I would expect the court would evaluate any breach under the TOS that was in effect at the time of the breach, rather than under a new (and arguably suspect one) that was put in place after it, arguably in an attempt to "rewrite history".

This is an attempt to undermine consumer protection laws, and the government should treat it as a direct attack. Other companies are watching. The government needs to send a clear message that this won't be tolerated before it spreads, becomes the status quo, and leaves many consumers believing that they don't have any rights or protections.

The head of legal should also be disbarred under American Bar Association rule 1.2(d):

> (d) A lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent, but a lawyer may discuss the legal consequences of any proposed course of conduct with a client and may counsel or assist a client to make a good faith effort to determine the validity, scope, meaning or application of the law.

This reads as clear contract fraud in the factum [1]. Customers are told that they're bound by new contract terms, despite that 23andMe never got agreement, nor tried to get agreement, nor even know whether customers have read the new contract. I can't fathom any other reasonable interpretation of the situation. They created a fraudulent contract hoping to confuse other entrants to prior versions of the contract, and intend to benefit from that confusion. It seems clear to me. They are attempting to undermine the legal system, and the ABA needs to deal out swift punishment as one of the protectors of that system.

1: https://en.wikipedia.org/wiki/Fraud_in_the_factum

This is part of the legal system. It shouldn't be, but it is. If you can toss a hundred issues the other party has to refute, you drive up legal costs to where litigation is no longer practical. The other side loses by default of not being able to afford litigation.

The ABA is, indeed, one of the protectors of the legal system, and have no vested interested in undermining it. The system means their constituents, lawyers, make more money.

Footnote: The mistake you made is that 23andme isn't undermining the legal system, but rather, justice. The two are not the same.

I’m even more curious if the change of ToS alone could be grounds for a trial, even a class action—making the risk not even worth the try.

Even harder to swallow: discover that the lawyers using the class action got hold of the data from the leak and used that in their marketing.

The biggest downside is the lawyers take a massive chunk of any award and the actual victims are often left with very little. Or, even worse, the victims get worthless coupons (like with many credit/PII breaches - the award will be 1-year of credit monitoring from the company that allowed the breach in the first place).

I told them that I will certainly not start to build a credit score at 40 yo so they will have to find someone else.

On a single individuals level it doesn't matter ofc, but don't be ignorant towards how that might affect your future if you're young enough to live through brilliant people leaving.

a) nobody has a perfect score b) FICO algorithms are proprietary from third-party companies, how would your potential employer have any influence?

I'm not sure that's ever happened in this country. They pay all sorts of lip service, but when challenged or under pressure, the US makes a lot of excuses for leaving its own people behind.

Thankfully we can repay that favor and see how they like it when there's nobody left to defend them.

2) The consumer protection laws we do have, and the bodies to enforce them, are relatively weak and enforcement is spotty at best. The most recent serious attempt to kinda fix this is the formation of the CFPB, and one of our two relevant political parties deliberately prevents it from working when they hold the White House (sample size of one, admittedly) and has been trying to totally kill it, in the legislature or (better, because it’s popular and this is deniable) in the courts.

IANL - however, in the US and in US States, many serious cases have been decided in favor of the consumer, over decades. It is the most recent waves of privacy versus ad revenue that are indeed, very weak. It is awkward to defend these regulators since their failures are sometimes glaring, however it is my impression that serious settlements against industry can have silence or "gag orders" attached, and they often do. The industry lawyers can argue that the news of the settlement alone constitutes additional commercial damage to the company, and of course they are right in a narrow sense.

The idea of private litigators is to complement the innate limitations of federal/state lawyers, by offering profit as an incentive.

Ideally yeah Americans would have stronger laws around TOS, customer privacy, data handling and security, and robustly funded state lawyers... but we don't.

Practically speaking, such gaps are not unique to technology. Every industry has this same problem, and your awareness of those problems is reflective of the general public's political engagement with this thread's topic. So having gaps that private litigators address is really quite normal and part of the incremental progress of legislation and state enforcement.

