The ancestry-testing company 23andMe has had a hard go lately. First, in 2023 a data leak at the company exposed millions of customers’ personal information—including genetic information—to hackers. As Wikipedia reports:
The cyberattack gathered profile and ethnicity information from millions of users. The affected customers were reported as primarily Ashkenazi Jews but also including hundreds of thousands of ethnically Chinese users. The hacker(s) stole information customers had chosen to share with their DNA matches, which could include name, profile photo, birth year, location, family surnames, grandparents’ birthplaces, ethnicity estimates, mitochondrial DNA haplogroup, Y-chromosome DNA haplogroup, link to external family tree, and any text content a customer had optionally included in their “About” section. On October 6, 2023, the company confirmed that the hacker(s) had illicitly accessed data on approximately 6.9 million users.
And now the company is going to sell off its genetic data to a new company, TTAM Research Institute. We were informed by 23andMe (I was a customer) that we could have our genetic data deleted before the sale, and I naturally did this; I believe I urged customers somewhere on this site to delete their data, too (you can always use a different company in the future). But 23andMe is now subject to a lawsuit involving this sale:
Twenty-seven states and the District of Columbia have sued the genetic-testing company 23andMe to oppose the sale of DNA data from its customers without their direct consent.
The suit, filed on Monday in U.S. Bankruptcy Court in the Eastern District of Missouri, argues that 23andMe needs to have permission from each and every customer before their data is potentially sold. The company had entered an agreement to sell itself and its assets in bankruptcy court.
The information for sale “comprises an unprecedented compilation of highly sensitive and immutable personal data of consumers,” according to the lawsuit.
The CEO of the company was promptly dragged before a Senate committee to explain what 23andMe were going to do with the data, and his performance, as you’ll see in the eight-minute video below, was abysmal; he wriggled like a caught eel.
This wiggling and evasion from CEO Joseph Selsavage is even more waffle-y than was the testimony of the MIT, Harvard, and Penn Presidents before Congress (actually, the Presidents answered accurately, but it wasn’t good enough for Representative Elise Stefanik). A reader sent me the link to the new video with this comment:
I thought you might be interested in this. You recommended that readers who used 23&Me to conduct genetic analysis might want to delete their data after the company claimed bankruptcy and intend to sell this data to Regeneron for $300M [JAC: see above, TTAM won the bidding over Regeneron.] I followed your sound advice.
Very disconcerting is this hearing where Senator Josh Hawley absolutely hammers the CEO of 23&Me about whether they are actually deleting our data or not even after instructed by customers to do so. It’s not clear if they are actually permanently expunging our data records or not given the waffling but how outrageous if they are not:
Here’s the caption for the YouTube video, which was posted on June 12:
At today’s Senate Judiciary Committee hearing, Sen. Josh Hawley (R-MO) questioned interim 23andMe CEO Joseph Selsavage.
Oy vey! Look at Selsavage equivocate and squirm! It’s a pathetic and reprehensible performance. And only Ceiling Cat knows what TTAM will do with our data. (Since I asked for mine to be deleted, Regeneron presumably doesn’t have it, but Selsavage isn’t at all clear about that.) Hawley is civil but also persistent, and manages to show up Selsavage as somewhat of a liar.
I requested that they delete my data. When I made the request, the web site indicated that 23andMe would do so, but there was no positive indication that the data actually were deleted, nor was there any way to confirm this on my own. I am not confident that they actually deleted the data.
My understanding is that deleting data is not a trivial matter. Typically, when one deletes data from a computer, the computer deletes the pointer to the data, not the data themselves. This allows the actual data to be overwritten by new data, but doesn’t guarantee that the old data are overwritten. To delete the data requires a more definitive action, such as reformatting the disk drive or overwriting the original data with nonsense characters. If the data aren’t truly scrubbed or overwritten, the data can often be recovered from the disk.
