It is so obvious that your relatives sharing their genomic data with 23andMe reveals a lot of information about you. We can only hope people will realize that this also holds true for collecting behavioural data on other people sharing the same background as you.

While I agree it's a perfect counter-argument to that, is that what people always say? I'm not sure I've heard that argument as much as "why do you care so much about privacy?" full stop. As in, they don't really understand why anyone should care about privacy. And this isn't really a counter argument to that, any more than any other breach. And to be fair it's not really even a counter argument to that until you show the harm that came from it. What do you think will happen to people who had their ancestry data stolen here?

In the case of 23andme, it's a perfect answer: We don't know what's hiding in our DNA and I don't know how people will use that against me in the future.

The immediate concern I had with this story is nefarious groups or individuals purchasing this data to target people with violence based on their ethnicities. Imagine if the genome of millions of Europeans was available on the black market in 1930s Europe.

It’s similar to the Office of Personnel Management data breach when every Federal Employee was just 0wn3d. It included 21.5 million background investigations into people and the personnel files of every federal employee and most contractors.

Just slightly sensitive stuff. Nobody knows how many people died as a result of the hack, but I’m sure it was non-trivial because a LOT of people got surprised doxed.

This information is still rattling around out there and will have implications for generations.

Imagine if the same could be done for demographics based on genetics — the risk factors for medical conditions, the ethnic ties you’re talking about, etc.

It’s weighty stuff.

I'm not Jewish, but I feel like there's some sort of reason for them not wanting a list of who they and where they live to exist.

No, we need DNA profiles to find Jews. They're as elusive as the fucking Illuminati. There's just no way to find them unless we have blood samples and stolen DNA profiles.

Limited time offer: accuse Israel of war crimes on social media. The Jews will come to you.

There are a ton of Jews who don't follow kosher law, who aren't particularly religious, etc etc. Yet they would be targeted by anti-semites.

And the choice to share or protect this information just got taken away from every one of their customers forever.

What if you're able to pinpoint unique loci for an individual or group which can serve as a target of a highly specific bio-weapon? Do you think genomic bio-weapons aren't being explored as future weapons?

Ah yeah, exactly who you should go to for bio-engineering advice

This is true on one level, as economic systems are not actors, but abstractions for aggregates of actions; its false on a more concrete level because governments are also not real concrete actors but abstractions for aggregates of real actors.

Both governments and economic systems (and corporations, which you seem to drop in as ig they were the same as economic systems) are abstractions through which real actors act, including to oppress, and very often actions by thr same actors involves all thrre abstractions (even a single action might). Corporations, after all. are themselves creatures of gogernment through law, and economic systems exist only as ideals without being made manifest through legal systems.

> A corporation has never marched people to camps,

You probably don't want to think about most of the best known early joint-stock conpanies (any of the variously East India companies, but especially the British, the Royal African Company, etc.)

> If I don’t want to deal with a corporation, I have the right not to — unless government forces me to.

Corporations—like any individuals—can and do apply coercive force on their own with only after-the-fact review by governments (and, in many cases historically, with obvjecting governments having limited power to apply sanctions), so, no, this isn't correct.

Really?

Let me introduce you to Steven Donziger.

https://www.theguardian.com/business/2021/jul/26/lawyer-stev...

Ho and what about all those corporations that used Jewish slaves during world war 2?

Or just today, Coca Cola killing people protesting them taking their land away or Amazon imposing atrocious work conditions to their employees?

Before blindly defending corporations I'd try and take a look at reality...

It's not as simple as "government bad and corporations good"

And to you I guess a cotton or sugar plantation was not a capitalist enterprise?

Sounds like an absolute treasure trove for a life insurance company. Or, would you disagree?

Funny! We all know it would be a lone rogue engineer that did it in the end and management would apologize on their behalf.

"Feed personal data into this service and it'll spit out a risk assessment based on a model built on 6.9M historical health data sets."

