23andMe updates their TOS to force binding arbitration

deckeraa
74 replies
20h12m

The more TOS I read through, the more it seems we need a "common law" solution. (I use the term "common law" loosely here) Something like a couple of pre-defined categories for software services (e.g. info provider, social network, real-world interface) with pre-set rules (e.g. the client cannot attempt to break the social network; the owner of the social network cannot re-sell data to a third party).

We have something like this for brick'n'mortar retail already -- each store can't just make up their own rules but rather has to operate within a societal framework.

The system we have right now leads to every corporation being incentivized to claim as much legal ground as possible in the TOS, leading to a de-facto corpo-state. It also undermines the rule of law in a cultural sense since many things in the TOS may be deemed unenforceable when actually challenged in court. The users will always be in a severely disadvantageous bargaining position.

crote
41 replies
14h35m

Until your country actually implements laws like these and Hacker News starts complaining that it is "business hostile" and "stifling innovation".

There are plenty of European countries which already have some laws like these. When I buy something on the internet, I have 14 days to return it if I don't like it. I am guaranteed to have a reasonable warranty. Companies cannot abuse my personal data without explicit consent. And indeed, forced binding arbitrage is also not allowed.

There is no need to mandate a template ToS, you just need basic consumer protection laws.

logifail
15 replies
13h46m

> When I buy something on the internet, I have 14 days to return it if I don't like it

One (unintended?) consequence of this is that as a consumer, you cannot buy an annual digital motorway toll pass in Austria with immediate validity. The earliest your pass can start from is 18 days from the date of purchase.

"Customers can withdraw from the online purchase of a digital vignette within 14 days. Taking into account a further three-day period for mail, your digital 2-months and annual vignette is only valid from the 18th day after purchase."

https://www.asfinag.at/en/toll/vignette/digital-vignette/

How glorious that it's necessary to include 3 extra days to cover the potential delivery time of postal mail in the event of a return for an entirely digital product :/

The workaround for this - which I discovered last time I drove a rental car in Austria - is to tick the box that says "I'm a business, not a consumer". You don't need to prove you're a business, just to tick the box. Consumer protection nullified, can purchase product valid immediately.... <sigh>

cjrp
3 replies
12h41m

Can't the rental car companies sell you a physical vignette when you pick up the car?

pjmlp
0 replies
11h35m

I can't speak for Austria, however that is exactly what happens in Portugal and Switzerland.

In Portugal, we use digital ones (Via Verde) and they are activated at time of purchase.

In Switzerland, physical vignettes are always available on rented cars.

orangepurple
0 replies
7h30m

You can always buy a physical sticker at the gas stations near the border

logifail
0 replies
11h32m

If you collect a vehicle in Austria it's almost certainly already got a vignette (pretty tricky for the rental company to operate an Austria-registered vehicle without one).

If you collect your car in Germany, as I did, and drive it over the border yourself then you almost certainly won't get one (although I've ever been lucky!) so you need to purchase one (physical or digital) before (or as) you cross the border.

mimischi
1 replies
13h29m

Aren’t you able to buy a sticker vignette at just about every stop kilometers away from the Austrian border, as well as inside?

I get your point that the digital one has to jump through hoops due to these regulations, but there are alternatives if you need one /now/

RyanHamilton
0 replies
13h1m

Yes, there are.

giik
1 replies
11h50m

This is no longer true, I believe (starting Dec 1 2023). You can buy the vignette online starting immediately.

logifail
0 replies
11h28m

> This is no longer true, I believe (starting Dec 1 2023). You can buy the vignette online starting immediately

If that's true then it's possible that Asfinag (the toll agency) haven't updated their website. On trying a test purchase just now to buy a two-month or annual pass it still states:

"I'm a consumer

Digital 2-month vignettes and digital annual vignettes purchased today are valid from 25.12.2023 at the earliest due to the right of withdrawal when purchasing online. All other toll products can be used immediately. (More info in the FAQ)

I represent a company

The right of withdrawal does not apply to commercial customers; purchased digital toll products are therefore valid immediately. (More info in the FAQ)"

X0Refraction
1 replies
13h11m

Strange, I would have thought a pro rata refund would be allowable in these cases. I'm pretty sure that's how it works with insurance so I'm unsure why a toll pass would be any different.

carstenhag
0 replies
9h4m

Because they only sell them for durations of 10 days, 2 months and 1 year. So if you only need to cross the country for 5 hours, they would lose a lot of money.

NeoTar
1 replies
11h57m

Interesting though, that's not what the regulations say - DIRECTIVE 97/7/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 1997 on the protection of consumers in respect of distance contracts

https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A...

3. Unless the parties have agreed otherwise, the consumer may not exercise the right of withdrawal provided for in paragraph 1 in respect of contracts:

- for the provision of services if performance has begun, with the consumer's agreement, before the end of the seven working day period referred to in paragraph 1,

logifail
0 replies
11h30m

> Interesting though, that's not what the regulations say [..]

Of course they don't, but thanks for the specific link!

The "gold-plating" - or indeed misunderstanding - of EU regulations has a long and (in)glorious history.

Detrytus
1 replies
11h51m

Some online services simply ask you to waive your 14-day return right if you want to start using the service immediately. Not sure why they won't do this in this case.

ponderings
0 replies
7h26m

In NL you don't get your 14 days on remote purchases when it doesn't make sense. You can't purchase a game, play it and return it. You can't eat the food. You can't wear the dress, etc.

If the 14 days do apply you have to inform the customer about it or it turns into 12 months.

RandomLensman
0 replies
12h42m

You can buy digital goods for immediate use in other EU countries as a consumer - this sounds like something more specific (is it actually even the same in Austria for things like an e-book?).

timthelion
6 replies
11h50m

Having grown up in the US, my absolute favorite law in Czechia is the one that says the advertised price has to equal the price on the bill. In the US, you get a $20 cell phone plan and the bill is for $60 after fees. In Czechia the price is always exactly as advertised.

timthelion
4 replies
11h48m

Another great one is that text size has legal meaning here. The larger/darker the text the greater the legal weight. So if the contract says two contradictory things, the larger text wins out...

conjectures
1 replies
9h8m

A bold move. I like it.

anshorei
0 replies
6h9m

A *bold* move indeed

ajsnigrutin
1 replies
8h0m

Is that actually the law? Can I get a link to that? In Slovenia we have a "suggest-to-government" website, and I'll put the working example there and hopefully at least gain some traction somewhere

timthelion
0 replies
2h11m

Yes and no. The Czech law is very vague saying that contracts must be written in good will and be understandable by the signatories. It is the Czech supreme court which wrote up a legal test for understandability which you can find here https://www.epravo.cz/top/clanky/absolutni-zakaz-smluvnich-p...

I've translated the test using deepl:

Translation results

"In practice, the principle of fairness is manifested, inter alia, by the fact that the text of a consumer contract, especially if it is a form contract, should be sufficiently legible, clear and logically organised for the average consumer. For example, contractual terms must be of sufficient font size, not be significantly smaller than the surrounding text, and not be set out in sections which give the impression of being irrelevant. This principle of fairness also applies to the application of general terms and conditions. As stated in paragraph 9, general terms and conditions may also be applied in consumer contracts, but such application is subject not only to the formal limitations mentioned but also to restrictions as to content."

sofixa
0 replies
8h55m

To expand a bit, this isn't Czech-specific, in fact it's the norm across most of the developed world.

mcpackieh
4 replies
11h53m

> Until your country actually implements laws like these and Hacker News starts complaining that it is "business hostile" and "stifling innovation".