Do you need a longer list?

They do absolutely nothing to remove liability from the truck driver/company. If a rock falls from their truck and cracks your windshield, they absolutely are responsible for any damages.

Rather, their sole value is to convince drivers that the trucking companies aren't at fault, so that drivers whose vehicles are damaged from falling rocks erroneously elect not to press charges or pursue damages.

If it's random gravel from the road it's more understandable. But even then the driver is very much responsible for the mud guards on the truck they are operating, just as the police would write a ticket to the driver for worn down tires or broken lights.

I lived in Boston for a while. Cracked windshields were extremely common. No one was ever upset at another person.

They're taking the unrealistic expectation of the truck driver's sign protecting them from doing something illegal and flipping it. In other words "If you coul just put up your own sign and get legal protection to break my windshield, then I could just as easily put up a sign giving me legal protection to break your nose."

Ever have to dodge an axe at 35MPH? Not fun.

I don't know where you have been the last few years, but I am pretty sure things like that happen all the time, based on the emails I received regarding ToS updates. And I have never heard any company got into trouble in court. Maybe public opinion, but that's it.

I suspect that a competent lawyer could fairly easily argue that this "automatic opt-in" is the same thing in a slightly different format.

Would like a laywer to correct me if wrong, but these terms would only apply to any future events, not to the hacks that happened under the previous terms, for which they've already accrued the right to sue in a court (or whatever those terms said) regarding that hack, and 23andMe hasn't really implied otherwise just by updating its terms?

If they wanted that, they'd have to have explicitly included language like "by continuing to use our services after this notice, you covenant not to sue in court for any prior causes of action" or the like?

And even if you click agree there are legal questions about how much that can change about your past relationship, and what kind of changes you can legally make.

> "Besides the general requirements of 'good faith' and 'balance', the EU rules contain a list of specific contract terms that may be judged unfair.

> Here are some situations where contract terms may be judged unfair under EU rules:

> [...]

> - Terms which allow you to alter a contract unilaterally unless the contract states a valid reason for doing so."

https://europa.eu/youreurope/business/dealing-with-customers...

NOTE: instead of downvoting as a knee-jerk defense of USA, just reflect on whether you'd benefit from some slightly better consumer protection laws.

Of course, if people don’t accept the new terms, they are still bound by the one ones. But if you don’t opt out…

This isn't a case of a minor change to consumer rights in the TOS like changing who would arbitrate a case. It's a significant restrictive change to the rights of the customer in favor of the company. And it was made after a security breach that affected a huge portion of the companies clients which is likely to trigger lawsuits of the form that the TOS now seeks to restrict.

This is clearly a case of attempting to close the barn door after the horse was spotted in the next county over.

You and a lot of the people who replied to you seem to be confusing what is unjust with what is illegal. You can't use one to deduce the other.

My point being that in Australia my vibe is that this will be looked upon in a very negative light by courts and any regulators.

I hate this timeline.

Again, IANAL. Just my opinion as a citizen, not legal advice. Seek competent legal advice before taking legal action.

[0] https://www.law.cornell.edu/wex/adhesion_contract_(contract_...

To Whom It May Concern:

My name is [name], and my 23andMe account is under the email [email]. I am writing to declare that I do not agree to the new terms of service at https://www.23andme.com/legal/terms-of-service/.

WTF. This is outrageous. And I had find that email in my spam after I read this comment. Hope this POS company goes down in flames after this.

With the benefit of hindsight, the invention of SPAM should have told us all we needed to know about the future of the internet. A small percentage of users will do their damnedest to ruin it for everyone else. It's a sign that people cannot be trusted to not use the tech for evil. I'm sure it foretold the corruption of social media as well. It is all SPAM's fault!

Some companies require that. Here is PayPal's process for example: https://www.paypal.com/us/legalhub/useragreement-full#table-...

Hopefully our court system will get some more teeth vs other corporations soon.