Anyway, I’m not all that concerned that my 99% Ashkenazi Jewish ancestry will be revealed to the world but I am annoyed that I have no positive confirmation that the data were deleted and that the CEO isn’t coming clean. It’s possible that 23andMe truly deleted the data but, if so, why would the CEO be so squirrelly about it? Maybe they “deleted” the data only in the weak sense described above.
Yep Norman. Delete vs degauss or physically chop up the data medium. My first Nasa boss gave me my first briefing on the handling of classified data: Jim, he said, if you never want to be in trouble regarding handling classified data, just be sure to never accept any classified data. I saw creating a package of genetic info in a similar light: if I did not want unauthorized parties to have access to my genetic data, I should never have such a database created. So I never have and never voluntarily will. I have never trusted business any farther than I could throw them.
This is not a direct quote, but at least one of my relatives advised me to never do business with anyone that I would not be able and willing to sue if necessary.
It may be an unpopular opinion here, but I’d be a bit sad if the 23andMe database disappeared. It is a unique and difficult-to-recreate treasure trove of high scientific value (though being the property of a private company is sub-optimal). One solution could be to keep the data but delete all info (name, address, etc) that links it to a person, replacing that with a randomly generated ID number. That could then be made available to the world’s researchers.
I’m OK with anonymizing the data. That can be done effectively.
Do you know if there is indeed a call by scientific researchers for this information? It seems to me that most of the value comes from knowing that John James is related to Phyllis Phaneuf, and DNA left at a crime scene is related to that kindred, providing a key link to break a cold case. Presumably the unknown killer never submitted a specimen himself —that would be stupid! — but if any of his distant relatives did, the cops will nail him by elimination and surreptitious collection of his DNA. If this relatedness, with identifiable names, were destroyed by anonymizing the results, much of the database’s value would be lost, especially since placing the suspect at the crime scene (and under the victim’s fingernails or elsewhere) beyond reasonable doubt requires beefing up the priors by proving he’s part of the kindred that provided the initial match. Not just a random lucky match.
Perhaps the FBI should try to get an injunction prohibiting the company from doing anything to harm the searchability of the database, including forbidding the company’s bankruptcy trustees to honour any requests from customers to destroy or de-link their data. After all, you can’t demand that a doctor or a health insurance company destroy your medical information. There is a state interest in preserving it and the state can always over-rule contracts between private individuals in the public interest.
I have never submitted to DNA testing — I’m just not that curious about it — but I don’t see an over-riding privacy interest in it. I’m more worried about my credit cards, social insurance number, and other identity theft. None of that involves any Denisovan or aboriginal genes I might have. If I did have a specimen in there that helped nail some unknown relative for rape and murder of a schoolgirl, …cool!
Massive statistical analysis and data matching (e.g. by AI™) with genetic data could have direct adverse consequences for individuals seeking loans, insurance, security clearances, etc. Rather like “racial profiling” on steroids.
So what? If the statistical connections showed a large effect size that was reproducible in predicting loan default, early death, or betrayal of the nation’s secrets and discriminated more accurately than methods of profiling we already use, why would you not use them to reduce losses from making bad bets on people? You would also make fewer mistakes in the other direction, no longer rejecting people who would have been good risks and now accepting them.
If this caused disparate impact on touchy racial or gender minorities such as non-binary Scots, who cares? Maybe race realism isn’t racism after all…at least as applies to those insufferable Scots.
There is a 48 Hours episode that has a case with almost this exact scenario!
I used 23andme but haven’t deleted my data.
I’m nearly 74. I live in Canada so I don’t have to worry about health insurance.
At this point, I can’t see how it could hurt me.
Companies that retain our personal data should be subject to extremely strict regulations. This should include getting our permission, or that of our heirs, before sharing that data.
Having said that, these genetic databases have been invaluable in tracing murderers and rapists, including the Golden State serial killer. Many men are now being imprisoned for decades old crimes that they thought they had got away with.
The databases have also been critical in finding the identities of dead bodies and returning them to their families.
