Dutch Genealogy More Private

by Bradley Jansen June 5th, 2016 9:52 am

There is an interesting article on Dutch genealogy circulating on Facebook that caught my attention.  In particular, there is a point of how the Dutch genealogists are more respectful of privacy.  "Differences between Genealogy in the Netherlands and the US" by Yvette Hoitink offers some good insight into genealogy in the Netherlands which includes this section:

10: Privacy

Dutch society puts a much higher value on privacy than American society. In the Netherlands, privacy laws restrict access to records of people who were born less than 100 years ago. This makes it difficult to trace living cousins. As a professional genealogist in the Netherlands, you need a private investigator license to research living people; one of the reasons I do not offer this service. In the US, much more information is part of public records, and available to anyone.

The full article can be read here:



Consent to share DNA Test Results

by Kenneth H. Ryesky January 20th, 2016 10:19 am

Michael Cole swabbed his cheek and had Family Tree DNA (FTDNA) run a DNA test.  He then became exercised that (A) FTDNA posted his full DNA results on one of the FTDNA Project pages; and (B) shared his results with RootsWeb.


Cole is now the lead plaintiff in a class action lawsuit against Gene by Gene, Ltd. the actual legal name of the entity that does business as Family Tree DNA.  He has enlisted (or, perhaps, been enlisted by) Edelson, PC, a Chicago law firm that specializes in, among other things, class action litigation.  This is not necessarily a bad thing.  There are bona fide abuses whose resolution is best accomplished in the context of class action litigation.  Quite often, however, the lawyers for the plaintiffs are the disproportionate beneficiaries of class action litigation.  This posting posits no accusation or value judgment in such regard with respect to the subject litigation; as will be discussed presently, the litigation is likely far from finished and its outcome is not certain at this time.


Gene by Gene had purchased several liability insurance coverage policies from the Evanston Insurance Co.  Evanston sought to decline coverage, but the U.S. District Court for the Southern District of Texas has ruled that Evanston indeed has the duty to defend Gene by Gene under the policies.


Under insurance law, the duty to defend is broader than the duty to indemnify.  Evanston must engage an independent attorney to defend Gene by Gene; they cannot just assign their own in-house lawyers (which would constitute an obvious conflict of interest).  The lawyer they engage for Gene by Gene will have the duty to zealously advocate for Gene by Gene.


This case is likely to be in litigation for some time to come.  It may well set precedent for various issues, including but not limited to (1) what are the voluntary consent standards posting an individual's DNA on the Internet; (2) what are the permissible bounds for DNA testing firms to share their information with one another; (3) what actions must and must not be taken to safeguard the privacy of DNA test results; and (4) what is the value of genetic privacy.


The Ancestry Insider on Ancestry.com's Privacy Policy Changes

by Bradley Jansen July 10th, 2015 2:54 pm

In addition to the red-line analysis of Thomas MacEntee, my previous comments here and here and Judy Russell's observations, I wanted to point out that The Ancestry Insider has a very useful write up:


Of importance:

By using any of Ancestry’s family of websites, you consent to let users share your family history information with users of any of Ancestry’s websites, including fold3.com, newspapers.com, findagrave.com, archives.com, and any other website on which Ancestry provides a link to this privacy policy page. Does that means stuff on Find A Grave can be shared with users of Ancestry.com?

You consent to allow Ancestry to monitor, collect, and share with other users information about your activities on their websites, such as the courses you’ve taken on Ancestry Academy.

Additionally, they say, "Ancestry reminds users that it publishes legally available personal information on records about you." and "While Ancestry will generally send marketing information to you by email, you consent to contact by direct mail or even by telephone."

The whole write up is well worth the read.

But some comments on the Technology for Genealogy page on Facebook suggest that when The Ancestry Insider says "You can easily opt out of the emails" that it might not really be so easy.  If Ancestry.com says one can opt-out of some selling and sharing of personal information easily, their customers should be able to do so.  If not, please speak up!


Ancestry updates privacy terms: DNA and more

by Judy Russell July 9th, 2015 11:53 am

[Cross-posted from The Legal Genealogist]

Privacy terms and conditions have been updated at AncestryDNA and at all of Ancestry's other services, such as the main Ancestry.com site, Fold3.com and Newspapers.com.

The changes, overall, are minor.

