23andMe changed its terms of service to prevent hacked customers from suing

d2049
96 replies
1d2h

I would have presumed that security-minded people, which includes those who work in tech, would not so easily give away their genome, and that most of 23andMe's customers are a slice of the general population. But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled. Why would anyone willingly do that?

dekhn
41 replies
23h15m

I'm familiar with security (I keep a copy of Applied Cryptography on my shelf for "fun reading") and tech, here's a copy of my whole genome: https://my.pgp-hms.org/profile/hu80855C Note it's a full human genome, far more data than a 23&Me report. You can download the data yourself and try to find risk factors (at the time, the genetic counsellors were surprised to find that I had no credible genetic risk factors).

Please let me know in technical terms, combined with rational argument, why what I did was unwise. Presume I already know all the common arguments, evaluated them using my background knowledge (which includes a PhD in biology, extensive experience in human genome analysis, and years of launching products in tech).

I've been asking people to come up with coherent arguments for genome secrecy (given the technical knowledge we have of privacy, both in tech and medicine) and nobody has managed to come up with anything that I hadn't heard before, typically variations on "well, gattaca, and maybe something else we can't predict, or insurance, or something something".

sedatk
7 replies
19h47m

1) You can be subject to discrimination based on your ethnicity, race, or health related factors. That's especially a problem when the data leaks at scale as in 23andme's case because that motivates the development of easy-to-search databases sold in hacking forums. The data you presented here would be harder to find, but not the case with mass leaks.

2) It's a risk for anything that's DNA-based. For example, your data can be used to create false evidence for crimes irrelevant to you. You don't even need to be a target for that. You can just be an entry in a list of available DNA profiles. I'm not sure how much DNA can be manufactured based on full genome data, but with CRISPR and everything I don't think we're too far away either. You can even experience that accidentally because the data is out there and mistakes happen.

3) You can't be famous. If you're famous, you'd be the target of an endless torrent of news based on your DNA bits. You'd be stigmatized left and right.

4) You can't change your DNA, so when it's leaked, you can't mitigate future risks that don't exist today. For example, DNA-based biometrics, or genome simulation to a point where they can create an accurate lookalike of you. They're not risks today, but that doesn't mean they won't be tomorrow.

There are also additional risks involved based on the country you're living in. So, you might be living in a country that protects your rights and privacy, but it's not the case with the others.

mdavidn
6 replies
19h25m

You forgot an important one: Your ancestors, descendants, siblings, and cousins share much of the same DNA but did not consent to its release. All of the above risks apply to them as well. I'd be most concerned about insurance companies using genetic family history to deny coverage.

sedatk
5 replies
19h4m

I'm not too worried about it because it's never a 100% overlap. Even my brother and I share only ~50% DNA. It gets way sparser for more distant relatives.

About insurance companies, they're legally forbidden to use such data.

harry8
2 replies
17h37m

legally forbidden to use such data.

Great training set to check the results of other factors, then use those to infer.

Moreover "legally forbidden" means jack faeces unless you can point to people who had convictions recorded and went to jail. Otherwise we're merely discussing business conditions & expenses.

sedatk
1 replies
13h58m

I mean, of course but that’s applicable to all regulations, isn’t it? Yes, they can be violated, but what else do we have?

harry8
0 replies
8h18m

If you keep things secret they can't be used in a regulation breach by people who don't know those things.

We have /that/.

Theft is illegal and you lock your house, and that regulation is a serious one. The idea we have nothing but regulation is absurd in the extreme.

rocho
1 replies
11h50m

Even my brother and I share only ~50% DNA.

This is completely false. Any two random humans have more than 99% overlap by virtue of being the same species. It's even higher for brothers. We also share around 90% DNA with cats, dogs and elephants.

https://www.amacad.org/publication/unequal-nature-geneticist...

I'm not too worried about it because it's never a 100% overlap.

This doesn't make sense. If they were equal, you'd be the same person except for environmental differences. Many applications don't need equal DNAs. E.g.

https://youtube.com/watch?v=KT18KJouHWg

About insurance companies, they're legally forbidden to use such data.

This is a very weak argument. There's a long history of companies doing illegal things, and even if it's illegal today it doesn't mean it'll be illegal tomorrow.

panda-giddiness
0 replies
7h45m

I think it was clear that @sedatk was referring to the 1% that separates him from other human beings, not the 99% that separates him from trees.

zlg_codes
6 replies
20h34m

Why do you think people are entitled to have genome data on you? The morality is flipped. Privacy is recognized as a core, natural right. Others have to prove their onus for wanting your biological data. Trusting others is a moral and character weakness, because you have no guarantees as to how that data will be used. Or more specifically, what new ways to analyze and take advantage of that data will emerge.

I think actuaries will care an awful lot about this data and could use it to negatively influence your risk factor, and thus insurance premiums.

dekhn
3 replies
20h26m

I think if your prior includes "trusting others is a moral and character weakness" then I don't think it's useful for us to discuss this topic further.

As for actuaries, in the US, the GINA law prevents health insurance companies from using this data. I think legal protection is much more important than attempting to hide my DNA.

zlg_codes
1 replies
20h23m

I think if your prior includes "trusting others is a moral and character weakness" then I don't think it's useful for us to discuss this topic further.

I agree, if you can't justify trust with reason then it's hard to trust your argument that relies on trust. Trust can be broken, and your stance doesn't address that concern.

necovek
0 replies
13h17m

While I hold privacy in high regard, your standpoint on trust is pretty extreme.

With your own "trust can be broken", you could conclude that you should distrust "with reason" (hey, it was broken) — basically, flipping it is an equally sound stance.

As a rule, I trust people, keep private stuff not easily aggregated (e.g. I might talk some stuff over lunch, but will not email it to the person so they have it on record), and I am quick to distrust people once they fail me. Legal protections do matter, because they discourage misuse of unintended data sharing.

sunnybeetroot
0 replies
19h44m

The law could change, allowing the usage of your data without your consent.

syndacks
0 replies
17h19m

Where is it stated exactly that privacy is a core, natural right? Not in the Constitution, though the 4th suggests it. It’s not part of the natural order, I don’t think (most stuff is out in the open). I’m not saying I think privacy is bad or people deserve to have their info out in the open, I just don’t understand why people feel such a right to it, or where governance — natural or man-made — dictates it.

hot_gril
0 replies
10h46m

They could also use it to positively influence my risk factor.

yborg
6 replies
23h5m

well, gattaca, and maybe something else we can't predict, or insurance, or something something

Sure, if you don't believe in any of the potential negative scenarios, anything goes. You could also post your full name, SSN, DOB, address, etc. here if you are secure in the knowledge that no harm could ever come of it.

BobaFloutist
3 replies
22h53m

I think what they're saying is that name (probably not), SSN (almost definitely), DOB (maybe?) and address (probably) have known, confirmed risks. There are current ways that bad actors can abuse that information.

Genome is still pretty theoretical, except getting caught for committing crimes.

dekhn
2 replies
22h50m

I just checked, and using my True Name (https://en.wikipedia.org/wiki/True_Names) I can easily find my DOB, prior addresses and phone numbers, and using that information, it's likely I could make a reasonable guess for the SSN.

BobaFloutist
1 replies
21h4m

it's likely I could make a reasonable guess for the SSN.

It is? I mean then why are we bothering to protect anything, this shit is all super available for any given person.

dekhn
0 replies
20h20m

SSNs are fairly predictable: if you know region of birth and DOB you can get awfully close, for a wide range of the population.

https://www.pnas.org/doi/10.1073/pnas.0904891106

Konerding's 12th law, amended: "There is no bit of pseudonymized data which cannot be de-anonymized by a sufficiently motivated MIT grad student" (not entirely joking; see https://archive.nytimes.com/bits.blogs.nytimes.com/2015/01/2...)

rfrey
0 replies
22h5m

The question is, what are the potential negative scenarios.

dekhn
0 replies
22h54m

I think we already know for sure that posting a combination of full name, SSN, DOB, and address is a reliable way to provide scammers with the necessary information to commit fraud.

downWidOutaFite
5 replies
22h33m

That's not the same risk because 23andme also has name, address, email.

One risk if you have PII+genome is that a technically sophisticated entity can determine if you've physically been in a location. Also with an extensive PII+genome database they could find your family, for example for blackmail purposes.

Another risk is that a health insurance provider could deny you based on potential health issues they find in your genome.

dekhn
3 replies
22h7m

Yes, but technically sophisticated entities can also use methods that require less effort.

https://xkcd.com/538/

zlg_codes
2 replies
20h30m

That's your defense? You asked for actual risks and when shown real, plausible ones you recede into XKCD quotes. Clearly just a spoiler.

dekhn
1 replies
20h18m

What real, actual risks which I didn't already know about have been shown in this thread?

The point is that while you can use DNA to identify people in most cases, sufficiently motivated adversaries have more effective, cheaper, lower-technology approaches that they will use first.

necovek
0 replies
13h8m

Like with many things, the issue is the aggregation of data on many individuals (a database), and easy accessibility of your individual data on request (discoverability and processing).

Me shouting my sensitive private details in a crowded bar is entirely different from putting them on my webpage. There's even a difference between writing them down on a napkin or shouting them out.

hiatus
0 replies
22h24m

Technically, even without PII an adversary could determine that you have been in a physical place, they just wouldn't know what to call you.

mtremsal
3 replies
22h41m

For one thing, this leaks a portion of the genome of your relatives, which is a clear breach of their privacy. Whether you personally deem it sensitive or not, genetic data is meant to remain confidential.

dekhn
2 replies
22h35m

I don't believe making my genome available, which contains similarity to my relatives, is a breach of their privacy.

I think part of my point is that DNA, by its nature, simply cannot remain confidential, and that thinking we can keep it that way is just going to lead to inevitable disappointment.

mtremsal
1 replies
21h35m

First, some people extend your argument from DNA to everything and say "I believe that privacy in the modern world is unrealistic"; that doesn't make the argument applicable to the rest of us.

Second, whether DNA can or cannot remain confidential is yet to be seen, but feasibility is certainly orthogonal to whether it ought to be, which is the point at hand.

Third, whether you believe it's a breach of privacy to leak part of your relatives' DNA is beside the point. It's their decision to make, since it's their personal data and deemed confidential under most privacy frameworks, and therefore a breach.

dekhn
0 replies
21h1m

To your first point: Yes, I generally extend my argument to more or less everything in the modern world. Put your garbage out on the street: reporters can rifle through it looking for evidence.

To your second point: we already know DNA can't remain confidential (there is no practical mechanism by which even a wealthy person could avoid a sufficiently motivated adversary who wanted to expose their DNA). That's just a fact, we should adjust our understanding based on that fact.

Most important: sharing my genomic information with the world is not a breach of any privacy framework I'm aware of and subject to (US laws). Do you have a specific framework or country in mind?

drcode
2 replies
22h4m

Fully agree with you here. I can understand why people argue "We must do everything possible that no human being ever finds out anything medical-related about another human being, ever"

But that is a value judgement, and I believe it is one that comes at a great cost to society. I wouldn't be surprised if >50% of the cost of medical care is directly or indirectly due to this attitude, and that medical progress has been slowed immensely for the same reason.

If we could make medical data more open, it would greatly benefit the vast majority of people. OF COURSE it is true that some smaller number of other people/patients are helped by the existing medical secrecy system. I fully admit this is a trade-off, where we have to decide what values are more important.

(source: Am medical doctor)

zlg_codes
1 replies
20h32m

This is disgusting. You want people knowing the maladies they got treated, and how?

There's the old saying of knowledge being power. If you want this information about people being spread, then you're advocating having power over these people over that information.

It takes very little imagination to see how humans would misuse this data.

drcode
0 replies
16h40m

it's a tradeoff

I'm disgusting for "people having power over other people", you're disgusting for the graveyard of dead people due to the status quo system.

BobaFloutist
2 replies
23h0m

I'm gonna start making clones of you.

dekhn
1 replies
22h53m

I'm fine with that, but merely having my genome sequence doesn't enable you to do that.

necovek
0 replies
13h13m

Wasn't your original argument that they could easily get your genetic material (to figure out the genome from) anyway?

Would a bunch of your cells be sufficient at some point in the near future? (I know progress is being made to turn any cell into a reproductive cell, but that's still not exactly the same thing, but it's on that exact path)

You still might not mind a bunch of your clones though, so I don't think that's much of an argument.

necovek
0 replies
13h28m

Generally, being pseudo-anonymous is what allows open and free discussion (but lots of vitriol too).

While genetic information is not yet understood well enough by the masses to be abused in stereotyping and rejecting and — indeed — "cancelling", there is a huge potential to do so. This especially holds true for gender, racial, national differentiation, genetic disease potential and health profiling — all accessible through a full genome (even if some of the indicators are not with 100% confidence). Lots of this can also be used to start linking genome data to an actual person (helped with data from other contexts), which is where it starts to become risky according to known risk profiles.

Unsurprisingly, someone who is likely a white male (I could have checked using your genome too, but loading up your profile above confirms that) with "no credible genetic risk factors" is a lot less concerned about opening up their genome to the public: you are unlikely to get discriminated against. With that said, even you can get potentially ignored for your privilege: even I just engaged in that — somewhat discounting a part of your experience/claim because you are a white male. Part of that is also education: your extensive experience in the field allows you to make an educated choice. Many can't attain that much knowledge before they decide whether to share their genome or not.

This opens up a question similar to that entire face recognition fiasco — how will the unprivileged be affected by the privileged being mostly used to train the models on and do research on?

So the question is how do we ensure enough anonymity to make everyone happy to contribute to the world knowledge, but reduce chances of linking data back to actual people? I know nebula.org is doing something of the sort (though mostly just guaranteeing that they will remove the data at your request, and not share it without your permission), but we could have one genome produce a bunch of part-genomes, still allowing causation/correlation research, but none of them having the full picture.

That would disable some of the groundwork research (is there a correlation/causation only visible in the full genome or larger part of it?), so it's a tricky balance to find.

And finally, I always like to make this choice a bit personal: how would you feel about your child being linked to a criminal case due to your genome being publicly available?

hot_gril
0 replies
22h27m

One non-theoretical risk is that you or a relative leaves DNA on the scene of a crime you didn't commit (or?), and this makes you a suspect. This is also assuming a real identity is tied to the DNA.

harry8
0 replies
17h26m

genetic counsellors were surprised to find that I had no credible genetic risk factors

So let's assume you committed to publishing your genome in advance regardless of result. Sounds like you spun the barrel and dry snapped to demonstrate that Russian roulette is safe for everybody.

Tell us about how differing views on this to yours would influence opinion about your products you've launched in tech given your extensive experience in human genome analysis. Not at all?

This really may not be a case of being unable to understand something one's paycheck depends on not understanding at all but we can't know that yet.

xvector
12 replies
1d2h

I am a security engineer. When I signed up for 23andme, I assumed with certainty that it would be hacked and all data leaked at some point. I balanced that with the value of knowing potentially important health/genetic bio markers.

In the end, I valued knowing these bio markers above the privacy of my genome. The former is actionable and I can use it to optimize my health and longevity; the latter is of vague value and not terribly exploitable outside of edge-case threat models.

smarkov
5 replies
1d1h

Exactly my thoughts.

I'd be more upset if a combination of my name and email/phone number got leaked than if my DNA was made available public.

tuwtuwtuwtuw
4 replies
1d1h

Why would you be upset if your name+phone combo was leaked? Mine is all over internet so wonder why you feel it would be bad.

smarkov
3 replies
21h8m

I simply don't want to deal with spam or scams. If I'm exposing my contact details it would be a separate set that is dedicated to dealing with communication coming from the public.

themaninthedark
2 replies
17h47m

Why? You can change your phone number and your name. Good luck with doing so with your DNA.

smarkov
0 replies
7h29m

And that is exactly why they can be changed - because they're valuable details that can be used to track someone down. Your DNA is easily obtainable and is not used in any meaningful way that would affect your life if it was exposed.

hot_gril
0 replies
10h44m

Phone numbers are an increasingly important identifier. Sucks to lose one.

logifail
3 replies
22h19m

I can use it to optimize my health and longevity

Q: Is it a HN thing to be (obsessively?) interested in health and longevity?

Dying is a natural process. Sorry.

xvector
0 replies
18h9m

I don't really care whether it's natural or not. Maybe if you ever have an NDE you will understand.

rfrey
0 replies
22h3m

It's a human thing. Not all humans, but many.

Dying is a natural process. Sorry.

Avoiding dying, as best one can, is also a natural behaviour.

averageRoyalty
0 replies
21h59m

We fight all sorts of natural processes. Most common forms of death from a couple of centuries ago are solved. Our average lifespan has increased dramatically. We fly around in planes, travel to space, grow fruit out of season and build giant cities.

As a species, we're excellent at working around or ignoring what's "natural".

c7b
1 replies
1d

In retrospect, how do you so far value the utility of the data you got? Did you take any actions based on them, do you think you will be doing so in the future?

xvector
0 replies
16h53m

Luckily I had no severe biomarkers. Some minor ones, but nothing I didn't know already. I loved learning about my ancient ancestry, though (i.e. migratory patterns 300k years ago).

On balance, was the utility worth the cost (of a breach)? Probably not, because I found no major actionable issues. But if I did find severe biomarkers, it would have been worth it. So I do still think I made the right choice.

basch
11 replies
1d2h

Or the reality is, if someone wants your dna they will follow you around and grab a coffee cup.

mrweasel
10 replies
1d1h

Yes, yours specifically, but what if I want like 200.000 people so I can find one that has a DNA profile similar to mine, who could serve as an escape-goat or victim?

Maybe I want to steal a kidney, or a child that could reasonably pass as my own?

searine
3 replies
1d1h

but what if I want like 200.000 people so I can find one that has a DNA profile similar to mine

There are already literally entire databases of millions of people's DNA freely available for scientific research.

mrweasel
2 replies
1d1h

Not with names and contact information I assume?

searine
1 replies
1d

If you were smart enough to hack 23andMe to get genetic data to find a specific person, you'd be smart enough to reconstruct identities from publicly available data. You'd just have to cross-reference public anonymous databases with public non-anonymous ones. Both of which exist, and are free.

So far, the only real use-case for doing this is people trying to identify criminals from just DNA.

slingnow
0 replies
23h37m

You realize this data is often available for purchase or eventually publicly leaked, right? You don't have to be "smart enough" to do the hacking to benefit from it.

VBprogrammer
3 replies
1d1h

In the US, the bad actor here is much more likely to be insurance companies who can tune their secret algorithms to make sure no one with a gene tied to an illness which blooms later in life can get affordable health care.

tfehring
2 replies
1d

In the US, health insurers can only price based on age, location, and tobacco use. Setting health insurance premiums or denying coverage based on any health-related factors has been illegal for over a decade, and changing that would be totally unviable politically.

However, it's a significant risk for other types of insurance including life, disability, and long term care.

imiric
1 replies
23h28m

Just because it's illegal, doesn't mean health insurance companies don't find loopholes, and consider fines when they get caught as the cost of doing business. See this series of articles[1] for some of their criminal shenanigans.

It's more than likely that they would use genetic data to deny insurance, and then settle the cases in court if they happen to get sued, which statistically is probably a rare occurrence.

[1]: https://www.propublica.org/series/uncovered

maxerickson
0 replies
18h38m

They are denying claims. If they are going to do that, why would they condition it on genetics (vs just denying anything they think they can)?

The paranoia about insurance and genetics is that they simply refuse to do business with high risk customers.

joshstrange
1 replies
1d

escape-goat

Unless this is an online joke I don't get, I think you mean "scapegoat".

mongol
0 replies
19h54m

Seems to be the same thing.

"The concept comes from an ancient Jewish ritual described in the Bible, specifically in Leviticus 16. During the Day of Atonement (Yom Kippur), two goats were chosen: one to be sacrificed and the other to be sent into the wilderness, symbolically carrying away the sins of the community. This second goat was called the "Azazel" or the "scapegoat".

Over time, the term "scapegoat" evolved to have a more general meaning in English. It came to refer to a person or group that is unjustly blamed for the problems or misfortunes of others, reflecting the original ritual in which the goat was symbolically burdened with the sins of others before being sent away."

mrweasel
8 replies
1d1h

The same people believed crypto-currency, infinite growth, social media and many other things. At least 23andMe provided actual value, to some at least.

What I find strange is that 23andMe did not automatically delete data after 30 days, or at the very least take it offline, only to be available on request. Notify people that their results are available and inform them that the data will be available for 30 days after the first download. This is potentially really sensitive data and based on 23andMe's response, they seem to be aware of that fact. So why would they keep the data around? That seems fairly irresponsible and potentially dangerous to the company.

vik0
5 replies
1d

What actual value did 23andMe and similar services offer in the first place?

Quenching someone's curiosity about where their ancestors are from? Do we even know how accurate it is at doing that?

kelthan
0 replies
18h34m

I was adopted. I have no idea who my biological parents were or what genetic risks I might have inherited from them. When the doctor asks "Has anyone in your family ever had <fill in the blank>?" I have no answer to those questions without a genomic test.

jstarfish
0 replies
23h58m

Ancestry data, but also health markers. I.e. you're probably going to get macular degeneration, Tay-Sachs and cervical cancer.

Once I enabled the social graph thing I was immediately hounded by distant relatives who I assume want to chop me up for parts.

Do we even know how accurate it is at doing that?

The police have closed a few cold murder cases based on adjacency (once Parabon got their hands on samples), so it must be pretty accurate.

Anecdotally, my profile told a radically different story about our ancestry than my family's vague lore led me to believe. 23andMe's data made way more sense.

dekhn
0 replies
23h5m

If you go back in time, 23andMe was founded to collect genetic data with the goal of using that data to improve the health condition of humanity.

Over time it became clear that 23andMe's data set had limited predictive ability for health for a number of technical reasons (previously, dahinds, one of their statistical geneticists, has defended the quality of their predictions on HN, you can search for his comments. I suspect he can no longer comment on HN because of 23&Me's security debacle).

However, around that same time, 23&Me's dataset turned out to be excellent for ancestry analysis. It's generally considered fairly accurate (not just 23&Me: the entire process of ancestry through SNP genotyping works really well).

I never did 23&Me but my dad did, and he learned he has children all around the US (half brothers and sisters of mine) from some samples he provided some 45+ years ago. Both my dad and those people gained value from making that connection. It's interesting because my dad had already done most of the paper research (including going to SLC to visit the Mormon archives) to identify our obvious ancestors, and these relatives would never have shown up.

cookie_monsta
0 replies
22h29m

I just wanted to confirm my connection to royalty because I've always felt, y'know... special

BobaFloutist
0 replies
22h50m

Locating secret/hidden family is kinda nice.

geoelectric
0 replies
1d

Their service is selling you a dashboard over your genetic data that’s continually updated for new gene correlation studies and ancestry matches. It’s not really the one and done “Promethease” style analysis service you’re thinking of.

drdaeman
0 replies
14h29m

They will NOT delete your data even if you request a full account deletion, so surely they aren't interested in voluntarily deleting it.

It's all in the fine print. The labs will keep the genetic information as well as at least your DOB and sex for at least 10 years (CLIA requirements), and 23andMe will keep your identifying information (such as your email address) and account deletion request ID for some undefined period of time. Yes, this will remove some links (and the birthday paradox works in the user's favor), but this is certainly not a full and complete removal.

switchbak
4 replies
1d

You didn't need to supply accurate information, this isn't a bank here with any validation of your identity.

bogwog
3 replies
1d

You can at least change your name. You can't change your DNA, so when companies start selling that data it will be easy to detect when you give out fake information.

The only missing piece is a way to scan your DNA as part of a login form.

hot_gril
2 replies
23h30m

What good is my DNA without a real identity attached to it?

bogwog
1 replies
2h25m

Idk, it probably has some value. But my point was that it's going to be difficult to prevent your real identity from becoming attached to your DNA forever. The moment your real (DNA, identity) pair leaks from a credible source, your privacy is permanently and retroactively ruined.

So if 23andMe leaked a fake name with your DNA, it's out there in the hands of advertisers/scammers/governments/etc. From now on, anyone who gets access to your DNA will be able to build up data on you, and all it will take is a single leak/sale from a credible source to make it accurate.

(...but in truth, I have no idea what "DNA data" looks like, or if it's even possible to use it for targeting...)

hot_gril
0 replies
42m

If someone else is leaking a credible ID/DNA combo, it doesn't matter whether or not I did 23andMe. And credible identification is actually kinda hard.

PH95VuimJjqBqy
2 replies
23h50m

It will be a cold day in hell before I ever submit to dna analysis of this nature.

That doesn't stop my family from doing so, but I sure as hell will never.

weebull
1 replies
23h28m

So they've basically done it for you. The primary sensitive information is about predisposition to hereditary disease. That's the same for you and your siblings.

PH95VuimJjqBqy
0 replies
21h55m

I understand that but I can't control them so I must draw the line where I'm able.

p_j_w
1 replies
21h6m

But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled.

I'm befuddled that anyone thinks Sam Altman is the least bit trustworthy after WorldCoin.

kelthan
0 replies
18h40m

There is a difference between genomic data and biometric data: biometric data has known potential exploit vectors. So, with a picture of your retina, a sophisticated adversary could potentially reproduce your retina to allow access to some secure facility.

Genomic data doesn't have the same risk factors--at least at the moment. I think that the point many are trying to make here is that there may be risk vectors available at some point in the future that aren't known now. A couple of theoretical examples:

* You had to give a blood sample rather than other biometric data like a retina scan.

* Spoofing DNA evidence. That would be very/prohibitively expensive/difficult at the moment, but I suppose could become as easy as 3d printing at some point in the future.

Dma54rhs
1 replies
1d

Poor and desperate people don't have the luxury of thinking about these first world privacy issues. There's a reason Altman launched it where they did.

barbazoo
0 replies
1d

That explains the WorldCoin but not 23andme, people voluntarily paid for that so they couldn't have been that poor.

93po
1 replies
23h41m

The long term premise of WorldCoin is to not store retina scans in any way, and scanning stations in the US already do not do so.

itronitron
0 replies
23h24m

'long term premise'

varispeed
0 replies
18h44m

I know someone who is very security-minded, but he was also born to parents displaced by a war who didn't know where they came from (their adoptive parents only knew a region, and not for sure). At the time it was an easy option for him to learn something about his heritage. His curiosity was satisfied.

rand1239
0 replies
21h32m

Why would anyone willingly do that?

Maybe they accept the possibility that they die one day?

latentcall
0 replies
23h27m

I was 24 in 2015 and not in tech or as security minded as I am now when I received the test as a Christmas present. Obviously now I wouldn’t have dared do it, but it’s too late. Lacked the foresight at the time.

hot_gril
0 replies
23h25m

What's the implication here, that tech people should know better? I just don't care a ton about my privacy. At least that makes me not a hypocrite for working at a company that profits from user data (like many tech ones do).

akira2501
0 replies
20h11m

I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas

Is this actually happening, or is that just what the stories say?

FireBeyond
0 replies
1d1h

But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas

Well, in the case of WorldCoin, I think there are still some pretty significant questions about why they made Africa a prominent launch market (well, there are some reasons), but in some places they repeatedly increased incentives until they were offering people there up to a month's income to give their scans. That might not be a lot of money to a big startup, but it is telling that they had to offer that much to get some people to "opt" in.

kelthan
74 replies
1d2h

Automatically opting-in customers to a more restrictive TOS is pretty suspect, especially given the timing. IANAL, but I'm pretty sure that a court would not allow that, given that the TOS was changed AFTER the breach and it's pretty clear that the company is trying to avoid legal issues after-the-fact.

I would expect the court would evaluate any breach under the TOS that was in effect at the time of the breach, rather than under a new (and arguably suspect one) that was put in place after it, arguably in an attempt to "rewrite history".

throwaway092323
47 replies
1d1h

They probably know that it doesn't hold water legally. The hope is to victim blame as much as possible so that fewer people sue them in the first place. The next step will be to "remind" people about the TOS that they totally agreed to.

lp0_on_fire
27 replies
1d1h

Exactly. Same reason construction vehicles have "Stay back 200 feet: not responsible for broken windshields" written on the back.

arwhatever
10 replies
1d

“Not responsible for black eye if something falls from your vehicle and damages my vehicle.”

andrei_says_
9 replies
1d

Except that the truck driver has zero fault for the gravel on the road and the spacing between the tires and the mud guard of the truck his employer maintains.

Or did you mean you’d seek out the ceo of the truck company and give them a black eye?

sithlord
4 replies
1d

This is usually related to drivers who do not use the cover of their truck they are legally supposed to. So rocks fly out the top.

whaleofatw2022
0 replies
17h33m

Or smaller contractor type trucks with tools in them.

Ever have to dodge an axe at 35MPH? Not fun.

londons_explore
0 replies
22h51m

And usually because the truck is over full too. For almost any load, if you fill the truck to the brim you have overloaded it. (Unless you're moving styrofoam)

arcanemachiner
0 replies
23h28m

Also mud flaps

Tempest1981
0 replies
1d

Or dump trucks, which leak out the seams as they go over bumps

wongarsu
2 replies
23h30m

If it's gravel they are transporting it's obviously their fault, it's the responsibility of the driver to secure the load (with some blame falling on truck companies for providing insufficient equipment).

If it's random gravel from the road it's more understandable. But even then the driver is very much responsible for the mud guards on the truck they are operating, just as the police would write a ticket to the driver for worn down tires or broken lights.

andrei_says_
1 replies
17h47m

But are they “a punch in the face”-responsible?

I lived in Boston for a while. Cracked windshields were extremely common. No one was ever upset at another person.

squeaky-clean
0 replies
12h42m

I think you're missing the joke. If truck drivers could actually put up a sign saying they are not liable for any debris falling from their vehicle, and have it be a valid defense in court, then they would just put up a sign saying they are not liable for any black eyes given when they see debris falling off a truck.

They're taking the unrealistic expectation of the truck driver's sign protecting them from doing something illegal and flipping it. In other words: "If you could just put up your own sign and get legal protection to break my windshield, then I could just as easily put up a sign giving me legal protection to break your nose."

93po
0 replies
23h43m

A driver has a legal obligation to not drive a vehicle that is spreading debris on the road, which they are often doing and that debris often comes from their construction sites. There are places that use track washing stations at entrances and exits to prevent this.

eweise
8 replies
22h42m

At least in California, it's illegal for anything to fall from a vehicle except water and bird feathers, so not sure how that sign helps them.

eshack94
3 replies
22h3m

If I'm not mistaken, that's the point the person above you was making. Those stickers on dump trucks that say "Stay back 200 feet. Not responsible for broken windshields" are worthless from a legal perspective.

They do absolutely nothing to remove liability from the truck driver/company. If a rock falls from their truck and cracks your windshield, they absolutely are responsible for any damages.

Rather, their sole value is to convince drivers that the trucking companies aren't at fault, so that drivers whose vehicles are damaged from falling rocks erroneously elect not to press charges or pursue damages.

listenallyall
0 replies
16h11m

Such a lawsuit, if one was filed, would be in civil court, where nothing is guaranteed. If, in the unlikely case that the suit was not settled and it actually went to jury, no judge would direct that jury that truckers "absolutely are responsible for any damages."

If you are tailgating directly behind a rock truck with a big sign "stay back 200 feet" for an extended period of time, or end up right behind the truck because you're in a big hurry, or because you thought you could squeeze through an empty lane, a good lawyer could absolutely argue, successfully, that you are at least halfway responsible for the damage, if not 100%.

ironick09
0 replies
14h39m

i’m guessing you have a problem with signs that say “danger, do not enter” as well

dexterdog
0 replies
12h53m

Isn't their sole value to keep most people back far enough so they don't get their windshields broken?

quickthrower2
2 replies
21h8m

What about fallen leaves?

chihuahua
1 replies
18h28m

Straight to jail!

quickthrower2
0 replies
17h38m

Or at least probable cause for a search :-)

padjo
0 replies
22h25m

The point being that while it’s not at all enforceable there’s a non zero number of people who will think it is and not fight it

constantly
4 replies
1d1h

Yep. A small tangent for anyone who has seen these: they're very clearly not specifically enforceable. I got a window banged up by things falling off a truck with this signage, and when I called their "How Am I Driving" number, the first thing they said was that they were not responsible, citing this sign. Fortunately that sign was non-binding. :)

lelandfe
1 replies
1d1h

“If you can read this bumper sticker, the occupants of your vehicle agree to…”

Rayhem
0 replies
1d

"Private sign, DO NOT READ"

jstarfish
1 replies
1d

Georgia (state) takes it a step further. They wrote an exemption to the license plate law that allows dump truck owners to display the plate only on the front of the vehicle. Makes it that much harder to hold them accountable.

sonicanatidae
0 replies
23h31m

It's like they don't know drivers and their willingness to make "for damn sure" the other side is made aware of their displeasure. lol

dotnet00
0 replies
21h50m

or the "Warranty void if removed" stickers on electronics, which are not legally enforceable in the US.

candiddevmike
0 replies
23h18m

Does this apply to shopping carts in parking lots?

dylan604
17 replies
22h8m

This looks like a perfect class action case. There's really no physical harm or financial harm to the users, but a class action might be the only way for it to hurt. But IANAL, and probably have it all wrong in my head???

underwater
16 replies
21h56m

Why is it that in the US individuals have to band together and privately launch a class action to stop these types of parasitic behaviours? The government is supposed to represent the interests of citizens.

alistairSH
8 replies
21h47m

That's exactly why - we have a largely dysfunctional federal government (and most state governments aren't much better).

The biggest downside is the lawyers take a massive chunk of any award and the actual victims are often left with very little. Or, even worse, the victims get worthless coupons (like with many credit/PII breaches - the award will be 1-year of credit monitoring from the company that allowed the breach in the first place).

BrandoElFollito
5 replies
20h40m

This credit score system in the US always made me curious. At some point I had a proposition to move to the US and I asked the company offering the job how they would ensure that I immediately got the best possible score. They said it was not possible because it was a personal score.

I told them that I will certainly not start to build a credit score at 40 yo so they will have to find someone else.

listenallyall
4 replies
16h24m

You refused a job because the company would not assist you in obtaining a perfect ("best possible") credit score?

a) nobody has a perfect score b) FICO algorithms are proprietary from third-party companies, how would your potential employer have any influence?

BrandoElFollito
3 replies
8h59m

Yes, and this is when I discovered this system which looks quite crazy to me.

I am coming from abroad with experience needed in a US company (and therefore in the US at large) and I start my finances as if I were 18.

Then if there is a problem with my PII I have to worry about why it was lost. The company that lost it is going to give me a year of some kind of monitoring.

Well, no. I am not really interested in depending on some proprietary system that can make my life difficult just because someone fucked up. Or going through hoops to build it without consideration of my past outside the US or my job.

alistairSH
2 replies
3h44m

Honest question, what do other nations do to determine credit-worthiness? There has to be some sort of risk assessment on the part of banks and other financial institutions. And that risk assessment would have to be made for immigrants there as well, presumably with less/zero data?

FWIW, as much as Americans complain about the credit score system, it's mostly not a problem (for most people, most of the time). It's not hard for a middle-income person to earn and maintain a top-tier score (800+) and the lowest possible APRs when borrowing.

And assuming a prospective employer would assist you with finding housing, it's not hard for an immigrant to begin building their credit score. Just make sure your landlord reports rent to the credit agencies and take out a credit card. 3-6 months later, you have a decent score.

Identity theft is a real problem, but that extends well beyond the credit agencies.

BrandoElFollito
1 replies
3h28m

You go to a bank (people often go to their bank with some expectation of a better rate) or you check an online comparator to see what deal you can get.

Then the bank will look at your current funds, the job you have, the earnings you have, and after some abracadabra they will say yes or no.

There is no building of trust; the assessment is on what you have and what you are capable of.

The credit is usually 1/3 of your salary (at least in France) and you nowadays have to provide about 20-30% of the total amount.

alistairSH
0 replies
2h58m

It's also worth noting there is no singular credit score in the US. There are (at least) 3 agencies that generate credit reports. The "score" is usually the FICO score, but there are multiple versions of the FICO score, and other scores.

In France, how does a lender know if you have other loans/debt outstanding? Or if you have a history of non-payment? Those two make up the majority of a credit score (35% payment history, 30% debt burden). And the credit score is just one piece of an overall credit report.

aamoyg
1 replies
18h3m

I thought our government was dysfunctional on purpose?

dylan604
0 replies
12h14m

working as intended. won't fix. <closes ticket>

zlg_codes
1 replies
20h42m

The government is supposed to represent the interests of citizens.

I'm not sure that's ever happened in this country. They pay all sorts of lip service, but when challenged or under pressure, the US makes a lot of excuses for leaving its own people behind.

Thankfully we can repay that favor and see how they like it when there's nobody left to defend them.

listenallyall
0 replies
16h29m

Who is "we" and "them" in your statement?

wharvle
1 replies
21h5m

1) Common law versus civil law. We rely a lot more on private lawsuits than on regulator action. This is probably a mistake, given that it sure looks like it adds costs to common law countries with little to no benefit (and, arguably, harm) but it’s what we have.

2) The consumer protection laws we do have, and the bodies to enforce them, are relatively weak and enforcement is spotty at best. The most recent serious attempt to kinda fix this is the formation of the CFPB, and one of our two relevant political parties deliberately prevents it from working when they hold the White House (sample size of one, admittedly) and has been trying to totally kill it, in the legislature or (better, because it’s popular and this is deniable) in the courts.

mistrial9
0 replies
17h40m

consumer protection laws we do have, and the bodies to enforce them, are relatively weak

IANAL - however, in the US and in US states, many serious cases have been decided in favor of the consumer, over decades. It is the most recent waves of privacy versus ad revenue that are, indeed, very weak. It is awkward to defend these regulators since their failures are sometimes glaring; however, it is my impression that serious settlements against industry can have silence or "gag orders" attached, and they often do. The industry lawyers can argue that the news of the settlement alone constitutes additional commercial damage to the company, and of course they are right in a narrow sense.

dylan604
1 replies
21h47m

Lobbying. Citizens United. Disinterested populace.

Do you need a longer list?

tacocataco
0 replies
14h36m

First Past The Post voting discouraging competition in the electoral system.

losteric
0 replies
21h25m

It's not true that individuals need to band together. A single individual can kick off a class action lawsuit, private litigators can even kick start a lawsuit themselves (though ultimately the lawsuit will bring in impacted individuals).

The idea of private litigators is to complement the innate limitations of federal/state lawyers, by offering profit as an incentive.

Ideally yeah Americans would have stronger laws around TOS, customer privacy, data handling and security, and robustly funded state lawyers... but we don't.

Practically speaking, such gaps are not unique to technology. Every industry has this same problem, and your awareness of those problems is reflective of the general public's political engagement with this thread's topic. So having gaps that private litigators address is really quite normal and part of the incremental progress of legislation and state enforcement.

batch12
0 replies
19h27m

I wish a class action could include those of us who have never used their service, but whose relatives have.

smcl
6 replies
1d1h

I'd say it's more than suspect, what's the point of agreeing to a terms of service if they can change after you agree to them?

huytersd
5 replies
1d1h

They usually put that exact thing into the ToS. The right to change it at any time.

smcl
3 replies
1d

Ahh ok this sounds like a thing that’s OK in the USA but not EU :-/

smcl
0 replies
19h33m

NOTE: instead of downvoting as a knee-jerk defense of USA, just reflect on whether you'd benefit from some slightly better consumer protection laws.

raphman
0 replies
1d

Indeed.

"Besides the general requirements of 'good faith' and 'balance', the EU rules contain a list of specific contract terms that may be judged unfair.

Here are some situations where contract terms may be judged unfair under EU rules:

[...]

- Terms which allow you to alter a contract unilaterally unless the contract states a valid reason for doing so."

https://europa.eu/youreurope/business/dealing-with-customers...

wongarsu
0 replies
23h19m

Just because they write that doesn't make it legally enforceable. You can't agree to terms you don't know. Which is why many services will haunt you to explicitly agree to the new ToS when you next log in.

And even if you click agree there are legal questions about how much that can change about your past relationship, and what kind of changes you can legally make.

everforward
3 replies
1d

They ought to be evaluated as if no TOS exists. Given the clear intent to defraud customers by misrepresenting the contract they were bound by, the claims should be evaluated under the TOS most favorable to the plaintiffs. The most favorable TOS is the one that's invalid because 23andMe didn't get anyone to actually agree, ergo the claims are evaluated as if no TOS exists.

This is an attempt to undermine consumer protection laws, and the government should treat it as a direct attack. Other companies are watching. The government needs to send a clear message that this won't be tolerated before it spreads, becomes the status quo, and leaves many consumers believing that they don't have any rights or protections.

The head of legal should also be disbarred under American Bar Association rule 1.2(d):

(d) A lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent, but a lawyer may discuss the legal consequences of any proposed course of conduct with a client and may counsel or assist a client to make a good faith effort to determine the validity, scope, meaning or application of the law.

This reads as clear contract fraud in the factum [1]. Customers are told that they're bound by new contract terms, despite that 23andMe never got agreement, nor tried to get agreement, nor even know whether customers have read the new contract. I can't fathom any other reasonable interpretation of the situation. They created a fraudulent contract hoping to confuse other entrants to prior versions of the contract, and intend to benefit from that confusion. It seems clear to me. They are attempting to undermine the legal system, and the ABA needs to deal out swift punishment as one of the protectors of that system.

1: https://en.wikipedia.org/wiki/Fraud_in_the_factum

underlipton
0 replies
18h35m

There should be a (modern version of a) letter-writing campaign to pressure the government to take this seriously. The literal core of one's being is on the line.

blagie
0 replies
16h50m

ABA needs to deal out swift punishment as one of the protectors of that system.

This is part of the legal system. It shouldn't be, but it is. If you can toss a hundred issues the other party has to refute, you drive up legal costs to where litigation is no longer practical. The other side loses by default of not being able to afford litigation.

The ABA is, indeed, one of the protectors of the legal system, and has no vested interest in undermining it. The system means their constituents, lawyers, make more money.

Footnote: The mistake you made is that 23andme isn't undermining the legal system, but rather, justice. The two are not the same.

bertil
0 replies
18h23m

I’m curious if their lawyer has a defense in saying that they advised against it, but were told to try it anyway.

I’m even more curious if the change of ToS alone could be grounds for a trial, even a class action—making the risk not even worth the try.

Even harder to swallow: discover that the lawyers using the class action got hold of the data from the leak and used that in their marketing.

dannyw
2 replies
1d2h

The Federal Arbitration Act severely, and nearly completely, ties courts' hands around throwing out binding arbitrations.

Of course, if people don't accept the new terms, they are still bound by the old ones. But if you don't opt out…

kelthan
0 replies
1d1h

But having the company update a TOS that automatically removes rights from the consumer, after the consumer already agreed to a TOS that didn't previously restrict those rights is likely not going to hold up in court, either. Especially when the TOS changes were made after an event likely to trigger litigation.

This isn't a case of a minor change to consumer rights in the TOS like changing who would arbitrate a case. It's a significant restrictive change to the rights of the customer in favor of the company. And it was made after a security breach that affected a huge portion of the company's clients, which is likely to trigger lawsuits of the form that the TOS now seeks to restrict.

This is clearly a case of attempting to close the barn door after the horse was spotted in the next county over.

BobaFloutist
0 replies
23h2m

The good news is binding arbitration has some significant downsides for corporations - look up "mass arbitration".

thereddaikon
1 replies
1d2h

And just because a TOS says something doesn't mean it will necessarily hold up in court. They aren't law.

kelthan
0 replies
1d2h

Right. Also, the practice of having a sticker on a shrink-wrapped box of software that read "By opening this package you agree to the Terms of Service contained within", where the TOS was inside the box that you needed to open the package to read, was deemed unenforceable back in the 90's. It's the reason that TOS' are now displayed as a pop-up during installation. Not that many more people actually read them before installing the software, but at least they are given the option to.

I suspect that a competent lawyer could fairly easily argue that this "automatic opt-in" is the same thing in a slightly different format.

wackycat
0 replies
1d1h

Right! If this were a law rather than TOS it's the whole ex post facto situation.

sonicanatidae
0 replies
23h32m

I would like to think they will be nailed to the wall, but the current is that they will get a pittance fine, at best, before accepting their well earned bonuses.

I hate this timeline.

pbhjpbhj
0 replies
23h38m

That should be a crime in itself. Looks a lot like fraud.

lozenge
0 replies
23h3m

IANAL, but I'm pretty sure that a court would not allow that

You and a lot of the people who replied to you seem to be confusing what is unjust with what is illegal. You can't use one to deduce the other.

gentleman11
0 replies
13h37m

Any contract that can be changed at the whim of one party should automatically be invalid

d3w4s9
0 replies
21h8m

"a court would not allow that"

I don't know where you have been the last few years, but I am pretty sure things like that happen all the time, based on the emails I've received regarding ToS updates. And I have never heard of any company getting into trouble in court. Maybe public opinion, but that's it.

baryphonic
0 replies
1d1h

Cornell's law school has a pretty good guide to these "adhesion contracts" such as web TOS.[0] This alteration strikes me (IANAL) as running the risk of being unconscionable. If the contract change is unconscionable, then the new terms mandating binding arbitration are void.

Again, IANAL. Just my opinion as a citizen, not legal advice. Seek competent legal advice before taking legal action.

[0] https://www.law.cornell.edu/wex/adhesion_contract_(contract_...

amelius
0 replies
22h22m

What if they sell their entire business to a subsidiary?

_rm
0 replies
12h45m

Have they ever implied this would apply to accrued causes of action though?

Would like a lawyer to correct me if wrong, but these terms would only apply to any future events, not to the hacks that happened under the previous terms, for which they've already accrued the right to sue in a court (or whatever those terms said) regarding that hack, and 23andMe hasn't really implied otherwise just by updating its terms?

If they wanted that, they'd have to have explicitly included language like "by continuing to use our services after this notice, you covenant not to sue in court for any prior causes of action" or the like?

Affric
0 replies
22h34m

Yep. Having defended contracts that legally the company could novate, the circumstances that led to the novation had to be either outside of our control with a third party changing our underlying costs, or the first and second parties failing to agree a new contract and a standard contract that was already defined being put in place. This was later deemed unfair and the standard contract was made much cheaper. Ha!

My point being that in Australia my vibe is that this will be looked upon in a very negative light by courts and any regulators.

verve
46 replies
1d2h

To duck out of the new ToS, just write this email to legal@23andme.com--

To Whom It May Concern:

My name is [name], and my 23andMe account is under the email [email]. I am writing to declare that I do not agree to the new terms of service at https://www.23andme.com/legal/terms-of-service/.

bunnyfoofoo
11 replies
1d2h

Email is arbitrationoptout@23andme.com

verve
10 replies
1d2h

The email I got from 23andMe linked me to legal@23andme.com.

ceejayoz
3 replies
1d2h

Yeah, but the actual terms say arbitrationoptout@23andme.com. I wouldn't put it past them to say "ah but you didn't email the right address".

covercash
1 replies
1d1h

I emailed this one and cc’d the legal@ address just to be sure.

jascination
0 replies
20h13m

Ah, bad news, you cc'd legal@, which technically isn't directly emailing legal@. We have denied your claim and you will be shot from a rocket directly into the sun next Wednesday.

downWidOutaFite
0 replies
22h43m

Wow that is super hidden! They have a fake ToS to try to stop you from seeing the real one.

basch
3 replies
1d2h

Deeper in it has the other one.

I also set my future status to auto opt-out.

“I opt out of the updated terms and will stick to the current in place ones indefinitely, including any future changes. I declare myself immune from having to do anything like this again in the future and set my status to auto-opt-out.”

pc86
2 replies
1d1h

Is this legally binding? I'm extremely skeptical any time phrases like "immune" and "automatically" start making their way into legalese as it's usually something like those Facebook "don't use my photos" things your aunt reposts every few months.

snovv_crash
0 replies
1d1h

Give them a 30 day notice that it is binding unless they object?

maxerickson
0 replies
18h45m

They have lawyers on staff, it doesn't matter if it is legally binding because they will ignore it and force you to spend thousands of dollars trying to enforce it (in the unlikely case it mattered).

micromacrofoot
1 replies
1d2h

send it to both!

hughw
0 replies
1d1h

legal@23andme.com rejects my email with the message "Account disabled". So yeah, definitely cc the other address.

apwell23
9 replies
1d1h

If you do not notify us within 30 days, you will be deemed to have agreed to the new terms.

WTF. This is outrageous. And I had to find that email in my spam after I read this comment. Hope this POS company goes down in flames after this.

Log_out_
4 replies
1d1h

But they hold your DNA hostage. Don't you want this company to exist on so nobody gets hurt? Oh, they peaked and leaked, that's why the users get TOSsed. Carry on, Sir, baldly into a classy action lawsuit against a bankrupt company where some zeroday employee will get the biggest payout by insurance ever.

DesiLurker
2 replies
17h56m

you can actually ask them to destroy your samples and any associated data.

michaelcampbell
1 replies
17h31m

And to whomever they've already likely sold it to, or in the case of gov'ts and police, given it to?

DesiLurker
0 replies
1h28m

yes that ship has sailed but my comment is based on the assumption that since they are going for this type of carte blanche tos update they will be much more likely to sell to anybody going fwd (or get stolen). the govt and police one is tricky because that will never go away in this digital age. that is essentially a permanent record now.

apwell23
0 replies
1d

Too bad to fail ?

pbhjpbhj
1 replies
23h24m

Write back "you agree to pay me $10M in compensation unless you reply in 30 days" ...

dylan604
0 replies
22h0m

*auto-replies are not accepted as a valid response

klipt
1 replies
1d1h

Lol that surely can't be enforceable. Imagine "you agree to give us your kidney if you don't opt out within 30 days" sitting in your spam folder. How is this different?

dylan604
0 replies
22h1m

The last time I went rooting around in my SPAM folder, I came back a different person. I am forever changed by what I saw in there. I consider email totally broken in today's environment, but without a SPAM folder it would be closer to totally useless.

With the benefit of hindsight, the invention of SPAM should have told us all we needed to know about the future of the internet. A small percentage of users will do their damnedest to ruin it for everyone else. It's a sign that people cannot be trusted to not use the tech for evil. I'm sure it foretold the corruption of social media as well. It is all SPAM's fault!

willcipriano
6 replies
1d1h

I wonder if they can use things like opt out data to find a way screen for genetic markers of "troublemakers" or similar.

DNA driven targeted advertising that finds only the most docile consumers.

oldgradstudent
5 replies
1d1h

They can't tell you your eye color from your DNA data with any degree of confidence, and you seriously expect them to be able to find a marker of something as vague as "troublemakers"?!

salawat
0 replies
21h57m

...And yet phrenology was a thing.

https://en.m.wikipedia.org/wiki/Phrenology

Never underestimate the willingness to engage in the day's new "not-yet-clearly-identified-as-quackery pseudo-science" when there is a buck to be made.

dekhn
0 replies
21h5m

https://pubmed.ncbi.nlm.nih.gov/19619260/ "Nevertheless, it has been estimated that 74% of the variance in human eye colour can be explained by one interval on chromosome 15 that contains the OCA2 gene"

That's about blue/brown, and realistically, there are a bunch of other genes which also have effects, as "eye color" is really a collection of phenotypes, not just a single one.

adam12
0 replies
1d

> I wonder if

VHRanger
0 replies
21h34m

ADHD has genetic markers for example

DesiLurker
0 replies
17h53m

maybe not but you can be assured they'll share whatever information they can predict with some degree of confidence with their 'partners'. Imagine FB getting a hold of your DNA data (hashed up but still) and pairing it with eyeballs and other info from their AR/VR headsets.

ballenf
5 replies
1d

I wonder what would happen if someone used one of the public email dumps and automated a mass opt-out of every email ever spotted in the wild.

dylan604
3 replies
21h57m

wow, that's probably one of the most brilliant altruistic ideas I've read since buying other people's medical debt.

this is probably why the unsubscribe links require some interactive confirmation so that simply loading the page doesn't actually unsubscribe.

if this was doable, i'd put them above Troy Hunt in contributions to humankind ;-)

13of40
1 replies
19h41m

Some email providers navigate to every URL you receive to check them for phishing and malware. That doesn't play well with one-click unsubscribe links.

dylan604
0 replies
19h34m

sounds like the email providers are in the wrong here. quit reading my mail.

Tyr42
0 replies
17h29m

My unsubscribe links require a POST request, and have a form on the landing page, but specify the POST requirements in the email header.
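The POST-only unsubscribe pattern described above, as an added example that is not the commenter's own code: the headers follow RFC 8058 (List-Unsubscribe plus List-Unsubscribe-Post), and the endpoint only changes state on a POST carrying `List-Unsubscribe=One-Click`, so link scanners that GET every URL do nothing. A per-recipient HMAC token is added so that an address harvested from a public dump cannot be used to opt someone out; the key, URL and addresses are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment keeps this secret and rotates it.
SIGNING_KEY = b"constructed-demo-key-rotate-me"


def unsubscribe_token(email: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC over the normalised address: only the sender can mint a valid link."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def unsubscribe_headers(email: str,
                        base_url: str = "https://mail.example.invalid/unsubscribe") -> dict:
    """Headers to put on an outgoing message (RFC 8058 one-click unsubscribe)."""
    url = f"{base_url}?{urlencode({'u': email, 't': unsubscribe_token(email)})}"
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


class UnsubscribeEndpoint:
    """Minimal stand-in for the HTTP handler behind the unsubscribe URL."""

    def __init__(self, subscribers):
        self.subscribed = {e.lower() for e in subscribers}
        self.log = []  # (decision, method, email) for detection/audit

    def handle(self, method: str, url: str, body: str = ""):
        query = parse_qs(urlsplit(url).query)
        email = query.get("u", [""])[0].lower()
        token = query.get("t", [""])[0]

        # Reject anything without a token minted for this exact address.
        if not email or not hmac.compare_digest(token, unsubscribe_token(email)):
            self.log.append(("reject", method, email))
            return 403, "invalid or missing token"

        # GET (browser click or a scanner prefetch) never changes state:
        # it only renders a confirmation form that POSTs back here.
        if method == "GET":
            self.log.append(("form", method, email))
            return 200, "<form method=post>Confirm unsubscribe?</form>"

        # One-click unsubscribe: POST with the exact body the header advertised.
        if method == "POST" and parse_qs(body).get("List-Unsubscribe") == ["One-Click"]:
            self.subscribed.discard(email)
            self.log.append(("unsubscribed", method, email))
            return 200, "unsubscribed"

        self.log.append(("bad-request", method, email))
        return 400, "POST with List-Unsubscribe=One-Click required"
```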

neilv
0 replies
23h13m

23andMe's ToS change right now seems in poor taste at best, and I think they need to get smacked for that, by a judge and/or the public.

But I don't see how drunken anarchist tactics help, and that noise seems like it would be a counterproductive diversion.

alephnan
3 replies
23h51m

I am logging in to my 23andme account to confirm my info and name registered there.

I forgot my password and did a password reset. They have a password requirement of 12 characters minimum. A bunch of security theater just to get hacked anyways.

brokencode
1 replies
20h10m

So as soon as a company gets hacked once, all of their security measures get recategorized as security theater?

sobkas
0 replies
2h17m

So as soon as a company gets hacked once, all of their security measures get recategorized as security theater?

Failing to secure user data and then overcompensating on the user side is security theatre. It's like having a complicated lock on a cardboard box.

TeaBrain
0 replies
18h35m

The requirement wasn't previously that long. Also, following the hack, they're requiring everyone to reset their passwords.

jhardy54
2 replies
1d2h

I don't give Facebook permission to use my pictures, my information or my publications, both of the past and the future, mine or those where I show up. By this statement, I give my notice to Facebook it is strictly forbidden to disclose, copy, distribute, give, sell my information, photos or take any other action against me on the basis of this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308-1 1 308-103 and the Rome statute). Note: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once, you have given the tacit agreement allowing the use of your photos, as well as the information contained in the updates of the state of the profile. Do not share. You have to copy.

kstrauser
0 replies
1d2h

The difference here being that 23 and me has communicated a specific opt-out process. This isn’t some sovereign citizen nonsense the person you’re replying to came up with on their own. It’s the official method you’re supposed to use.

ceejayoz
0 replies
1d2h

Those notices are bullshit, but https://www.23andme.com/legal/terms-of-service/#dispute-reso... says emailing an opt-out is correct in this case.

30 Day Right to Opt-Out. You have the right to opt-out and not be bound by the arbitration and class action waiver provisions set forth above by sending written notice of your decision to opt-out by emailing us at arbitrationoptout@23andme.com. The notice must be sent within thirty (30) days of your first use of the Service, or the effective date of the first set of Terms containing an Arbitration and Class Action and Class Arbitration Waiver section otherwise you shall be bound to arbitrate disputes in accordance with the terms of those sections. If you opt out of these arbitration provisions, we also will not be bound by them.

nofinator
1 replies
23h47m

I'm just surprised they aren't making you send a physical letter via USPS.

Some companies require that. Here is PayPal's process for example: https://www.paypal.com/us/legalhub/useragreement-full#table-...

tbalsam
0 replies
23h42m

They aren't the government, silly billy. Just because it's written down doesn't mean that it has value, it's just an (effectively unfortunate) deterrent, since oftentimes a court has to decide that it's illegal.

Hopefully our court system will get some more teeth vs other corporations soon.

stevehawk
0 replies
17h11m

fwiw the correct email for this is arbitrationoptout@23andme.com

lynndotpy
0 replies
18h46m

You have to specifically opt out of the arbitration clause and class action waiver.

adocomplete
26 replies
1d2h

Thanks for sharing. Will def opt out and roll into the class action suits already filed.

Take security seriously people. Especially when dealing with super sensitive data.

brianwawok
23 replies
1d2h

Why did you send them your DNA? It was pretty obvious from day 1 that sending some random startup on the internet my DNA was a bad move.

6177c40f
13 replies
1d2h

No, I don't think that that's obvious. At least in the US, there are already protections for genetic information (including but not limited to GINA [1]).

In the long run, I think keeping your genetic information private will be untenable - the potential benefits will outweigh the drawbacks. Plus, anyone sufficiently motivated could get your DNA somehow; you shed your DNA everywhere you go, no getting around that.

So what's left is to urge your representatives to maintain and strengthen regulations on how that information can be used, and in the long run we'll just have to trust that that will be enough.

[1] https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrim...

pavel_lishin
6 replies
1d2h

In the long run, I think keeping your genetic information private will be untenable- the potential benefits will outweigh the drawbacks.

Can you give an example?

Plus, anyone sufficiently motivated could get your DNA somehow, you shed your DNA everywhere you go, no getting around that.

That assumes there's someone out to get you specifically. That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway. Having my DNA because you vacuumed it up off the subway floor is significantly less useful to anyone without it being explicitly tied to me.

6177c40f
5 replies
1d

Can you give an example?

See my other comment, but in short I essentially mean the true realization of "precision medicine" and gaining a greater understanding of how different genotypes result in disease, information which can be used to guide treatment and to develop better treatments.

That assumes there's someone out to get you specifically.

Not entirely true - the ability to reconstruct genotypes from environmental samples gets better all the time. I'd imagine that even with current technology, a sufficiently motivated organization could sample various locations to reconstruct the genomes of people who often visit there. With enough info, they could start building webs of genetic relation. From there, all they'd need is access to a database of samples from known individuals (which, as we can see, already exists), and chances are they could quickly deanonymize future samples. The only thing that could stop such mass collection is proper regulation.

That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway.

Unlike your password, your DNA is unencrypted and gets spread everywhere.

slingnow
4 replies
23h34m

> That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway.

Unlike your password, your DNA is unencrypted and gets spread everywhere.

This doesn't address the point. In both cases, someone sufficiently motivated could get what they want from you. So by your argument, there's no point in maintaining privacy for either piece of information (DNA / passwords).

billyoyo
1 replies
23h12m

Clearly a bad faith argument. someone with your passwords can do a lot more damage than someone with your DNA.

I think DNA is probably sensitive on the level of someone knowing your name and DOB. Not convinced it's much more dangerous than that.

rocho
0 replies
11h39m

That's only true now. You don't know that DNA leakage won't be a higher risk in the future (and FWIW, my opinion is the opposite of yours regarding the future risks). Moreover you can change your passwords, but you can't change your DNA.

6177c40f
1 replies
21h24m

So by your argument, there's no point in maintaining privacy for either piece of information (DNA / passwords).

The problem with privacy is that it's fragile. When your info is leaked, you should assume it's out there for good.

I also think that while right now when you do the cost/benefit analysis of having your DNA sequenced, you think the cost outweighs the benefit. Clearly my personal calculus is different than yours, and that's ok. But I would caution you that in the future that calculation may be different for you.

So I think people will either lose privacy, or voluntarily give up some privacy for some benefit. In either case, we will need something other than privacy to protect ourselves. I think that well-enforced legislation, legislation that limits the way genetic info can be used and gives the individual more control over their own info, is really the only thing that can help.

muser8
0 replies
19h26m

I think that well-enforced legislation, legislation that limits the way genetic info can be used and gives the individual more control over their own info, is really the only thing that can help.

Absolutely, in theory. But when have politicians respected legislation's original intent over their self-interest over time, especially when monied parties are desirous of changes for those party's own ends?

quantified
2 replies
1d1h

What benefit will there be? And why do you assume that it won't be accompanied by negatives? The problem with all tech is that people direct its use, and the sole agent of evil in this world is people.

6177c40f
1 replies
1d

What benefit will there be?

Knowing your genetic information is currently of limited value for the majority of people, this I admit. I believe that in the future, however, the promise of precision medicine will be realized, and that having one's genetic information readily available will be crucial to receiving the best treatment possible for many diseases.

For example, take Crohn's Disease (and other inflammatory diseases more generally). The current thinking is that it is highly influenced by genetics, and that a number of different genotypes exist that can result in the phenotype we refer to as Crohn's Disease. It's conceivable that having a better understanding of someone's specific genotype could lead to more precise treatment of their condition.

And why do you assume that it won't be accompanied by negatives?

I explicitly don't assume this, I said that the benefits will outweigh the drawbacks.

the sole agent of evil in this world is people.

This is a specious argument. By that same measure, the sole agent of good in the world is also people. But that's irrelevant. Tech can be used both to harm and to benefit, and I'm arguing that personal gene sequencing can and will be used to provide more benefit than harm.

quantified
0 replies
17h13m

Yes, you did reference both, and I lost track in my response.

I expect a few relatively wealthy people to get some benefit, for example when they have real health conditions that can be helped by genetic knowledge. I don't expect benefit for the rest. Across the population, some will have net benefit, some will have net drawback, and it would be very easy for the second group to be an order of magnitude larger than the first.

croes
2 replies
1d1h

Plus, anyone sufficiently motivated could get your DNA somehow, you shed your DNA everywhere you go, no getting around that.

But these people need to get close to you. 23andme made it easy for someone who could have been on the other side of the globe.

fkyoureadthedoc
0 replies
1d

And do what with it?

6177c40f
0 replies
1d

I really don't see how this changes the threat model. If anything, I'm less worried about someone on the other side of the globe.

mauvehaus
2 replies
1d2h

Not everyone opted in as such. My wife has an identical twin who sent in a test.

midasuni
1 replies
1d1h

Presumably neither you, your kids, or your wife, has grounds to sue them

hoosieree
0 replies
23h34m

You could try the old Monsanto/JohnDeere approach: copyright your own DNA then sue them under DMCA.

tamimio
0 replies
1d

Spot on!

krosaen
0 replies
19h56m

Didn't really feel like a random startup - felt like one of the most innovative startups around, backed by impressive investors including Google, co-founder married to Sergey Brin... So perhaps in hindsight sending DNA to anyone is a bad idea, but if there were a startup one might have trusted, this was it.

gosub100
0 replies
1d2h

Fear of the unknown about your own body. Think of how many people would sign up if you sold a service that scoured secret files to "find out what people are saying about you". Forget whether such a service could ever work, just the combination of "unknown" + "about you" is irresistible to a large segment of the population. It's the mother-of-all-clickbait.

duxup
0 replies
1d1h

For a lot of people it is a health decision.

I go to a doctor, they have a ton of info on me. Who knows what might happen with that data ... but I still go to the doctor because it is a good idea for health reasons.

atemerev
0 replies
1d1h

Any other way to know the information they are offering? It is hard to own your own sequencing machine.

alephnan
0 replies
20h37m

It was offered as a subsidized perk during my days as a Google employee.

The social aspect of other people at Google doing it made it feel normal.

In hindsight, I drank the Google kool-aid in more ways than one.

The sentiment of distrust towards tech companies and tech companies being yet-another-corporation is really only obvious in recent years. It wasn't the case a decade ago when we were busy being judgemental of Wall Street. Ironically, now it seems that Wall Street is more trustworthy because, at the very least, they are forthright about their motive to make profit instead of all these lies about "changing the world".

tuwtuwtuwtuw
0 replies
1d1h

Which super sensitive data was leaked? I have read contradicting things.

micromacrofoot
0 replies
1d2h

Same, excited to receive my check for $0.25 in 3 years (seriously though, I wonder if we should file in small claims court or something as well?)

helsinkiandrew
5 replies
1d1h

Forcing customers to use arbitration hasn't always been in the company's interest - if only a fraction of the 7M affected customers started the arbitration process it could cost a lot more than a class action suit.

Didn't Uber drivers get a large payment from them in this way?

https://www.reuters.com/legal/litigation/uber-loses-appeal-b...

kelthan
3 replies
1d1h

Trying or arbitrating a large number of cases individually is far more expensive than litigating a class action suit. But only if the people pushing the arbitration hold firm, rather than agreeing to the initial settlement offering.

freeAgent
2 replies
22h3m

I once looked into arbitration against a local company based on their ToS. Initiating arbitration would have cost me several hundred dollars, not to mention time, which was more than my dispute was worth.

kelthan
1 replies
18h20m

And how much would it have cost you to file a lawsuit?

freeAgent
0 replies
18h15m

I don’t know, but I had agreed to the terms that specified arbitration through a specific firm as my only available recourse, so that’s not particularly relevant.

zlg_codes
0 replies
20h26m

Arbitration almost always favors the company, why else would they push for arbitration instead of respecting your rights?

theGnuMe
4 replies
22h7m

Huge HIPPA violation as well.

deathanatos
3 replies
21h7m

Huge HIPPA violation as well.

It's HIPAA.

IANAL: And unless 23andMe meets the HIPAA definition of a "covered entity", which I'm not sure they do, they're not going to be covered by HIPAA.

theGnuMe
2 replies
20h56m

Right but the hackers are not covered entities.

deathanatos
1 replies
20h12m

That's not how HIPAA works. 23andme would be, or would not be, the covered entity, and the entity bound by HIPAA.

theGnuMe
0 replies
18h41m

I dunno, they offer blood tests ordered by a clinician. That probably creates a covered entity.. then the hackers get the phi data, they for sure do not have a business associates agreement with 23andme. May only matter for the blood draws.

mrkramer
4 replies
1d2h

I'm not a lawyer but I doubt that this will matter in the court because the time of actions matters; or in other words, at the time when the user registered they agreed to TOS A, and later when 23andMe changed their TOS A to TOS B they achieved nothing because you can't unregister users and register them again and force them to agree to the new TOS B. I mean they can ask you to agree to the new TOS but you don't have to because a TOS is not a law, it is a voluntary legal agreement between a company and a customer. Retroactively enforcing something is not possible, not even for governments; e.g. if I pay my corporate tax of let's say 20% in 2023 to the government, the government can't say 5 years later: you know what, corporate tax is now 30%, compensate for all the differences in the past.

onlyrealcuzzo
2 replies
1d2h

I mean they can ask you to agree to new TOS but you don't have to because TOS is not a law

Aren't they forcing you to agree to the new TOS to continue using the product?

mrkramer
0 replies
1d1h

Then pull out and sue them for maliciously enforcing new TOS. People should collectively sue them.

freeAgent
0 replies
22h6m

Perhaps, but if someone ignores the email and never logs into or interacts with 23andMe in the meantime, the post hoc change in ToS should have no impact on their ability to join a class action lawsuit.

corethree
0 replies
1d

You got it wrong. They can throw a big TOS in front of you next time you login. Most users will just accept.

Additionally they sent an email out saying that you have 30 days to tell them you want to "opt out", otherwise by default they assume you accept the new TOS agreement.

Fischgericht
4 replies
23h23m

As someone living in the EU, these kind of things puzzle me a lot.

How can a legal system exist, where it's possible to deny a (consumer) contract party access to the legal system and law of the land?

(In the EU we do have arbitrations clauses, but they are only legal between businesses and tightly regulated. Arbitration "courts" must be neutral. And you can not put them into ToS.)

Also, I was under the impression that all sane legal systems on this planet are based on the broad principle of "pacta sunt servanda" = "agreements must be kept". One party of a contract never can change the contract without consent from the other party.

We do have the concept of "silent approval" for consumers over here, too, but that only applies to minor changes to terms that are not a "surprising" change to the consumer. It recently was ruled that for example Netflix increasing prices without active consent is not legal in the EU. There is not much that is not regarded as "surprising" by courts here. "You are not allowed to sue us after having lost your personal data, then lying about it" clearly would be regarded as surprising.

In summary: Every aspect of that whole 23andMe story would be impossible in the EU. The amount of data they collected, the way they stored it, the way they tried to hide the breach, and them trying to prevent their customers from getting access to the law.

I wonder how on earth the US legal system could deteriorate so much that such a story becomes possible.

[Disclaimer: I am not bragging about living in the EU. I did not have any influence on my place of birth. I do not wish to imply that the EU is "superior" to the US. I am just trying to give an outside perspective.]

pyuser583
2 replies
23h14m

The real issue is that lawyer can “try” anything with almost no consequences.

I doubt this will work. But there’s “no harm in trying.”

Fischgericht
1 replies
22h2m

Over here there are "consumer associations" that have the right to sue in such cases in the name of all consumers. That works quite well.

Due to this traditionally those things are not even tried.

That has changed with (mostly US) businesses entering the EU. A good example is booking.com, who again and again and again invented new dark patterns to then get sued for it, making it clear those are illegal.

We had the same with the airline industry with their advertised prices not matching the actual final price with all taxes and made-up fees. But by now even Ryanair has given up and no longer tries those tactics.

But there are no big financial penalties for losing such cases in court. I guess it's the bad PR these court cases generate every time that makes those businesses give up, after a while, on trying to screw over consumers...

pyuser583
0 replies
17h59m

In the US we have class actions (groups of aggrieved consumers). And State Attorneys General who sue on behalf of the public.

The problem is most lawsuits end in plea deals, so it matters greatly who the specific litigants are, as they have the ability to agree to a compromise that affects everybody.

That’s why many conservatives (and only slightly fewer liberals) are “standing hawks” - people who think only folks with very specific harms should be part of a lawsuit.

denton-scratch
0 replies
23h4m

I wonder how on earth the US legal system could deteriorate so much that such a story becomes possible.

My impression is that everything in the USA has become lawyerized. Politicians are all lawyers. If you have assets of more than a mill, you have a legal team. You can't move for lawyers. I'm watching stories about a man facing 90 charges, who is still running for president (and has a good chance of winning). All of his co-accused are lawyers.

You'd think that, with so many lawyers around, it should be really quick to get justice. But it's the opposite; apparently, the more lawyers are involved, the longer justice is delayed.

happytiger
3 replies
19h49m

There’s a word for changing the terms after a deal is signed to benefit one party over the other: fraud.

skyfaller
2 replies
17h31m

"I am altering the deal. Pray I do not alter it any further."

happytiger
1 replies
16h31m

I mean, exactly. Don’t know why you’re getting downvoted for this quote. It’s hilarious.

tacocataco
0 replies
14h6m

This website prefers dry commentary over meme replies. Not my preference, but it's not my website so I do my best to reel in the clown show.

emddudley
3 replies
1d1h

I have tried to quickly diff the previous TOS with the new one and I wasn't able to identify any big changes. I would like to know what the actual changes are. I see a lot of articles criticizing the new TOS, but no one is showing the actual wording differences.

Does anyone have an actual diff?

e28eta
1 replies
19h52m

Comparing:

https://www.23andme.com/legal/terms-of-service/full-version/...

https://www.23andme.com/legal/terms-of-service/full-version/

two things jump out at me, as a layman:

insertion into the middle of Limitation of Liability "WITHIN THE LIMITS ALLOWED BY APPLICABLE LAWS, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT 23ANDME SHALL NOT BE LIABLE FOR ANY DAMAGES"

Lots of changes to the Dispute Resolution, and new content re: Mass Arbitration. However, the previous ToS still had binding arbitration clauses, and stuff about class actions.

emddudley
0 replies
3h15m

Ah, I really appreciate this. I did not know that the old TOS was available under the /4.1 link. And I like the full-version links!

In case the older version goes away, here is the archive.org version from October 25, 2023:

https://web.archive.org/web/20231025013949/https://www.23and...

slingnow
0 replies
23h32m

Why do the actual work when you can just come to the HN comment section and rant about what you think it means!

WalterBright
3 replies
21h40m

"reports revealing that attackers accessed personal information of nearly 7 million people — half of the company’s user base — in an October hack."

Breaking into a system should never provide access to 7 million people. The database should be divided up into multiple "cells" each with its own separate access restrictions.

It's the same idea that spy networks use to prevent one compromised spy from bringing down the whole system. Or you can think of it like watertight compartments in a battleship.

hmottestad
2 replies
19h3m

What if you want to run a query to compare your DNA to everyone else’s to see if you have any relatives that are registered already? Wouldn’t that need access to the entire database and essentially be a point of weakness?

WalterBright
1 replies
16h16m

I am no expert on such systems. But it seems to me that the comparisons should only be run within the cells. The caller only passes the one to compare it to, and the only thing that comes back from each cell is any matches. That way, only the specific cell has access to its data.
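The cell design sketched in this thread (a relative search that sends each cell only the probe and gets back only matches, with each cell guarding its own data behind its own credential), as an added example that is not the commenter's own code. Genotypes here are constructed 16-character SNP strings and the similarity score is a simple identity fraction standing in for real kinship metrics; the cell names, user ids and tokens are demo values.

```python
from dataclasses import dataclass, field
import hmac
import secrets


def similarity(a: str, b: str) -> float:
    """Fraction of positions with identical calls (stand-in for a kinship metric)."""
    if len(a) != len(b):
        raise ValueError("genotypes must be the same length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


@dataclass
class Cell:
    """One compartment: holds its own records and accepts only its own token."""
    name: str
    _token: str = field(repr=False)
    _records: dict = field(default_factory=dict, repr=False)

    def _check(self, token: str) -> None:
        if not hmac.compare_digest(token, self._token):
            raise PermissionError(f"{self.name}: credential not valid for this cell")

    def add(self, token: str, user_id: str, genotype: str) -> None:
        self._check(token)
        self._records[user_id] = genotype

    def find_matches(self, token: str, probe: str, threshold: float):
        """Only the probe goes in; only (id, score) pairs above threshold come out."""
        self._check(token)
        hits = []
        for uid, genotype in self._records.items():
            score = similarity(probe, genotype)
            if score >= threshold:
                hits.append((uid, score))
        return hits

    def export_all(self, token: str) -> dict:
        """Bulk read used here only to measure what one leaked credential exposes."""
        self._check(token)
        return dict(self._records)


class Broker:
    """Fans a relative search out to every cell; holds one credential per cell."""

    def __init__(self, cells_with_tokens):
        self._creds = {cell.name: (cell, token) for cell, token in cells_with_tokens}

    def find_relatives(self, probe: str, threshold: float = 0.8):
        hits = []
        for name, (cell, token) in self._creds.items():
            hits.extend((name, uid, score)
                        for uid, score in cell.find_matches(token, probe, threshold))
        return sorted(hits, key=lambda h: -h[2])


def records_reachable_with(token: str, cells) -> int:
    """Blast radius of a single stolen cell credential across all cells."""
    total = 0
    for cell in cells:
        try:
            total += len(cell.export_all(token))
        except PermissionError:
            pass
    return total


def build_demo():
    """Three cells, two constructed users each, with distinct per-cell tokens."""
    tokens = {n: secrets.token_hex(16) for n in ("cell-a", "cell-b", "cell-c")}
    cells = [Cell(n, tokens[n]) for n in tokens]
    data = {  # constructed sample genotypes
        "cell-a": [("u1", "AAGCTTGACCGATAGC"), ("u2", "TTGCAAGACCGATAGG")],
        "cell-b": [("u3", "AAGCTTGACCGATAGG"), ("u4", "GGCCAATTGGCCAATT")],
        "cell-c": [("u5", "AAGCTTGACCGATTGC"), ("u6", "CCCCCCCCCCCCCCCC")],
    }
    for cell in cells:
        for uid, genotype in data[cell.name]:
            cell.add(tokens[cell.name], uid, genotype)
    broker = Broker([(cell, tokens[cell.name]) for cell in cells])
    return cells, tokens, broker


if __name__ == "__main__":
    cells, tokens, broker = build_demo()
    print(broker.find_relatives("AAGCTTGACCGATAGC"))
    print("records exposed by one stolen token:",
          records_reachable_with(tokens["cell-a"], cells), "of",
          sum(len(c.export_all(tokens[c.name])) for c in cells))
```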

hmottestad
0 replies
8h13m

You might be interested in homomorphic encryption. It allows for mathematical operations on encrypted data. I don't know if any database actually supports it, but it should allow for things like SUM operations on a column of encrypted numbers with a result that is also encrypted.

pizzalife
2 replies
1d

I interviewed for a security position there a few years ago, but they cut the role before the interview process was over. Kind of feels like they didn't prioritize security - you reap what you sow.

hmottestad
1 replies
18h56m

Could have been that they found someone internally.

pizzalife
0 replies
14h59m

Could be, but I've interviewed with dozens of companies and I've never had that experience elsewhere.

darklycan51
2 replies
1d1h

I don't feel bad for anyone who sent their dna to a private capitalistic company. It was always obvious this was gonna happen. Especially when these companies paid so much to politicians like Bernie Sanders to appear on their ads to seem "benign".

nazgulsenpai
0 replies
1d1h

Do you feel bad for people who had relatives use the service without them knowing, making them party even though they did not consent?

RIMR
0 replies
1d1h

23andMe thanks you for your lack of sympathy for their victims.

aeurielesn
2 replies
1d2h

I don't understand how this is even legal, but it has been widely adopted without a backlash.

scottLobster
1 replies
1d2h

The older I get, the more I learn that "legal" doesn't mean what's on the books, it means what some entity cares to enforce.

Maxion
0 replies
1d1h

And because court cases are so expensive, what really matters is who has more money to spend on lawyers.

zlg_codes
1 replies
20h44m

I'm getting to a point where I automatically assume any business is both taking my money and trying to totally fuck other parts of my life behind my back to make more money.

If capitalism is so great why is it so incompatible with being a good and honest person?

alephnan
0 replies
20h40m

If capitalism is so great why is it so incompatible with being a good and honest person?

Capitalism was never about that. It was about actors acting in their own self-interest so as to maximize economic efficiency. That model works great when you are selling commodities and physical products.

Capitalism in the era of personal information as currency is an entirely different beast that needs to be reworked.

tjpnz
1 replies
1d1h

Which companies offer similar services sans all the bullshit and privacy issues? I'm not interested in finding long lost relatives and even less interested in having my data sold or shared with LEO.

xlbuttplug2
0 replies
13h29m

I am not familiar with either offering but this was on HN a few days ago: https://news.ycombinator.com/item?id=38578951

tamimio
1 replies
1d

Gladly I never used any of these services, not just knowing my ancestors origins will add zero value to my life, but also I don’t trust any cloud services to store my passwords or notes, let alone a biometric I will never be able to change, alive or not.

TheBlight
0 replies
1d

The slightly annoying thing with this data, though, is that even if you don't provide your data your privacy can be violated via any relatives' data that did decide to use the service.

stainablesteel
1 replies
19h21m

it's insane that a company can just change a tos after you buy their product

why can't I be locked into what I chose to purchase?

hmottestad
0 replies
19h8m

Changes to the consumer law in Norway try to account for digital services that a product you bought had at the time of purchase and that no longer work. Also where a lack of an update has caused something to not work as expected.

The actual ramifications of this are yet to be seen, since the changes come into effect from next year. It will be interesting if this means that apps need to be updated to support new iOS and android versions, or if phones will need to get security updates, or if cloud services must be available, or if a feature can be removed from an app or not.

skilled
1 replies
1d2h

The article doesn't add anything new from the previous discussion:

23andMe updates their TOS to force binding arbitration (https://news.ycombinator.com/item?id=38551890) - (372 points | 6 days ago | 243 comments)

One interesting thing about this story though is that it appears that 23andMe is outright refusing to make a comment to anyone. Every single site that has covered the story and bothered to email them have added a, "23andMe has declined to comment" disclaimer.

Pretty scummy.

kelthan
0 replies
1d2h

Yes, from the perspective of any user/consumer of the service. But since they are facing litigation, any lawyer will tell you that keeping your mouth shut until the action is adjudicated is THE best course of action, regardless of what some politicians and corporations may do these days.

The only other thing that they could say would be "We do not comment on matters involving pending litigation." But that's just a longer way of saying "No comment." It's not any more satisfying for the customers or partners understandably seeking answers to what happened, how, and why.

kryptiskt
1 replies
1d1h

I have a vague recollection that some company fairly recently squirmed when it got tons of arbitration cases.

It would be really funny if 23andMe got dragged to the arbitrator a million times.

nielsbot
0 replies
1d1h

I think there was a general pattern of people striking back against mass forced arbitration by saying "ok, that's fine, we'll all go to arbitration at once". And companies ended up having to foot the bill for hundreds or thousands of arbitration cases...

Newer arbitration clauses that I've seen now cover this scenario. Something like "If many identical cases come forward at the same time, you agree to combine your cases in a single arbitration action."

Looks like CR wrote about it:

https://www.consumerreports.org/money/contracts-arbitration/...

jbombadil
1 replies
22h38m

I honestly don't understand how "If you don't opt out within 30 days you'll be bound to the new TOS" works.

I have heard of two big "trends" of how people think about legal contracts:

[1] What is written there and what both parties agreed to is the truth.

[2] A contract is supposed to be a "meeting of the minds". If it's proven that one party was being deceitful, then the contract (or that part) doesn't hold.

If we go by [1], then the company can change the TOS by sending me a notice with "if you don't opt out, then you're bound by these terms"... but so should I. I should be able to send a letter to 23&me saying "if you don't disagree these are the new terms: if my information is ever hacked, you owe me 10M dollars in damages"

If we go by [2], then sending a notice like that is absolutely invalid. They have no way of proving that I read that notice within 30 days, so there was never a "meeting of the minds".

lolinder
0 replies
14h44m

The theory is that you start the contract with the terms specifying that changes put forward by the company (but not the user) are automatically accepted with 30 days' notice. That's where the meeting of the minds occurs: in theory, from that point on, you've agreed that the terms can change.

However, I'm not sure if that's ever been tested in court as a valid theory, and regardless it certainly shouldn't be legal (any more than noncompetes).

henry2023
1 replies
21h56m

About 5 or 6 years ago, I thought about sequencing my DNA with them. I'm glad I didn't seriously consider it or actually go through with it.

benchtobedside
0 replies
21h47m

Worth noting that 23andMe, plus many other low cost genealogy/health-focused companies do not sequence your DNA.

Instead, they perform what is called a genotyping microarray test, which looks at less than 0.1% of your genome.

To quote from 23andMe: "In order to be genotyped, the amplified DNA is “cut” into smaller pieces, which are then applied to our DNA chip (also known as a microarray), a small glass slide with millions of microscopic “beads” on its surface. Each bead is attached to a “probe," a bit of DNA that matches one of the genetic variants that we test. The cut pieces of your DNA stick to the matching DNA probes. A fluorescent label on each probe identifies which version of that genetic variant your DNA corresponds to."

Source: https://customercare.23andme.com/hc/en-us/articles/227968028...

eadler
1 replies
1d

In case anyone is interested, I've been compiling as much factual information on arbitration as I can here. Not yet complete, but reasonably useful and well sourced:

https://grimreaper.github.io/arbitration/docs/problems/

ashtronaut
0 replies
23h1m

Thank you, this is really helpful!

deegles
1 replies
22h6m

I got downvoted in another thread for suggesting that a company might do exactly this.

master_crab
0 replies
21h53m

I'll give you an upvote if you link it!

TheCaptain4815
1 replies
23h37m

I almost laughed out loud when I got the email a few days after the leak. There's no way a company can just change the TOS AFTER a major leak, right?

dekhn
0 replies
23h1m

Yes, companies can change their TOS when they want regardless of what happened before, so long as they weren't legally prevented from doing so.

1vuio0pswjnm7
1 replies
20h45m

"In October, the San Francisco-based genetic testing company headed by Anne Wojcicki announced that hackers had accessed sensitive user information including photos, full names, geographical location, information related to ancestry trees, and even names of related family members."

For those who do not know, her sister is a longtime Google marketing person since 1999, who worked on AdWords, AdSense, DoubleClick, Google Analytics and the money-losing data collection and advertising subsidiary YouTube.

It seems personal data collection for profit runs in the family.

clwg
0 replies
14h8m

She was also married to Sergey Brin for 8 years.

tokai
0 replies
1d1h

Meh, not really binding in the EU, as it's not done in good faith and it disadvantages consumers. I see no reason to write to them and tell them you don't agree if you are an EU citizen.

stuaxo
0 replies
22h32m

Will this work, I wonder?

someotherperson
0 replies
1d1h

An alternative take is that they changed their terms of service so that if/when this happens again they'd have more control over the fallout. I think they're totally expecting to get railed for the last one and are preparing for it, but this doesn't mean they can't prepare for the future as well. I imagine other providers will also revise their TOS.

robg
0 replies
23h58m

Just email to say you opt out.

pkilgore
0 replies
22h32m

Exporting raw genetic data is conveniently "temporarily unavailable" at the time this bullshit is happening, which is something I'm almost certain discovery would prove is an intentional choice by them.

lowbloodsugar
0 replies
22h52m

Ok, but where is the class action?

leemailll
0 replies
17h53m

I don't support this, but I'm surprised they have only done this now.

josefritz
0 replies
1d2h

There is no retcon possible from a TOS update. They're a soft target for a class action lawsuit right now and they know it.

johndhi
0 replies
12h52m

I'm a lawyer. Some of the assertions here are a bit extreme, as is the headline, imo. The company can add a class waiver to its terms when it wants to. Whether it's enforceable against people who have a claim predating the terms update will be an interesting legal issue to debate. But let's not call them the devil.

jnsaff2
0 replies
21h17m

Sociopaths.

jakedata
0 replies
23h12m

23andMe would like to point out that hackers already have access to 99.9% of your DNA right now. That means they are at most only 0.1% at fault for anything else.

hsuduebc2
0 replies
22h5m

Exactly. This behavior is why I'm never gonna send my DNA to any of these services. Certainly not US ones. I hope that the EU will have some regulations for this soon.

gkanai
0 replies
18h26m

Was never interested in this service previously and will never consider them in the future.

Did 23andMe not expect themselves to be hacked?

gavinhoward
0 replies
13h39m

So glad I never became a customer of 23andMe.

I hope that I would have cause to go after them if they leaked DNA from a relative, and that DNA was used to cause harm to me.

bulbosaur123
0 replies
21h54m

As a customer from EU who has been affected by this, how do I sue them? Can I join the class action?

Didn't use ancestry feature, but from what I understood my data has been leaked as well.

b800h
0 replies
21h15m

I'm in the UK and I've not received a notification that the terms have changed. Is this because our law is more consumer-friendly?

TaylorAlexander
0 replies
21h27m

I haven't logged in in years. Is it possible for me to cancel my service without agreeing to updated terms?

SpaceManNabs
0 replies
1d

What exactly was breached isn't clear... Very worrying

Imnimo
0 replies
21h49m

Well, at least 23andMe promises that it also can't participate in a class-action lawsuit against me. So that's pretty fair.

FredPret
0 replies
1d

Reminds me of PayPal, which keeps spamming me with Terms of Service update emails. It doesn't exactly build trust.

DesiLurker
0 replies
17h57m

This should be a reminder to DELETE YOUR 23&ME ACCOUNT and destroy the samples asap. God knows who this horrible company will sell all that info to next.

1vuio0pswjnm7
0 replies
12h39m

23andMe DNA kits make great x-mas gifts. 50% off!