Judy Russell


Judy Russell is a genealogist with a law degree who helps folks understand the often arcane and even impenetrable legal concepts and terminology that are important those studying family history. She has a bachelor’s degree in political science and journalism from George Washington University in Washington, D.C. and a law degree from Rutgers School of Law-Newark. Ms. Russel has worked as a newspaper reporter, trade association writer, legal investigator, defense attorney, federal prosecutor, law editor and, for more than 20 years, she has been an adjunct member of the faculty at Rutgers Law School. She is a Colorado native with roots deep in the American south on my mother’s side and entirely in Germany on my father’s side. She is a member of the National Genealogical Society, the Association of Professional Genealogists, and, among others, the state genealogical societies of New Jersey, North Carolina, Virginia, Texas and Illinois. Ms. Russell attended the National Institute on Genealogical Research (NIGR) at the National Archives in Washington, D.C., and completed Elizabeth Shown Mills’ course inAdvanced Methodology and Evidence Analysis and Thomas W. Jones’ course in Writing and Publishing for Genealogists at the Institute of Genealogy & Historical Research (IGHR) at Samford University. She has written for both the National Genealogical Society Quarterly (see Judy G. Russell, “`Don’t Stop There!’ Connecting Josias Baker to His Burke County, North Carolina, Parents,” National Genealogical Society Quarterly, March 2011, 25-41) and the National Genealogical Society Magazine (see Judy G. Russell, “Autosomal DNA testing,” National Genealogical Society Magazine, October-December 2011, 38-43). Ms. Russell lectures on a wide variety of genealogical topics, ranging from using court records in our family history to understanding DNA testing.


Ancestry updates privacy terms: DNA and more

by Judy Russell July 9th, 2015 11:53 am

[Cross-posted from The Legal Genealogist]

Privacy terms and conditions have been updated at AncestryDNA and at all of Ancestry's other services, such as the main Ancestry.com site, Fold3.com and Newspapers.com.

The changes, overall, are minor.

AncestryDNA privacy changes

Privacy terms and conditions have been updated at AncestryDNA (and, by the way, at all of Ancestry's other services, such as the main Ancestry.com site, Fold3.com and Newspapers.com).

The privacy terms at AncestryDNA were updated 12 June 2015 and the changes affect “visitors and new users registering on the Website on or after June 12th, 2015, and ... all users already registered on the Website on or after July 12th, 2015.”1

And the changes in those privacy terms are really very minor -- but they incorporate a change from earlier this year that The Legal Genealogist (and everybody else) missed.

Now, a reminder: terms and conditions -- terms of use -- are “the limits somebody who owns something you want to see or copy or use puts on whether or not he’ll let you see or copy or use it.”2 In this case, the terms of use govern whether we can use the AncestryDNA service and, if we do, what rights we’re giving AncestryDNA.

As savvy online genealogists we all know that we should read every last word of the terms of use and understand them before we agree to them by using a website.

And as human beings in a technological age we still generally just click through because, after all, what choice do we have? If we want to use AncestryDNA — and we do — we have to agree to the changes.

So what are we agreeing to this time?

Nothing that’s a whole lot different from what we’ve agreed to in the past -- though -- again -- there was a change earlier this year that we all missed.

Right from the very beginning, in its very first terms of use, the AncestryDNA service's terms appear to have permitted it to take our data and our information, strip off personally-identifying parts like our names and our addresses, aggregate it with data from other customers and use it to “research human genetic diversity.”3 While the original 2013 terms made it sound like that could happen only if we also signed a specific consent agreement, reading the document as a whole, that's not so clear.

That's because those original terms also gave AncestryDNA very broad rights to use non-personal information: “Because non-personal information does not personally identify you, we may use such non-personal information for any purpose. In addition, we reserve the right to share such non-personal information, with our Group Companies and with other third parties, for any purpose.”4

Then in February of this year, AncestryDNA amended its terms in a change that, frankly, I missed completely. The February change amplified the previous terms to include that AncestryDNA was allowed to conduct research to “internally analyze Users’ results to make discoveries in the study of genealogy, anthropology, evolution, languages, cultures, medicine, and other topics. In addition, if you voluntarily agreed to the Research Project Informed Consent we may use the Results and other information for the purposes of collaborative research and publication and in accordance with the Informed Consent.”5

