avatar

Ancestry's Privacy Policy Change

by Bradley Jansen June 30th, 2015 2:21 pm

If you haven't heard, Ancestry.com has changed it's privacy policy.  Over at geneabloggers, Thomas MacEntee has a wonderful post red-lining the changes.  See this PDF linked here:

http://www.geneabloggers.com/wp-content/uploads/2015/06/COMPARE-ACOM-POS-20140801-20150626.pdf

More generally, it's a good idea to follow news on developments not only of changes to privacy policies, but other corporate news as well.  Companies get bought and sold, and these ownership changes may bring changes to the privacy policies or other data use issues.

Similarly, sometimes companies go out of business (I am NOT trying to start a rumor about Ancestry.com or any other genealogy company!), and what happens to the data might be different in a bankruptcy proceeding than the company's stated privacy or other policies may indicate.

Some years ago, I wrote an op-ed "Our Bankrupt Privacy Policies" on exactly how the Federal Trade Commission approved the prostitution of personal consumer data in a bankruptcy proceeding.  Toysmart.com had a privacy policy saying, “When you register with Toysmart.com, you can rest assured that your information will never be shared with a third party."  Despite this clear statement, the FTC approved the selling of that information to a third party buyer.

In short, don't post or share any information--especially Personally Identifiable Information (PII) of living people--that you wouldn't want shared when privacy policies change or company ownership changes--especially if it goes out of business and bankruptcy proceedings put your personal information on the selling block.


avatar

Genealogists as Stakeholders in Digital Ecosystem Cybersecurity

by Kenneth H. Ryesky March 19th, 2015 7:01 am

[I am now very heavily preoccupied, as never before, with various and sundry personal and professional burdens and deadlines and agendas, so this posting will necessarily be superficial.].

Today's Federal Register [80 F.R. 14360] includes a Notice by the Department of Commerce, National Telecommunications and Information Administration requesting public comment " to identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers."

 

It is definitely in the genealogy community's interest to take advantage of this invitation to weigh in with comments.  Imprimis, we will be affected by whatever rules and schemes come out on the topic.  Moreover, as alluded to in more than one prior Genealogical Privacy posting, we cannot allow ourselves to be seen as an obstacle to privacy; indeed, we need to engage in responsible privacy practices, even as we access and analyze some very personal facts and statistics.

 

We have been given the opportunity to submit input into a process that will, in some way, shape, or form, affect how we operate -- for better or for worse.

 

The comment deadline is 18 May 2015.

 

 

 


avatar

Update to posting of 23 April 2014 ("What's Behind the Adoption"):

by Kenneth H. Ryesky March 15th, 2015 12:17 am

Update to posting of 23 April 2014 ("What's Behind the Adoption"):

Quite unsurprisingly, the case is still unresolved and further court actions have transpired.

Firstly, there was an appeal to the Appellate Division, but, but for whatever reason, that was withdrawn.

More significantly, the Surrogate's Court granted the injunction against the Trustees, enjoining them from seeking any resolution in the Texas courts regarding the July 2012 settlement. "This court continues to defer to the Texas court on the question of whether the Texas orders of adoption at issue can be vacated or voided based on any theory pled, cognizable, and proved in Texas."

[This latest Surrogate's Court decision, entered on 6 March 2015, has not yet been picked up by the New York State Reporter, but did appear in the New York Law Journal of 10 March 2015, at p. 22, col. 6 - p.23, col. 1. It also is in the Dow-Jones Factiva database, Factiva document #
NYLJ000020150310eb3a00016.].

It is, of course, too early to call the end result of the litigation, but my personal call is that the adoptions will stand. But even if they don't, I stand by my contentions in the last two paragraphs of the 23 April 2014 posting:

" Never mind that there obviously was a scheme involved here, the propriety of which shall not now be taken to the mats. The decision in the case brings forth some questions hitting at the intersection of genealogy and privacy. What are the uses and misuses of adoption? How, if at all, should adult adoptions be treated differently than infant adoptions or pre-teen adoptions or teenager adoptions? How open or private should side deals behind adoptions be?

