this post was submitted on 02 Oct 2024
291 points (99.0% liked)

23andMe is not doing well. Its stock is on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the entire board of directors quit, save for Anne Wojcicki, a co-founder and the company’s CEO. Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.

23andMe’s trove of genetic data might be its most valuable asset. For about two decades now, since human-genome analysis became quick and common, the A’s, C’s, G’s, and T’s of DNA have allowed long-lost relatives to connect, revealed family secrets, and helped police catch serial killers. Some people’s genomes contain clues to what’s making them sick, or even, occasionally, how their disease should be treated. For most of us, though, consumer tests don’t have much to offer beyond a snapshot of our ancestors’ roots and confirmation of the traits we already know about. (Yes, 23andMe, my eyes are blue.) 23andMe is floundering in part because it hasn’t managed to prove the value of collecting all that sensitive, personal information. And potential buyers may have very different ideas about how to use the company’s DNA data to raise the company’s bottom line. This should concern anyone who has used the service.

DNA might contain health information, but unlike a doctor’s office, 23andMe is not bound by the health-privacy law HIPAA. And the company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset. 23andMe promises to ask its customers’ permission before using their data for research or targeted advertising, but that doesn’t mean the next boss will do the same. It says so right there in the fine print: The company reserves the right to update its policies at any time. A spokesperson acknowledged to me this week that the company can’t fully guarantee the sanctity of customer data, but said in a statement that “any scenario which impacts our customers’ data would need to be carefully considered. We take the privacy and trust of our customers very seriously, and would strive to maintain commitments outlined in our Privacy Statement.”

Certain parties might take an obvious interest in the secrets of Americans’ genomes. Insurers, for example, would probably like to know about any genetic predispositions that might make you more expensive to them. In the United States, a 2008 law called the Genetic Information Nondiscrimination Act protects against discrimination by employers and health insurers on the basis of genetic data, but gaps in it exempt providers of life, disability, and long-term-care insurance from such restrictions. That means that if you have, say, a genetic marker that can be correlated with a heart condition, a life insurer could find that out and legally deny you a policy—even if you never actually develop that condition. Law-enforcement agencies rely on DNA data to solve many difficult cases, and although 23andMe says it requires a warrant to share data, some other companies have granted broad access to police. You don’t have to commit a crime to be affected: Because we share large chunks of our genome with relatives, your DNA could be used to implicate a close family member or even a third cousin whom you’ve never met. Information about your ethnicity can also be sensitive, and that’s encoded in your genome, too. That’s all part of why, in 2020, the U.S. military advised its personnel against using consumer tests.

Spelling out all the potential consequences of an unknown party accessing your DNA is impossible, because scientists’ understanding of the genome is still evolving. Imagine drugmakers trolling your genome to find out what ailments you’re at risk for and then targeting you with ads for drugs to treat them. “There’s a lot of ways that this data might be misused or used in a way that the consumers couldn’t anticipate when they first bought 23andMe,” Suzanne Bernstein, counsel at the Electronic Privacy Information Center, told me. And unlike a password that can be changed after it leaks, once your DNA is out in the wild, it’s out there for good.

Some states, such as California, give consumers additional genetic-privacy rights and might allow DNA data to be deleted ahead of a sale. The 23andMe spokesperson told me that “customers have the ability to download their data and delete their personal accounts.” Companies are also required to notify customers of any changes to terms of service and give them a chance to opt out, though typically such changes take effect automatically after a certain amount of time, whether or not you’ve read through the fine print.

Consumers have assumed this risk without getting much in return. When the first draft of the human genome was unveiled, it was billed as a panacea, hiding within its code secrets that would help each and every one of us unlock a personalized health plan. But most diseases, it turns out, can’t be pinned on a single gene. And most people have a boring genome, free of red-flag mutations, which means DNA data just aren’t that useful to them—at least not in this form. And if a DNA test reveals elevated risk for a more common health condition, such as diabetes and heart disease, you probably already know the interventions: eating well, exercising often, getting a solid eight hours of sleep. (To an insurer, though, even a modicum of risk might make someone an unattractive candidate for coverage.) That’s likely a big part of why 23andMe’s sales have slipped. There are only so many people who want to know about their Swedish ancestry, and that, it turns out, is consumer DNA testing’s biggest sell.