Literally, so what? I don't understand your point. You can't be under the impression that all laws must be popular with all people, so what does it matter if some ancrap libertarians complain about it? This shouldn't stop the implementation of such laws.

acdha
3 replies
9h49m

It’s more than “so what” because those people aren’t coming from nowhere. American businesses spend a lot of money promoting libertarianism to this end, and it’s been effective enough that any reforms will face unified opposition from every Republican in Congress and likely some Democrats. Most of these are minority positions in the public but not in terms of legislative votes.

randomdata
2 replies
7h46m

> American businesses spend a lot of money promoting libertarianism to this end

American businesses would be the first one crying if they had to operate in a libertarian environment. In reality, they spend a lot of money to ensure heavy regulation that allows them to build moats.

acdha
1 replies
4h16m

They’re pretty fond of disclaiming obligations and not being sued in real courts, though. The key thing is recognizing that most of the libertarian media exists to serve the funders’ interests, not to promote a coherent ideology.

randomdata
0 replies
3h56m

What media is seen as holding a libertarian ideology? That is not a common bias. I do see the "consumers should have more choice" bent that you seem to be talking about more prevalently, but that's something quite different.

that_guy_iain
3 replies
14h14m

> There are plenty of European countries which already have some laws like these. When I buy something on the internet, I have 14 days to return it if I don't like it. I am guaranteed to have a reasonable warranty. Companies cannot abuse my personal data without explicit consent. And indeed, forced binding arbitrage is also not allowed.

This is because of EU laws. A lot of the best laws we have in European countries are because of EU laws.

I also suspect that this clause isn't valid in most of Europe.

concerned_user
2 replies
11h4m

You are correct, I cannot find where arbitration is forbidden in the directive; also, it is quite the opposite.

I think in this particular case we are talking about Directive 2011/83/EU of the European Parliament and of the Council on consumer rights.

Article 6(1)

(t) where applicable, the possibility of having recourse to an out-of-court complaint and redress mechanism, to which the trader is subject, and the methods for having access to it.

gpderetta
1 replies
7h47m

ADR is not forbidden. But it is regulated by 2013/11/EU [1]. In particular:

" (43)

An agreement between a consumer and a trader to submit complaints to an ADR entity should not be binding on the consumer if it was concluded before the dispute has materialised and if it has the effect of depriving the consumer of his right to bring an action before the courts for the settlement of the dispute. Furthermore, in ADR procedures which aim at resolving the dispute by imposing a solution, the solution imposed should be binding on the parties only if they were informed of its binding nature in advance and specifically accepted this. Specific acceptance by the trader should not be required if national rules provide that such solutions are binding on traders."

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...

that_guy_iain
0 replies
7h42m

And in some countries such as Germany the ADR clause has to be separate from the main contract.

robertlagrant
3 replies
13h16m

> and Hacker News starts complaining that it is "business hostile" and "stifling innovation".

Thinking in such simple terms is going to draw you to wrong conclusions. Hacker News doesn't complain. People discuss things. Different people have different opinions. And if they did - so what? You're phrasing this as though people talking on Hacker News would somehow overturn common law.

> There is no need to mandate a template ToS

The post didn't mention this.

j_maffe
2 replies
10h12m

I think GP was a valid comment about how people propping up business hostility is one of the main reasons consumer law is very weak in the US. Of course, people are allowed to have opinions. GP is arguing what the results of one of these opinions are.

robertlagrant
0 replies
8h36m

> GP is arguing what the results of one of these opinions are.

I'm saying HN is not the homogenous group the phrasing implies. I wasn't saying GP was implying people can't have opinions.

acdha
0 replies
10h0m

I’d also use the comparison between what was claimed about EU regulations in the UK during the years leading up to Brexit, and subsequent developments. The money spent promoting those false claims was effective.

throwaway2037
2 replies
13h55m

Australia also has very strong consumer protection laws. I'm not an Aussie, but many come here and tell us about it. It doesn't seem to scare companies away from doing B2C business in Australia.

Intermernet
1 replies
13h8m

As an Aussie, I can say that our consumer protection laws are awesome. Some multinational / international companies have been bitten by them, but only because they didn't do their due diligence before launching in Australia.

They're really an example of laws designed to protect people. I've universally found that people who complain about them either don't understand them, or they're trying to take advantage of people.

I don't understand how other countries operate without similar laws!

sensanaty
0 replies
7h50m

IIRC, Steam famously had to implement their refund system after the Aus government threatened legal action against them. They ended up making the refund system global rather than Aus-specific, so cheers for that one mates!

georgedegennaro
0 replies
10h43m

Only 14 days? You don’t get the gift card after the return in your country?

dimmke
0 replies
9h15m

The problem as I see it is that the internet gives businesses the ability to operate globally, but having to be in specific compliance with different laws from every single country (or group like EU) is really challenging and in some cases the regulations are misguided (I think the rise of cookie consent banners is one of the crappiest things to happen to the internet as a user)

And that does make it hard, especially if you want to start an internet based business without a ton of money. It adds a huge barrier to entry. Whereas existing players can take on the burden of complying etc... further solidifying the position of very large tech companies.

I do agree that basic consumer protection laws are needed, but one overzealous piece of regulation really can cause a lot of problems.

bushbaba
6 replies
19h20m

The easy answer should be TOS that are not non lawyer readable or not under N paragraphs are not binding. When you buy a house you don’t give 1 signature. You literally sign every friggen page including multiple places on the same page, TOS shouldn’t be different

kelnos
1 replies
15h14m

To be fair, I expect many people don't actually read every page of the stuff you have to sign when you buy a house, either.

carstenhag
0 replies
9h2m

Ironically in Germany there's a notary that reads out every single word of the several pages of such a contract :D

Buttons840
1 replies
16h14m

Require companies to make a reasonable effort to ensure users have read the license.

Want to order some food from some new delivery website? Hold on, I just have to sit on this screen for 30 minutes pretending to read the EULA -- oh nevermind, I'll just go pick it up.

closewith
0 replies
9h56m

> Want to order some food from some new delivery website? Hold on, I just have to sit on this screen for 30 minutes pretending to read the EULA -- oh nevermind, I'll just go pick it up.

Well, that would be ideal, because in order to actually get users, the company would have to have very simple and reasonable terms. After all, that's the case for the vast majority of in-person businesses.

spacebanana7
0 replies
9h34m

Most consumers actively don't want to read ToS.

YouTube has a relatively short UK ToS [1] that doesn't require a lawyer to understand. This is impressive given the variety of copyright, monetisation, and content moderation rules it touches.

Yet almost nobody reads it, despite it being promoted on visitation to one of the world's most popular sites.

[1] https://www.youtube.com/static?gl=GB&template=terms

refactor_master
0 replies
18h48m

We all know how cookie consents turned out though.

space_fountain
3 replies
19h39m

I like this idea, but I think it's not flexible enough. Instead my overcomplicated dream is to allow companies to propose new TOS in a similar way to new top level domains. They can put in a lot of money and add TOS language to the approved list, but then anyone can use that language. Ideally the pricing would be such that only 10 to 50 unique TOS would exist at any point in time

rpmisms
2 replies
19h28m

So instead of the richest companies setting the standard for what a TOS contains.... The richest companies would formally set the standard for what a TOS contains.

space_fountain
1 replies
18h50m

I think the problem I was most interested in solving is maybe only somewhat related to this. I was frustrated that no one actually ever looks at TOS and so there is very little real informed choice happening. With a small fixed number it would be easier for audits and understanding to happen

rpmisms
0 replies
17h48m

The problem is that 99% of people will never read the TOS, period. South Park said it best in "Human Cent-iPad"

gen220
3 replies
19h41m

It's difficult because digital ToS are so tightly tailored to your business, and digital businesses are so malleable and formless.

If you went through the effort to standardize your ToS, it would only be "useful" to a tiny handful of businesses at specific points in their growth trajectory.

Regulations like GDPR are a top-down approach to the privacy component of a Terms of Service (i.e. there are only so many variations to the privacy sections within a ToS that comply with GDPR), but there are so many more components than just customer data locality.

That being said, as a privacy-respecting entrepreneur, coming up with a "user-respecting" (i.e. win/win, legible, minimally-demanding/withholding) ToS is a sizable challenge. It'd be nice to have templates. I basically resort to reading the ToS of companies I respect in similar verticals.

space_fountain
2 replies
19h38m

Is that true? Often ToS seem to mostly consist of boilerplate that's copied from business to business

nicd
1 replies
17h24m

Imagine there were a set of a few common terms that businesses could select, each with an icon, a high-level explanation, and the detailed legal copy.

I think there is a common set of those that would probably cover 80% of needs.

The remaining 20% could be "extended", custom terms for this company.