AncestryDNA privacy changes

Privacy terms and conditions have been updated at AncestryDNA (and, by the way, at all of Ancestry's other services, such as the main Ancestry.com site, Fold3.com and Newspapers.com).

The privacy terms at AncestryDNA were updated 12 June 2015 and the changes affect “visitors and new users registering on the Website on or after June 12th, 2015, and ... all users already registered on the Website on or after July 12th, 2015.”1

And the changes in those privacy terms are really very minor -- but they incorporate a change from earlier this year that The Legal Genealogist (and everybody else) missed.

Now, a reminder: terms and conditions -- terms of use -- are “the limits somebody who owns something you want to see or copy or use puts on whether or not he’ll let you see or copy or use it.”2 In this case, the terms of use govern whether we can use the AncestryDNA service and, if we do, what rights we’re giving AncestryDNA.

As savvy online genealogists we all know that we should read every last word of the terms of use and understand them before we agree to them by using a website.

And as human beings in a technological age we still generally just click through because, after all, what choice do we have? If we want to use AncestryDNA — and we do — we have to agree to the changes.

So what are we agreeing to this time?

Nothing that’s a whole lot different from what we’ve agreed to in the past -- though -- again -- there was a change earlier this year that we all missed.

Right from the very beginning, in its very first terms of use, the AncestryDNA service's terms appear to have permitted it to take our data and our information, strip off personally-identifying parts like our names and our addresses, aggregate it with data from other customers and use it to “research human genetic diversity.”3 While the original 2013 terms made it sound like that could happen only if we also signed a specific consent agreement, reading the document as a whole, that's not so clear.

That's because those original terms also gave AncestryDNA very broad rights to use non-personal information: “Because non-personal information does not personally identify you, we may use such non-personal information for any purpose. In addition, we reserve the right to share such non-personal information, with our Group Companies and with other third parties, for any purpose.”4

Then in February of this year, AncestryDNA amended its terms in a change that, frankly, I missed completely. The February change amplified the previous terms to include that AncestryDNA was allowed to conduct research to “internally analyze Users’ results to make discoveries in the study of genealogy, anthropology, evolution, languages, cultures, medicine, and other topics. In addition, if you voluntarily agreed to the Research Project Informed Consent we may use the Results and other information for the purposes of collaborative research and publication and in accordance with the Informed Consent.”5

That February 2015 privacy statement also said:

Subject to the restrictions described in this Privacy Statement and applicable law, we may use personal information for any reasonable purpose related to the business, including to communicate with you, to provide you information about Ancestry’s and AncestryDNA’s products and services, to respond to your requests, to update our product offerings, to improve the content and User experience on the AncestryDNA Website, to let you know about offers of interest from AncestryDNA or Ancestry, and to prepare and perform demographic, benchmarking, advertising, marketing, and promotional studies.6>

So... since February 20th, we've all been bound by these new terms (and yes, you can delete your test and the results, but subject to the caveat that anything you've shared with others could have been copied and may be kept by those others).

Now... is this a change worth getting up in arms over?

Ummmm... no.

To provide us with accurate analyses of our own DNA results, any DNA testing company should “internally analyze Users’ results to make discoveries in the study of genealogy, anthropology, evolution, languages, cultures, medicine, and other topics.” The more internal analysis of user data that's undertaken, the better the matching algorithms, ethnicity estimates and the like may be.

As long as the use of data outside of a testing company is controlled by “the Research Project Informed Consent ... in accordance with the Informed Consent,” there's absolutely nothing wrong with a testing company using its customer data to produce a better result for its customers.

Sure, that should have been in the terms of use from the outset, but it really is a pretty basic concept, isn't it? How do you know you're doing it right unless you're constantly reviewing your customer data to doublecheck whether your analysis is standing the test of time?

So... the current changes. What about them? What actually has changed in this latest round of privacy terms updates is -- to coin a phrase -- not much:

• The terms now clarify that any comments you post on the website are part of the information that may be read, collected, and used by others.

• The terms now specify that one of the things AncestryDNA can use your personal information for is “to help you and others discover more about your family.”

• The terms note that there will be a “‘DNA Alert’ setting that will allow Ancestry to send you notifications for genetic matches, profile updates, and other DNA-related informational alerts.”

