Genealogist’s Guide to Protecting Online Privacy

By Dana McCullough


Personal information isn’t so private these days, is it? Companies routinely ask for email addresses and track online clicks. Many genealogy research websites require users to register their names and email addresses to use even the free areas of the sites. Family trees are posted online for the entire world to see, and genealogy discoveries are shared via social media. It’s amazing that there’s any privacy left in the modern digital world. It’s also amazing when you find a person who hasn’t had his personal information breached: a credit card number stolen, an email account hacked or an iPhone—packed with personal data—stolen or lost.
The good news: You can take many common-sense steps to protect your online identity and reduce the chance you’ll be the next target for a scammer, hacker or identity thief. To help you protect what little privacy you have left as consumers and genealogists, we’ve rounded up 10 things you can start doing now to protect your privacy—and the privacy of your family—while still balancing the desire you have as genealogists to openly access and share information. 

1. Review privacy policies.

Before registering to become a member of a website, read its privacy policies and statement of terms and conditions. We know this can be a bit time-consuming, but the privacy-related information buried in this fine print is often overlooked. Look for links to privacy policies and terms of use in small type at the bottom of most websites’ home pages. Some genealogy sites may allow you to limit public viewing of information you add, while others automatically make your profile and/or your tree public. Some sites let you delete data you posted if you change your mind about sharing it online; others don’t. A genealogy website may post your email address publicly so other users can contact you.

For example, the privacy statement at Find a Grave provides information on how the site uses your personal information and how you can manage privacy settings, such as who can see your email address or send messages to you. Users of FamilySearch essentially give the organization permission to use their photos, documents and information they post in any way it chooses (see FamilySearch’s content agreement).
What else should you look for when you review privacy policies and/or terms of use? According to Ted Claypoole and Theresa Payton, authors of Protecting Your Internet Identity (Rowman & Littlefield Publishers), watch for terms such as “affiliated companies” or “marketing affiliates.” Those terms mean the company might share your information with or email you on behalf of third parties. The policies may describe how you can opt out. Contact the company with any questions about the policy.


Before registering or posting content, ask yourself: Does the website sell your information to third parties? Do you grant rights to any information or photos you post on the site? Does the username you choose or email address you provide appear publicly on the site? Stay informed on privacy policies, especially as they apply to genealogists, by following such blogs as The Legal Genealogist.

2. Set strong passwords.

Year after year, people set passwords such as password, 123456, qwerty and abc123. If you’ve created such an obvious password on any site, change it. Now. In most cases, a password is considered strong if it uses a combination of letters and numbers, uses both uppercase and lowercase letters, doesn’t use real words (those that appear in a dictionary), doesn’t use names associated with you in public or online records, and doesn’t include your user name. When allowed, use special characters (such as &, * or %) to strengthen your password.

Passwords to Pass Up

The following are among password managing company TeamPassword’s list of the worst passwords in 2019 because they’re so common and easily guessed.



For genealogists, setting a strong password also means avoiding your mother’s maiden name, surnames in your tree or relatives’ birth dates, since that information could be within reach in your online tree or a recent obituary. Nor should you use information available in public records (including your address). Avoid using family data like this in security questions the site might ask you to set up, too.

If a website offers two-step authentication for logging in, use it. Requiring a dual means of identifying yourself will help protect your account and your privacy. Also, don’t use the same password for every site. If you need help remembering your passwords, consider using a free password manager such as LastPass, Dashlane or Norton Identity Safe. These services remember all of your passwords for you, and then provide you a single, extremely strong password you use to access your online accounts.

Finally, never tell your password or other personal information to someone you don’t know via email or phone. Scammers or phishers may use information you share to gain access to your computer or accounts. For information on the latest scams and tips for avoiding them, see, a website run by Steven Weisman, the author of The Truth About Avoiding Scams and 50 Ways to Protect Your Identity and Credit (both from FT Press).

3. Avoid sharing living relatives’ information.

Protecting your online privacy includes respecting the privacy of your living relatives. Even those who love you most may not want their photo (or their child’s) posted on your Facebook feed or genealogy blog. They may not care to be listed in your online family tree, even if the web host has policies against showing living persons’ information publicly. Your family members might object to you sharing their personal or contact information with anyone they don’t know, including distant relatives and fellow genealogists, without permission. Bottom line: If you do want to post living relatives’ information online or share it with others, always ask first.

Another type of sensitive family data is your health history. With test-takers’ permission, genetic genealogy testing services AncestryDNA and 23andMe both supply anonymous DNA data from customers for medical research. At press time, AncestryDNA was beta-testing a feature called AncestryHealth, where you can document which relatives suffer from what specific health conditions. 23andMe also asks customers about family health data. While both sites let you opt out of participation in medical research and offer privacy protections if you do participate, it’s important to read all terms of use and continue to monitor how your DNA data is stored and shared.

4. Lock your digital devices when not in use.

Ever set your smartphone down for just a minute, and then return to the room to find your 5-year-old grandchild sending a text or playing Candy Crush? Mobile devices left unlocked may expose your personal information not only to other family members, but random people who are using an archive or library, especially if you leave your device unattended by your pile of research notes while you grab another microfilm or book. Some devices now use fingerprint technology, while others use a password to allow you to unlock your device. Go into your device’s settings to set up a code to unlock your device, as well as set up how long your device should remain unlocked when inactive (the shorter the time frame, the more secure).

In addition, don’t store sensitive personal information—such as your tax return, bank account numbers, credit card number or lists of passwords—on your mobile devices or laptop. You never know when you could become a victim of “Apple picking” when you’re on the go. 