Disagree. Life insurance companies already requir blood tests and urine tests before insuring a consumer. They already have this data

I'm not sure I've ever heard anyone I know mention privacy at all, as if they're totally ignorant to it. In reality, the majority of people will just let Google or Microsoft do whatever with their personal information as long as the product or service is slightly more convenient than the last one.

It is not necessary to show actual harm from this breach for it to defeat the tacit premise behind the statement you are discussing, which is that their profligacy with their personal data cannot, by itself, reveal any of your personal data.

Do you talk family problems with all your neighbours ? With strangers ?

How would you feel when your employer will know everything you did last night ?

23andMe could still have operated legally under this scheme. They could have done the analysis and sent you a printed sheet. But no, they had to store everything to be able to double dip by selling the data to pharma companies and whoever else would pay for it.

If you can't turn a profit without underhandedly selling your users' data. You deserve to fail.

Could they tho? The ancestry analysis itself is based on the data of other users in other parts of the world?

For example, they talk about it on this page, which is linked from the about menu (so available with pretty small effort): https://www.23andme.com/research/

I expect lots of people also like that they get updates when information about new markers becomes available.

You're welcome to trust them, but no I.

It's all about the money, always. So not gonna happen.

Non-profit in the US is a tax status. Many CEOs of non-profits enjoy multi-million dollar salaries and bonuses.

And since 23andme (as I assume others) don't do these anonymously, there is no hope. Unless people use someone as a proxy (i.e. I-1 give my sample to a male colleague to send it as his-2, he-2 gives his sample to someone else to send it as his-3, and so on..). Police would eventually find the guilty in case of a crime, but the 23andme's of this world will be selling confusing (wrong) data.

One of your brothers committed a crime.

The police, during an investigation, find your father's data and realize that one of his children is the criminal.

Congratulations! You are now the target of an investigation, the purpose of which may not be to find the truth, but to successfully convict a suspect.

All you have to do to clear your name for that crime is to turn over your DNA to the police to be in their records forever[1], and Bob's [2] your brother [3].

[1] - You might be able to get a court to order that your DNA records are destroyed after proving your innocence, but it's an ask to believe this would actually happen in every case.

[2] - https://www.merriam-webster.com/dictionary/bob

bob 3 of 7 verb (2) bobbed; bobbing

transitive verb

1) obsolete : deceive, cheat

2) obsolete : to take by fraud : filch

[3] - https://www.phrases.org.uk/meanings/bobs-your-uncle.html

It's no longer so easy when the definition of "crime" gets expanded. Let's take this scenario:

- you're a first generation Chinese immigrant in the US

- a nephew of yours is in China and critical of the CCP

- you decide to have your genome scanned into 23andme or whatever to determine if you are at risk of genetic illness

- your nephew sprays an anti-CCP tag on a wall somewhere

- the Chinese police gathers DNA evidence from a laxly discarded spray can, but doesn't have fingerprints so they can't immediately link the can to your nephew

- the Chinese government, either via a legal subpoena or via espionage, gets its hands on your genetic profile from the genetic analytics company

- the Chinese government finds your data, now knows that the sprayer must be related to you in some way, and forces everyone of your family to subject to a DNA test

Sounds dystopic? Yes. But this is exactly where we will be headed. Police here in Germany already do DNA tests on petty vandalism [1].

[1] https://www.fuldaerzeitung.de/fulda/fulda-bahnhof-neuhof-dna...

This sort of thing looks more like a psychological crutch than an actual effective action.

They were processing so much DNA that they had to write a special rule allowing border agents to _not_ collect it if it would cause operational difficulties to do so.

https://www.federalregister.gov/documents/2020/03/09/2020-04...

An amusing thing here is that the arguments against DNA were also made against the use of photography, back in the 1800s. At some point people have to realize that personal unease is not an argument.

that's not how it works though. if you find enough other people that have the same uneasiness, then you can form groups that get people elected to make rules that forces everyone else to comply with your uneasiness.