That February 2015 privacy statement also said:

Subject to the restrictions described in this Privacy Statement and applicable law, we may use personal information for any reasonable purpose related to the business, including to communicate with you, to provide you information about Ancestry’s and AncestryDNA’s products and services, to respond to your requests, to update our product offerings, to improve the content and User experience on the AncestryDNA Website, to let you know about offers of interest from AncestryDNA or Ancestry, and to prepare and perform demographic, benchmarking, advertising, marketing, and promotional studies.6>

So... since February 20th, we've all been bound by these new terms (and yes, you can delete your test and the results, but subject to the caveat that anything you've shared with others could have been copied and may be kept by those others).

Now... is this a change worth getting up in arms over?

Ummmm... no.

To provide us with accurate analyses of our own DNA results, any DNA testing company should “internally analyze Users’ results to make discoveries in the study of genealogy, anthropology, evolution, languages, cultures, medicine, and other topics.” The more internal analysis of user data that's undertaken, the better the matching algorithms, ethnicity estimates and the like may be.

As long as the use of data outside of a testing company is controlled by “the Research Project Informed Consent ... in accordance with the Informed Consent,” there's absolutely nothing wrong with a testing company using its customer data to produce a better result for its customers.

Sure, that should have been in the terms of use from the outset, but it really is a pretty basic concept, isn't it? How do you know you're doing it right unless you're constantly reviewing your customer data to doublecheck whether your analysis is standing the test of time?

So... the current changes. What about them? What actually has changed in this latest round of privacy terms updates is -- to coin a phrase -- not much:

• The terms now clarify that any comments you post on the website are part of the information that may be read, collected, and used by others.

• The terms now specify that one of the things AncestryDNA can use your personal information for is “to help you and others discover more about your family.”

• The terms note that there will be a “‘DNA Alert’ setting that will allow Ancestry to send you notifications for genetic matches, profile updates, and other DNA-related informational alerts.”

And that's really pretty much all that's changed in this latest round of changes at AncestryDNA.

Ancestry's other privacy changes

Ancestry is also in the process of updating its terms of use, applicable to all of its non-DNA-related websites, including Ancestry.com, Fold3.com, Newspapers.com and Ancestry Academy.

The update -- a minor rewrite of its privacy statement -- applies to “visitors and new users registering on any of the Websites on or after June 26, 2015 and to all users already registered or subscribing to any of the Websites on or after July 26, 2015.”7

In this first update since 1 August 2014, there are no surprises and no major changes -- just some tweaks.

First and foremost, the privacy statement now applies to the newly-launched Ancestry Academy -- the partly-free, partly-subscription-based learning center that began operations earlier this year. Many of the changes in the privacy statement simply add Ancestry Academy to the list of websites affected.

Second, the new terms make it clear that anything -- anything at all -- that you choose to make public on any website Ancestry operates is... well... public. Among the things Ancestry will make use of, if you choose to use any of the Ancestry websites:

• “Your background, interests, and activity on the Websites.”

• “Your age, gender, background and interests ... such as in your user profile.”

• “Information about some of your activity on the Website, such as historical records you save or Ancestry Academy courses you've taken.”

• “Personal information about yourself and others in the course of doing research on our Websites, e.g., adding a photo, adding information about a historical person, creating family trees, or sharing a photo with another user through our Services.”

• “Any comments on the Websites or ... in community discussions, chats, communications with us or between you and other users... (and) any information you provide in these areas may be read, collected, and used by others who access them.”8

None of this “your information may be shared” stuff is new. You can go online and read the prior terms, posted 1 August 2014, and all of that “your information may be shared” stuff is there too.9 And you can go back to the terms before that, posted 28 June 2013, and all of that “your information may be shared” stuff is there too.10

In fact, the earliest online version I can find -- from 2010 -- says essentially the same thing:

As a member of Ancestry.com, you can also chose to share further information about yourself, your activity on the site, and your background and interests, with other members of the site. ... Information about some of your activity on the site... may also be shared with other members in order to help you connect with others researching similar ancestors. ... To help you connect with other members researching similar ancestors, by default new accounts are set up to allow other members to learn about things you publicly add or post to the site, as well as some personal research activities (such as saving historical records to your Shoebox or private member tree).11

