“I’m hoping they’re an ethical company that won’t do anything that I’ll regret”: Users’ Perceptions of At-home DNA Testing Companies Khadija Baig Carleton University Ottawa, Canada khadija.baig@carleton.ca Reham Mohamed Carleton University Ottawa, Canada riham.mohamed@carleton.ca Anna-Lena Theus Carleton University Ottawa, Canada anna.theus@carleton.ca Sonia Chiasson Carleton University Ottawa, Canada chiasson@scs.carleton.ca ABSTRACT At-home DNA testing has become increasingly popular due to the ability to be able to gain both ancestry and health infor- mation, as well as connect with others who share your DNA. Do users have reasonable mental models of how these sys- tems work? Do users have privacy concerns and what do they understand as the benefits and risks involved? We conducted 27 interviews with Canadian users of at-home DNA testing companies. Our interviews covered perceived and desired data use, data management, data sharing practices, control over data, and any regrets. Our qualitative analysis revealed that many users have inconsistencies in their mental models and liken their DNA data to their data stored with existing tech- nologies, such as social media, rather than health data. They are generally either dismissive of privacy concerns towards themselves or their relatives or they had not considered privacy in their choice. We discuss our findings and propose possible future work in this area. Author Keywords Privacy; at home DNA-testing; interviews CCS Concepts •Security and privacy → Human and societal aspects of security and privacy; INTRODUCTION Direct-to-consumer (DTC) or at-home Deoxyribonucleic acid (DNA) testing has recently gained popularity. At-home DNA testing companies provide ancestry or health-related informa- tion for consumers that is thought to be beneficial [24, 40]. For Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. CHI ’20, April 25–30, 2020, Honolulu, HI, USA. © 2020 Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-6708-0/20/04 ...$15.00. http://dx.doi.org/10.1145/3313831.3376800 instance, they may help adoptees learn about their biological families [24], or identify health concerns to prompt users to reduce risks of some diseases [17, 24, 37, 40]. On the other hand, there is no clear evidence that such results promote more positive health behavior [17]. Moreover, the emergence of at- home DNA tests has resulted in many privacy, ethical, and legal questions [1–3, 6, 9, 10, 14, 15, 21–23, 25, 33, 35, 36, 45]. The intrinsic characteristics of DNA make it personally identifiable information [2, 22, 40], even if stored anony- mously [21,40]. However, the privacy policies from at-home DNA testing companies are unclear on how they store DNA samples (e.g., [36]). Moreover, these databases are often shared with third parties [27, 28, 38, 40], which poses consent issues; DNA testing results reveal details of the individual and of other family members [3, 15] who have not consented to such testing. Further, social media users share sensitive DNA information online while unaware of potential consequences [33]. These disclosures could be used by unsolicited third parties, such as health insurance companies, to genetically discriminate against individuals [33]. Existing laws to prevent genetic discrimination inadequately protect the privacy of individuals and better data governance is needed [1, 25, 45]. For example, some laws in the US [8] and Canada [49] prohibit genetic discrimination, but do not apply to all situations. US laws do not apply to using DNA test results for life insurance cases [25, 45] and Canadian laws do not apply to scientific or pharmaceutical research [1]. Given these privacy and legal concerns, it is important to understand individuals’ mental models towards at-home DNA testing services. Previous research [5,16,17,24,37] has looked at users’ motivations and desires for requesting the service, and their awareness of such services. However, there is a lack of a deeper understanding of individuals’ mental models of the service and potential risks or privacy concerns. For example, there is no literature on users’ perception of how companies