This disaster is the perfect counter-argument to those always saying "why do you care so much about privacy. It doesn't affect you when I share things. You can just choose not to do it", except no, I can't choose when we're relatives and you chose to share our genome.
It is so obvious that your relatives sharing their genomic data with 23andMe reveals a lot of information about you. We can only hope people will realize that this also holds true for collecting behavioural data on other people sharing the same background as you.
I'm in favor of privacy, and I'm willing to go more out of my way to not share than the vast majority of people, but I'm also in favor of individual choice, and I can't think of a privacy model that would disallow other people from sharing their information just because you have some matching information.
FYI, the police are able to find criminals now by finding DNA sequence similarities with your relatives. Not saying this is good or bad, I am just saying you don't know the extent of the impact to your personal freedom when your relative's DNA is shared.
I can help track down distant family members who have committed crimes? Sounds like a plus.
I think the angst about this comes from men who don't want their status as fathers of illegitimate children (or, rapists when they were younger) unmasked.
It's no longer so easy when the definition of "crime" gets expanded. Let's take this scenario:
- you're a first generation Chinese immigrant in the US
- a nephew of yours is in China and critical of the CCP
- you decide to have your genome scanned into 23andme or whatever to determine if you are at risk of genetic illness
- your nephew sprays an anti-CCP tag on a wall somewhere
- the Chinese police gather DNA evidence from a laxly discarded spray can, but don't have fingerprints so they can't immediately link the can to your nephew
- the Chinese government, either via a legal subpoena or via espionage, gets its hands on your genetic profile from the genetic analytics company
- the Chinese government finds your data, now knows that the sprayer must be related to you in some way, and forces everyone in your family to submit to a DNA test
Sounds dystopic? Yes. But this is exactly where we will be headed. Police here in Germany already do DNA tests on petty vandalism [1].
[1] https://www.fuldaerzeitung.de/fulda/fulda-bahnhof-neuhof-dna...
It's precious that you imagine not getting your DNA sequenced will provide any sort of shield against dystopian governments.
This sort of thing looks more like a psychological crutch than an actual effective action.
That’s not what the comment was driving at. At all. It’s about how data you think is innocent can be used in a manner you never thought about nor intended for dark purposes.
Fair. On the other hand, I'm a bit surprised that anti-immigrant forces in the US haven't made DNA sampling compulsory for new immigrants. The argument would be these would be harder to track down by these techniques, because the ancestry information is not as available, giving them an "unfair" advantage over white Americans.
I don’t think that fits with how people on this side of the pond think about immigration.
It fits with how some people think about immigration on either side of the pond. That some is close to 50% on the western side of the pond.
The US does do DNA collection for anyone it detains whether they end up being granted legal status or not.
They were processing so much DNA that they had to write a special rule allowing border agents to _not_ collect it if it would cause operational difficulties to do so.
https://www.federalregister.gov/documents/2020/03/09/2020-04...
I actually had intended to point out the dangers of "scope creep". Everyone is happy with a lot of pretty invasive stuff - dragnet surveillance, targeted surveillance (i.e. bugs placed in a suspect's home/car/computer/phone), DNA and fingerprint mass tests, no-knock raids - in severe crime cases such as terrorism, murder, rape, child sexual exploitation or abduction. So far, so good, and almost all Western countries have had such provisions for decades that were introduced under the premise "it's only going to be used for <prior list of severe crimes>".
But in recent years, the scope of said "severe" crimes list has expanded massively, across the Western world, driven by both powerful industry lobbies (such as the copyright cartels) and "concerned citizens" aka authoritarians in disguise... and now you got a DNA investigation for about 4.000€ in damages of broken glass and a ticketing ATM. No matter what: this scope creep is not justifiable.
On top of that comes the risk of "what if our governments and the tools/data they and society (both in the form of individuals and companies) possess fall into the hands of authoritarians". For a long time this risk has been laughed off, but nowadays both the far-right (in Europe and the US) and the far-left (in Southern America) have seriously raised the probability of such a scenario.
Why is DNA investigation supposed to be limited to "severe" crimes? It's just another investigative tool. The idea that it should be limited implies there's something sordid about it. Why should I accept that implication?
An amusing thing here is that the arguments against DNA were also made against the use of photography, back in the 1800s. At some point people have to realize that personal unease is not an argument.
That's not how it works though. If you find enough other people that have the same uneasiness, then you can form groups that get people elected to make rules that force everyone else to comply with your uneasiness.
I beg to differ. The fact we're even having this discussion means not everyone is happy with the situation. Maybe Stockholm Syndrome has kicked in for you, but I'm still resisting
Why do you make this issue gendered, and if you do, why would it impact only men who are fathers of illegitimate children, and not cheating mothers?
