Given the nature of the service, you should probably treat it as inherently pseudonymous. You're handing over irrevocable genetic data which will link you to relatives. Whatever their data protection assurances are, you have to imagine the worst case scenario - massive data leakage. And if this happens then you will in all likelihood be identifiable.
Obviously I don't trust any assurances, but on the other hand I'm handing over my genetic data all the time because parts of me end up over in the hands of 3rd parties whenever I go outside but they just happen not to run test on those.
If I can have a test that is not connected to my persona, from their perspective the data would be as valuable as running a test on the hair in the barbershop or picking a random leftover of food and running test on the saliva left on the half consumed food.
There's quite a big difference between the DNA you leave in a forensic sense all around you (which would take a lot of effort and expense for someone to gather against your will) versus serving it up on a plate in a format that is trivially searchable for close matches against any relatives. The value is in the fact that millions of people's DNA is gathered in the same place in the same format, not the individual value of your DNA. It's a classic network effect.
I mean, what is your threat model, and what are you trying to get out of DNA/ancestry services?
If you're worried about getting arrested for one of the many crimes you've committed, and you want to meet far-flung relatives, you're kind of in a bind here. Assuming unlimited cooperation between the police and the DNA/ancestry services -- which your threat model in this case would require -- even if they don't have your name or address, they could fabricate a half-sibling/double-cousin in the system and have them reach out to you. What, are you not going to talk to and eventually meet the cop pretending to be your previously unknown half-sibling/double-cousin?
My threat model is about the changing world, essentially activist who feel like having right to tell who lives where. I usually pass by the look, fail by the accent and I intend not to have another data point they can use.
I wouldn't count on any data protections from firms in the United States. There's no responsibility taken by those with the influence to end lives.
Until there's actual punishment for being breached, there will never be data protections in the United States. Even HIPAA and the DMV sell access to businesses.
indeed, if you have a cousin that has already filled in the data about your grandparents, and they do a scan showing "John Doe" is the descendent of Arthur, Betty, Charlie, and Debbie; then you're already linked with a "shadow profile". Chances are they'll have the data from your cousin with your name added too, so now they can link the DNA of "John Doe" with the shadow profile of "YourActualName, cousin of Timmy TakeMyData".
The only solution to this is regulation and enough incentive that companies have to treat data as they treat radioactive waste material. Storing data should be a liability, not an asset.