You're uneasy? Boo frickin hoo.

I beg to differ. The fact we're even having this discussion means not everyone is happy with the situation. Maybe Stockholm Syndrome has kicked in for you, but I'm still resisting

could you stop repeating this simple fallacy? Because millions of people could not organize and opt-out of something being commercialized, that also benefits government, in the USA Does Not Equal "everyone is happy"

in fact, lots of people are deeply unhappy.. so the statement "everyone is happy" is not only not true, but actively provoking.

It is not in the power of an unhappy or protesting individual citizen, let along an elderly, impoverished or medically vulnerable person, to stop the rollout of Big Tech Thing.

I mean, wasn't that completely obvious?

Even without defining a specific model around how genetic data should be handled, I think it's more than fair to say that most people right now don't even consider how their choice to sign up for 23andme might affect their relatives (already born or otherwise). Even if they do, in my experience, it's only to a very surface-level degree.

I think it is difficult for some people to think about abstract ideas. When you bring it to the physical world everyone understands it is vexing.

Personally speaking, I think Equihax was the better counter-argument; at least with 23andme YOU as a customer had to DECIDE to use their services and weigh the pros-cons of doing so, with Equihax I was forced into a rating system to determine my eligibility in a system that hoovers up any and all data sold to them by 3rd parties and holds all my personal information in order to complete anything from a loan application to a job application.

And when found to have been breached no effective recourse was made, and instead of admitting fault to a very high probability of Identity theft being the end result a token 'credit system monitoring' service was offered, which once again relies on these credit agencies who share/distribute this information without my consent and created the problem are let off scot-free and never suffer any consequences.

In short, it's a naive argument made from often ignorant and self-defeating practices that make others worse off because of their complacency and refusal to take privacy serious.

What I'm trying to say is: I don't think comparing it to equifax is reasonable in that regard.

The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

The real breach is for recently deceased people (here the time span varies greatly, but dead for ~100 years is definitely enough if you ask me) and for living people. Actually in Sweden the death info is publically available generally right away, more or less. You can buy USB sticks with ~all deaths up until very recently.

* You don't have to care about privacy if you didn't do anything illegal.

* If you do care about it, you can just choose not to share your information.

* If you don't share but your data is still leaked, it didn't affect your life anyway.

The point is an average person is incapable of having boundaries with these corporations who have all their data and benefit from it, and we have no way of predicting how all this data about us will affect us.

The point is that these privacy claims are nearly exclusively theoretical. Privacy advocates constantly tell anyone who will listen about the complete destruction of privacy in modern society, and yet nothing even resembling the consequences they claim will occur is actually happening.

Probably not, but that doesn’t mean you’re comfortable with it being shared.

Functionally you as a customer have next to no legal rights, according to 23andMe lawyers who cooked this up.

At least in Germany any contracts that are heavily in favor of one side will be declared void if it comes to court.

I am also not a lawyer. But I think there are two types of changes to ToS.

One is purely administrative. For example, they might change the methods available to reach for support. For example, they might say that you are no longer able to send a Fax to get support help. Or that their domain name changed.

Second is something that changes the service that you are receiving. For example, when you have bought their product they said "we are offering free support for all owners or our doodad". But then one day they decide that support is now paid option for all existing customers.

So the question is: can ToS changes that changes the service/product that you have already paid for binding without your consent? If they decide to introduce extra protection from class action, requirement for arbitrage, etc. is this just administrative or is it actually changing the service you are receiving by restricting your rights?

Regardless of whether terms are changed for administrative or product reasons, what matters is the reasonableness of terms imposed on the other party.

“23andMe may make changes to the Terms at any time. If we make a material change to the Terms, we will notify you, such as by posting a notice on our website or sending a message to the email address associated with your account. By continuing to access or use the Services, you agree to be bound by the revised Terms.”