Such a system seems like it would make things much easier for consumers to understand, and also save legal fees for most companies. Maybe a good standard for a TOS-generator company to design and promote?

paulmd
0 replies
5h41m

In general the problem is not that the documents are not readable or comprehensible - I understand perfectly well that in legalese it says that the situation will favor the business in every possible legal fashion and if some of those are not legal the remaining document will favor the business in every remaining possible fashion.

The problem is they are contracts of adhesion that consumers don’t have a real interest or consideration in, other than the performance being conditioned upon your agreement, and which they do not have any ability to debate or modify or generally any recourse except to go to another business with an equally odious contract as a condition of performance.

They’re not incomprehensible, they’re unconscionable, and solutions tackling the former are missing the point.

The problem is that the same “lobbying” that produced the regulatory environment permitting such contracts to be forced upon consumers also precludes any real attempt to tackle the latter. Businesses would scream here if you forced them to follow standard consumer protections, and our system is oriented to favor their interests over consumers in nearly every possible scenario as well.

Another “continental” solution to this would simply be to outlaw contracts of adhesion or contracts in which the consumer does not receive a consideration (other than performance of the contract). If you don’t have a consideration it’s simply not a valid or conscionable contract, people don’t agree to give up money or rights voluntarily in return for nothing, therefore these contracts must facially be coercive.

bruce511
3 replies
18h21m

While I understand the looseness of your "common law" phrase, it's precisely the newness of the field that leads us to the lack of historical precedence (ie "common law").

So I would argue that we don't need "common law", we need "actual law".

The problem is that "law" is a subject that is very, very specific. Don't want them to sell "your data" - well then first you need to define what data is "yours" and what is "theirs". That might be harder than you think. (Do you own your social security number? Or did the govt lend it to you? Are public records considered to be public data?)

Privacy is just one corner. What about finances - can a service cut you off? What if you never paid for it? Can you delete posts? Can quotes from deleted posts still exist? Can advertisers target specific demographics?

The problem being that writing actual law for this stuff is hard. Writing law that will satisfy even a majority of people is near impossible.

So I hear your call, but I suspect you won't be happy with the law when they make it.

bangoimby
1 replies
17h26m

I'm not sure, IANAL but I would say that much of what a EULA or ToS covers is not that novel, companies skate by on technicalities, and a nontrivial portion of a typical agreement may even already be invalid but lacks case law. If companies weren't worried this might be true they wouldn't need the severability clauses. For example, disassembling or repairing items you paid for or duplicating legally owned copyrighted works for personal use (not distribution) were rights that were well established, but sprinkle in the right technology (even if it has no purpose other than to interfere with these rights) and suddenly it gets a pass. It's not a novel situation, it's a loophole to opt out of established law.

You are right that we won't be happy with the new laws, as so far and with the examples I gave new laws have mostly removed consumer rights, not asserted them.

anileated
0 replies
16h57m

> duplicating legally owned copyrighted works for personal use (not distribution) were rights that were well established, but sprinkle in the right technology and suddenly it gets a pass

True in more than one way; owning copyright to your works and being able to refuse/get paid for commercial distribution was a right well established, but a sprinkle of right technology and suddenly they can charge people to copy your work on demand with minor modifications for your own commercial use (while you get nothing).

barrysteve
0 replies
16h38m

The newness of the field has nothing to do with it. The internet and tech in general has benefitted from being outside the law and doing all the old illegal sales and marketing techniques, online.

We can get into the weeds on the detail of the law, and we'll find in the end it looks something like where we started with 'common' law.

Law doesn't need to satisfy the majority of people, most don't want or care about what the law says or does. The law needs to secure some core concepts of liberty, freedom and move on.

There's nothing new under the sun, it's a lot of work. Making small changes works better than thinking about an entirely new system.

m463
2 replies
16h25m

By law in California you can opt-out of binding arbitration in any contract for a short time after signing it. (30? 60? days? I am not a lawyer)

throwaway2037
1 replies
13h47m

This is interesting. Can anyone provide more details?

anon373839
0 replies
13h22m

Individual states don’t have the power to restrict arbitration agreements in this way. California has tried repeatedly, but the laws keep getting invalidated because they’re preempted by the Federal Arbitration Act, which requires that contracts containing binding arbitration clauses be enforced and treated the same as all other contracts. State laws that selectively disfavor or restrict arbitration agreements will violate this.

If this regrettable state of affairs is to be improved, it will require an act of Congress, unfortunately.

1vuio0pswjnm7
2 replies
16h49m

"... the owner of the social network cannot resell data to a third party)."

Not sure I understand. Social media operators do not sell data. They provide access to computer users, acting like a Trojan Horse. ("Our app is installed on millions of phones. Millions people use some individual's website to communicate with each other." Zuckerberg, Musk, etc.)

Perhaps "resell" refers to when social media companies buy data. What prohibits them from (re)selling it. Maybe the seller's terms would prohibit transfer to any third party.

m463
0 replies
16h24m

They don't sell it, they share it.

For example, I don't believe using Google Analytics or using a Facebook badge is selling data, but it is sharing it.

1vuio0pswjnm7
0 replies
1h14m

ulucs
1 replies
15h9m

How about a "continental law" solution? Usually you can't give up rights you do not have yet, so you can't sign a binding arbitrage clause if you haven't been wronged yet. This is in addition to TOS'es being restricted heavily by laws that define the limits of general terms and conditions (generally contracts that are offered to a large amount of people) and the existence of consumer arbitration committees that make it really simple for consumers to go after firms.

denton-scratch
0 replies
11h56m

> so you can't sign a binding arbitrage clause if you haven't been wronged yet.

This doesn't make sense to me.

Firstly, I take it that by "arbitrage" you mean "arbitration"; arbitrage is a kind of market trading, and "binding arbitrage clause" isn't a thing.

If we're talking about arbitration, many contracts contain binding arbitration clauses which are enforceable by either party from the outset; neither party has been wronged yet.

ronsor
1 replies
19h55m

Terms of service and end-user license agreements essentially serve more as private legislation than an actually negotiated contract.

squirrel6
0 replies
19h45m

Well stated. The only reason it’s not actually legislated is probably because this was just the path of least resistance.

osullip
0 replies
10h7m

I'm a little lost here.

If you don't want a company to have your DNA, don't give it to them.

It seems like a business was built around people wanting to be told they had 20% more fun in their bloodline, for a fee. Those people didn't consider the implications of giving this kind of data to a private company. Now the company is saying, "we got the DNA you gave us, for a fee and we don't want to go to court to fight you about how we use it".

Just don't give them your DNA. It's not that hard.

orbisvicis
0 replies
7h48m

It's not like we don't have cultural admonishments against this type of behavior - take Rapunzel for example.

* Walled garden of the sorceress equivalent to corporate walled garden.

* Rapunzel (the leafy green) representing either a life-saving service or unquenchable greed of the consumer. By holding the genetic health of future children hostage, the 23andMe connection is particularly apropos - the sorceress holds Rapunzel hostage.

* The husband agrees to a ToS in exchange for rapunzel (the leafy green).

As the story unfolds the consequences reveal themselves...

MisterBastahrd
0 replies
16h19m

Personally, I'd like for it to be illegal to force people into TOSes which add binding arbitration to access their accounts and data once they've already put time and money into the system otherwise. I shouldn't be negatively impacted regarding my rights to data or damages just because you were careless with my data. Likewise, any explicit agreement to legal remedy should really be in its own independent section for users to approve.

consumer451
72 replies
20h26m

My mother innocently used this service, and filled out the form identifying all relatives by name.

The results she received were entirely unenlightening, 50% of my DNA is now in their sketchy database, and I have no way to opt-out of anything.

I truly despise this organization.

anon35
54 replies
19h31m

This 2021 New Yorker article: How Your Family Tree Could Catch a Killer (https://www.newyorker.com/magazine/2021/11/22/how-your-famil...) was incredibly illuminating and changed my perspective on our sense of privacy. With a surprisingly small fraction of the world's population sequenced, we can still match a sample to a person whose sequence we don't have. To quote the article: "Genetic genealogy, it turned out, could function as an all-purpose de-anonymizer".

So perhaps be less upset that Mom signed up; our DNA really isn't ours in the same way the documents on our hard drive are. You were never going to be able to opt-out.

consumer451
39 replies
19h25m

This feels like a "think of the children" type of appeal.