And that's really pretty much all that's changed in this latest round of changes at AncestryDNA.

Ancestry's other privacy changes

Ancestry is also in the process of updating its terms of use, applicable to all of its non-DNA-related websites, including Ancestry.com, Fold3.com, Newspapers.com and Ancestry Academy.

The update -- a minor rewrite of its privacy statement -- applies to “visitors and new users registering on any of the Websites on or after June 26, 2015 and to all users already registered or subscribing to any of the Websites on or after July 26, 2015.”7

In this first update since 1 August 2014, there are no surprises and no major changes -- just some tweaks.

First and foremost, the privacy statement now applies to the newly-launched Ancestry Academy -- the partly-free, partly-subscription-based learning center that began operations earlier this year. Many of the changes in the privacy statement simply add Ancestry Academy to the list of websites affected.

Second, the new terms make it clear that anything -- anything at all -- that you choose to make public on any website Ancestry operates is... well... public. Among the things Ancestry will make use of, if you choose to use any of the Ancestry websites:

• “Your background, interests, and activity on the Websites.”

• “Your age, gender, background and interests ... such as in your user profile.”

• “Information about some of your activity on the Website, such as historical records you save or Ancestry Academy courses you've taken.”

• “Personal information about yourself and others in the course of doing research on our Websites, e.g., adding a photo, adding information about a historical person, creating family trees, or sharing a photo with another user through our Services.”

• “Any comments on the Websites or ... in community discussions, chats, communications with us or between you and other users... (and) any information you provide in these areas may be read, collected, and used by others who access them.”8

None of this “your information may be shared” stuff is new. You can go online and read the prior terms, posted 1 August 2014, and all of that “your information may be shared” stuff is there too.9 And you can go back to the terms before that, posted 28 June 2013, and all of that “your information may be shared” stuff is there too.10

In fact, the earliest online version I can find -- from 2010 -- says essentially the same thing:

As a member of Ancestry.com, you can also chose to share further information about yourself, your activity on the site, and your background and interests, with other members of the site. ... Information about some of your activity on the site... may also be shared with other members in order to help you connect with others researching similar ancestors. ... To help you connect with other members researching similar ancestors, by default new accounts are set up to allow other members to learn about things you publicly add or post to the site, as well as some personal research activities (such as saving historical records to your Shoebox or private member tree).11

So if you don't like the Ancestry terms of use, what can you do? Under the agreement, you have one -- and only one -- choice: don't use the Ancestry websites. The terms explicitly provide that: “If you do not consent to any changes to our Privacy Statement and as a result you would like us not to use or hold personal information about you in accordance with the revised terms, you may notify us here so we can discontinue your account.”12


1. AncestryDNA Privacy Statement, June 12, 2015, AncestryDNA (http://dna.ancestry.com/ : accessed 4 July 2015).

2. See Judy G. Russell, “Reprise: a terms of use primer,” The Legal Genealogist, posted 29 Apr 2015 (http://www.legalgenealogist.com/blog : accessed 4 July 2015).

3. AncestryDNA Privacy Statement, March 20, 2013, AncestryDNA (http://dna.ancestry.com/ : accessed 4 July 2015).

4. Ibid.

5. AncestryDNA Privacy Statement, February 20, 2015, AncestryDNA (http://dna.ancestry.com/ : accessed 4 July 2015).

6. Ibid.

7. Ancestry Privacy Statement, June 26, 2015, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).

8. Ibid.

9. Ancestry Privacy Statement, August 1, 2014, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).

10. Ancestry Privacy Statement, June 28, 2013, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).

11. Privacy Statement, December 14, 2010, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).]

12. Ancestry Privacy Statement, June 26, 2015, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).


More on Ancestry.com's Privacy Policy

by Bradley Jansen July 7th, 2015 1:56 pm

I recently brought to attention Thomas MacEntree's redline analysis of the updated privacy policy at Ancestry.com here:


along with a few thoughts of my own to put it in perspective.  My main point was to hark back to warnings I've been making for years that privacy policies of companies can change--even against the company's expressed wishes (such as in bankruptcy proceedings).

In addition to my 2002 commentary, my Center for Financial Privacy and Human Rights signed on to comments to the Federal Trade Commission on a related issue in 2009 (PDF):


which read, in part:

The issue of whether data about me is “my data”, or is actually owned by commercial
entities that have collected or obtained it, is most important when such a company goes bankrupt.