> We encourage you to read the new terms in full. Please notify us within 30 days of receiving this email if you do not agree to the terms, in which case you will remain subject to the current Terms of Service. If you do not notify us within 30 days, you will be deemed to have agreed to the new terms.

Notification email: [email protected]

Probably not, but it doesn’t mean we can’t guide the conversations about how it looks in the future. Sitting idly by just means they win, but discussing it in the open means that we might be able to put some safe guards in place.

Oh, who am I kidding. We’re all screwed and evilCorp will win so we’re just wasting our energy and making ourselves crazy fighting. Resistance is futile

About a decade ago I knew people researching computer vision algorithms doing non-facial recognition (stuff like ear shape/gait/etc) because companies like Fortinet were trying to build "automated doormans" to apartment/condo complexes where they would scan and analyze any humans walking by the cameras placed at the door.

Not a lick of ethics from anyone involved.

What we need is rabid legislation that encodes a right to be forgotten, because clearly an expectation of privacy isn't enough. I don't think there's anything inherently wrong with automating identification, but I do think there's a lot wrong with companies trying to do it for every human being that they can possibly find without any consent.

Turns out the UK government was working on privacy-preserving walks decades ago: https://youtu.be/eCLp7zodUiI

Any answer to why do you care about hiding this information? can all be boiled down to the fear that "[person or group] might use [private data item] to create [bad outcome] for me."

So the thing people actually care about is the risk of bad outcome, not the actual data itself.

If your theory is correct, then the focus should be on the prevention of asymmetric power imbalances in societal transactions that can even create [bad outcome].

It's more than that. Privacy affects the psychological context for daily activity and alters behavior, sometimes subtly, sometimes overty. If a person knows they have no privacy, they will go about life completely differently, and they will think about life completely differently.

Privacy is a freedom-of-thought, freedom-of-action, and also freedom-from-anxiety consideration.

Regardless of the outcome, I’m entitled to my privacy and my privacy is important to me simply for the sake of my autonomy.

Simply having my privacy violated is a bad outcome in and of itself.

Relinquishing privacy in order to participate in modern society in a meaningful way is one of the great frustrations of modern times… for some.

The rules governing social systems built to obscure the jungle (e.g., political, legal, and penal systems) can always be trumped by that which they were chosen to tame. This is the unfortunate reality of our wetware.

> the thing people actually care about is the risk of bad outcome, not the actual data itself

"Bad" is subjective, no?

Is it good or bad if a father learns that his teenage son is not his own?

I feel like that would depend on the person. If the father wanted to know and the son didn't, that would be good for one and bad for the other, and vice versa.

1) the large hack of Optus in which about half of the population had their credit card details stolen. 2) the large hack of Medibank in which the details of a large portion of private health insurance customer details were stolen. 3) I applied for a mortgage and found out every 2-bit mortgage broker is emailed 100s if not 1000s of sensitive ID documents every year and they definitely do not go through their email and delete them after the closure of deals. 4) Most companies in Australia only require a name, address, and, birth date to verify identity which is easily found with five minutes of searching most of the time. 5) I set up a pin with Telstra that should have blocked administrative changes on my account for years. One day I called in, got my password ready, and they didn’t ask for it. They just did it anyway. It was entirely futile.

IMO the only way that privacy will ever become respected is if we move the onus for fraud onto the actual victims of fraud: the companies. This is the whole ancient joke about someone’s identity being “stolen”. It wasn’t stolen, your verification procedures ultimately failed as a business and you are trying to divert responsibility to avoid having to suffer a loss. This is one of the reasons I use my credit card exclusively these days - if it used fraudulently I know that I can charge back, and that’s about the only mechanism I can use to truly prevent unauthorised access to my money.

People are easy to mislead and so that's what's been done. In the future, privacy will have to be enforced through jammers and Faraday cages.

None of the gait and keyboard detection attempts work in field conditions.

Predictably?, amusingly? police never had access to this data, until a government minister was murdered in 2003, when a sample from the suspect was retrieved. From what we know it has not been used since. So we can be cynical, but under the circumstances, the police use of the registry has not yet taken hold and is guarded by the courts..

