
Ancestry.com can use your DNA to target ads - randomwalker
https://freedom-to-tinker.com/blog/paulellenbogen/ancestry-com-can-use-your-dna-to-target-ads/
======
sudo_bang_bang
"Research has shown that users are already desensitized to privacy and
security warnings."

This along with the quote below are my biggest takeaways from this article:

"it can be difficult to avoid information leakage through URLs or cookies or
more sophisticated attacks."

People may not even realize they are giving the keys away until it's too late.
It's unlikely that a dialog box for confirmation would be explicit anyway,
especially if Ancestry and others stand to monetarily gain from your DNA.

Moreover, if you're a malicious actor you can simply display an ad from
Ancestry and when you have a logged in user you could potentially identify a
whole host of other information that can be associated with their email and
other aspects of their identity. The malicious actor could resell this to even
worse offenders.

------
pavel_lishin
This is one of the reasons I've never sent a DNA swab to Ancestry.com, or
23andme. If I could do so anonymously, I'd do it in a heartbeat - but the
potential losses+ outweigh the gains%.

+ admittedly, I'm not even sure what the worst case scenarios are, but that
just makes them even scarier.

% ooooh, I might learn that I have a predisposition to alcoholism and rectal
cancer? That's nothing that my Russian father couldn't have told me.

~~~
throwaway4567
> If I could do so anonymously, I'd do it in a heartbeat

You can. See "How to use 23andMe without violating your genetic privacy",
[https://www.abine.com/blog/2013/23andme-without-violating-your-genetic-privacy/](https://www.abine.com/blog/2013/23andme-without-violating-your-genetic-privacy/).

~~~
dfc

> Once I checked out, I went to my real, personal inbox to
> complete the 23andMe registration by clicking the confirmation
> email, which was forwarded to me from the alias email address.

LOL. Thanks for posting this bit of comedy.

~~~
throwaway4567
How was that problematic? I don't see the issue, especially given that the
author was on a VPN and using Firefox in Private Browsing mode while running
DoNotTrackMe.

~~~
ikeboy
Most email is sent unencrypted, so the NSA likely has a record of that email
and can cross-reference it with the 23 account if needed.

Even the header would probably be enough in this case, just to identify the
particular masked email with the real email behind it.

~~~
throwaway4567
> Even the header would probably be enough in this case, just to identify the
> particular masked email with the real email behind it.

Are you implying that an HTTP header sent in the request to 23andme upon
clicking the confirmation link would contain the forwarded email address of
the user?

Unless the user were on a web page that included their email account name in
the URL (and thus visible in the REFERER header), I don't see how that would
happen. And I don't think I've ever seen an email system that puts the account
name in the URL.

~~~
ikeboy
No, the email header sent by abine when they forward the email from 23andme.
That contains their real email address in plaintext, and might also contain
the masked address; if not, a timing attack given the time of 23's emails and
the time of the forwarded email might work.

If the actual email is unencrypted, then the NSA gets everything for free.
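
The header exposure described in the comment above, as an added example that is not part of the thread: it scans one forwarded message for header fields carrying the masked address, the real address, or both, and measures the gap between the relay timestamps. The sample message, its hosts and addresses, and the set of headers the alias service adds are all constructed assumptions, not Abine's or 23andMe's actual output.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample of a forwarded confirmation mail. Every host, address
# and header below is made up; a real alias service may add different ones.
FORWARDED = """\
Received: from relay.alias.example (relay.alias.example [192.0.2.10])
\tby mx.mailhost.example with ESMTP id abc123
\tfor <real.person@mailhost.example>; Tue, 02 Jun 2015 10:00:07 +0000
Received: from out.dnaservice.example (out.dnaservice.example [198.51.100.5])
\tby relay.alias.example with ESMTP id def456
\tfor <x7k2q@alias.example>; Tue, 02 Jun 2015 10:00:05 +0000
Delivered-To: real.person@mailhost.example
X-Forwarded-For: x7k2q@alias.example
From: DNA Service <no-reply@dnaservice.example>
To: x7k2q@alias.example
Subject: Confirm your registration
Date: Tue, 02 Jun 2015 10:00:04 +0000

Click the link to confirm.
"""

ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")

def header_exposure(raw, alias, real):
    """Return {address: [header fields that carry it]} for both addresses."""
    seen = {alias.lower(): [], real.lower(): []}
    for name, value in email.message_from_string(raw).items():
        for addr in ADDRESS.findall(str(value)):
            fields = seen.get(addr.lower())
            if fields is not None and name not in fields:
                fields.append(name)
    return seen

def linked_in_headers(raw, alias, real):
    """True if one copy of the message carries both addresses in cleartext headers."""
    return all(header_exposure(raw, alias, real).values())

def hop_delay_seconds(raw):
    """Seconds between the oldest and newest Received stamp (the forwarding delay)."""
    stamps = [parsedate_to_datetime(v.rsplit(";", 1)[1].strip())
              for v in email.message_from_string(raw).get_all("Received", [])]
    return (max(stamps) - min(stamps)).total_seconds()

if __name__ == "__main__":
    print(header_exposure(FORWARDED, "x7k2q@alias.example", "real.person@mailhost.example"))
    print(hop_delay_seconds(FORWARDED))
```

Running this against the raw source of a forwarded message from your own inbox shows which fields would need to be rewritten or stripped by the forwarder before the alias and the real address stop appearing together.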

------
johansch
Here we go again, reading privacy policies like the devil reads the bible.

A more honest headline would have been:

"There is no exception in place in the privacy policy stopping Ancestry.com
from theoretically being able to target ads using your DNA."

------
thrownaway2424
That's not even close to the most offensive thing ancestry.com does to you.

~~~
pavel_lishin
What else do they do?

~~~
thrownaway2424
The Mormons use ancestry.com data to proxy-baptize your ancestors into their
ridiculous death cult.

~~~
pavel_lishin
I was going to reply with, "I don't care what mumbo-jumbo people say with my
name embedded", but that actually is pretty offensive to someone with strong
religious beliefs.

~~~
xahrepap
You have to be a descendant of the deceased to submit their name to be done.
Also, there's a lot of sensitivity toward religions who have general qualms
about the practice (for example, it's against the rules to submit Jewish
holocaust victims). Also, many religious leaders of other faiths have gone on
record[1] saying how they're glad the Mormons have brought back the biblical
practice of baptisms for the dead.

The practice isn't as cultist as some (gp) may want to imply without
understanding what it implies and really means.

[1] [https://youtu.be/4mMDYt0Twpo](https://youtu.be/4mMDYt0Twpo)

~~~
hueving
> The practice isn't as cultist as some (gp) may want to imply without
> understanding what it implies and really means.

You are having some group of people you don't know say something about a dead
relative followed by a ritual not based in any science to change which
imaginary place they will be in.

~~~
_delirium
Well yes, but that's not really a criticism specific to Mormon rituals; it
applies to most religious rituals.

------
mirimir
Everything to do with DNA sequences ought to be done by personal agents who
are certified, licensed and bonded. And subject to strict oversight and
liability. Or it could be done client-side, by those with requisite skills and
resources. Only specific information, suitably redacted and abstracted, should
be submitted to untrusted third parties.

Sending swabs to untrusted firms is just batshit insane, in my humble opinion.
And being "anonymous" is rather pointless. It's one's DNA! That's an ultimate
biometric.

~~~
pavel_lishin
> _And being "anonymous" is rather pointless. It's one's DNA! That's an
> ultimate biometric._

But unless it's tied to my identity, I don't care! It may be the ultimate
biometric, but _that_ only matters if they can compare it to my DNA by taking
it from me directly - and at that point, they have my DNA, so it doesn't
matter whether I previously provided it anonymously or not!

~~~
mirimir
I suppose. But once there's a bunch of stuff online that's linked to your DNA
data, anyone who has your DNA data can correlate it all. And tie it to your
true name.

Bottom line, I see no compelling upside to putting one's DNA data on the
Internet.

~~~
pavel_lishin
That's why I would like to send my DNA in anonymously; I _don't_ want to link
anything to my DNA data.

~~~
a_bonobo
Even if you send it in anonymously, your DNA is so unique to you that by
comparing it to other data you can infer at least the last name.

See for example
[http://www.ncbi.nlm.nih.gov/pubmed/23329047](http://www.ncbi.nlm.nih.gov/pubmed/23329047)

~~~
pavel_lishin
That's a valid concern, actually, my last name is fairly rare, especially in
the United States.

------
ancestrydotcom
The link is clickbait, but ancestry.com is both a ripoff and full of incorrect
data. They infer relationships based on totally faulty or very circumstantial
inputs, and then dangle those relationships in front of people with more money
than sense.

------
fapjacks
Ancestry.com is run by trolls on par with the current owners of Sourceforge.
Absolutely nothing surprises me when it comes to that site.