I personally don't have any murderous history to hide. But there are unintended consequences with all of these losses of privacy. As a peer comment has rightly pointed out, nation state adversaries now have these same profiles.

Maybe they can find a common DNA profile for an efficient bio-weapon. Oops.

I escaped an authoritarian regime as a child, thanks to the same mother. I hold no ill will towards her, but I am deeply aware of the issues that bad actors can create by compiling huge databases of otherwise unnecessary information.

jimbob45
29 replies
19h1m

> Maybe they can find a common DNA profile for an efficient bio-weapon. Oops.

I think we already reached the end of the bioweapon tech tree with Sarin gas.

jacquesm
28 replies
18h58m

No, you are misreading the GP. What they mean is a bioweapon specifically tailored to match a particular DNA profile. Think Germany, 1939, or South Africa, 1985, but with this capability to see what the possibilities are and how utterly unstoppable that would be. And probably there are contemporary examples as well, but I don't feel like starting a flame-fest.

Libcat99
23 replies
18h25m

I think the important takeaway is such a weapon could potentially target a DNA profile while ignoring others.

jacquesm
22 replies
18h24m

Yes, exactly. And that DNA profile could be more or less specific as well to the point where you can commit genocide. Think 'final solution', not 'James Bond'.

eesmith
21 replies
16h10m

There will be several Nobel Prizes in creating the technology to get this bioweapon.

You need something which reproduces itself even in non-targets, which enters the cell's nucleus, which detects the correct DNA - which may be scattered across the genome! -, which has a mechanism that kills the target people, and where none of this will mutate so as to stop effectiveness, change/broaden the target population, etc.

Furthermore, just because people identify as a group does not mean they have a distinct genetic pattern. How would you target "Christians" or "Americans" or "Hispanics"?

This appears to be a harder task than curing cancer, in that many of the same techniques could be used to target cancerous cells but that does not require the ability to spread from person to person.

A bioweapon doesn't appear in a vacuum. The required technological advances will be widely known. In this fantastical cancer-free world, why wouldn't your local health care center have the ability to sequence unexpected genomes and prepare a vaccine or phage in the same day?

janalsncm
16 replies
14h49m

How would you target "Christians" or "Americans" or "Hispanics"?

You don’t need to have a 1:1 mapping in order to be effective. Incapacitating a sufficient number of a group is enough.

Similarly, such a bioweapon in an assassination context doesn’t need to only kill the target or go unnoticed. It’s enough that it is a disease or irritant that a particular individual is susceptible to.

eesmith
15 replies
10h12m

I think you're missing the point.

Assuming you have a communicable bioweapon which is somehow able to target based on genetics, and assuming the rest of the world isn't able to defend against it, that still leaves the very tricky question of finding a genetic basis which characterizes any of those three categories in a way which is sufficiently effective.

Do you really believe there is a way to identify "Christians" based on genetics?

"Incapacitating a sufficient number of a group" is NOT enough. You also need specificity.

What genetic markers indicate "American"? Sure, if you target something simple like "has a Y chromosome" you might take out about 50% of the US population, which is likely a sufficient number, but you'll do equal damage to your own population.

How would a bioweapon meaningfully target "Hispanics"? The term is definitely not based in genetics. If some villagers from a German town emigrated to Argentina and others from the same village emigrated to Canada, then according to the US the descendants of the first group are just as Hispanic as Black Spanish-speaking Cubans, while the descendants of the second group are "white".

But, okay, you've figured something out. Now how do you prevent your bioweapon from mutating the specificity away? You've added a lot of machinery to the organism which must be preserved perfectly even though that machinery isn't required in order to reproduce.

The more failsafes you put in, the bulkier the organism and/or the fewer genetic markers you can target.

Clearly you should be promoting DEI as a way to increase group robustness against future bioweapons. ;)

Filligree
10 replies
9h18m

I don’t think you really need to solve those problems to cause trouble.

You just need to think you have.

eesmith
9 replies
8h4m

Just because you think you can create a bioweapon doesn't mean it causes trouble.

And as I wrote, this sort of bioweapon won't be possible until we've effectively cured cancer, and likely also developed methods which can easily identify and stop it.

anonymouskimmer
8 replies
5h22m

A secret skunkworks approach could facilitate genetic inventions that don't get passed into the general knowledge base. It would be difficult making discoveries that all of the other biologists working in society miss, but is remotely plausible.

eesmith
7 replies
3h45m

Yeah, no. That does not seem plausible at all.

Again, the technology would be able to cure cancer. Do you really think all those employees - who know that their friends and family could be cured of their cancer - would be willing to keep mum of the cure?

jacquesm
3 replies
2h35m

Again, the technology would be able to cure cancer.

That's your strawman. But I can - easily, at that - imagine a POC that would be specific enough to kill a single human with a very high degree of success given some meta data about them and a sample of their DNA. I'm for obvious reasons not going to expand on that here because we have too many idiots in this world but the fact that you can't imagine such things doesn't mean that others can not.

anonymouskimmer
1 replies
2h27m

It would be easier to just novichok the person.

jacquesm
0 replies
1h34m

Maybe. Not always. Heads of state tend to be very well protected against such attacks for instance.

eesmith
0 replies
1h32m

So what? Movie plot scenarios do not need to reflect reality.

I can easily imagine hopping on the next Pan Am rocket service to Luna City.

I can easily imagine using a space laser to kill that same human.

I can easily imagine taking a bridge from Key West to Cuba.

I can easily imagine taking a pill to regrow an amputated leg.

Just because you can easily imagine a POC doesn't mean it's doable in our lifetimes.

What are you going to target in the DNA? Is it a single short sequence or multiple markers across the genome? How does the bioweapon sequence that DNA to find it? How does that then trigger the appropriate biological response? How do you prevent mutations? What infectious organism will you use? How do you know the target isn't already immune to that infection?

Even if you expand on one or two of these in convincing detail (congrats on your future Nobel Prize, by the way), that's still not enough for the idiots in the world to make a usable weapon.

And so many easier ways to kill someone exist.

anonymouskimmer
2 replies
3h7m

It depends on how isolated they are kept from each other's work. It's not as if we don't already have decent cancer therapeutic technologies in the pipeline.

eesmith
1 replies
1h57m

We do not have broad-spectrum anti-cancer therapeutics, much less ones which are based on self-reproducing communicable organisms that target the cancer's DNA.

If I'm wrong, what are you thinking of?

anonymouskimmer
0 replies
1h52m

Therapeutics which prompt the endogenous immune system to recognize the cancer cells as something to attack. I believe this is the basis of mRNA cancer therapeutics? I believe they are targeted for individual cancers and possibly individual people, but given the speed in which they can be made this doesn't seem like a major future hurdle.

Throw one into a gene therapy vector and it could conceivably reproduce itself (though that seems like a bad idea for a cancer therapeutic anyway).

anonymouskimmer
3 replies
5h24m

I'm really curious what, and how, these commenters think a genetic bioweapon would target. Cell-surface receptors seem the easy target, but as we've seen with COVID, and the more general swine and avian flus passing to humans, specificity changes. And cell surface receptors aren't that specific for any ethnicity, so expect a nuclear response from the survivors (both from your target and from the other states who had affected citizens).

If targeting proteins or regulatory regions of DNA, how? Are you going to try to CRISPR it? This may be effective in quiescent or senescent cells. But I think even quiescent cells have some DNA repair pathways. At best such targeting may speed up the aging process and cause some cancers.

Are you going to integrate a toxic gene at a specific chromosomal locus? Maybe that would work. You'd need a very efficient gene therapy approach to do it though.

jacquesm
2 replies
2h34m

You are thinking in entirely the wrong direction.

anonymouskimmer
1 replies
1h58m

I mentioned three different directions, it's not surprising I've missed one.

jacquesm
0 replies
1h34m

That's ok, I get it: I have the exact same thing when I'm too focused on a problem. And then a week later or so it's like a light bulb going off and I feel very silly for having missed the obvious. But let's not give people ideas here, this is pretty dangerous territory and I don't think HN should turn into a cookbook for miscreants.

jacquesm
3 replies
9h0m

How would you target "Christians" or "Americans" or "Hispanics"?