But assuming they obey the law they did not used your samples.

So there are privacy laws in place? Also they could have been cleaning old results/samples and this was one step.

THere isn't anything nefarious going on here. Just scientific research with medical data.

And also - could eg. police use it?

> They already did something with my biological samples

I can only guess you were tested for something in the hospital. Samples are sent to the lab (separate department) to be tested. If additional tests need to be perform they can use the blood they already received. The samples are kept for ready availability if additional tests are requested by doctor. Doctors dont care how its done, they dont have time to inform lab patient x is out home.

After some time they need to be destroyed - due to expiry date on it. Before destroying the lab contacted you and asked for dna permission.

> And also - could eg. police use it?

I don't know that. But you might want to check how medical data is protected in your jurisdiction.

See https://www.hhs.gov/ohrp/regulations-and-policy/guidance/faq... under "Should the initial consent ... be repeated or supplemented?" and I think this is the law: (45 CFR 46.116(b)(5)).

"23andMe said the data breach was caused by customers reusing passwords"

Yet 14,000 accounts were breached in one go? Where did these passwords come from? Maybe there was another related breach (something like lastpass can explain this)?

Also, using the "DNA Relatives" features the hackers were able to access personal information relating to 6.9 million individuals. That means each one of the original 14,000 accounts had about 492 unique relatives. What am I missing?

That part isn't super surprising beyond the technical issue of the data usurpers probably not being metered or flagged for continuously logging into different accounts. They could have used a massively distributed network to pull all the data, but there probably simply wasn't the detection or protection.

Having said that, in logging into my account to verify how many relatives are shown to add this response, 23andme refused to let me login and demanded that I reset my password because of password reuse. I have always had a very strong password on this account, and it isn't reused anywhere. I even have 2FA on. So it seems that the company isn't entirely comfortable with the notion that it was reused passwords behind it...

However after resetting my password that I never reused anywhere, the DNA relatives panel shows 60 pages of relatives, with each having 25 relatives. So 1500 relatives could be pulled. Grabbing that for 14000 random accounts would be a pretty formidable network someone could build.

A quick search says 23andMe has 14 million customers, so 14000 accounts breached would be 1 in 1000 accounts breached.

The DNA relatives listing for me lists just over 1500 people. If each of those accounts had a 1/1000 probability of being hacked, the probability none of my relatives were hacked would be (1-1/1000)^1500 = 0.223. The probability that at least one of my relatives was hacked would then be 0.777.

I'd then expect, based on my assumption that I'm typical, about 10.8 million people to have had relatives with hacked accounts, which is close enough to 6.9 million that the latter seems plausible.

With a sword.

It isn't even slightly surprising that a list of credentials leaked from some other website (or a composite list built from leaks from several sites) might have 14,000 users in common with 23andMe.

If the test was done, the results were sent, and then my test data/info were destroyed on their end, or if I could do a home test where the data never left my home, then I’d do it.

I struggle to understand why companies hold on to all this data. It is a huge liability. In this case, maybe it is so they can identify familial relationships, but is that feature worth the risk?

they claim, at least, that this is the case if you delete your account; i got my results, downloaded my data and deleted my account years ago

To sell it, did you miss the news? https://www.bloomberg.com/news/articles/2023-10-30/23andme-w...

Sure, now they can start hating on people who have the gene that makes Cilantro taste like soap, but a lot of genetic things are already visible so I don't see this as being fundamentally different.

So place your data like your railways, where you can blow em up when circumstances necessitate it.

> Troy Hunt is such a treasure. And for us web application developers, there is no excuse for not having protection against credential stuffing! While the best defense is likely two-factor, checking against Hunt's hashed password database is also very good and requires no extra work for users!

That user even listed 23andMe [2] as an example but it's from 60 days ago. This incident is referenced on the techcrunch article.