5. Be careful with email.

It’s important to have a dedicated email address for personal use, even if setting one up seems like a hassle initially. Never use your work email to send personal or genealogy emails: Your employer can access those emails at any time.

Even if you do already have a personal email address that you use for correspondence with close family and friends, consider creating a separate Yahoo! Mail or Gmail account for just genealogy-related items. Use it when leaving a message on a public forum or contacting a potential relative; this will help keep your genealogy messages organized and separate from your personal email account.

Don’t fall prey to email phishing scams. Don’t open messages from senders you don’t recognize, or attachments you weren’t expecting (even when you do recognize the sender). Don’t respond to emails from a bank or the IRS asking you to log in and check your account. If you’re not sure whether a message is a scam, Google the subject line to look for warnings about it. 

6. Use website messaging tools instead of email.

Sites such as, MyHeritage and FamilySearch have built-in tools to allow you to communicate with other genealogists without having to give strangers your email address or personal contact information. When genealogy websites offer user-to-user messaging, use it rather than providing your email address to people you don’t know. Just as with online dating sites, you never really know who’s on the other end of that communication.

7. Opt out of browser tracking.

Ever notice how when you look at a product on a website, you’ll see an ad for it on the next site (and the next one) you visit? It’s like the product is following you around no matter where you go on the web. This is called retargeting, and marketers use it as a tool to try to get you to buy their products. They also use it to gain more information on the websites their site users visit. If this type of tracking creeps you out and you don’t want to be tracked from site to site as you surf the web, you can opt out of it.

Visit to find out which companies track your online activity and to opt out of tracking from participating companies. For more protection, check your web browser’s settings or preferences (look under the browser name, such as Chrome or Firefox, on the top left of the screen) and adjust any tracking preferences available. Then download and install a tool in your web browser that opts you out of tracking. Options include AdBlock Plus, DoNotTrackMe, Ghostery and PrivacyFix.

Companies track your activity on your mobile devices as well. Be selective about the apps you download, and stick to those from a trusted app store such as iTunes, Google Play or Amazon. Install security software on your phone or tablet to combat spyware and malware.

8. Check (and adjust) privacy settings.

Once you post something on social media or a genealogy website, consider it online indefinitely—even if you delete it later. This is especially true if you haven’t set up privacy restrictions on your account. To help control who can see the content you post online, use site-specific privacy settings or preferences. For example, has three privacy settings you can choose when you post your family tree online: public, private or unindexed (hidden). And while the WikiTree privacy policy says profiles of active members cannot be hidden, you still can control some access to your private information through the site’s privacy controls and “Trusted List” feature.

When you register for a social media or genealogy website, research what information about you will be available publicly. Then go to Account Settings (which may also be called Privacy Settings or Preferences) to set restrictions on who can see your information. On Facebook, for example, you can change your overall setting to private so only friends can see your posts, and you can opt to disallow search engines from finding your profile. On FamilySearch under Settings, you can adjust what contact information (your real name, email address, mailing address, phone number and country) you want to keep private or share publicly.

If you use geolocating apps or sites such as Foursquare or geotagging on Facebook or Twitter, others will know your whereabouts in real time (or at least at the time you posted)—including when you’re not at home. Enter your Twitter handle at online oversharing awareness site to see whether your check-ins are visible.

The moral of this story: Avoid posting your current location on social media in posts or in geotags—even if you’ve set privacy restrictions. Think twice before posting that you’re leaving tomorrow for the Family History Library, and wait until you return home to upload photos from your trip to your ancestral homeland.

It’s also a good idea on Facebook to ignore “clickbait” posts (“You’ll never believe what happened next!”) and “like farming” posts (which ask you to like or share a sympathetic photo, such as a sick child). Clickbait can lead to websites embedded with malware links. And once like-farming scammers have gained enough popularity in the form of likes and shares, they can change the page to contain scam advertising or use the page as a platform to spread malware. Now also might be a good time to unlike any pages and delete any apps (look under settings) you don’t recognize. 

9. Keep software current.

Make sure your device’s software (including antivirus software), web browsers, plug-ins and mobile apps are up to date. Newer versions of this software often include security updates that are critical for protecting your devices and private information. When your device, software, app or other tool tells you that new updates are available, take a moment to install them. 

10. Secure your wireless internet network at home and on the go.

Your at-home wireless router should come with instructions for setting up a secure network. Be sure to change the router’s default password, too.

With free internet access available almost anywhere today, from coffee shops to libraries, it’s tempting to use that connection rather than your device’s data plan. But beware: Most publicly accessible wireless internet networks—particularly those that are free—aren’t secure. If you’re browsing the internet on one of these unsecured networks, someone at another table in the coffee shop or in the library parking lot could intercept your passwords, credit card number and other information you transmit.

To increase your security on public networks, sign in to all sites using an SSL connection by typing https:// at the beginning of the web address. Turn off your device’s WiFi when you don’t need it, and avoid online shopping or banking.

In addition, because unsecured public wireless networks are vulnerable to network attacks by hackers, you should protect your laptop’s security with a firewall program. A firewall is software that helps filter out hackers, viruses and worms. Anti-virus software companies offer a range of options for this protection. Alternately, you can use your smartphone device as a WiFi hot spot to access the internet while you’re out and about. While this will be a drain on your data plan, it’ll help you avoid the risks of sharing a network with untold numbers of unknown people.

Even if you follow these 10 measures to amp up your privacy online, remember that there’s no guarantee your information won’t be hacked or breached at some point. But the more vigilant you are about protecting your personal information, the safer it should be.

Tip: Review privacy policies carefully. Where possible, consider opting out of having your personal information shared with third parties or on a website.


A version of this article appeared in the May/June 2016 issue of Family Tree Magazine.