfortable giving them my house keys 🙂 But then again there is nothing in my DNA that I am embarrassed to share. Maybe that blue/green color blindness I gave my son …

  10. I wouldn’t call it a pot-shot. I was pointing out that there are an awful lot of bloggers out there chiding people for not coughing up their genetic information because they’re chickens, when what would really help is to give people information about what exactly they would actually be giving up, and some kind of information (besides your say-so) that it’s actually safe to divulge that.

    Let me give you an example. I put my 23andMe results into GEDmatch. Unbeknownst to me, I have a currently unknown (to science) set of SNPs that code for likely sudden cardiac death in my late 40s. Scientists don’t find that set of SNPs until two years after I put my results into GEDmatch. A hacker breaks into GEDmatch and steals a copy of everything there over the course of a year, undetected, and starts selling that information to a life insurance actuary agency. Ten years from now, my son in his 20s tries to get life insurance, and finds out that he is completely uninsurable. No one will take the risk of insuring him unless he demonstrates that he isn’t carrying those same alleles. I’m not dead of anything yet, but he’s shut out of the life insurance market. Life insurance isn’t covered under GINA. Supposedly neither are disability insurance or long-term care insurance.

    I die a few years later, of sudden cardiac arrest, and my insurance company refuses to pay. “But Dad had a policy that was paid up!” “Sorry, but he had an undisclosed condition predisposing him to die early.” “But he didn’t know about that!” “He should have, since he had a genetic test, and was required under our policy to inform us of any change to his health information.” “But he didn’t know about that – the results finding that problem weren’t available when he had his test done.” “That’s beside the point, he had an undisclosed condition and we are not paying on that policy.” So now my family has lost me decades early, and my insurance policy that was supposed to help them in that case.

    So, are you in a position to say that GEDMatch is not hackable, that my information I put there can’t be traced to me, that there will be no future findings of things unknown now that I might be susceptible to, and that the insurance industry won’t be able to use arguments like that? If you say yes to any of those, you either don’t understand the technology being used, the laws involved, genetic science, or how corporations may use this information. I’m a computer scientist, and I’m pretty sure their system could be hacked and your information traced back to you. My wife is a cellular molecular biologist who works in genetic research. She’s already warned me about this. It sure looks to me like GINA excludes life insurance, and I’m pretty sure a life insurer would try that unless it’s made illegal.

    So please, don’t accuse people of being afraid without recognizing that there may be some basis for that. What you can do is give people as much information as possible about what using these services really means about what could be stolen, what could be gleaned by other legitimate users, and what the off-setting benefits might be. Your GEDMatch slide set is a big step. They should provide something like that so people can get some idea what they’re getting into. But in the blog posts you cite, I count only 9 screen shots. Some of them look to be duplicates, others look pretty much identical to information I can already get at 23andMe. If I search for GEDMatch, I get their login screen, with no apparent way to see anything else about their service.

    I really applaud you for trying to provide some documentation for these things – documentation is sorely needed. But even assuming GINA isn’t replaced at some point, which is possible, there are legitimate concerns out there.

    • I’m not sure that most people aren’t aware that whoever wants your DNA already has it. State laws grant these labs sole right to your DNA once it’s in their lab. If you have ever had any blood draw for annual exams or routine doctor visit these labs already have your precious DNA so get over it. This info is stored in a national database. The cure for polio was found with the cells from a black woman’s uterine cancer tumor. Google Henrietta Lacks and Hela cells were named after her. Her family never saw a dime because her DNA was property of lab companies. The database is used for research because they are hoping to find people with cells with special properties like Henrietta Lacks that will lead to cures of many illness and diseases particularly cancer research. So, your DNA means a lot to you but you do not own your DNA after it’s sent to a lab. They already have you on their database.

      • “State laws grant these labs sole right to your DNA once it’s in their lab.” I’d like to see a reference for that statement. Are you saying it is the same in all states? I also question that specimens submitted for one type of test (eg, blood) can be legally used for other purposes.