Regardless of whether or not this particular court decision stands (the dollars at stake here may well be impetus for an appeal), these questions will likely be reprised somewhere, at some future time, in some form."


avatar

Privacy at RootsTech

by Bradley Jansen February 9th, 2015 1:43 pm

If anyone will be attending RootsTech later this week and/or the Federation of Genealogical Societies conference, I'd like to highly recommend an unconferencing session: RT1922 "Genealogists, Technologists, Privacy Advocates: We REALLY Need to Talk!"

The session by Fred Moss and Jim Dempsey will address some important issues:

  • How the Internet is changing our lives
  • Resolving “Big Data” issues
  • Interests of the genealogical community
  • Genealogists share Privacy Concerns "Family Historians and their families are as vulnerable to the predations of identity thieves as any other citizen. Those who believe that genealogists are reckless with Personally Identifiable Information might be pleasantly surprised at some of the measures taken by websites and individual researchers. Our belief is that dialogue among genealogists, technologists, and privacy advocates offers the best potential for developing even better protective measures." 
  • Recent initiatives to restrict access to records

The syllabus can be found here:

https://rootstech.org/bc/content/pdfs/Class-Syllabus/RootsTech/RT1922_WeReallyNeedToTalk_Dempsey_Moss.pdf?lang=eng

The talk will be Friday (Feb. 13) in 251A at 4:00 pm.


avatar

Happy Data Privacy Day!

by Bradley Jansen January 28th, 2015 12:00 pm

Every year on January 28th since 2007, we celebrate Data Privacy Day (Data Protection Day to our European friends) going back to the start of the  Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.  The most important and pressing data privacy issue in the United States today is the fight to update the Electronic Communications Privacy Act.

The law that governs the privacy protections of your electronic communications (ECPA) such as text messaging, cloud computing, etc., was passed in 1986.  Needless to say, the general consensus is that the law needs updating. The Digital Due Process (DDP) coalition brings together a broad spectrum of groups from the left, including the American Civil Liberties Union, and the right including Americans for Tax Reform, as well as privacy groups, technology companies including Google, Microsoft, HP, Yahoo, Facebook, etc.

Importantly to this blog, I have to point out that the Records Preservation and Access Committee (RPAC) representing a more than critical mass of the genealogical community is part of DDP and helping in the fight to update ECPA.  Many of the reasons are spelled out in this letter to US Sen. Orin Hatch.

Yes, the genealogy community is active in the struggle to protect privacy.  For another example, check out Judy Russell's excellent post earlier today on this blog.

So here are some good privacy guidelines for genealogists:

  • Consent matters, as Judy explains.  Which dovetails with the general privacy principle of not sharing Personally Identifiable Information (PII) of living people without their consent, and
  • Law enforcement should need a warrant for content (except under well-established exceptions)--the Fourth Amendment should apply to the physical world and the digital one.

The more genealogists work to and respect privacy, the fewer problems we'll have with others wanting to restrict records access.

 


avatar

A matter of consent

by Judy Russell January 28th, 2015 10:00 am

[Cross-posted from The Legal Genealogist]

Ask first

The question posed to The Legal Genealogist on January 18th was whether the cousin who had paid for a DNA test should share the results with the cousin who took the DNA test.

The no-brainer answer is yes.1 Just because you paid for a test doesn't mean you can close off the results to the cousin whose DNA was tested.

blurAs noted then, we now have working standards for genetic genealogists to consult when it comes to ethical questions like this.2 And the applicable ethical standard here is that “Genealogists believe that testers have an inalienable right to their own DNA test results and raw data, even if someone other than the tester purchased the DNA test.”3

In the interim, the question that came in was about the flip side of this issue: whether the cousin who paid for the test should share the results far and wide -- with the name of the tested cousin, usually, still attached.

That answer should also be a no-brainer.

Unless you have consent, the answer is no.

No, no, no.

And in case that isn't clear enough:

No.