So if you don't like the Ancestry terms of use, what can you do? Under the agreement, you have one -- and only one -- choice: don't use the Ancestry websites. The terms explicitly provide that: “If you do not consent to any changes to our Privacy Statement and as a result you would like us not to use or hold personal information about you in accordance with the revised terms, you may notify us here so we can discontinue your account.”12


1. AncestryDNA Privacy Statement, June 12, 2015, AncestryDNA (http://dna.ancestry.com/ : accessed 4 July 2015).

2. See Judy G. Russell, “Reprise: a terms of use primer,” The Legal Genealogist, posted 29 Apr 2015 (http://www.legalgenealogist.com/blog : accessed 4 July 2015).

3. AncestryDNA Privacy Statement, March 20, 2013, AncestryDNA (http://dna.ancestry.com/ : accessed 4 July 2015).

4. Ibid.

5. AncestryDNA Privacy Statement, February 20, 2015, AncestryDNA (http://dna.ancestry.com/ : accessed 4 July 2015).

6. Ibid.

7. Ancestry Privacy Statement, June 26, 2015, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).

8. Ibid.

9. Ancestry Privacy Statement, August 1, 2014, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).

10. Ancestry Privacy Statement, June 28, 2013, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).

11. Privacy Statement, December 14, 2010, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).]

12. Ancestry Privacy Statement, June 26, 2015, Ancestry (http://www.ancestry.com/ : accessed 6 July 2015).


A matter of consent

by Judy Russell January 28th, 2015 10:00 am

[Cross-posted from The Legal Genealogist]

Ask first

The question posed to The Legal Genealogist on January 18th was whether the cousin who had paid for a DNA test should share the results with the cousin who took the DNA test.

The no-brainer answer is yes.1 Just because you paid for a test doesn't mean you can close off the results to the cousin whose DNA was tested.

blurAs noted then, we now have working standards for genetic genealogists to consult when it comes to ethical questions like this.2 And the applicable ethical standard here is that “Genealogists believe that testers have an inalienable right to their own DNA test results and raw data, even if someone other than the tester purchased the DNA test.”3

In the interim, the question that came in was about the flip side of this issue: whether the cousin who paid for the test should share the results far and wide -- with the name of the tested cousin, usually, still attached.

That answer should also be a no-brainer.

Unless you have consent, the answer is no.

No, no, no.

And in case that isn't clear enough:


The ethical standards are as clear on this as they were on the first question: “Genealogists respect all limitations on reviewing and sharing DNA test results imposed at the request of the tester. For example, genealogists do not share or otherwise reveal DNA test results (beyond the tools offered by the testing company) or other personal information (name, address, or email) without the written or oral consent of the tester.”4

Even when it comes to writing about DNA results for scholarly research, the standards require that:

When lecturing or writing about genetic genealogy, genealogists respect the privacy of others. Genealogists privatize or redact the names of living genetic matches from presentations unless the genetic matches have given prior permission or made their results publicly available. Genealogists share DNA test results of living individuals in a work of scholarship only if the tester has given permission or has previously made those results publicly available.5

What this means, put in simple terms, is that we should not take a screen capture of DNA results from a testing company and post it in a blog post or on Facebook with the names or pictures of our matches still attached unless we've asked those matches specifically if we can post it.

And this isn't a new idea, springing out of genetic genealogy alone. This is the long-time ethical standard of the genealogical community. This concept of protecting the privacy of living people can be found for example in:

• The Code of Ethics of the Board for Certification of Genealogists, which requires that board-certified genealogists pledge that: “I will keep confidential any personal or genealogical information given to me, unless I receive written consent to the contrary.”6

• The Standards for Sharing Information with Others of the National Genealogical Society, which advises us to “respect the restrictions on sharing information that arise from the rights of another ... as a living private person; ... inform people who have provided information about their families as to the ways it may be used, observing any conditions they impose and respecting any reservations they may express regarding the use of particular items... (and) require some evidence of consent before assuming that living people are agreeable to further sharing of information about themselves.”7

• The Code of Ethics of the International Association of Jewish Genealogical Societies, which notes that “If data is acquired that seems to contain the potential for harming the interests of other people, great caution should be applied to the treatment of any such data and wide consultation may be appropriate as to how such data is used. ... Generally, a request from an individual that certain information about themselves or close relatives be kept private should be respected.”8

So as responsible genetic genealogists we don't just take a screen shot and post it. We take a second, using the tools in every photo program out there -- including my favorite free program Irfanview -- and blur out the names or photos of our matches as you can see in the image above of my own AncestryDNA results.