[1] https://news.ycombinator.com/item?id=38521106

[2] https://news.ycombinator.com/item?id=37794379

23andMe hackers accessed a whole lot of personal data - https://news.ycombinator.com/item?id=38519466 - Dec 2023 (36 comments)

Hacker leaks millions more 23andMe user records on cybercrime forum - https://news.ycombinator.com/item?id=37931383 - Oct 2023 (394 comments)

23andMe Sued over Hack of Genetic Data Affecting Thousands - https://news.ycombinator.com/item?id=37895586 - Oct 2023 (20 comments)

23andMe Accounts Hijacked and Data Put Up for Sale on Hacker Forum - https://news.ycombinator.com/item?id=37810755 - Oct 2023 (2 comments)

23andMe says user data stolen in credential stuffing attack - https://news.ycombinator.com/item?id=37794379 - Oct 2023 (298 comments)

We haven't signed any licensing agreements with 23&me waiving our privacy, so presumably we still have some rights?

How feasible it is to use a payment and an address that doesn't directly connect you to your samples?

If I can have a test that is not connected to my persona, from their perspective the data would be as valuable as running a test on the hair in the barbershop or picking a random leftover of food and running test on the saliva left on the half consumed food.

Until there's actual punishment for being breached, there will never be data protections in the United States. Even HIPAA and the DMV sell access to businesses.

The only solution to this is regulation and enough incentive that companies have to treat data as they treat radioactive waste material. Storing data should be a liability, not an asset.

I'd recommend to use a fake name and not something like "Ano Nymous" as their rules don't allow that.

The exact info though should be easy to protect. Just dont give it away.

But remember that other close family members to you are very likely to know who you are, and they may share that info by accident. Normally you can't share data of anyone living on these services, since that is illegal pretty much anywhere, but its enough if one user happen to mark you dead in their tree and has filled in your real data.

So yes, there's a risk but its not much different from going outside and leave behind hair or saliva unaccounted for. That's Putin level of paranoia IMHO(he is known to have men collecting his poo etc. when outside).

Maybe can be useful for insurance companies to match you and price you according to your DNA but they are not allowed to do that and they can only exist within legal structure.

Or just a part of it, which is the point: no, complete knowledge isn't required here.

Definitely not true, many services require KYC and others do it to prevent fraud.

Recent Gnome sequencing research is revealing that actually a Gene (downstream) doesn't necessitate a Health/Medical Condition (upstream) [1]. I think we need highest security measures, user education and Regulation when it comes to DNA, medical records, and biometric data (face, finger, iris, voice etc).

Charles Darwin & Co documented their theory of evolution well, there's enough ancestry there for most i think, at least as a solid starting point / platform. My guess would be if there was more education around theory of evolution (science), there would be less interest in Ancestry services (DNA based), leaving only a Medical case for them, and hence demanding greater protection/security.

[1] A biological relativity view of the relationships between genomes and phenotypes, Denis Noble - https://doi.org/10.1016/j.pbiomolbio.2012.09.004

It's funny that they had to note "without authorization".

In this case the data is your genome.

I was thinking about getting a DNA testing kit for my parents and my conclusion was that I'd have to advise them that they'd need to be comfortable with their genome being public because over time leaks are inevitable. As the UK marches on towards increased fascism the chances a Tory government will demand access to such data "for security purposes" gets higher.

Data that isn't about you doesn't actually belong to you.

Do they have 0 fraud prevention? I doubt the attackers cycled IPs.

Since its a site about sharing data, its not weird that its easy to extract data from it. It is sort of the purpose.

I think this was the article that talked about this (apologies for the paywall): https://www.nytimes.com/2021/12/27/magazine/dna-test-crime-i...

Danish police only upgraded from 10 DNA markers to 16 in 2021, forcing them to review 12.000 cases and redoing the DNA test. Resulting in at least one person having the sentence reversed. No word on how many was falsely suspected, but I assume more than a few.