The ethical standards are as clear on this as they were on the first question: “Genealogists respect all limitations on reviewing and sharing DNA test results imposed at the request of the tester. For example, genealogists do not share or otherwise reveal DNA test results (beyond the tools offered by the testing company) or other personal information (name, address, or email) without the written or oral consent of the tester.”4

Even when it comes to writing about DNA results for scholarly research, the standards require that:

When lecturing or writing about genetic genealogy, genealogists respect the privacy of others. Genealogists privatize or redact the names of living genetic matches from presentations unless the genetic matches have given prior permission or made their results publicly available. Genealogists share DNA test results of living individuals in a work of scholarship only if the tester has given permission or has previously made those results publicly available.5

What this means, put in simple terms, is that we should not take a screen capture of DNA results from a testing company and post it in a blog post or on Facebook with the names or pictures of our matches still attached unless we've asked those matches specifically if we can post it.

And this isn't a new idea, springing out of genetic genealogy alone. This is the long-time ethical standard of the genealogical community. This concept of protecting the privacy of living people can be found for example in:

• The Code of Ethics of the Board for Certification of Genealogists, which requires that board-certified genealogists pledge that: “I will keep confidential any personal or genealogical information given to me, unless I receive written consent to the contrary.”6

• The Standards for Sharing Information with Others of the National Genealogical Society, which advises us to “respect the restrictions on sharing information that arise from the rights of another ... as a living private person; ... inform people who have provided information about their families as to the ways it may be used, observing any conditions they impose and respecting any reservations they may express regarding the use of particular items... (and) require some evidence of consent before assuming that living people are agreeable to further sharing of information about themselves.”7

• The Code of Ethics of the International Association of Jewish Genealogical Societies, which notes that “If data is acquired that seems to contain the potential for harming the interests of other people, great caution should be applied to the treatment of any such data and wide consultation may be appropriate as to how such data is used. ... Generally, a request from an individual that certain information about themselves or close relatives be kept private should be respected.”8

So as responsible genetic genealogists we don't just take a screen shot and post it. We take a second, using the tools in every photo program out there -- including my favorite free program Irfanview -- and blur out the names or photos of our matches as you can see in the image above of my own AncestryDNA results.

Or we do something really unusual.

We ask first.


SOURCES

1. Judy G. Russell, “Whose DNA it is anyway?,” The Legal Genealogist, posted 18 Jan 2015 (http://www.legalgenealogist.com/blog : accessed 24 Jan 2015).
2. See ibid., “DNA: good news, bad news,” The Legal Genealogist, posted 11 Jan 2015.
3. Paragraph 3, Standards for Obtaining, Using, and Sharing Genetic Genealogy Test Results, “Genetic Genealogy Standards,” GeneticGenealogyStandards.com (http://www.geneticgenealogystandards.com/ : accessed 18 Jan 2015).
4. Ibid., paragraph 8.
5. Ibid., paragraph 9.
6. “Code of Ethics and Conduct,” Board for Certification of Genealogists (http://bcgcertification.org/ : accessed 24 Jan 2015).
7. Standards for Sharing Information with Others, 2000, PDF, National Genealogical Society (http://www.ngsgenealogy.org/ : accessed 24 Jan 2015).
8. “IAJGS Ethics for Jewish Genealogists,” International Association of Jewish Genealogical Societies (http://www.iajgs.org/ : accessed 24 Jan 2015).


avatar

Genetic Genealogical Privacy Standards

by Bradley Jansen January 18th, 2015 1:12 pm

The Genetic Genealogy Standards Committee recently came out with a document on Genetic Genealogy Standards that can be found here:

http://www.thegeneticgenealogist.com/wp-content/uploads/2015/01/Genetic-Genealogy-Standards.pdf

My take at first blush is that it's good that the genealogy community continues to update its standards with the times--and that it increasing recognizes the importance of privacy in those standards.

For example, there are several sections where the standards address areas of concern to this blog:

2. Testing With Consent. Genealogists only obtain DNA for testing after receiving consent, written or oral, from the tester. In the case of a deceased individual, consent can be obtained from a legal representative. In the case of a minor, consent can be given by a parent or legal guardian of the minor. However, genealogists do not obtain DNA from someone who refuses to undergo testing.1

3. Raw Data. Genealogists believe that testers have an inalienable right to their own DNA test results and raw data, even if someone other than the tester purchased the DNA test.