Or we do something really unusual.

We ask first.


1. Judy G. Russell, “Whose DNA it is anyway?,” The Legal Genealogist, posted 18 Jan 2015 (http://www.legalgenealogist.com/blog : accessed 24 Jan 2015).
2. See ibid., “DNA: good news, bad news,” The Legal Genealogist, posted 11 Jan 2015.
3. Paragraph 3, Standards for Obtaining, Using, and Sharing Genetic Genealogy Test Results, “Genetic Genealogy Standards,” GeneticGenealogyStandards.com (http://www.geneticgenealogystandards.com/ : accessed 18 Jan 2015).
4. Ibid., paragraph 8.
5. Ibid., paragraph 9.
6. “Code of Ethics and Conduct,” Board for Certification of Genealogists (http://bcgcertification.org/ : accessed 24 Jan 2015).
7. Standards for Sharing Information with Others, 2000, PDF, National Genealogical Society (http://www.ngsgenealogy.org/ : accessed 24 Jan 2015).
8. “IAJGS Ethics for Jewish Genealogists,” International Association of Jewish Genealogical Societies (http://www.iajgs.org/ : accessed 24 Jan 2015).


Fooling with the FDA

by Judy Russell November 27th, 2013 4:13 pm

FDA blasts 23andMe (and it looks like 23andMe deserved it)

So you remember that old commercial where a margarine company gave Mother Nature a taste of its product and she thought it was butter. The tagline of all the commercials — just before something bad happened — was: “It’s not nice to fool Mother Nature.”

Monday, news reports revealed that the DNA testing company 23andMe got the 21st-century regulatory version of that tagline: it’s not nice to fool with the FDA.

On Friday of last week, the Food and Drug Administration sent what’s called a warning letter to 23andMe, laying out a litany of complaints it had with 23andMe with respect to the health claims made for its DNA test, called the Personal Genome Service, and giving it 15 days to stop marketing the service.

How did it get to this state of affairs between the FDA and 23andMe -- and what does it mean for genetic genealogy?

Read more at Fooling with FDA


Bill introduced to "sunset" the SSDI

by Judy Russell July 23rd, 2013 1:40 pm

Congressman Sam Johnson (R-Texas) thinks closing the Social Security Death Master File (known to genealogists as the Social Security Death Index or SSDI) is The Answer (or at least An Answer) to the problem of identity theft.

So he’s out to kill the SSDI just as he tried to do in the last session of Congress. This time it's in a sunset provision hidden away in a bill introduced last week.

Read more at Johnson: into the sunset for SSDI


When privacy and history collide

by Judy Russell June 18th, 2013 2:51 pm

When does an individual have a right to be forgotten? How does that square -- can it be squared -- with the right of society to know what people did, and why?

These are questions up for debate right now as the European Union considers its privacy laws and the scope of the so-called “right to be forgotten.”

And it's a matter of deep concern to archivists, genealogists and family historians as we consider the value of those small bits of personal history contained in yesterday's letters, diaries and scrap paper ... and in today's email, tweets and Facebook posts.

If every person's individual right to privacy is honored so greatly that we can all edit our own personal history to fit our own sensitivities, what happens to the truth?

Read more at Privacy and history: on a collision course?


Non-residents lose FOI battle

by Judy Russell May 6th, 2013 2:39 pm

Supreme Court upholds limits

Information access took a hit last week, when the United States Supreme Court ruled that states have no constitutional obligation to treat non-residents the way they treat residents under their freedom-of-information laws.

To be sure, most of the specific information at the center of the decision in McBurney v. Young, No. 12-17, slip opinion (U.S. Supreme Court, 29 April 2013), was not information near and dear to the heart of the genealogical community in general.

Still, it's sad to see the High Court -- unanimously -- come down on the side of freedom of information being a service provided by a state, and not a right enjoyed by the people -- all the people -- no matter where they live.

