LEHI, Utah — It markets its DNA kits with promises that tug at the heartstrings: Discover ancestors. Strengthen family ties. Understand your life.

Aided by venture capital and a flood of savvy marketing, Ancestry LLC has grown to become the world's largest DNA testing conglomerate. Since 2012, it has lured more than 5 million people to spit into tubes and add their genetic code to the world's largest private database of DNA. It has also banked away the world's largest collection of human spittle, numbering in the hundreds of gallons.

In the age of Facebook and Google, consumers seem comfortable surrendering their personal information to corporations that aggregate it and monetize it. But Ancestry and other DNA testing companies have added an audacious tweak: Consumers are now paying to hand over their genetic code, their most sensitive individual identifier, to companies that could monetize it far into the future.

Ancestry officials say they have state-of-the-art systems to prevent hacking and security breaches. So far the company has sidestepped privacy scandals that tripped up companies like Facebook, which allowed a political data firm, Cambridge Analytica, to access data from 50 million customers, or government agencies like the U.S. Office of Personnel Management, which a few years ago exposed more than a million personnel records and security clearance data to hackers.

But a three-month review by McClatchy, including visits to Ancestry's headquarters and a main testing lab, reveals a pattern of breached promises to customers, security concerns and inflated marketing pledges that could give consumers some pause:

People also reading: Why does every Florida Publix have a big scale?

People also reading: FBI agent does a backflip in a club, drops his gun and accidentally shoots someone, police say

People also reading: Rick Scott's outsider image as Senate candidate clashes with Florida reality

Unidentified hackers last year accessed an Ancestry website, RootsWeb, compromising the sign-ins of 55,000 Ancestry customers who had the same log-in credentials with RootsWeb. The site has since been shut down. The incident received little attention, but revealed how customers' personal information could be accessed and exploited through Ancestry's partnerships and acquisitions.

AncestryDNA, a subsidiary of Ancestry LLC that markets genetic testing, pledges to safeguard people's private data. But the company has a history of changing the terms of its agreements with customers. In the most high-profile example, Ancestry in 2014 shut down MyFamily.com, a social networking site where more than 1.5 million users had posted family memories, photos and conversations. Numerous customers said they lost treasured family history because of inadequate notification from the company, which decided not to back up the data.

Ancestry claims to beat its competitors in accurate analysis of a person's ethnicity. But interviews with company officials reveal that Ancestry has wide gaps in its ethnic markers for Asia and other sections of the world. Outside geneticists and anthropologists say that Ancestry and other companies are making misleading claims about the accuracy of their ethnic analyses.

Most Ancestry customers consent to have their DNA results, in a de-identified form, shared with the company's research partners in the pursuit of sciences, including finding cures to diseases. But Ancestry's main research partner is a secretive Google subsidiary called Calico Life Sciences, which is focused on ways to extend human longevity through biotechnology. Critics have labeled Calico a "vanity project" of several Silicon Valley billionaires who want to extend their own lifespans.

Peter Pitts, a former associate commissioner for the Food and Drug Administration, said it was inevitable that private companies would one day commercialize DNA analysis. But the speed and scope of the industry's rise is worrisome, he said, in part because few consumers read the fine print of a company's terms and conditions.

"People need to be aware there are risks and benefits," said Pitts, who now runs Center for Medicine in the Public Interest, a New York-based nonprofit. "Right now they see the benefit as being able to have cocktail-party conversation about their genetic makeup. They aren't thinking about the risks of giving up their personal information, and the long-term implications."

Many consumers, he said, have a limited understanding of how DNA is such a unique personal identifier, even more than a fingerprint or social security number. DNA determines the color of a person's hair and eyes, their skin color and propensity to inherited diseases - information that employers or insurers might want to obtain.

And when someone takes a DNA test, the results not only provide information about that individual, but close relatives as well, said Marcy Darnovsky, director of the Center for Genetics and Society, a biotech watchdog group based in Berkeley, Calif. "You are not just taking the test for you. You are taking it for the whole family," she said.

Read more: U.S. wants 1 million to share DNA, health habits for science

Founded by a pair of Brigham Young University graduates in the 1990s, Ancestry.com was one of the early internet start-ups that allowed customers to build their family trees online, accessing troves of information that the company assembled. Paul B. Allen, one of the founders of Ancestry.com, said it makes sense that a family-tree internet company would arise in Utah, where the Mormon church has long kept extensive family history records. "This is the mother lode of genealogical research," he said.

Thirty years later, Ancestry is still based in Utah, but has mushroomed into a multinational company that operates in more than 30 countries, pulling in $1 billion in revenue in 2017. Its headquarters in Lehi, south of Salt Lake City, is home to 1,100 of the company's 1,600 employees. The building features a display of lanterns, descending through several floors, meant to resemble DNA strands.

But to really grasp the company's rapid growth, one needs to visit one of Ancestry's contractor labs, where the company sends customer's genetic samples for analysis. One of these labs is in La Jolla, Calif., owned by Illumina, a leading company in sequencing and genotyping DNA.

On a recent weekday, Illumina lab manager Jay Antico donned gloves and a gown and entered a room where Ancestry kits arrive daily. A line of workers were removing spit tubes from the kits, scanning their bar codes and checking for defects. Behind them were a wall of shelving filled with thousands of partly full tubes.

How many tubes arrive at Illumina daily? Antico and Ancestry officials declined to say. "Let's just say it's a lot," said Antico, eyeing the shelves lined with people's saliva.

Like other DNA testing companies, Ancestry uses spit for genetic analysis because is it an easy way for consumers to provide their DNA. Saliva contains white blood cells and cells from the inner lining of people's mouths. Companies such as Illumina isolate the DNA, then go through a multi-step process of "amplifying" it, processing it and turning it into a machine-readable code. The entire process takes about four days, after which Ancestry uses the code to analyze a customer's ethnicity.