No consumer actually intends to agree, when they provide personal information to a
business, that if the company goes bankrupt, that personal information not only can but should
and must be sold to the highest bidder for the sole benefit of the company's creditors, not the
individuals to whom that data pertains. In assuming this, the bankruptcy laws flagrantly violate
any reasonable or likely understanding of consumers actual expectations.

The possibility of a bankruptcy auction of a personal data archive about consumers is not
limited, of course, to the possibility of bankruptcy of a travel company...

Reform of the bankruptcy laws is urgently needed to protect personal information about consumers, which they provided to a particular company for a particular purpose, from being sold at bankruptcy auction to an unrelated third party, most likely a data mining or direct marketing company, without the consent of the individuals to whom this data pertains. And the potential bankruptcy liquidation of a travel company is clearly the paradigmatic case of the danger posed by the current lack of protection in bankruptcy law for personal information.

I also neglected to mention how the importance of this issue has been gathering public attention.  Let me rectify that now.  The New York Times has an article out "When a Company Is Put Up for Sale, in Many Cases, Your Personal Data Is, Too" repeating my warning from years ago about the change of data policies when a company changes hands.  From the article citing the privacy policy of a major online video company, it says

That respect could lapse, however, if the company is ever sold or goes bankrupt. At that point, according to a clause several screens deep in the policy, the host of details that Hulu can gather about subscribers — names, birth dates, email addresses, videos watched, device locations and more — could be transferred to “one or more third parties as part of the transaction.” The policy does not promise to contact users if their data changes hands.

The article then went on to cite the bankruptcy case Toysmart.com I wrote about at the time.  The NYTs article does offer some hope.  It relates the story of how the Texas Attorney General's office intervened to protect the consumer data privacy of the online dating site True.com which was going through a bankruptcy proceeding.

I guess the moral of that story is that we'd have to argue genealogy sites are really like online dating sites!


Ancestry's Privacy Policy Change

by Bradley Jansen June 30th, 2015 2:21 pm

If you haven't heard, Ancestry.com has changed it's privacy policy.  Over at geneabloggers, Thomas MacEntee has a wonderful post red-lining the changes.  See this PDF linked here:


More generally, it's a good idea to follow news on developments not only of changes to privacy policies, but other corporate news as well.  Companies get bought and sold, and these ownership changes may bring changes to the privacy policies or other data use issues.

Similarly, sometimes companies go out of business (I am NOT trying to start a rumor about Ancestry.com or any other genealogy company!), and what happens to the data might be different in a bankruptcy proceeding than the company's stated privacy or other policies may indicate.

Some years ago, I wrote an op-ed "Our Bankrupt Privacy Policies" on exactly how the Federal Trade Commission approved the prostitution of personal consumer data in a bankruptcy proceeding.  Toysmart.com had a privacy policy saying, “When you register with Toysmart.com, you can rest assured that your information will never be shared with a third party."  Despite this clear statement, the FTC approved the selling of that information to a third party buyer.

In short, don't post or share any information--especially Personally Identifiable Information (PII) of living people--that you wouldn't want shared when privacy policies change or company ownership changes--especially if it goes out of business and bankruptcy proceedings put your personal information on the selling block.


Genealogists as Stakeholders in Digital Ecosystem Cybersecurity

by Kenneth H. Ryesky March 19th, 2015 7:01 am

[I am now very heavily preoccupied, as never before, with various and sundry personal and professional burdens and deadlines and agendas, so this posting will necessarily be superficial.].

Today's Federal Register [80 F.R. 14360] includes a Notice by the Department of Commerce, National Telecommunications and Information Administration requesting public comment " to identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers."


It is definitely in the genealogy community's interest to take advantage of this invitation to weigh in with comments.  Imprimis, we will be affected by whatever rules and schemes come out on the topic.  Moreover, as alluded to in more than one prior Genealogical Privacy posting, we cannot allow ourselves to be seen as an obstacle to privacy; indeed, we need to engage in responsible privacy practices, even as we access and analyze some very personal facts and statistics.


We have been given the opportunity to submit input into a process that will, in some way, shape, or form, affect how we operate -- for better or for worse.


The comment deadline is 18 May 2015.