You don't have to be able to target any group to be able to target some groups. Blacks, Jews and Uighurs might be sufficient. And those definitely have genetic markers.

eesmith
2 replies
8h6m

"Blacks" is a term with very little basis in genetics. What do you think the bioweapon will target?

"Jews" is less diverse, but it's not like there's a single "I am Jewish" marker. Just look at https://en.wikipedia.org/wiki/Genetic_studies_on_Jews to see how difficult it is, with overlaps to other populations, and the need to correlate multiple haplogroups. How do you put all that detection machinery into a bioweapon?

https://en.wikipedia.org/wiki/Uyghurs suggests there are similar issues with Uyghurs - what will the bioweapon target if "the average genetic ancestry of Uyghurs is 63.7% East Asian-related and 36.3% European-related"?

And how do you prevent the bioweapon from mutating that specificity away?

jacquesm
1 replies
3h31m

...

Yes, such a weapon will never be very precise. But since no weapon ever is (collateral damage) that doesn't mean it won't be used.

And how do you prevent the bioweapon from mutating that specificity away?

You don't. But even that won't stop such a weapon from being used. Every weapon that mankind has been able to envision and create has been used. Not a single exception.

eesmith
0 replies
1h2m

You have presumed that this sort of DNA-targeting bioweapon could exist. We have lots of pie-in-the-sky weapon ideas that haven't been developed, like the Supersonic Low Altitude Missile. Why are you so sure that this bioweapon isn't yet another one of those?

Setting that aside, the hydrogen bomb has not been used as a weapon, only a deterrent.

Same for the neutron bomb (an "enhanced radiation weapon").

And nuclear depth bombs ("All nuclear anti-submarine weapons were withdrawn from service by China, France, Russia, the United Kingdom and the United States in or around 1990.[citation needed] They were replaced by conventional weapons such as the Mk 54 Torpedo that provided ever-increasing accuracy and range as anti-submarine warfare technology improved." says https://en.wikipedia.org/wiki/Nuclear_depth_bomb ).

"The United States Army Biological Warfare Laboratories weaponized anthrax, tularemia, brucellosis, Q-fever and others.[51] ... In 1969, US President Richard Nixon decided to unilaterally terminate the offensive biological weapons program of the US, allowing only scientific research for defensive measures." says https://en.wikipedia.org/wiki/Biological_warfare .

Have all those weaponized organisms really been used as a weapon? Not to my knowledge.

These all sound like exceptions.

consumer451
2 replies
18h25m

It could be specific to a family, or with this broad a DNA + meta data dataset, it could be enough data to wipe out much of an entire group. Choose the common traits in people who self-identified as a group. English, Jews, Slavs, Native South Americans, non-Han, etc.

The problem with bio-weapons has always been "blow back." Narrowing the scope of the weapon would help a lot with that.

jacquesm
0 replies
18h14m

Exactly, the better the control the bigger the chance that a weapon like this would be used.

anonymouskimmer
0 replies
15h39m

Any narrowing of scope would be temporary.

jimbob45
0 replies
14h47m

That only seems useful if said bioweapon can’t be determined by anyone else to have been DNA-based. Otherwise, why not just use a conventional bioweapon (lol) and target it more precisely? Using this hypothetical DNA targeting technology doesn’t seem like it’s solving a real problem.

I guess if you could target one person specifically? But then again there are way easier ways to kill people.

Rodeoclash
6 replies
18h52m

I personally don't have any murderous history to hide

I've been meaning to ask, could you please remove the curtains to your bedroom so I can see in? I know you're not doing anything wrong so you've got nothing to hide.

flir
3 replies
18h29m

Do you want a law that says people can't publish their own DNA SNPs?

Sounds like a free speech issue.

Filligree
1 replies
9h20m

Sounds like a good idea. Free speech isn’t the highest law.

flir
0 replies
8h42m

Now there's an opinion I don't often see on HN... hi, fellow European!

(Putting aside my modest proposal, I still want to be able to research my family history.)

sofixa
0 replies
8h44m

Already exists in some countries, like France. Non-court ordered DNA tests are illegal here, mostly for privacy reasons.

jacquesm
1 replies
18h12m

I think you missed the general tone of the GP's comment and inferred something they did not intend to say.

barnabyjones
0 replies
15h33m

I think his point was that using this qualifier gives more credence to the "nothing to hide" folks. The more people get used to saying it in defense, the easier it becomes to use as an attack.

rvba
0 replies
10h58m

Can you share your bank history?

anonymouskimmer
0 replies
5h36m

nation state adversaries

I think you mean "nation state country polity" :P

Maybe they can find a common DNA profile for an efficient bio-weapon

For this it doesn't matter whether a "nation state" is making the weapon. An empire state, sub-nation state, or non-state entity would be fine. What matters for a common DNA profile weapon is that said entity targets a mostly ethnic state, or non-state nation such as the Kurds, preferably with an ethnicity genetically distinct enough from one's own people, and that said ethnicity is genetically specific enough, in exactly the right ways, to target. As eesmith writes, good luck with that.

jacquesm
8 replies
18h59m

That took them until 2021? I wrote this in 2012:

https://jacquesmattheij.com/your-genetic-information-is-not-...

Diederich
4 replies
18h13m

Hah, beautiful, well done.

But yours isn't nearly so...catchy looking...as the New Yorker version.

jacquesm
3 replies
18h11m

Yes, I suck at the eye candy department. Function over form any day for me.

You should see my e-bike, it is quite literally covered in duct tape (it was meant to be temporary, but we all know how that goes).

Also:

https://jacquesmattheij.com/if-you-have-nothing-to-hide/

Which is probably my best article.

debok
2 replies
14h50m

You mention in the article:

Which undoubtedly well meaning civil servant long before World War II came up with the brilliant idea of registering religious affiliation during the census is lost in the mists of time.

I guess this happened because The Netherlands used to be a very religious nation?

I mean, in 1901 they got Abraham Kuyper[0] as a prime minister. Abraham Kuyper was a Christian minister, and is well-known among Reformed Christian circles as a very impactful theologian.

It is very understandable that a nation like that would want to list religion as part of their census data.

0: <https://en.wikipedia.org/wiki/Abraham_Kuyper>

sofixa
0 replies
8h46m

They used to be so religious that it incited a revolt in the southern parts of the country that were of a different religious branch. That's how Belgium came to be, with the only unifying trait for the new country being their shared religion, Catholics, regardless of the many other differences (French-speaking Walloons with many merchants and tradespeople, and Dutch-speaking Flemish that were mostly farmers, and mostly oppressed by the French-speaking ruling classes).

jacquesm
0 replies
10h41m

I guess this happened because The Netherlands used to be a very religious nation?

Yes.

consumer451
2 replies
18h31m

Before you submit your data for genetic testing please realize that you are giving away a portion of the ultimate family heirlooms, the genes that run in your family and that this decision could easily come back to bite others.

I wish my mom had read this. She would have understood the implications, and not done it.

jacquesm
1 replies
18h29m

I actually wrote it for my mom...

It's very annoying how these companies sucker people in to do things they might come to regret later, there is absolutely zero transparency here. Besides the potential for massive privacy violation there is also always the specter of future uses against your interests.

drivebyadvice
0 replies
16h3m

there is also always the specter of future uses against your interests.

This. The danger isn't even necessarily that we gain some crazy ability to predict things about a person from their DNA, but that people believe that it can be done accurately and that police, courts, government, marketers, etc believe it as well.

Police don't need much convincing if it gets them a conviction. Courts will already admit evidence from forensic labs which have been proven to fabricate evidence. Governments will let just about anything fly if someone donates enough, and if marketers are convinced that it might work, there will be no shortage of cash for campaign funds.

Currently, to my knowledge, you can take somebody's DNA and do just about anything with it without their knowledge or consent, and there seem to be a lot of well-monied interests with a stake in keeping things that way.

throwoutway
2 replies
19h27m

And now a nation state hacker can use the same database to identify U.S. citizen descendants (to what generation?). Good luck with "illegals" style espionage

jacoblambda
1 replies
18h48m

Or you know just a normal hacker (see this incident when a DB identifying 1 million people with Ashkenazi Jewish ancestry from 23andMe data was leaked: https://www.bleepingcomputer.com/news/security/genetics-firm...)

jacquesm
0 replies
18h13m

They just had to have that data eh? Idiots. This is criminally irresponsible.