6. Privacy. Genealogists only test with companies that respect and protect the privacy of testers. However, genealogists understand that complete anonymity of DNA tests results can never be guaranteed.

7. Access by Third Parties. Genealogists understand that once DNA test results are made publicly available, they can be freely accessed, copied, and analyzed by a third party without permission. For example, DNA test results published on a DNA project website are publicly available.

8. Sharing Results. Genealogists respect all limitations on reviewing and sharing DNA test results imposed at the request of the tester. For example, genealogists do not share or otherwise reveal DNA test results (beyond the tools offered by the testing company) or other personal information (name, address, or email) without the written or oral consent of the tester.

9. Scholarship. When lecturing or writing about genetic genealogy, genealogists respect the privacy of others. Genealogists privatize or redact the names of living genetic matches from presentations unless the genetic matches have given prior permission or made their results publicly available. Genealogists share DNA test results of living individuals in a work of scholarship only if the tester has given permission or has previously made those results publicly available. Genealogists may confidentially share an individual’s DNA test results with an editor and/or peer-reviewer of a work of scholarship. Genealogists also disclose any professional relationship they have with a for-profit DNA testing company or service when lecturing or writing about genetic genealogy.

The committee explains their process, membership, review of comments, etc., all here
http://www.geneticgenealogystandards.com

It was pointed out that many of the members on the committee have ties to 23andMe and Ancestry.com which should have been disclosed properly.

The question then remains whether the community will be able to self-regulate.  We will have to come back to this subject soon.


avatar

23andMe and Genentech reach deal on genetic research

by Bradley Jansen January 12th, 2015 11:11 am

According to a Forbes article, 23andMe has reached a very lucrative deal with Genentech--the first of nearly a dozen agreements the company has reached with pharmaceutical and biotech companies.

Explains the "Surprise! With $60 Million Genentech Deal, 23andMe Has A Business Plan" story:

Such deals, which make use of the database created by customers who have bought 23andMe’s DNA test kits and donated their genetic and health data for research, could be a far more significant opportunity than 23andMe’s primary business of selling the DNA kits to consumers. Since it was founded in 2006, 23andMe has collected data from 800,000 customers and it sells its tests for $99 each. That means this single deal with one large drug company could generate almost as much revenue as doubling 23andMe’s customer base.

“I think that this illustrates how pharma companies are interested in the fact that we have a massive amount of information,” says Anne Wojcicki, 23andMe’s chief executive and co-founder. “We have a very engaged consumer population, and these people want to participate in research. And we can do things much faster and more efficiently than any other research means in the world.”

The prospects of advances in genetic research should not be unappreciated, but the story raises the privacy implications of the 23andMe customers:

People who have bought 23andMe kits and agreed to donate their data to research (that’s about 600,000 of the company’s 800,000 customers) automatically consent for 23andMe to sequence their genomes. 23andMe says that it is also able to share anonymous and pooled data about their self-reported health traits without asking. But Genentech wants even more: it wants to look at health and genetic data on an anonymous but individual basis. For that reason, the company will have to ask customers if they want to enter the study.

Let's hope 23andMe has worked out the way to respect consumer privacy and promote genetic research!


avatar

Privacy Concerns Fuel Vital Records Access Restrictions

by Bradley Jansen December 30th, 2014 12:16 pm

Hat tip to Dick Eastman who posted "Privacy Concerns Raised about Vermont Town Reports of Births, Marriages, and Deaths" on his blog.  As he explained, "some [Pittsford,Vermont] residents are concerned that publishing birth, marriage, civil union and death names in the annual town report harms their privacy."  These concerns (sometimes very real and justified, sometimes not) are fueling the movement to restrict access to vital records that is quietly sweeping the country.  More here:

http://www.rutlandherald.com/article/20141224/THISJUSTIN/712249902

The Federation of Genealogical Societies, among other groups, has been warning about the loss of access to vital records for a few years now.  Almost a year ago, there was this update, "We expect the introduction of state legislation based on the unapproved 2011 Model Act and Regulations." referencing this report from March 2013:

The registration of births, deaths, marriages, and divorces is done on the local level, that is, by 50 states, 5 territories, the City of New York, and Washington, DC. Information contained in those records is shared with U.S. government entities such as the Social Security Administration.