Read more at Freedom of information: residents only.


HIPAA privacy rule eases access for medical genealogy

by Judy Russell April 8th, 2013 2:05 pm

[Cross-posted from The Legal Genealogist]

One for our side

There's been a major breakthrough in records access for those of us with family medical issues that we research in part through our genealogy.

Quietly, without much fanfare, the federal Department of Health and Human Services (HHS) has finally come around to understanding that closing medical records forever, even after the death of the person treated, isn't the way to go.

It adopted a new set of rules earlier this year, effective just two weeks ago, that opens medical records 50 years after the patient's death.

The change -- first proposed nearly three years ago1 -- came in an omnibus Final Rule adoption governing a vast array of issues under the federal Health Insurance Portability and Accountability Act (HIPAA) designed primarily to update personal privacy rules in light of technological changes in medical recordkeeping.2 The rule was adopted in January and became effective on March 26th.

As far back as 2003, archivists had complained to HHS about the old rule, under which personal health information was to be protected forever and only disclosed even after the patient's death only if the legal representative of the estate authorized it.

In 2005, Stephen E. Novak of Columbia University had quoted from those earlier complaints in an HHS conference, explaining that “certain historical, biographical and genealogical works where the identity of the individual is the whole point could not be written, such as the Pulitzer Prize-winning A Midwife’s Tale, based on the late 18th and early 19th century diary of Maine midwife Martha Ballard.”3

Nancy McCall of the Johns Hopkins Medical Institutions told that same conference that “a number of state archives have acquired the records of defunct hospitals in their states and do not know whether they are covered entities. This is especially important for mental hospitals and TB hospitals that have closed.”4

All of those participating pleaded for clarity -- and for access.

The new rule is, finally, the HHS response.

In its rulemaking, HHS recognized the problems inherent in “the lack of access to ancient or old records of historical value held by covered entities, even when there are likely few surviving individuals concerned with the privacy of such information. Archives and libraries may hold medical records, as well as correspondence files, physician diaries and casebooks, and photograph collections containing fragments of identifiable health information, that are centuries old. Currently, to the extent such information is maintained by a covered entity, it is subject to the Privacy Rule.”5

It noted that the “majority of public comment on this proposal was in favor of limiting the period of protection for decedent health information to 50 years past the date of death. Some of these commenters specifically cited the potential benefits to research. A few commenters stated that the 50-year period was too long and should be shortened to, for example, 25 years.”6

Based on its review and the public comments, HHS concluded:

We believe 50 years is an appropriate period of protection for decedent health information, taking into account the remaining privacy interests of living individuals after the span of approximately two generations have passed, and the difficulty of obtaining authorizations from a personal representative of a decedent as the same amount of time passes. For the same reason, we decline to shorten the period of protection as suggested by some commenters or to adopt a 100-year period of protection for decedent information.7

So, as of the 26th of March, HIPAA's definition of “protected health information” expressly excludes information regarding “a person who has been deceased for more than 50 years,”8 and covered entities need only comply with HIPAA “with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.”9

Now the fact that the federal government isn't standing in the way doesn't mean that all of us with family health issues can rush out and expect to be given immediate access to those old health records that may tell us so much about things we face today. The feds have never been the only player in the privacy game -- state laws may also restrict access to health information.

But it's a major breakthrough to have the federal government finally move out of the way of access to records of critical importance.


1. Notice of proposed rulemaking, 75 Fed. Reg. 40868, 40874 (14 Jul 2010).
2. See “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” 78 Fed. Reg. 5565 (25 Jan 2013), PDF version, U.S. Government Printing Office (http://www.gpo.gov/fdsys/ : accessed 7 Apr 2013).
3. Minutes, 11-12 January 2005, Subcommittee on Privacy and Confidentiality, National Committee on Vital and Health Statistics, HHS.gov (http://ncvhs.hhs.gov/ : accessed 7 Apr 2013).
4. Ibid.
5. “Modifications to the HIPAA ... Rules,” 78 Fed. Reg. 5613-5614.
6. Ibid., 78 Fed. Reg. 5614.
7. Ibid.
8. 45 CFR §160.103.
9. 45 CFR §164.502(f).