This makes me so angry it is hard to describe.

throwaway2037
0 replies
13h30m

This is essentially how the Golden State Killer[1] was caught.

[1] https://en.wikipedia.org/wiki/Joseph_James_DeAngelo

Joeri
0 replies
7h16m

Doesn’t that imply that we should object to all DNA databases? If a database can be used to identify people not in the database, does the scale of the database matter? The consequence would be that law enforcement can no longer compile databases of DNA materials (a curtailment which I wouldn’t mind, but many people see these databases as essential for modern law enforcement).

hsbauauvhabzb
7 replies
20h1m

I fully agree with everything you say, but until legislation is enforced you can hardly blame a company for capitalizing on the lack of privacy laws (you can still hate them).

Point is, start demanding legislation around data privacy and security to anyone who will listen.

marginalia_nu
2 replies
19h55m

You can absolutely blame a company for unethical but legal actions.

hsbauauvhabzb
1 replies
13h57m

Exactly what will that achieve?

marginalia_nu
0 replies
9h35m

If you drink a cup of coffee and say "this is too hot for me!", what will that accomplish?

Nothing, as it's a judgement and not an action.

We may act on a judgement though, let the coffee cool down, or avoid dealing with the unethical company.

consumer451
2 replies
19h47m

I feel like I can blame the humans involved with 23andMe specifically, as they are the specific humans who allowed unknown 3rd parties to have enough of my DNA to profile my family and myself.

However, I entirely agree with your last statement. I would like to call upon anyone who appreciates privacy to get behind a neural bill of rights. While it sounds a bit "tin foil hat" at the moment, non-invasive brain–computer interfaces are coming very soon. Especially using infrared techniques.

Today, TSA scans your face, soon enough it will be your brain. This is not a joke.

If the USA misses the boat on regulating neural interfaces, we will sail through the final frontier of personal privacy, and even agency.

I highly recommend that everyone listen to, or read the transcript of, Sean Carroll's podcast with Nita Farahany on the topic. It is dense with legal and technical information.

"Nita Farahany on Ethics, Law, and Neurotechnology"

https://www.preposterousuniverse.com/podcast/2023/03/13/229-...

gorgoiler
1 replies
19h31m

By “unknown third parties” do you mean the hackers? The breach was bad but not that bad — it didn’t include your genetic material.

The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

https://techcrunch.com/2023/12/04/23andme-confirms-hackers-s...

consumer451
0 replies
18h57m

I meant 23andMe partners, and yes, also the hack, and future hacks.

This DB is a goldmine and I take an extremely pessimistic view on infosec.

Information wants to be "free" after all. Look at the KSA agents who were implanted at Twitter as an example. I would have to assume that nation state actors would also implant employees at 23andMe.

The publicized hack is the one we, and 23andMe, know about. It's just too juicy a target to keep safely guarded in perpetuity.

Simply by compiling this information, you are more or less guaranteeing it falling into the wrong hands eventually. This is an example of information which never should have been compiled.

thrtythreeforty
0 replies
19h39m

There's no law against being a dirtbag but I am definitely still going to blame you for being a dirtbag. You could always choose... not to be a dirtbag.

I would rephrase your point, "don't be surprised when a company capitalizes on lack of laws" -- this I agree with. It's virtually a force of nature.

dudul
2 replies
19h53m

What does "innocently" mean in this context?

jen20
0 replies
19h29m

I'd assume: "with the understanding of a layman who believes the marketing claims they make without understanding the problems inherent".

consumer451
0 replies
19h5m

Meaning that she was over 70, and just wanted to learn some ambiguously defined information about her family history. There were some unknowns as far as where her great-grandparents came from. Maybe "naively" would be a better term.

We are all law abiding citizens, what do we have to hide, right?

Well, she did not read the T&C as far as how this information would be shared, and did not consider the implications of how she was making a choice for the people who she named on the family form, and did not consider the inevitable infosec implications which we are now all enjoying.

vintermann
0 replies
8h12m

The worst is the classic social media tactic of using user-submitted data to attract others.

Imagine there came a responsible DNA service tomorrow, which used differential cryptography or something, so that you could share DNA and look for relatives with some semblance of privacy.

They wouldn't get off the ground, because your relatives? They're on this service, or Ancestry or MyHeritage or FamilyTreeDNA, which are every inch as sleazy, US or Israeli megacorporations which you can trust as far as you can throw them (which isn't an inch).

pokstad
0 replies
19h52m

Sue your mother

m463
0 replies
16h23m

Maybe you CAN ask for deletion.

lsllc
0 replies
18h12m

Perhaps you can file a DMCA takedown with 23andMe for the illegal copying of your proprietary code (instigated by your mother!).

epistasis
0 replies
19h11m

23andMe claims that no DNA information was revealed, and I'm having trouble finding a primary source that claims that the SNP info was taken. From a more detailed article:

... which exposed sensitive personal information that included things relevant to ancestry trees, birthdays and general geographic locations. In some cases, the company said that the hack could have exposed the pictures and display names of affiliated family members also using the company’s services through the accounts that were primarily breached. 23andMe insists that no actual genetic material or DNA records were exposed

... A 23andMe spokesperson told Engadget that hackers accessed the DNAR profiles of roughly 5.5 million customers this way, plus Family Tree profile information from 1.4 million DNA Relative participants.

DNAR Profiles contain sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.”

https://www.engadget.com/23andme-hack-now-estimated-to-affec...

Presumably the journalist at Stackdiary translated "DNAR profile" into "genetic profile," which is a term with no standard definition, but if it had one, I would have guessed it would mean at least some DNA info.

23andMe could be lying or ignorant of what happened, but that would also mean that there would also be another news cycle when further disclosure was mandated.

blindriver
0 replies
17h2m

To make you feel better, it doesn't have to be your mother to identify you. If a cousin were to have done it, you would still be easily identifiable. Basically anyone in your blood line using any of the services would make you easily identifiable.

mindvirus
15 replies
20h16m

"If you have not notified us... you will be deemed to have agreed..."

Is changing the terms of a service agreement with no confirmation/acceptance from the user even legal or enforceable?

justinpombrio
4 replies
15h39m

My understanding is that courts haven't even tested if terms of service are enforceable, never mind sudden updates to them.

mminer237
1 replies
7h49m

The absolute limits of terms of service aren't clear, but there have been tons of cases about website/software terms of service. A quick search of Westlaw finds hundreds of reported cases in my state alone. There are certain things like binding arbitration that courts have found unconscionable to be in a clickwrap agreement[0], but generally terms of service have been found fully enforceable. There's definitely been a lot of court testing.[1]

[0]: https://www.faegredrinker.com/en/insights/publications/2022/...

[1]: https://www.goodwinlaw.com/en/insights/publications/2022/08/...

justinpombrio
0 replies
2h23m

I was repeating bad information then. Thank you for the correction!

carstenhag
1 replies
8h57m

I assume you mean US courts? In other countries there have been lots of cases about TOS, in one way or another. Strange that there isn't such a thing in the US.

lcnPylGDnU4H9OF
0 replies
3h43m

Not the parent commenter nor a lawyer, but I believe it's something like a company can't put things that someone would never agree to in the TOS and have it be binding. But obviously that "would never agree to" part is fuzzy at best and possibly what they're referring to when saying it's not been tested. I might be mistaken about that but I have heard something to that effect from a prosecutor I know.

amethyst
2 replies
19h43m

Part of the initial terms of service that you agree to is that the terms can be changed by the company at any time as long as they give you X days of notice.

saagarjha
1 replies
15h20m

Some don't even require that! They can change the terms at any time and without notice, or so they say.

ddalex
0 replies
11h58m

I'm altering the deal. Pray I don't further alter it.

ellisv
1 replies
19h55m

Yes, companies do it all the time.

nerdponx
0 replies
19h47m

That doesn't mean it's legal or enforceable, that just means they do it all the time.

verbify
0 replies
9h40m

In the UK an unfair contract term or notice is not binding. It is defined as "contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations under the contract to the detriment of the consumer."

https://www.legislation.gov.uk/ukpga/2015/15/section/62?view...

pndy
0 replies
14h54m

A kind of related story:

Polish Competition and Consumer Protection Office looked at the terms and conditions for subscriptions to various Amazon services available in Poland and in a message published in the press yesterday office chairman says:

"(...) companies Amazon EU and Amazon Digital UK had procedures in place that allowed unilateral price changes from the new subscription period onward. This type of condition is particularly detrimental to customers in situations where a payment card (debit or credit card) has been assigned to the account, and the operator grants itself the right to automatically charge the new amount for the next subscription period."