This article explains how the majority of white Americans can already be traced via these databases, even if they haven’t chosen to upload their own data.
https://www.science.org/content/article/we-will-find-you-dna-search-used-nab-golden-state-killer-can-home-about-60-white
I don’t have any answers to this problem. I believe we have a right to privacy, but I see the advantages of putting criminals behind bars or being able to trace relatives in a case of genetic health issues.
The genie seems to be out of the bottle, and I don’t know if it can be put back in.
I acknowledge the value of these databases to aid law enforcement in capturing bad guys. The problem for me is that same data can be used by the government for any purpose, not just for the common good. Some day they may come for people who have done something that is maybe not approved by the state but not even naughty, let alone criminal. Justice here is aspirational at best anyway, so even though it would mean the loss of a dataset that might help some law enforcement agencies, the tradeoff isn’t worth it to me. IMO,OC
I did not submit to 23ANDME but my brother did, so I’m screwed anyway and I don’t like it
Exactly. It doesn’t take long for a government to become a dictatorship. Laws we make can soon be turned against us.
My country recently introduced Hate Crime legislation that can have you prosecuted for free speech. A change of government could easily use that legislation against the people who pushed for the new law. Be careful what you wish for.
Joolz, does that mean Scotland Yard should close its fingerprint database (or its mug shot gallery) just because prints found on beer cans discarded at an anti-immigrant rally might be used as evidence to prosecute people for hate speech? (The cops seem to go for easier evidence of hate like social media posts, which they can obtain while enjoying tea and chocolate digestive biscuits at home in their pyjamas, as one British commenter acidly put it.)
There is no right to privacy that trumps the administration of justice. If what you told your psychiatrist undermines your credibility as a witness in a rape trial, the defence will find it and make the shrink read it in Court. If your private activities are illegal under good laws or bad, your privacy will yield if a judge says it must. And if you handed over a specimen to a private company, it’s not private anymore no matter what it might have promised you. It’s only private if you keep it a secret to yourself.
Companies share your personal information for legitimate business purposes such as managing credit risk. You can’t withhold consent for MasterCard to refer your chronically delinquent payment history to a collection agency. If you baulked at this provision in the credit agreement, MasterCard would reject your application. Your heirs have no standing. The information about you held by a third party for its purposes isn’t part of your estate. If it has value, and it apparently does, $300 million worth, it is the business assets of the company that analyzed and created the value from it. It’s valuable because it’s a curated collection. Each individual specimen is worth nothing by itself. It’s just a gob of saliva. If the company goes bankrupt, the database goes up for auction like the office furniture and the art in the lobby. The state should buy the data for forensic purposes, as I’ve argued, just as it buys up bankrupt railways and steel mills in the national interest. Or failing that it should require that the data be preserved in identifiable form, including prohibiting deletions. This might require legislation, although I think the owner will have an incentive to preserve it intact because the identifiers are precisely what make it so valuable. (Granted if the owner wants to make part of the collection available to third-party researchers, to them it should anonymize the data. But the state should be able to get the whole thing by show-cause court production order, with appropriate compensation to the owner for his efforts to comply.)
I think you have to distinguish between police tools that accurately identify the guilty (and exonerate the innocent) under robust rules of evidence on the one hand and laws that criminalize the wrong things on the other. Just because you don’t like one law, you ought not to make it harder to prosecute all laws. The blame for bad laws lies with Parliament, not with the police. And Parliament is you. MPs you Britons elected to make your laws.
What I particularly like about recreational DNA is that it causes the smug perpetrator of a perfect crime to worry for the rest of his life that some unknown member of his extended family might someday submit a specimen to 23andme….and then the cops will find him. He’ll be minding his business in some faraway place or maybe above suspicion just a block from where the poor girl died. One day he discards a cigarette butt in view of the detectives now tailing him (and maybe a dozen of his relatives) who scoop it up. Busted! Even if only one cold case in 10 or 100 is solved this way, it causes the other 99 to have sleepless nights while they wait for the knock at the door. “Sure I used a condom but did I leave any DNA under her nails when she scratched me?” (Yes, you did.) If 23andme is scrubbed, all those perps will sleep easy. And it will be the murderers of girls, women, and delicate boys who escape, because men who leave their DNA behind with a murder victim had to get up close and personal.