Ancestry is highly sensitive about concerns that customer's privacy could be compromised as DNA is shipping around the country, passing through labs and sorting centers.

"Privacy is basically our top priority here," Eric Heath, Ancestry's chief privacy officer, said. "In terms of security, you know, we are very cognizant that without our customers' trust, we do not have a business."

To prevent disclosure of customer identities, the kits and spit tubes that Ancestry sends to Illumina are marked only with bar codes, not people's names and addresses. After Illumina finishes its analysis, the results are sent back to Ancestry, which, according to Heath, is the only entity that can reconnect the results with individual customers. After Ancestry generates an ethnicity estimate for a customer, it is forwarded onto that person's email.

—-

Privacy experts say that while this protocol guards against inadvertent disclosure, it still leaves people's genetic data vulnerable.

Cyber theft is one risk. A 2017 hacking incident forced Ancestry to shut down its RootsWeb website and notify customers whose sign-on information may have been stolen. Ancestry in 2000 had purchased RootsWeb - a free genealogical website that offered online forums for people to research their family histories - but apparently had not fully upgraded its security protocols.

"The RootsWeb situation was certainly unfortunate," Heath said. But he said the RootsWeb was a "completely separate system" from Ancestry's databases that contain sensitive customer information, including DNA data. The company stores that sensitive data in the cloud, he said, with an encrypted system that only can be accessed through Ancestry's own key.

Martin Shelton, a cybersecurity expert based in Silicon Valley, said it's encouraging that Ancestry encrypts its data. But the ultimate security of this system, he added, "depends on how they store the encryption keys." Wide internal access to encryption keys, he said, could contribute to security breaches in the future.

Law enforcement also has various ways to access people's DNA data.

To make an arrest in the East Area Rapist case, Sacramento investigators created a bogus account on a open-access DNA database, GEDmatch, and then found a lucky match to DNA taken from a crime scene.

Officials for Ancestry, 23andMe and other leading DNA-testing companies say it would be impossible for law enforcement to use similar surreptitious methods to find suspects on their sites, which only allow customers to send in saliva, not DNA results from an outside testing service. But DNA-testing companies could be forced to hand over genetic data in response to a court warrant or subpoena, as they generally disclose.

"AncestryDNA will never disclose your data to insurance providers, employers or law enforcement (unless compelled by valid legal process)," the company notes on its website.

Ancestry also acknowledges that customers could face various risks if their DNA data and other personal information is made public or somehow obtained by third parties.

"It may be used to identify you, and may negatively impact your ability to obtain certain types of insurance coverage, or used by law enforcement agencies to identify you if they have additional DNA data to compare to your Data," the company notes its informed consent clause, which testing companies use to shield themselves from future liability.

Read more: Use of DNA in serial killer probe sparks privacy concerns

—-

Unless customers request otherwise, Ancestry adds people's DNA data to its proprietary database, the largest of its kind. In a mere six years, the database has grown to include DNA from more than 5 million people, up from 2 million in mid-2016, according to company figures.

Ancestry not only stores people's genetic data, but the raw DNA itself. After labs such as Illumina extract a small amount of saliva from the tubes for analysis, the remainder of people's biological sample is returned to Ancestry's custody. Where that DNA is stored, and how long it will be stored, is unknown. Company officials won't say.

Ownership of this DNA has been source of controversy, for Ancestry and other companies. Last year, privacy lawyer Joel Winston wrote an article, re-posted on ThinkProgress, which criticized Ancestry's terms and conditions, arguing they give the company a free license to exploit people's DNA for the rest of time.

"Customers must understand that turning over their DNA means a loss of complete ownership and control," Winston wrote. "Ancestry.com customers should also know they're giving up the genetic privacy of themselves and their relatives."

Ancestry reacted strongly to the article, with Heath, the company's chief privacy officer, calling it "inflammatory and inaccurate." Soon after, Ancestry updated its terms and conditions, clarifying its does not "claim ownership rights in the DNA that is submitted for testing." The company, he added, needs to obtain a license from customers to provide the product they purchased.

Winston, based in Pittsburgh, said he was surprised at the company's strong pushback, but asserts the upshot is still the same.

"Ancestry's terms and conditions are long, and somewhat boring, but people should read them," he said. "They make a big deal of stating that you own your DNA. But they are taking a worldwide, perpetual, royalty-free license to do what they want with your DNA and your actual genetic sample that they keep in storage."

Ancestry allows customers to request their DNA analysis be erased from the company's database after results are received, and also request destruction of their remaining biological sample. But it is a two-step process, and customers must read deep into the company's privacy statement to learn how to do it. Requests for DNA data elimination can be made online, but the company asks customers to call its support center to request destruction of their biological sample.

"They don't make it easy," said Pitts, of Center for Medicine in the Public Interest. "One thing they could do right now is have a button right next to the "I accept" button that says please destroy my genetic information after obtaining results. That would be a very robust statement and the step in the right direction."

Jennifer Lynch, a lawyer with the Electronic Frontier Foundation, another watchdog group, said a major concern with Ancestry and other DNA testing companies is whether their policies will change over time, with new ownership and management. Future owners could change privacy protections, she said, including Ancestry's promise not to share personal data with insurance companies.

Ancestry officials insist that will never happen, for business and other reasons. But the company's terms and conditions, in boilerplate language, make clear that the company's policies could change in the future. The company says customers will be contacted about any changes, and then will have the option of canceling their accounts. But if they don't notice or don't opt out, any changes will become effective 30 days after notification.

"We have the right to modify these Terms or any additional terms that apply to a Service at any time," the company says.