But I don't see how drunken anarchist tactics help, and that noise seems like it would be a counterproductive diversion.

this is probably why the unsubscribe links require some interactive confirmation so that simply loading the page doesn't actually unsubscribe.

if this was doable, i'd put them above Troy Hunt in contributions to humankind ;-)

I also set my future status to auto opt-out.

“I opt out of the updated terms and will stick to the current in place ones indefinitely, including any future changes. I declare myself immune from having to do anything like this again in the future and set my status to auto-opt-out.”

DNA driven targeted advertising that finds only the most docile consumers.

That's about blue/brown, and realistically, there are a bunch of other genes which also have effects, as "eye color" is really a collection of phenotypes, not just a single one.

https://en.m.wikipedia.org/wiki/Phrenology

Never underestimate the willingness to engage in the days new "not-yet-clearly-identified-as-quackery-pseudo science" when there is a buck to be made.

I forgot my password and did a password reset. They have password requirement of 12 characters minimum. A bunch of security theater just to get hacked anyways

> 30 Day Right to Opt-Out. You have the right to opt-out and not be bound by the arbitration and class action waiver provisions set forth above by sending written notice of your decision to opt-out by emailing us at [email protected]. The notice must be sent within thirty (30) days of your first use of the Service, or the effective date of the first set of Terms containing an Arbitration and Class Action and Class Arbitration Waiver section otherwise you shall be bound to arbitrate disputes in accordance with the terms of those sections. If you opt out of these arbitration provisions, we also will not be bound by them.

Please let me know in technical terms, combined with rational argument, why what I did was unwise. Presume I already know all the common arguments, evaluated them using my background knowledge (which includes a PhD in biology, extensive experience in human genome analysis, and years of launching products in tech).

I've been asking people to come up with coherent arguments for genome secrecy (given the technical knowledge we have of privacy, both in tech and medicine) and nobody has managed to come up with anything that I hadn't heard before, typically variations on "well, gattaca, and maybe something else we can't predict, or insurance, or something something".

2) It's a risk for anything that's DNA-based. For example, your data can be used to create false evidence for crimes irrelevant to you. You don't even need to be a target for that. You can just be an entry in a list of available DNA profiles. I'm not sure how much DNA can be manufactured based on full genome data, but with CRISPR and everything I don't think we're too far away either. You can even experience that accidentally because the data is out there and mistakes happen.

3) You can't be famous. If you're famous, you'd be target of endless torrent of news based on your DNA bits. You'd be stigmatized left and right.

4) You can't change your DNA, so when it's leaked, you can't mitigate the future risks that doesn't exist today. For example, DNA-based biometrics, or genome simulation to a point where they can create an accurate lookalike of you. They're not risks today, doesn't mean they're not tomorrow.

There are also additional risks involved based on the country you're living in. So, you might be living in a country that protects your rights and privacy, but it's not the case with the others.

About insurance companies, they're legally forbidden to use such data.

This is completely false. Any two random humans have more than 99% overlap by virtue of being the same species. It's even higher for brothers. We also share around 90% DNA with cats, dogs and elephants.

https://www.amacad.org/publication/unequal-nature-geneticist...

> I'm not too worried about it because it's never a 100% overlap.

This doesn't make sense. If they were equal, you'd be the same person except for environmental differences. Many applications don't need equal DNAs. E.g.

https://youtube.com/watch?v=KT18KJouHWg

> About insurance companies, they're legally forbidden to use such data.

This is a very weak argument. There's a long history of companies doing illegal things, and even if it's illegal today it doesn't mean it'll be illegal tomorrow.

Great training set to check the results of other factors, then use those to infer.

Moreover "legally forbidden" means jack faeces unless you can point to people who had convictions recorded and went to jail. Otherwise we're merely discussing business conditions & expenses.

So let's assume you committed to publishing your genome in advance regardless of result. Sounds like you spun the barrel and dry snapped to demonstrate that russian roulette is safe for everybody.

Tell us about how differing views on this to yours would influence opinion about your products you've launched in tech given your extensive experience in human genome analysis. Not at all?