This is expensive work that consumes time and resources and might still come up empty. Only murder where DNA was found and no clue of a suspect will be investigated this way. There are much easier ways to get compromat on consumers of legal but unsavoury recreation.
I’ll yield to da Roolz.
“Joolz, does that mean Scotland Yard should close its fingerprint database…”
Of course not. But fingerprints are very different from DNA. If EdwardM’s brother had submitted his fingerprints to a database then they couldn’t be traced back to identify Edward. His DNA can.
“There is no right to privacy that trumps the administration of justice. ”
You are making the assumption that ‘justice’ is the same thing around the world. It isn’t. I live in a country that is becoming more totalitarian, but I don’t think it will become a dictatorship anytime soon, so I’m ok if I can be traced through those databases. But if I was a woman in Iran or any other Muslim country, I certainly wouldn’t feel the same way.
The other examples you give are also very different from DNA. The issue with DNA is that it isn’t just your own personal data, like credit scoring and disclosures required by a judge. If I hand over my financial data to a private company and they share it, then it only affects me, not my siblings, parents, cousins etc.
“Companies share your personal information for legitimate business purposes”
Who decides what is legitimate for DNA data and who polices the usage? I certainly don’t trust big business to make these decisions. I think we need conversations about this and legislation to control the use of DNA info.
“Your heirs have no standing”.
I disagree. My father’s DNA links to me, so the use of his data impacts me personally. Legislation should allow me to break the connection in DNA databases. This is why we need public consultation on the issue.
I agree that the state should be the holder of this data, not private companies, but it is nothing like privatising railways.
I’m not against using DNA in principle. The Gartnavel hospital has my DNA, and that of many kin, as we were involved in a project to identify and eliminate a genetic illness that runs in my family. It is not a private company, and I trust them only to use the data for the purpose it was collected. They developed a blood test from our data, so they probably don’t even need our details any more.
I have never suggested deleting all these databases. I follow true crime and have seen many, many men captured after decades of thinking they had got away with rape or murder. There are so many success stories. DNA gave “Valentine Jane Doe” her name back after 30 years, identified her murderer and let her family bury her.
I love hearing about criminals being caught and having to pay for their crimes, but DNA isn’t just about crime. It has a huge use in medical research. At a seminar recently, medics announced that there will probably be a test for Alzheimer’s within a decade. With a DNA database, you could, in theory, contact everyone who is susceptible to the disease, some may welcome that but others wouldn’t. This is why we need to have the conversation now about what this data can be used for. There’s no point locking the stable door after the horse has bolted. We need to have those open and honest conversations now, before it’s too late.
Without supporting this mook in any way, I just want to note that testifying before a hostile Congress is really, really hard. Ideally, you should be trained first by a team of lawyers, and not just any lawyers, but lawyers who understand this particular skill. Otherwise, I don’t care how smart and in the right you are, you will come off looking like this.
Natasha Hausdorff could probably pull it off (were she a subject of its jurisdiction), but anymore it’s pretty much a “gotcha” set up being hauled into one of those dramatizations. I believe in them, in theory. In practice the outcomes are largely predetermined.
I’m almost surprised how little this whole kerfuffle surprises me.
Exactly. I pretty much expected something like this. Takes me back to Edward Snowden. The only thing that surprised me about his revelations was the public’s collective shock at it.
It would be a shame to lose this data. It can be used in identifying genetic patterns leading to a better ability to predict disease if GWAS is anything to go by.
“Genome-wide association studies (GWAS) are a research approach used to identify genetic variations associated with specific traits or diseases by examining a large number of genetic markers across the entire genome of many individuals. These studies primarily focus on identifying single nucleotide polymorphisms (SNPs) that are more common in individuals with a particular trait or disease compared to those without it.”