23andMe Makes Honor Roll for Privacy and Security

article by Maria Perinic
May 29, 2019

Privacy and security are things we all look for before trusting a new service. Our lives are now very much online, with virtually all of us using social media, email, and online banking. When taking part in something like at-home DNA testing, you want your sensitive information to remain secure, but not all companies apply the same privacy measures.

In the 10th annual Online Trust Audit & Honor Roll, the Internet Society’s Online Trust Alliance (OTA) has declared that 23andMe made the 2018 “Honor Roll”, taking the number one spot in the Healthcare category. The audit screened more than 1,200 websites and found that 70% of them qualified for the Honor Roll, largely because many of them made big improvements in both session encryption and email authentication.

Among all 1,200 audited organizations, 23andMe placed in the top 50 in each of the assessed areas as well as ranking first in the healthcare industry. The top scorers in the individual categories were as follows:

  • Top Overall: Google Play
  • Top Bank: First National Bank of Omaha
  • Top Consumer: PayPal
  • Top Healthcare: 23andMe
  • Top ISP/Host: Google Cloud Platform
  • Top News: Google News
  • Top Retailer: Google Play
  • Top U.S. Federal: Federal Emergency Management Agency (FEMA)

User privacy is something that is of incredible importance to the team at 23andMe. “Protecting the privacy and security of our customers’ data is at the core of what we do here at 23andMe,” said Ashutosh Agrawal, 23andMe’s Senior Manager for Security & Privacy Compliance. “So seeing how we compare to the healthcare industry as a whole is validation of all the hard work and our security and privacy practices. Finishing top in the Healthcare category is also a great recognition.”

The audit is the most comprehensive independent benchmark of its kind. So, what does it assess? Websites are evaluated in three categories:

  • Domain, brand and consumer protection
  • Site, server, and infrastructure security
  • Transparency and disclosures

Individual breakdowns of organizations’ scores are not made public because of the risk of disclosing vulnerabilities. However, we do know that the key aspects investigated included:

Email Authentication – standards such as SPF, DKIM and DMARC that protect users from domain and email spoofing.

Domain Locking – prevents unauthorized transfers of, or changes to, your domain registration by third parties who might try to redirect it.

Transport Layer Security (TLS) for Email – encrypts mail in transit between mail servers, helping to prevent eavesdropping.

Multi-Factor Authentication – combining a strong password with a second factor such as a fingerprint, an authenticator app or a code received in a text message helps protect against account takeovers.

Server and TLS/SSL Configuration – server architecture, configuration, and digital certificates are examined for weak keys, protocols or cipher algorithms.

Always On SSL – sites handling sensitive information must serve every page over HTTPS; otherwise attackers can hijack sessions (“sidejacking”) from users on the unencrypted pages.

Bot and Botnet Protection – sites needed protection against scraping, vulnerability scanning, scripted form completion, and other common bot-driven activity.

Malware, Malicious Links & Cross-Site Scripting – all audited sites were scanned for malware, malicious links and cross-site scripting flaws. Those found to contain them received penalty points.
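The OTA does not publish how it scores email authentication, so the following is an added illustration, not the audit’s own methodology or 23andMe’s code. It grades a domain’s SPF and DMARC DNS TXT records, the kind you would fetch with `dig TXT example.com` and `dig TXT _dmarc.example.com`, and flags the configurations that leave a domain spoofable (a softfail or missing `all` in SPF, a `p=none` or partial-percentage DMARC policy, no reporting address). The sample records are constructed for a hypothetical domain, so the check runs offline.

```python
"""Offline grader for SPF and DMARC records (added example, not from the article).

The records below are constructed sample data for a hypothetical domain;
in practice you would substitute the TXT records returned by DNS.
"""
import re

# Constructed sample TXT records (not real DNS data).
SAMPLE_SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.mail.example ~all"
SAMPLE_SPF_OPEN = "v=spf1 +all"
SAMPLE_DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@mail.example; pct=100"
SAMPLE_DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=25"
SAMPLE_DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@mail.example"


def spf_all_qualifier(record):
    """Return the qualifier on the terminating 'all' mechanism.

    '-' is fail (hard), '~' softfail, '?' neutral, '+' pass (an open relay
    policy). A bare 'all' defaults to '+'. None means there is no SPF record
    or no 'all' term, which leaves the domain effectively unprotected.
    """
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict of lower-case tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf_record, dmarc_record):
    """Grade the record pair as 'strong', 'weak' or 'none' and list the reasons."""
    findings = []

    qualifier = spf_all_qualifier(spf_record) if spf_record else None
    if qualifier == "-":
        spf_score = 2
    elif qualifier == "~":
        spf_score = 1
        findings.append("SPF uses softfail (~all); receivers may still deliver spoofed mail")
    else:
        spf_score = 0
        findings.append("SPF missing, neutral or +all: any host may send as this domain")

    dmarc = parse_dmarc(dmarc_record) if dmarc_record else {}
    policy = dmarc.get("p", "").lower()
    pct_raw = dmarc.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if dmarc.get("v", "").upper() != "DMARC1" or not policy:
        dmarc_score = 0
        findings.append("DMARC record missing or malformed")
    elif policy == "none":
        dmarc_score = 0
        findings.append("DMARC p=none only monitors; spoofed mail is not blocked")
    elif pct < 100:
        dmarc_score = 1
        findings.append(f"DMARC enforcement applies to only {pct}% of mail")
    else:
        dmarc_score = 2
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports are not collected")

    total = spf_score + dmarc_score
    grade = "strong" if total == 4 else "weak" if total > 0 else "none"
    return grade, findings


if __name__ == "__main__":
    for spf, dmarc in [
        (SAMPLE_SPF_STRICT, SAMPLE_DMARC_REJECT),
        (SAMPLE_SPF_WEAK, SAMPLE_DMARC_PARTIAL),
        (SAMPLE_SPF_OPEN, SAMPLE_DMARC_NONE),
    ]:
        grade, reasons = assess_email_auth(spf, dmarc)
        print(grade, reasons)
```

The grader deliberately treats `p=none` as no protection: a DMARC record that only reports gives the domain owner visibility but does nothing to stop a spoofed message from landing in a customer’s inbox, which is the outcome the audit’s email-authentication criterion is about.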

As you can see, many key security elements were considered when it comes to protecting customer privacy. Privacy practices were assessed separately: the privacy policy itself and the site’s data-collection practices were analysed, and the following components set some websites apart from the rest:

  • Privacy policy link discoverable on home page
  • Data sharing language
  • Data retention language
  • Data sharing with third parties
  • Layered notices
  • Mention of adherence to COPPA
  • Do Not Track (DNT) disclosure
  • Date stamp at the top of the privacy policy
  • Access to previous versions (previously awarded bonus points, part of baseline in 2018)

Extra points went to organizations that offered privacy policies in multiple languages, managed their third-party trackers, and had no data breaches since January 1, 2017. Additionally, privacy policies that were easy to locate and used consumer-friendly icons fared better than those that were not.

Emphasis was also placed on compliance with the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018 and protects all EU residents.

23andMe took the top spot on the strength of all these aspects and more. Its website includes not only a privacy policy but also “Privacy Highlights”, which give customers an overview of the core components of its data-handling practices. There you can easily see everything you need to know about the information 23andMe collects, how that information is used, how you can control which information is shared, how you can access your information, how your information is secured, and the risks and considerations involved.

Using online services always carries risk, and cybercrime continues to grow. Malware, ransomware, spyware, and phishing can all leave victims devastated, yet many people know little about these threats and are therefore unable to protect themselves. This is why the Internet Society’s OTA matters: it raises public awareness and keeps the world connected within a circle of trust.

“In this age where many companies are accused of putting profits ahead of customers, the websites that made the Honor Roll should be commended for their commitment to online trust,” said Jeff Wilbur, Technical Director of the Online Trust Alliance initiative at the Internet Society. “This designation shows that you can be one of the world’s most successful businesses without sacrificing consumer privacy, protection, and security.”

By making the OTA Honor Roll, 23andMe shows once more that it is a reputable and popular choice for at-home DNA testing. Not only can you learn about your ethnic heritage, you can also discover things like food sensitivities, genetic health issues, predispositions to diseases, genetic mutations, and risks of various cancers. The audit shows that 23andMe leads its sector in protecting your privacy and security as well.

Read more about 23andMe in our expert review.