Welcome to the future. For the low, low price of about a hundred bucks, you can choose from a bevy of companies that want to sequence your DNA and tell you what the results mean about your health, your ancestry, and your place within in the world as a whole.

That’s pretty cool.

What’s less cool is the thought that these companies might turn around and share or sell your genetic information to researchers or pharmaceutical companies.

That is decidedly uncool.

For once, the government is on the side of reason. In a blog post published December 12th of last year, the Federal Trade Commission advocates caution when dealing with these companies, specifically citing concerns about privacy and the various sites’ automatic settings.

Just what are the risks, though?

The testing companies themselves are more than willing to be partially transparent and condescending in equal measures.

Ancestry.com, which runs AncestryDNA, warns you that “wildly inaccurate articles don’t do you, the consumer, any favors. Their misleading and fear-inducing content confuses and confounds users, and generally does not help raise the level of dialog [sic] about consumer genetics privacy.”

Eric Heath, Chief Privacy Officer at Ancestry, and the man behind the above quote has accomplished a trifecta of bad PR in just these two sentences:

  1. He tries to discredit the company’s critics. (wildly inaccurate . . . misleading and fear-inducing).
  2. He insults the readers’ intelligence. (Reading criticism will leave you “confuse[d] and confound[ed]”).
  3. He suggests that the company has your best interests in mind at all times and wants to “raise the level of dialog[ue]” surrounding genetic testing.

And maybe this is all unintentional and he’s being genuine, but, as in all situations, we have to evaluate the company’s actions against his words.

And that means evaluating the Terms of Service (ToS).

We’re digging specifically into Ancestry’s Terms of Service because it seems to be regarded as one of the better ones issued by a DNA-testing company. It was also updated in December, meaning that it is pretty up-to-date with how the industry is approaching the situation as a whole. Though, I would like to point out that Ancestry did take the time to write a new ToS, which isn’t something one does unless the critics are on to something. Ironic.

To set the stage, I want to point out that people’s major concerns with DNA-testing companies involve privacy, as there are cases where having that information revealed to an insurance company or a potential employer might cause issues. The other big concern is over the sale of genetic information to third parties, something that shouldn’t be possible, as the companies in question don’t, or shouldn’t, own your DNA.

This is important because the companies have incentive to play both ends—charging you to sequence your DNA and give you relevant results, then turn around and sell that code to parties who are interested in it, such as the pharmaceutical industry.

So, let’s dig into Ancestry’s ToS to see just what they’re giving themselves the right to do.

The relevant section can be found here, and is titled “Ownership of Personal Information, Additionally User Information and User Provided Content.”

It reads “[b]y using the Services, you grant us the right to collect, host, transfer, process, analyze, communicate and store your Personal Information (including your Genetic Information) and Additional User Information in order to (a) provide the Services to you and other users, (b) for the purposes described in these Terms and our Privacy Statement . . .”

Looking at the privacy statement reveals that “Ancestry does not share your individual Personal Information (including your Genetic Information) with third-parties without your additional consent other than as described in this Privacy Statement. In particular, we will not share your Genetic Information with insurance companies, employers, or third-party marketers without your express consent.”

Well, the first sentence was great. The second sentence is quite concerning, as it modifies the broad claim given in the first, limiting the list of entities with which they will not share information. Importantly, both researchers and pharmaceutical companies are absent from the list.

Furthermore, Ancestry goes on to list five more circumstances in which your genetic information might be shared. Three appear fairly benign, as one is opt-in (sharing with other Ancestry members), one is required to sequence the genetics (sharing with Service Providers), and one is legally necessary (sharing in order to comply with a valid legal process, such as a warrant).

Two are concerning. Ancestry has a set of so-called “research partners” with whom they will share information if you agree to the Informed Consent to Research. While this is a step in the right direction, the specific legal wording suggests that if Ancestry does not label an organization as a “research partner,” then they maintain the right to share your information without your consent.

The second concerning bullet point warns that if Ancestry is acquired “or transferred to another entity . . . we will share your Personal Information with that entity.”

Consequently, a pharmaceutical company could get around the restrictions in the ToS by just purchasing Ancestry, which isn’t completely out of the question. The fact that this warning exists suggests that such a thing could conceivably happen, similarly to how Humble Bundle altered its ToS and the way data was handled before being bought by IGN.

It seems that Ancestry in particular and the industry as a whole are trying hard to appear “not very nefarious,” just with giant asterisks attached. The fact that the company refuses to come out and say, in an unqualified manner, that your genetic information is not being sold suggests that that is indeed what is happening.

This is especially concerning considering that unlike most data, the data in question here is yours. I think there’s a compelling argument that you could not transfer ownership to another entity even if you wanted to and that all uses of it would require your fully-informed and completely explicit consent, something these companies appear to be working hard to prevent you from having.