This really may not be a case of being unable to understand something one's paycheck depends on not understanding at all but we can't know that yet.

I think part of my point is that DNA, by its nature, simply cannot remain confidential, and that thinking we can keep it that way is just going to lead to inevitable disappointment.

Second, whether DNA can or cannot remain confidential is yet to be seen, but feasibility is certainly orthogonal to whether it ought to be, which is the point at hand.

Third, whether you believe it's a breach of privacy to leak part of your relatives' DNA is besides the point. It's their decision to make, since it's their personal data and deemed confidential under most privacy frameworks, and therefore a breach.

To your second point: we already know DNA can't remain confidential (there is no practical mechanism by which even a wealthy person could avoid a sufficiently motivated adversary who wanted to expose their DNA). That's just a fact, we should adjust our understanding based on that fact.

Most important: sharing my genomic information with the world is not a breach of any privacy framework I'm aware of and subject to (US laws). Do you have a specific framework or country in mind?

But that is a value judgement, and I believe it is one that comes at a great cost to society- I wouldn't be surprised if >50% of the cost of medical care is directly or indirectly due to this attitude, and that medical progress has been slowed immensely for the same reason.

If we could make medical data more open, it would greatly benefit the vast majority of people. OF COURSE it is true that some smaller number of other people/patients are helped by the existing medical secrecy system. I fully admit this is a trade-off, where we have to decide what values are more important.

(source: Am medical doctor)

I'm disgusting for "people having power over other people", you're disgusting for the graveyard of dead people due to the status quo system.

Sure, if you don't believe in any of the potential negative scenarios, anything goes. You could also post your full name, SSN, DOB, address, etc. here if you are secure in the knowledge that no harm could ever come of it.

Genome is still pretty theoretical, except getting caught for committing crimes.

It is? I mean then why are we bothering to protect anything, this shit is all super available for any given person.

https://www.pnas.org/doi/10.1073/pnas.0904891106

Konerding's 12th law, amended: "There is no bit of pseudonymized data which cannot be de-anonymized by a sufficiently motivated MIT grad student" (not entirely joking; see https://archive.nytimes.com/bits.blogs.nytimes.com/2015/01/2...)

I think actuaries will care an awful lot about this data and could use it to negatively influence your risk factor, and thus insurance premiums.

As for actuaries, in the US, the GINA law prevents health insurance companies from using this data. I think legal protection is much more important than attempting to hide my DNA.

I agree, if you can't justify trust with reason then it's hard to trust your argument that relies on trust. Trust can be broken, and your stance doesn't address that concern.

With your own "trust can be broken", you could conclude that you should distrust "with reason" (hey, it was broken) — basically, flipping it is an equally sound stance.

As a rule, I trust people, keep private stuff not easily aggregated (eg. I might talk some stuff over lunch, but will not email it to the person so they have it on record), and I am quick to distrust people once they fail me. Legal protections do matter, because they discourage misuse of unintended data sharing.

While genetic information is not yet understood well enough by masses to be abused in stereotyping and rejecting and — indeed — "cancelling", there is a huge potential to do so. This especially holds true for gender, racial, national differentiation, genetic disease potential and health profiling — all accessible through a full genome (even if some of the indicators are not with 100% confidence). Lots of this can also be used to start linking genome data to an actual person (helped with data from other contexts), which is where it starts to become risky according to known risk profiles.

Unsurprisingly, someone who is likely a white male (I could have checked using your genome too, but loading up your profile above confirms that) with "no credible genetic risk factors" is a lot less concerned about opening up their genome to the public: you are unlikely to get discriminated against. With that said, even you can get potentially ignored for your privilege: even I just engaged in that — somewhat discounting a part of your experience/claim because you are a white male. Part of that is also education: your extensive experience in the field allows you to make an educated choice. Many can't attain that much knowledge before they decide whether to share their genome or not.

This opens up the question similar to that entire face recognition fiasco — how will unprivileged be affected by the privileged being mostly used to train the models on and do research on?