"We have been advocating for years that contractual terms should fairly regulate the obligations of the contracting parties. In the case of subscription services, which are gaining popularity, consumers trust the service provider and entrust their payment card data to access and pay their obligations on a regular basis. >>This does not mean that from that point on, operators can, without their consent, charge more than what consumers had previously agreed to<<."

"It is unacceptable to automatically charge according to the amended price list in the form of blocking the funds from the connected payment card or unilaterally introducing significant changes in the contractual terms,"

https://uokik.gov.pl/aktualnosci.php?news_id=20132 - the message in Polish

It's about Amazon here but the office investigates subscription services offered by other companies as well. Amazon EU and Amazon Digital UK cooperated with the office and now will notify their customers about the upcoming changes, allowing them to refuse these and break contracts without any penalties. This works for ISP providers already - they can't change contracts at their own whims; though, they can pester you with phone calls with "totally new tied for your needs plans".

It's possible to push companies to change their behavior but I doubt this could apply to a specific service that 23andMe is. Although, this data breach might force data protection offices from various countries to look closer at what they're doing here.

jes5199
0 replies
14h46m

even if, in general, a TOS could be changed without explicit consent, a judge may well decide that agreeing to arbitration requires a higher standard than just ignoring an email

SkyPuncher
0 replies
7h54m

For the vast majority of the public, they won’t care beyond that line. They might be upset, but they’ll move on.

1letterunixname
0 replies
15h50m

IANAL, but I believe it works the same way as, say, physical property. If you don't "defend" it by objecting to it or putting up fences, and let people move in or say they are changing things, it's effectively qui tacet consentire videtur (silence gives consent).

RyanShook
10 replies
18h44m

To: arbitrationoptout@23andme.com

Subject: Request to Opt-Out of Updated TOS

23andMe Team,

I am contacting you regarding the recent changes to the 23andMe Terms of Service, dated November 30, 2023. My name is [your name as registered with 23andMe], and the email associated with my 23andMe account is [your 23andMe account email].

I hereby formally request to opt out of the newly updated Terms of Service. I do not consent to the terms as outlined in the recent update.

Thank you for processing my request promptly.

[Your Name]

guiambros
4 replies
18h37m

Where did you get the arbitrationoptout@23andme from? The email I get says to "please notify us", and the link is a mail-to legal@23andme.com.

That's the email I used yesterday to say I do not agree with the new terms.

tropdrop
3 replies
18h20m

The article points out that the mass-sent email used a different email address than that of the ToS. arbitrationoptout@23andme is the email in the ToS.

Jury is out whether this hyperlink mix-up was intentional...

heliodor
1 replies
7h59m

There are two processes at play:

- refuse the updated terms of service

- refuse the arbitration

The previous version of the TOS had arbitration too, so I'm not sure what all the stink is about.

Both versions tell you that you have 30 days to opt out of arbitration by emailing arbitrationoptout@...

As usual, the journalists failed at the job and are spreading misinformation.

Current version: https://www.23andme.com/legal/terms-of-service/full-version/

Previous version linked at the bottom: https://www.23andme.com/legal/terms-of-service/full-version/...

Go to both and search for arbitrationoptout@ and you'll see they both have the 30-day opt-out.

guiambros
0 replies
5h11m

Ah, that makes sense now, thank you.

I was confused exactly because arbitration was in the previous ToS, so disagreeing with the new T&S doesn't give you new benefits (other than the full refund in case sampling doesn't work). See Bard [1] / ChatGPT's [2] assessment here.

It seems the 30d opt out was intentionally buried, so folks thought opting out of T&S would get you out of the forced arbitration.

[1] https://g.co/bard/share/9d7782eb4d99

[2] https://chat.openai.com/share/c63c4078-608c-46d7-8529-a9dcac...

throwaway2037
0 replies
13h32m

Confirm here: https://www.theverge.com/2023/12/6/23991132/warning-23andmes...

    23andMe is only giving users 30 days from when they receive the email to opt out of the new policy, which you can do by contacting arbitrationoptout@23andme.com.

CaptainZapp
2 replies
14h35m

Send it by certified mail. Or fax it. Or even send it via Telex.

Any mode of transmission where you can prove you sent it, but don't send it just by email.

voxic11
0 replies
6h33m

I am a young person who has never sent a fax so please forgive my ignorance, but how does a fax allow you to prove you sent it?

edit: nvm I looked it up myself and learned about fax receipts. Sucks that the equivalent feature in email (read receipts) is usually not enabled due to abuse by spammers.

palencharizard
0 replies
8h31m

But you can prove you sent it by email.

1letterunixname
1 replies
15h55m

Thank you kindly for throwing this template together. You have the makings of an awesome associate or paralegal. ;]

sedatk
0 replies
12h56m

The template is from the article.

CrendKing
5 replies
18h29m

What prevents 23andMe from simply deleting the opt-out emails they receive and claiming they never received anything, in case someone did sue them?

houston_Euler
2 replies
18h26m

Wouldn't the sender have a time-stamped copy?

justneedaname
1 replies
12h38m

2 Generals problem

lcnPylGDnU4H9OF
0 replies
3h27m

Courts aren't dumb, though. It's a lot harder for an average person to fake something in their gmail outbox than it is for someone working for a corporation to delete emails from an inbox. Google could also possibly be sent a subpoena.

mminer237
1 replies
7h46m

The sender could simply show in his outbox that he did send such and 23andMe would be in even worse legal trouble then?

CrendKing
0 replies
3h26m

I asked because unlike paper mail where the deliverer is one trust-able government/commercial body, email by its distributed nature is delivered by hosts everywhere on the internet. How does a plaintiff generally gather evidence to prove the email was indeed delivered in these cases?

throwaway2037
4 replies
13h49m

Can someone please confirm: Is forced binding arbitrage allowed in EU/EEA/EFTA?

If no, what happens if you are a customer from France or Germany? It seems like this contract is totally unenforceable!

A bit deeper, I really wish it was illegal to create intentionally unenforceable contracts. Too many companies create these incredibly scary contracts that no mortal human can understand, let alone know if unenforceable.

sofixa
1 replies
8h42m

what happens if you are a customer from France

There are no French customers of 23andme because non-court ordered DNA tests are illegal here.

impish9208
0 replies
8h6m

According to Wikipedia [0], this is to preserve the “peace of families”. Quite bizarre.

[0] https://en.wikipedia.org/wiki/DNA_paternity_testing?wprov=sf...

bux93
1 replies
13h41m

No, not if the customer is an individual ("consumer").

Directive 2013/11/EU, article 10 states "Member States shall ensure that an agreement between a consumer and a trader to submit complaints to an ADR entity is not binding on the consumer if it was concluded before the dispute has materialised and if it has the effect of depriving the consumer of his right to bring an action before the courts for the settlement of the dispute." https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:...

This does not preclude the customer signing away their rights after the dispute arose, as part of a settlement agreement for instance.

acatton
0 replies
12h26m

Not only if you're a consumer. There are multiple cases in Germany of Oberlandesgerichten (~= "Circuit courts") voiding arbitration clauses in B2B contracts as well.