        As for the case of Henrietta Lacks, use of her cells began in the 50s, long before current laws regarding privacy. Note, also, that her family has received some recompense since they became aware of the use made of their ancestor’s cells.

  11. To inspire more confidence, GEDmatch could do a much better job of presenting their identity to the public. Their website is worse than horrible, and has absolutely no information about who they are, where they are, what they do with the information you submit, and so on. I would not upload any of my DNA tests to anyone whose “storefront” looks like this one. And do you know these folks personally? If so, you might suggest that they drag their website into the 21st century!

  12. LKM I think you fail to appreciate that GEDmatch was created by volunteers with day jobs to meet the needs of the genetic testing community and provide free tools for examining and comparing DNA. So your expectations are too high for such a site.

    But some fault is mine as I volunteered to help with the privacy policy page so I need to follow up on that.

    If you have some specific suggestions for improvements, let me know or if you can volunteer to help. But currently the problem is dealing with the incredible increase in traffic that they are experiencing so the issues you mention are taking a back seat.

  13. Hello mskitty. Thank you for your efforts to educate website users. I also have reservations about uploading my 23andMe results because once I do, I lose control over it…forever. Nothing here tells me how this valuable information is protected/encrypted/secured/shielded from corporations/government entities who would love to use it to expand their knowledge about me, withhold services from me or market to me. This lack of transparency does not give me the confidence I need before sharing this important information. Also, thank you to all those who are volunteering to make this service possible. However, your comments 1) that volunteers are struggling to deal with the increase in volume and 2) privacy and protection expectations are too high because you use volunteers who also have day jobs, actually reinforces the point that privacy/security are reasonable concerns because you do not have dedicated people focused on the issue. I’d feel much better knowing there is a professional somewhere in the loop guarding this information and keeping it safe from emerging threats. To each his/her own and I do not mean to discourage anyone by this post. I am confident other people have sufficiently weighed risk against benefit and determined the insights they get from uploading their information is worth it. However, I hope objective people will realize reasonable people can and do have rational concerns about doing the same.

    • El –
      I think you are overthinking this. DNA science is not so advanced that marketeers can use it and I myself am happy to contribute to medical science.
      Us old folk do not worry about DNA privacy but I can see how the younger generations might.
      The main volunteer for GEDmatch is a professional but he has a day job.
      You might consider uploading to DNA.land to help science and stay very private.

  14. Hate to be such a skeptic, but ……You said the administrators at Gedmatch were straight arrows. We might have said the same about the IRS 10 years ago.

    Also the GINA law can be completely ignored as immigration laws have been in recent years.

    • Tom, there will always be skeptics in the crowd … I know the people at GEDmatch, have helped them a few times, they are volunteers interested in providing better tools for all of us and a place where people who have tested at different companies can compare to each other.
      As to GINA, we will see … I refuse to worry about these things but I am old. I never push young people to test who are afraid of all this …

  15. mskitty I personally am on the fence about this. We have had our bank account hacked and the repair work involved was daunting to say the least. DNA hacking could potentially have far worse ramifications. I am old so for me it would not matter but I love my children and my grandchildren. Our world is an unstable place and while the information could be used to find cures for cancer it has the potential to be misused as well. Scientists created the atom bomb, scientists created germ warfare, scientists create even without the intent of harm but military and government do with the info as they wish. I am prior service and am not knocking the military, however, leadership is run by people. People get greedy and have ulterior motives. Without even doing the health test 23andme offers I am aware of our family’s genetic issues and health concerns. I would not want to solidify something to be used against my grandchildren later on. I am not sure what I will decide but I certainly would like to see the privacy and sharing of our info updated on the website to allay some fears people might have.