'Cause in the case of a cheating mother, it is clear she is the mother. And to confirm fatherhood of husband or partner, no external registry is needed or helpful.
The mother will already be connected to the child. The father is what would be needing tracking down.
I mean, wasn't that completely obvious?
Well they can narrow it down to the family, unless it was the very DNA giver that left that DNA sample on the scene of the crime.
And since 23andme (as I assume others) don't do these anonymously, there is no hope. Unless people use someone as a proxy (i.e. I-1 give my sample to a male colleague to send it as his-2, he-2 gives his sample to someone else to send it as his-3, and so on..). Police would eventually find the guilty in case of a crime, but the 23andme's of this world will be selling confusing (wrong) data.
There are plenty of cases where DNA is found at the crime scene, run through a database, match is found with a relative. Then the cops start looking at the family and boom there's your shady uncle with priors they got their guy.
Yes it has come up a few times on forensic files usually on cold cases.
If this was someone trying to fly under the radar by using this scheme to buy burner phones or some such, sure. But this is literal DNA, so even in your attempts to obfuscate, they’d know the name and the sample do not line up, but then be able to link the sample to a family and then figure out who you really are
I can think of an easy model. Disallow collection of personal information. Pull the rug out from under "services" which are really just data collection fronts turning a profit from selling your data instead of the primary service/good for money transaction.
23andMe could still have operated legally under this scheme. They could have done the analysis and sent you a printed sheet. But no, they had to store everything to be able to double dip by selling the data to pharma companies and whoever else would pay for it.
If you can't turn a profit without underhandedly selling your users' data, you deserve to fail.
What about people who would want to donate their data to further the research?
They can enrol in studies at actual (non-profit so they don't benefit from selling data, probably publicly funded) research institutes.
Non-profit in the US is a tax status. Many CEOs of non-profits enjoy multi-million dollar salaries and bonuses.
They are frank about also selling the data for research, it is not underhanded. It's even opt in...
For example, they talk about it on this page, which is linked from the about menu (so available with pretty small effort): https://www.23andme.com/research/
I expect lots of people also like that they get updates when information about new markers becomes available.
I trust them to opt me out, not at all. It's safer to just assume your data is being used, regardless, because it's free money to them. If/when they get caught selling data marked as Opted Out, they'll get a pittance fine, paid with other people's money and bonuses for making numbers that quarter.
You're welcome to trust them, but not I.
It's all about the money, always. So not gonna happen.
Could they tho? The ancestry analysis itself is based on the data of other users in other parts of the world?
Nobody has perfect 100% individual choice/freedom. By itself, maximizing for it is a non-argument. The best explanation I've heard is that "my rights end where yours begin (and vice versa)". That is not an easy line to draw, so the debate becomes where exactly do we, as a society, decide to draw that line. (Noting that this also is never a singular, fixed answer)
Even without defining a specific model around how genetic data should be handled, I think it's more than fair to say that most people right now don't even consider how their choice to sign up for 23andme might affect their relatives (already born or otherwise). Even if they do, in my experience, it's only to a very surface-level degree.
But if it's genetic information, it's not your data alone. It's your data, your parents' data, your children's data etc.
While I agree it's a perfect counter-argument to that, is that what people always say? I'm not sure I've heard that argument as much as "why do you care so much about privacy?" full stop. As in, they don't really understand why anyone should care about privacy. And this isn't really a counter argument to that, any more than any other breach. And to be fair it's not really even a counter argument to that until you show the harm that came from it. What do you think will happen to people who had their ancestry data stolen here?
I think the more common one I've heard is "Why do you care about privacy if you have nothing to hide?"
In the case of 23andme, it's a perfect answer: We don't know what's hiding in our DNA and I don't know how people will use that against me in the future.
So, the reason for privacy is because the profit motive of capitalism is not sufficiently restrained as to protect citizens from being abused by corporations?
Be careful you don't break something with those gymnastics.
The immediate concern I had with this story is nefarious groups or individuals purchasing this data to target people with violence based on their ethnicities. Imagine if the genome of millions of Europeans was available on the black market in 1930s Europe.
Considering one of the hacker's first actions was to offer for sale data identifying people of Jewish or Chinese descent I think that's a very valid concern.
Did anybody actually buy it though? This could be misdirection, or just misguided marketing based on historical instances of abuse. China isn't known for trying to repatriate descendants, and it's not exactly difficult to find Jews.
Ancestry data would certainly be of interest to a particular demographic known to discriminate by caste. There's no escaping your low-class heritage when anyone can look up your stolen DNA profile on the black market.
"not exactly difficult"...
I'm not Jewish, but I feel like there's some sort of reason for them not wanting a list of who they are and where they live to exist.
Or a rival country could create a virus that targets 80% of their enemy's population and only 20% of their own.
This is tin-foil hat nonsense.
Unless you speak Kikongo.