So the question is how do we ensure enough anonymity to make everyone happy to contribute to the world knowledge, but reduce chances of linking data back to actual people? I know nebula.org is doing something of the sort (though mostly just guaranteeing that they will remove the data at your request, and not share it without your permission), but we could have one genome produce a bunch of part-genomes, still allowing causation/correlation research, but none of them having the full picture.

That would disable some of the groundwork research (is there a correlation/causation only visible in the full genome or larger part of it?), so it's a tricky balance to find.

And finally, I always like to make this choice a bit personal: how would you feel about your child being linked to a criminal case due to your genome being publicly available?

Would a bunch of your cells be sufficient at some point in the near future? (I know progress is being made to turn any cell into a reproductive cell, but that's still not exactly the same thing, but it's on that exact path)

You still might not mind a bunch of your clones though, so I don't think that's much of an argument.

One risk if you have PII+genome is that a technically sophisticated entity can determine if you've physically been in a location. Also with an extensive PII+genome database they could find your family, for example for blackmail purposes.

Another risk is that a health insurance provider could deny you based on potential health issues they find in your genome.

https://xkcd.com/538/

The point is that while you can use DNA to identify people in most cases, sufficiently motivated adversaries have more effective, cheaper, lower-technology approaches that they will use first.

Me shouting my sensitive private details in a crowded bar is entirely different from putting them on my webpage. There's even a difference between writing them down on a napkin or shouting them out.

I'm befuddled that anyone thinks Sam Altman is the least bit trustworthy after WorldCoin.

Genomic data doesn't have the same risk factors--at least at the moment. I think that the point many are trying to make here is that there may be risk vectors available at some point in the future that aren't known now. A couple of theoretical examples:

* You had to give a blood sample rather than other biometric data like a retina scan.

* Spoofing DNA evidence. That would be very/prohibitively expensive/difficult at the moment, but I suppose could become as easy as 3d printing at some point in the future.

What I find strange is that 23andMe did not automatically delete data after 30 days, or at the very least took it offline, only to be available on request. Notify people that their results are available and inform them that the data will be available for 30 days after the first download. This is potentially really sensitive data and based on 23andMe's response, they seem to be aware of that fact. So why would they keep the data around? That seem fairly irresponsible and potentially dangerous to the company.

It's all in the fine print. The labs will keep the genetic information as well as at least your DOB and sex for at least 10 years (CLIA requirements), and 23andMe will keep your identifying information (such as your email address) and account deletion request ID for some undefined period of time. Yes, this will remove some links (and birthday paradox works in user's favor), but this is certainly not a full and complete removal.

Quenching someone's curiosity about where their ancestors are from? Do we even know how accurate it is at doing that?

Over time it became clear that 23andMe's data set had limited predictive ability for health for a number of technical reasons (previously, dahinds, one of their statistical geneticists, has defended the quality of their predictions on HN, you can search for his comments. I suspect he can no longer comment on HN because of 23&Me's security debacle).

However, around that same time, 23&Me's dataset turned out to be excellent for ancestry analysis. It's generally considered fairly accurate (not just 23&Me- the entire process of ancestry through snp genotyping workings really well).

I never did 23&Me but my dad did- and he learned he has children all around the US (half brothers and sisters of mine) from some samples he provided some 45+ years ago. Both my dad and those people gained value from making that connection. It's interesting because my dad had already done most of the paper research (including going to SLC to visit the Mormon archives) to identify our obvious ancestors, and these relatives would never have shown up.

Once I enabled the social graph thing I was immediately hounded by distant relatives who I assume want to chop me up for parts.

> Do we even know how accurate it is at doing that?

The police have closed a few cold murder cases based on adjacency (once Parabon got their hands on samples), so it must be pretty accurate.

Anecdotally, my profile told a radically different story about our ancestry than my family's vague lore led me to believe. 23andMe's data made way more sense.

That doesn't stop my family from doing so, but I sure as hell will never.