    • Bonnie, I understand your concerns but your DNA is not your credit card or social security number. Frankly I think uploading your results to Gedmatch is a gift to future generations and to your relatives. Here is a link to their privacy policy https://www.gedmatch.com/policy.php

  16. Health reports are available for purchase immediately upon receiving your ancestry results at 23 and me. Whether you wanted them to be done or not.
    Just so you know.

  17. My aunt has worries about the site, not because she is worried about the matches, but because of 2 different reasons:

    1. You HAVE to create an account before you can find out any FAQ’s or other identifying information from the site itself. The home page has no information available to view for the curious.

    2. My aunt’s main worry, is not knowing WHO runs the site, and what they MIGHT be doing with your raw DNA data. As with all the major testing companies, we are well aware that much of the profit for providing DNA testing, is made through selling general info to the drug companies, who buy the overall statistical info. They want to “foresee” upcoming illnesses in certain regions, etc. and getting a heads-up helps increase their own profit. We also understand testing companies are NOT selling your personal DNA info, but the collective information that pertains to the demands of their business clients, based on everyone’s statistical info. But without knowing who runs the site, and without being provided with the legal jargon and privacy laws before creating her account, with or without uploading DNA, has made her extremely uneasy. I actually can say that I can see how she would feel this way, I just never thought about it, or cared!

    Any links to help alleviate her fears, and educate her on the folks who run the site? I would love for her test to be uploaded so I can really knuckle down with preliminary family grouping before having to actually contact cousin strangers!

    • Erin –
      The privacy page does not require a log in, read it here
      https://www.gedmatch.com/policy.php
      Gedmatch was founded by volunteers as a place where people could compare Gedcoms then later a place where people who had tested at different DNA companies could compare results. I have met one of the founders and worked online with the other. They are both fine folk. This is not a large for profit company. They have day jobs (or used to) but as it got so popular they had to take money to afford their servers.
      To protect identity many people set up a separate email account at gmail and use a pseudonym.
      But frankly, unless you have a medical condition you need privacy for, it hardly matters in my opinion. These DNA tests are just a small sample of your DNA, like a finger print. You leave your DNA everywhere… Do you ever watch Bones? Easy for anyone to get if they want it.

  18. Your points are excellent Kitty, however there is a very real threat to gedmatch.com users, and that is when another user runs admixture tests on your kit and then publishes the data online without your permission. This past week I have been working on having my personal data scrubbed from anthrogenica.com, theapricity.com, forumbiodiversity.com, and eupedia.com. To have my admixture test uploaded to the internet along with a photo, my name, and my gedmatch.com kit number, where people are invited to discuss whether I look Western European or Southern European, and where I am identified as a “German Jew” is very concerning.

  19. Kitty, I love Gedmatch but think there’s a simple change that would make it much easier for Ancestry members to use effectively. I don’t know where to make the suggestion, and wanted to try it out on you first for feasibility reasons.

    My suggestion is simple: allow Gedmatch users with Ancestry tests to indicate their Ancestry username if they so choose, perhaps in a separate column like the Gedcom column.

    My reason is based on experience: it turns out to be fairly complicated to move from a match or a list of shared matches on Gedmatch to seeing whatever trees these matches might have in a search for the MRCA. Most folks don’t post gedcoms. I’ve found that direct inquiries by email are tedious to produce and may not result in obtaining a username. But if someone is willing to be located on Ancestry by another Ancestry member without a prior email contact, help them indicate this willingness on Gedmatch by adding their Ancestry username.

    Or at least add an instruction on the Gedmatch registry form suggesting that an Ancestry username could be incorporated in each kit’s i.d. name to make it easier to find a match’s tree.

    • Mary
      That is a good and interesting suggestion. I will pass it along.
      I have found that many ancestry users have the same username on their email address as they use at ancestry or close enough for good guesswork

  20. Kitty

    WHAT IS A CRIMINAL ?

    Do you know that the FBI has “listed” NOT having a “Social Media” PRESENCE as SUSPICIOUS and an indicator > That the PERSON is a “Terrorist”