To ensure successful sharing, the U.S. government has made available text that states may elect to use for law as well as for regulations describing how those laws are implemented. States are not required to conform to the Model Act and Regulations. Each state, city, or territory is free to implement laws and regulations for its own needs. Nonetheless, the Model Act can have significant impact. For example, the movement of state vital records offices into state Departments of Public Health was first advised by the 1977 version of the Model Act.

Beginning in 2009, a committee formed by the U.S. Department of Health and Human Services convened to update the 1992 Model Act. The National Association for Public Health Statistics and Information Systems (NAPHSIS) approved the update by resolution 8 June 2011. NAPHSIS is an association of representatives from the 57 states, cities, and territories. Members of the organization had participated in the drafting of the new Model Act.

Previous iterations of the Model Act have gone through periods of public feedback and revision before approval by the federal agency involved. The 2011 revision has not yet been made available for public review by DHHS (see their note here) and so it is not yet considered final. In the meantime, several state public health departments developed legislation that conformed to the unreviewed version of the Model Act. This past Friday, 1 March 2013, at noon Eastern time, NAPHSIS independently released the 2011 revision of the Model Act on its website. It can be downloaded here.

What does the new version do? It incorporates changes in technology over the twenty years since the 1992 version. It also changes the records closure periods. Please compare these periods to the ones currently in law in the states in which you research. If they differ, it would be wise to work with local genealogy societies to monitor for the introduction of state legislation affecting records closure.

  • Birth records closed for 125 years.
  • Marriage and divorce records closed for 100 years.
  • Death records closed for 75 years.

 

Unless family history researchers are comfortable with these proposed delays in access to vital records, they'd we be well served working to understand the underlying privacy concerns and actively addressing them.


avatar

EU Medical Privacy Rule Could Hamper Genealogical Research

by Bradley Jansen December 29th, 2014 8:40 am

Alan McQuinn at the Information Technology & Innovation Foundation wrote an op-ed "E.U. data privacy rules threaten medical research" recently.  He rightly raises the fact that the reality of circumstances is often more complicated than presented.  In this case, new medical privacy rules that sound great at first blush might have negative consequences for medical research and ultimately people's health.  Genealogists won't be none to pleased either.

Explains the op-ed,

Last March, the European Union proposed the General Data Protection Regulation (GDPR). The new privacy rules would dramatically harm the ability of researchers to conduct medical research throughout all of its member states. If allowed to pass in its current form, many in the medical community believe the GDPR could cost the European Union not only medical knowledge and money, but human lives as well.

The GDPR was created to protect Europeans’ personal data. In pursuit of this goal, it forces organizations that process personal data to obtain informed consent each time they want to use that data for a purpose other than for what it was originally collected. As the Center for Data Innovation’s Travis Korte has argued, while these regulations have chilling effects on many big data initiatives, their greatest potential for harm is in medical research.

He continues:

There are many solutions that could be incorporated into the GDPR to help it address these problems. For use of data after death, the GDPR should offer a mechanism to “donate your data to science,” giving blanket consent for a patient’s data to be used after their death. This would allow researchers that are studying rare diseases with limited access to patients to achieve effective sample sizes. The GDPR should also be more explicit about when organizations must seek consent to reuse data, or allow organizations to ask once to obtain consent for the reuse of data for multiple purposes. This “one-time consent” framework would reduce costs and regulatory uncertainty for organizations, as well as help address the problem of consent after death.

and concludes, "policymakers should craft narrowly targeted rules to mitigate specific harms, protect individual privacy and ensure medical research can flourish."

With genetic genealogy offering new avenues for research and medical genealogy offering real world insights that could help people with their health, we should tread carefully on how to both protect privacy and research responsibly.

Best to read the whole op-ed here:
http://fedscoop.com/eu-data-privacy-rules-threaten-derail-medical-research/


Next Page »