Wojcicki has pulled 23andMe back from the brink before, after the Food and Drug Administration ordered the company to stop selling its health tests in 2013 until they could be proved safe and effective. In recent months, Wojcicki has explored a variety of options to save the company, including splitting it to separate the cash-burning drug business from the consumer side. Wojcicki has still expressed interest in trying to take the company private herself, but the board rejected her initial offer. 23andMe has until November 4 to raise its shares to at least $1, or be delisted. As that date approaches, a sale looks more and more likely—whether to Wojcicki or someone else.

The risk of DNA data being misused has existed since DNA tests first became available. When customers opt in to participate in drug-development research, third parties already get access to their de-identified DNA data, which can in some cases be linked back to people’s identities after all. Plus, 23andMe has failed to protect its customers’ information in the past—it just agreed to pay $30 million to settle a lawsuit resulting from an October 2023 data breach. But for nearly two decades, the company had an incentive to keep its customers’ data private: 23andMe is a consumer-facing business, and to sell kits, it also needed to win trust. Whoever buys the company’s data may not operate under the same constraints.

all 45 comments
[–] [email protected] 71 points 2 months ago (2 children)

which means the DNA of 23andMe’s 15 million customers would be up for sale, too.

Wild to me that this isn't categorized as sensitive health data you aren't allowed to sell.

[–] [email protected] 42 points 2 months ago

It's America - your data and privacy do not matter right now and the septuagenarian congress will only look at regulating this 150 years from now

[–] [email protected] 7 points 2 months ago (2 children)

HIPAA does categorize genetic information as protected health information: https://www.hhs.gov/hipaa/for-professionals/faq/354/does-hipaa-protect-genetic-information/index.html

That said... it wouldn't surprise me if all of that data gets sold right before 23andMe tanks, the higher-ups take the cash and split, and there isn't much left of a company to fine. Company tanks and that's the end of it.

[–] [email protected] 5 points 2 months ago

HIPAA only applies to Covered Entities. 23andMe does not meet the HHS definition of a Covered Entity.

https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

[–] [email protected] 2 points 2 months ago (1 children)

Owner can't be sued for illegal acts while it was still running?

[–] [email protected] 2 points 2 months ago

Disclaimer: I am not a lawyer.

I don't know.

If a company is dissolved before lawsuits or charges are filed, the argument could be made that the entity in question no longer exists and the filings are invalid. Just like you can't sue somebody who's dead. It might not hold up in court but I wouldn't put it past some very expensive lawyers to try it anyway because it might work.

This article says that "it depends." There might be a period of time after a company dissolves that it can still be sued, namely, if the legal process to go about it wasn't followed precisely. If there are no assets remaining sometimes the former owners can be sued. There is also the question of whether or not you'll spend more on a lawsuit than you'll get from the settlement.

I just realized something: Most of the time when talking about stuff like this, people seem to implicitly be talking about getting some money out of it (as punishment, maybe). Rarely do folks ever talk about suing for the express purpose of preventing the thing (in this case, selling customers' genomic information to third parties) from ever happening.

This article talks about suing for undistributed assets. Suing to get your genomic data back and verifying that it's been destroyed before it could be sold to anyone else is a possibility. It also talks about suing shareholders; if 23andMe is being delisted that seems like a legal gray area to be exploited: If a company is delisted are there still shareholders? Logically, yes (people hold worthless shares of stock in a company that doesn't exist anymore) but legally? It might be state-dependent as this article suggests (per Favila v. Katten Muchin Rosenman LLP (2010) 188 Cal.App.4th 189, 213).

Maybe under a quiet title action to get the genomic data back?

[–] [email protected] 61 points 2 months ago (4 children)

I always wanted to check out my genome, but never did so because of shady companies like this.

Is there any genome sequencing service for consumers that actually respects your privacy? Especially for full genome sequencing.

[–] [email protected] 9 points 2 months ago (1 children)

Same. I'd love to know any privacy-respecting companies.......that is, if they even exist.

[–] [email protected] 5 points 2 months ago (1 children)

Well, Switzerland has some companies and strict laws on the handling of health data (including DNA). But I dunno if you can just send your sample via package.

[–] [email protected] 2 points 2 months ago

Yeah, I imagine the USPS would have some concerns about transporting biological samples across international borders. Lol.

[–] [email protected] 5 points 2 months ago (1 children)

https://www.dnasquirrel.com/

This site walks you through how to take a DNA test anonymously. That’s as close as I’m aware of that you can get to privacy.

[–] [email protected] 4 points 2 months ago

That's cool, but seems kind of pointless, considering you can be easily reasonably deanonymized if your relatives take a DNA test. It doesn't address the main issue of your genetic information being used commercially.