It is becoming far easier than you are aware then. Sam Harris and Rob Reid discussed it at length a few years ago.
https://www.samharris.org/podcasts/making-sense-episodes/spe...
How do you make the leap to it being an issue of capitalism? There are plenty of bad actors who could use this information (or other hacked info) who are not a corporation seeking profit.
Capitalism isn't about corporations, it's about capital.
Like North Korea which by far has the most state sponsored cyber thugs per capita.
My go-to is "what if literal nazis come to power and use this information to kick-start their eugenics program", but I guess rampant capitalism is also on the threat list.
There are already businesses that practice eugenics based on illegal data like this or illegal maps
Sounds like an absolute treasure trove for a life insurance company. Or, would you disagree?
Yes, but one would hope that if an insurance company was caught using stolen data to calculate the premiums, that would be the end of that company and jail time for management (like the leaders of VW responsible for the emissions testing cheating).
Funny! We all know it would be a lone rogue engineer that did it in the end and management would apologize on their behalf.
That assumes they do so in a really stupid and straightforward way. LLMs already exist to "AI-wash" copyrighted material in ways that technically don't violate copyright. I'm pretty sure someone will find a way to create a dodgy shell company around a foreign B2B service that recycles this data for them in a way that is technically legal to use.
"Feed personal data into this service and it'll spit out a risk assessment based on a model built on 6.9M historical health data sets."
I'm not sure I've ever heard anyone I know mention privacy at all, as if they're totally ignorant to it. In reality, the majority of people will just let Google or Microsoft do whatever with their personal information as long as the product or service is slightly more convenient than the last one.
You are not likely to see the statement you are discussing unless you firstly somewhat frequently get into a situation where someone says something like "why do you care so much about privacy?" and then attempt to debate the issue.
It is not necessary to show actual harm from this breach for it to defeat the tacit premise behind the statement you are discussing, which is that their profligacy with their personal data cannot, by itself, reveal any of your personal data.
Do you talk about family problems with all your neighbours? With strangers?
How would you feel when your employer knows everything you did last night?
I wonder if that could be used as a list of possible organ donors. I don't know what else (data) is stored there tbh but if it helps narrow down to find a kidney or heart for someone rich...
Maybe we all shouldn’t be so quick to create bad ideas.
Right, like the person posting an idea on an Internet forum was the first and only person to have that idea. Security through obscurity does not work. It’s much better to open up the curtains and let the sunlight in. It’s the best disinfectant. At least then everyone is working with all of the information.
Blinds open btw. I’m picking up what you are gracefully throwing down but not without checks and balances.
My checks are bouncing off the heavily skewed balance. These internet posts are pretty much the only "checks and balances", and they do diddly squat.
Written word anywhere always records to the record.
Touché, although people often identify what pharmacy they prescribe to with parroting other people’s phrases.
Personally speaking, I think Equihax was the better counter-argument; at least with 23andme YOU as a customer had to DECIDE to use their services and weigh the pros-cons of doing so, with Equihax I was forced into a rating system to determine my eligibility in a system that hoovers up any and all data sold to them by 3rd parties and holds all my personal information in order to complete anything from a loan application to a job application.
And when found to have been breached no effective recourse was made, and instead of admitting fault to a very high probability of Identity theft being the end result a token 'credit system monitoring' service was offered, which once again relies on these credit agencies who share/distribute this information without my consent and created the problem are let off scot-free and never suffer any consequences.
In short, it's a naive argument made from often ignorant and self-defeating practices that make others worse off because of their complacency and refusal to take privacy seriously.
Completely true. However, Equifax was probably hard to wrap your head around. Whereas 23andme might seem a lot more personal and private to the average person. Of course, nothing is likely to come of this regardless.
Not identity theft. Libel. There's a high probability a bank will libel people whose info Equifax leaked. They'll do that because they depend solely on the same (largely public) data companies like Equifax collect to identify loan applicants.
To clarify, genomic data was not reported stolen. It sounds like the breach was about genealogical data.
The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
Yes, and remember that data is commonly widely shared. Because it's mostly about long dead people?
The real breach is for recently deceased people (here the time span varies greatly, but dead for ~100 years is definitely enough if you ask me) and for living people. Actually in Sweden the death info is publicly available generally right away, more or less. You can buy USB sticks with ~all deaths up until very recently.
Agree. Alternatively: how much do you earn? Do you mind if I read your physical mail? Can I have a key to your home?
I think it is difficult for some people to think about abstract ideas. When you bring it to the physical world everyone understands it is vexing.
I guess I'm feeling a bit philosophical today, but in some sense, aren't we all part of a shared data structure given that we are all somewhat related? While there are a few bits that make us individuals, there is much that is shared to the point that privacy doesn't seem truly possible.
Nobody will listen to your counterargument. They don't care.