Update to posting of 23 April 2014 ("What's Behind the Adoption"):

by Kenneth H. Ryesky March 15th, 2015 12:17 am

Update to posting of 23 April 2014 ("What's Behind the Adoption"):

Quite unsurprisingly, the case is still unresolved and further court actions have transpired.

Firstly, there was an appeal to the Appellate Division, but, but for whatever reason, that was withdrawn.

More significantly, the Surrogate's Court granted the injunction against the Trustees, enjoining them from seeking any resolution in the Texas courts regarding the July 2012 settlement. "This court continues to defer to the Texas court on the question of whether the Texas orders of adoption at issue can be vacated or voided based on any theory pled, cognizable, and proved in Texas."

[This latest Surrogate's Court decision, entered on 6 March 2015, has not yet been picked up by the New York State Reporter, but did appear in the New York Law Journal of 10 March 2015, at p. 22, col. 6 - p.23, col. 1. It also is in the Dow-Jones Factiva database, Factiva document #

It is, of course, too early to call the end result of the litigation, but my personal call is that the adoptions will stand. But even if they don't, I stand by my contentions in the last two paragraphs of the 23 April 2014 posting:

" Never mind that there obviously was a scheme involved here, the propriety of which shall not now be taken to the mats. The decision in the case brings forth some questions hitting at the intersection of genealogy and privacy. What are the uses and misuses of adoption? How, if at all, should adult adoptions be treated differently than infant adoptions or pre-teen adoptions or teenager adoptions? How open or private should side deals behind adoptions be?

Regardless of whether or not this particular court decision stands (the dollars at stake here may well be impetus for an appeal), these questions will likely be reprised somewhere, at some future time, in some form."


Privacy at RootsTech

by Bradley Jansen February 9th, 2015 1:43 pm

If anyone will be attending RootsTech later this week and/or the Federation of Genealogical Societies conference, I'd like to highly recommend an unconferencing session: RT1922 "Genealogists, Technologists, Privacy Advocates: We REALLY Need to Talk!"

The session by Fred Moss and Jim Dempsey will address some important issues:

  • How the Internet is changing our lives
  • Resolving “Big Data” issues
  • Interests of the genealogical community
  • Genealogists share Privacy Concerns "Family Historians and their families are as vulnerable to the predations of identity thieves as any other citizen. Those who believe that genealogists are reckless with Personally Identifiable Information might be pleasantly surprised at some of the measures taken by websites and individual researchers. Our belief is that dialogue among genealogists, technologists, and privacy advocates offers the best potential for developing even better protective measures." 
  • Recent initiatives to restrict access to records

The syllabus can be found here:


The talk will be Friday (Feb. 13) in 251A at 4:00 pm.


Happy Data Privacy Day!

by Bradley Jansen January 28th, 2015 12:00 pm

Every year on January 28th since 2007, we celebrate Data Privacy Day (Data Protection Day to our European friends) going back to the start of the  Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.  The most important and pressing data privacy issue in the United States today is the fight to update the Electronic Communications Privacy Act.

The law that governs the privacy protections of your electronic communications (ECPA) such as text messaging, cloud computing, etc., was passed in 1986.  Needless to say, the general consensus is that the law needs updating. The Digital Due Process (DDP) coalition brings together a broad spectrum of groups from the left, including the American Civil Liberties Union, and the right including Americans for Tax Reform, as well as privacy groups, technology companies including Google, Microsoft, HP, Yahoo, Facebook, etc.

Importantly to this blog, I have to point out that the Records Preservation and Access Committee (RPAC) representing a more than critical mass of the genealogical community is part of DDP and helping in the fight to update ECPA.  Many of the reasons are spelled out in this letter to US Sen. Orin Hatch.

Yes, the genealogy community is active in the struggle to protect privacy.  For another example, check out Judy Russell's excellent post earlier today on this blog.

So here are some good privacy guidelines for genealogists:

  • Consent matters, as Judy explains.  Which dovetails with the general privacy principle of not sharing Personally Identifiable Information (PII) of living people without their consent, and
  • Law enforcement should need a warrant for content (except under well-established exceptions)--the Fourth Amendment should apply to the physical world and the digital one.

The more genealogists work to and respect privacy, the fewer problems we'll have with others wanting to restrict records access.


Next Page »