[–] [email protected] 2 points 2 months ago (1 children)

I've had bots scouting for such a thing for a couple of years. So far, we haven't found any that aren't way sketchy. Your best bet might be to social engineer the folks at a cellular biology lab at a big college or something, get them to sequence your DNA, and have them copy the data onto a flash drive or something. Then the trick is finding somebody who can analyze the data and make sense of it all.

[–] [email protected] 4 points 2 months ago (1 children)

I think the safest bet would be to get a PhD in medical genetics and manually go through your data base pair by base pair

[–] [email protected] 1 points 2 months ago

But hardly practical.

[–] [email protected] 1 points 2 months ago

I as well was curious, but it was clear to me that this was a bad idea from the get go. Long before I became truly privacy focused, it was still blatantly obvious this was a bad idea. It sucks that it was such a hot trend and terms written in a horrible, and dare I say predatory fashion.

[–] [email protected] 30 points 2 months ago (1 children)

Spelling out all the potential consequences of an unknown party accessing your DNA is impossible, because scientists’ understanding of the genome is still evolving.

Honestly, this is something that I hadn't actually considered before. I'm almost embarrassed, since I like to think of myself as someone who is always thinking about how my data can be misused, haha.

It's not just about data that can currently be used unethically; there's also the fact that someone may figure out a way in the future to use today's data unethically. This is definitely true with something like your DNA, which is so complex that there are infinite things to learn from it. But it can be true of more simple things, too. There's no way to predict what someone will be able to extrapolate from seemingly harmless information today.

[–] [email protected] 12 points 2 months ago

Plus this applies to your family as well. DNA is shared and by you giving it up you give up info about those related to you as well.

[–] [email protected] 29 points 2 months ago* (last edited 2 weeks ago) (2 children)

US government should buy them, not for the data, but the research and disease information. That was the most eye-opening thing about the results. Until I got results, my family had no idea that we carried the CF gene.

[–] [email protected] 6 points 2 months ago (1 children)

Some countries, like Finland, already started collecting their population's DNA sequences of willing individuals for research purposes.

[–] [email protected] 8 points 2 months ago

And as far as I've researched it is nowadays very hard to deny the Finnish biobanks of access, storage and sharing of your collected samples. Which are used as a marketing leverage to honeypot healthcare investors and researchers to Finland from abroad by granting access. The sample data is "anonymized". I would like to opt out, but it is made so hard that it is generally impossible. Nobody asked if this is okay to us or not. And we are talking about private data that was collected for national research.

The least the legislators could've done for the participants would've been to make an effective way to opt out from the databases, and deny all personal collection in the future. No such general solution available.

Disgusting from privacy point of an individual. And alarming that your state does something like this.

[–] [email protected] 2 points 2 months ago (1 children)

CF being short for what, in this case?

[–] [email protected] 4 points 2 months ago

Probably cystic fibrosis

[–] [email protected] 22 points 2 months ago

I should be able to copyright my DNA so they can't use it without paying me royalties.

If Lays can bother potato farmers in Africa about it I should be able to own an organism too (myself)

[–] [email protected] 13 points 2 months ago (1 children)

Great. Now how do I get them to delete my data and account?

[–] [email protected] 12 points 2 months ago (1 children)

I really didn't expect this when I used them 15 years ago.

[–] [email protected] 5 points 2 months ago

I did and thus didn't use them.

I hope it gets settled in a way for you, though. Should be outright illegal

[–] confuser 7 points 2 months ago

maybe it would be helpful if someone leaves some comments on how to delete your 23andme account and revoke as much of your data from them before they flop

[–] [email protected] 5 points 2 months ago (1 children)

Luckily I signed up with fake details (name, address, etc.).

[–] [email protected] 30 points 2 months ago

It doesn't help much if your cousins signed up with their real name. If you are male, they can figure out your surname even if no close relative submitted samples: https://en.wikipedia.org/wiki/Surname_DNA_project

[–] [email protected] 3 points 2 months ago

If you've forgotten your log-in info, contact customer service.

If you've previously downloaded your data, you can use that to help.

[–] [email protected] 3 points 2 months ago

Let's break this down a bit:

There is a service that people are likely to use only once. Send them a DNA sample, they sequence it and send you a report. It is highly unlikely that customers are going to have their DNA sequenced repeatedly. The company fails to introduce any other services that lead to customers sending them more money.

This means a revenue curve that goes up, plateaus, and then drops back down.

It was all right there to begin with. The "good while it lasted" curve doesn't take a lot of imagination.

[–] [email protected] 3 points 2 months ago

Every platform Every time