Subway (the sandwich chain) is a good example of that. They were kinda screwing their franchisees and were forcing them to do arbitration in NYC, even for German franchisees. This was voided by the northern German "circuit court"[1]

[1] https://www.omsels.info/wp-content/uploads/OLG-Schleswig-Urt...

owlninja
4 replies
19h53m

So would it be wise to opt-out?

toomuchtodo
3 replies
19h40m

It costs nothing to preserve your rights. To opt out, email legal@23andme.com notice that you do not agree to arbitration.

cebert
2 replies
19h27m

What benefit would you get out of doing that?

toomuchtodo
0 replies
19h12m

The ability to join a class action. You may get very little or nothing, but litigators will extract for 23andme’s data security failures. Private actions fill a gap when regulators and statute are inadequate.

If there is no cost, business as usual continues.

(I have opted out and intend to join a class action; I also own customer IAM in my day job, and am aware of the effort that would’ve prevented the root cause)

postalrat
0 replies
19h18m

I'd assume you are able to sue them through court.

Obscurity4340
2 replies
17h25m

Is there an actually privacy-respectful genome service like this or is 23&me literally the only game in town (the world)?

xbar
0 replies
16h49m

There is not any privacy-respectful business that won't eventually be acquired by private equity and squeezed for every just-this-side-of-legal dollar they can get.

Don't give away your genetic information if you can avoid it.

Ephil012
0 replies
16h15m

Your best bet is probably to go through a doctor and get testing from a medical genome sequencing service that is covered under HIPAA. I am not 100% sure if this is bulletproof, but it is probably better than going through a DTC company. Plus, most DTC companies like 23 and me use imprecise genome sequencing and not full genome sequencing like many medical providers do.

4death4
2 replies
19h34m

Have terms of service ever successfully been challenged for failing to meet the requirements of a contract? Like if I make an Uber account for my mom, and she uses it, at what point is she bound by the ToS?

mminer237
0 replies
7h35m

Ordinarily, ToS do meet all the requirements of a contract. Both sides assent to certain promises. They make an offer of the terms and you accept it by checking the box or whatever like they ask. That's what a contract is: https://matthewminer.name/law/outlines/1L/1st+Semester/LAW+5...

Even where you don't make the account, a court would assumedly find she agreed to the contract by virtue of quantum meruit by consenting to have you make it and her continuing to use the account.

If you sign your mom up for a credit card in her name, what makes her have to repay the debt if she uses it?

guntars
0 replies
14h23m

Not that I'm aware, but happy to stand corrected. They pretend they are enforceable, we pretend to abide by them.

whatshisface
1 replies
18h42m

There is no way the courts will uphold this scheme where you sign away your right to go to court through inaction.

lostdog
0 replies
18h24m

You are completely wrong. The courts encourage this. Specifically, Republican appointees to the supreme court favor arbitration, because it is better for corporations.

spondyl
1 replies
19h38m

There is perhaps one upside.

As it turns out, when binding arbitration is forced, those very same companies can't handle the caseloads that come with thousands of cases being filed individually, so it can be a bit of a footgun

https://www.nytimes.com/2020/04/06/business/arbitration-over...

AlexandrB
0 replies
19h5m

Seems the law critters at 23andMe have thought of that. From the Ars Technica coverage[1]:

The updated terms also explain a new process for mass arbitration. This requires that "if 25 or more demands for arbitration are filed relating to the same or similar subject matter and sharing common issues of law or fact, and counsel for the parties submitting the demands are the same or coordinated," this "will constitute a 'Mass Arbitration.'" Any mass arbitration dispute will be settled by the National Arbitration and Mediation, "a nationally recognized arbitration provider."

[1] https://arstechnica.com/tech-policy/2023/12/23andme-changes-...

orbz
1 replies
20h22m

“… encourage a prompt resolution of any disputes and to streamline arbitration proceedings where multiple similar claims are filed“

Someone’s getting ready for some fallout from data leaks.

LispSporks22
0 replies
20h19m

Heh they are really having it both ways!

lordfrito
1 replies
9h16m

How do unilateral TOS changes like this work in practice? If the previous TOS didn't force binding arbitration, can they unilaterally impose this change on existing users? Basically forcing existing users to "agree" to this? What recourse do existing users have?

I don't use / won't use 23andMe, because of issues like this (the nature of the relationship changing unilaterally). I don't like sharing private data, nothing is more private than my DNA.

momento
0 replies
9h3m

They sent out an email saying you can disagree to the TOS. I wonder what would happen if you did.

catchnear4321
1 replies
19h16m

do note you can and should send a response that says “no.”

then you get to keep the existing terms, which are likely slightly better. hence the hoop through which you must jump.

metadat
0 replies
17h16m

Submit your request here:

https://customercare.23andme.com/hc/en-us/requests/new

The email that sent the ToS update message is a do-not-reply address.

Kye
1 replies
17h54m

Remember to change your DNA and enable 2FA on all your cells.

1letterunixname
0 replies
16h24m

I roll my genes every 3 months and use 4FA.

unixhero
0 replies
11h31m

It is not strange to have binding arbitration instead of court, in the choice of law clause and dispute resolution clause.

rvba
0 replies
11h17m

How is this stuff even legal?

Retroactive change of contract?

robomartin
0 replies
16h18m

I can’t count the times I have advised friends and family against using certain products and services, only to be ignored or be accused of being paranoid. In some cases the response is “well, you can already find anything about anyone on the internet” or “they already have everything”, etc. It’s incredibly frustrating to watch some of these highly consequential breaches happen. I have yet to have someone come back to me to say “You know, you were right.”

I am sure many/most HN readers have come across this to varying degrees.

Not sure there’s a fix. The only people who eventually get it are those who are unlucky enough to eventually suffer the consequences of their lack of interest in privacy and data safety.

nicman23
0 replies
12h25m

i wanna see them try

neilv
0 replies
19h30m

Regardless of TOS, relatives who never agreed to the TOS may still have standing.

Will some non-TOS-signing relative who was impacted by the data breach lead a trillion-dollar class action suit?

(Class action, with the goal of putting a healthy fear of the public into abuse-inclined industry. Not the class action goal of letting a misbehaving company pay off liability with a small percentage of their gains from misbehavior, in exchange for making a few lawyers wealthy.)

kornhole
0 replies
16h39m

You have to go through all of this and give away your body's code to corps and governments just to learn maybe your grandparents were from some part of the world?

jvanderbot
0 replies
7h58m

Just to share a positive from 23andMe, given all the bad press around here.

I got on this service a couple years ago. I am adopted and had spent a long time trying to track down one side of my biological family. I had very little to go on other than a first name and general whereabouts 40+ years ago.

As it became more popular, I had half siblings and, eventually, my biological father reach out to connect.

It's been great knowing I have that connection finally. We're planning to meet soon.

This is a huge benefit of this kind of "opt in" service, but I recognize how devastating it might be if someone was concealing my existence for, say, religious reasons and a data leak or loose privacy settings from a common relative revealed something.

It's a nuanced issue, but my experience has been immensely positive in that it gave me something I may never have had.

eadler
0 replies
5h19m

In case anyone is interested I've been compiling as much factual information on arbitration here. Not yet complete but reasonably useful and well sourced

https://grimreaper.github.io/arbitration/docs/problems/

dutchbrit
0 replies
9h3m

“If you do not notify us within 30 days, you will be deemed to have agreed to the new terms.” - surely this wouldn’t hold up in court?

dreamcompiler
0 replies
17h27m

People who are not 23andMe customers might nevertheless be harmed by these breaches due to the peculiar nature of DNA data, and they could conceivably sue without being bound by any TOS.

dbg31415
0 replies
18h23m
clwg
0 replies
12h56m

Society and lawmakers need to update the TOS and legislate these companies out of existence and their databases need to be wiped.

Privacy laws really need to be updated for both collection against individuals as well as taking into account what the aggregate data represents.

TheRealDunkirk
0 replies
7h42m

Thanks for reminding me that I needed to cancel my account. I should have done it years ago when they announced they were being bought out by private equity, and before the inevitable security breaches. Oh well, better late than never, I guess.

And, before the "why did you ever do this?!" replies, my wife really wanted to do it, all the way back when they first started, and I relented. Our common 0.3% "sub-Saharan African" results is still a running joke.

Taranis
0 replies
11h53m

How is it that, after the fact (the hack), the TOS can be changed to mitigate damages from their lack of security? If this is the case, why worry about security then if all we need to do is change the TOS after the fact. No, I suspect a good lawyer or two can challenge this.