In the end, I valued knowing these bio markers above the privacy of my genome. The former is actionable and I can use it to optimize my health and longevity; the latter is of vague value and not terribly exploitable outside of edge-case threat models.

I'd be more upset if a combination of my name and email/phone number got leaked than if my DNA was made available public.

On balance, was the utility worth the cost (of a breach)? Probably not, because I found no major actionable issues. But if I did find severe biomarkers, it would have been worth it. So I do still think I made the right choice.

Q: Is it a HN thing to be (obsessively?) interested in health and longevity?

Dying is a natural process. Sorry.

> Dying is a natural process. Sorry.

Avoiding dying, as best one can, is also a natural behaviour.

As a species, we're excellent at working around or ignoring what's "natural".

Is this actually happening, or is that just what the stories say?

Maybe they accept the possibility that they die one day?

The only missing piece is a way to scan your DNA as part of a login form.

Maybe I want to steal a kidney, or a child that could reasonably pass as my own?

Unless this is an online joke I don't get, I think you mean "scapegoat".

"The concept comes from an ancient Jewish ritual described in the Bible, specifically in Leviticus 16. During the Day of Atonement (Yom Kippur), two goats were chosen: one to be sacrificed and the other to be sent into the wilderness, symbolically carrying away the sins of the community. This second goat was called the "Azazel" or the "scapegoat".

Over time, the term "scapegoat" evolved to have a more general meaning in English. It came to refer to a person or group that is unjustly blamed for the problems or misfortunes of others, reflecting the original ritual in which the goat was symbolically burdened with the sins of others before being sent away. "

However, it's a significant risk for other types of insurance including life, disability, and long term care.

It's more than likely that they would use genetic data to deny insurance, and then settle the cases in court if they happen to get sued, which statistically is probably a rare occurrence.

[1]: https://www.propublica.org/series/uncovered

The paranoia about insurance and genetics is that they simply refuse to do business with high risk customers.

There are already literally entire databases of millions of peoples DNA freely available for scientific research.

So far, the only real use-case for doing this is people trying to identify criminals from just DNA.

Well, in the case of WorldCoin, I think there's still some pretty significant questions of why they made Africa a prominent launch market (well, there are some reasons), but in some places they repeatedly increased incentives until they were offering people there up to a month's income to give their scans. That might not be a lot of money to a big startup, but is telling that they had to offer that much to get some people to "opt" in.

https://grimreaper.github.io/arbitration/docs/problems/

Take security seriously people. Especially when dealing with super sensitive data.

In the long run, I think keeping your genetic information private will be untenable- the potential benefits will outweigh the drawbacks. Plus, anyone sufficiently motivated could get your DNA somehow, you shed your DNA everywhere you go, no getting around that.

So what's left is to urge your representatives to maintain and strengthen regulations on how that information can be used, and in the long run we'll just have to trust that that will be enough.

[1] https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrim...

Can you give an example?

> Plus, anyone sufficiently motivated could get your DNA somehow, you shed your DNA everywhere you go, no getting around that.

That assumes there's someone out to get you specifically. That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway. Having my DNA because you vacuumed it up off the subway floor is significantly less useful to anyone without it being explicitly tied to me.

See my other comment, but in short I essentially mean the true realization of "precision medicine" and gaining a greater understanding of how different genotypes result in disease, information which can be used guide treatment and to develop better treatments.

> That assumes there's someone out to get you specifically.

Not entirely true- the ability to reconstruct genotypes from environmental samples gets better all the time. I'd imagine that even with current technology, a sufficiently motivated organization could sample various locations to reconstruct the genomes of people who often visit there. With enough info, they could start building webs of genetic relation. From there, all they'd need is access to a database of samples from known individuals (which, as we can see, already exists), can chances are they could quickly deanonymize future samples. The only thing that could stop such mass collection is proper regulation.

> That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway.

Unlike your password, your DNA is unencrypted and gets spread everywhere.

> Unlike your password, your DNA is unencrypted and gets spread everywhere.

This doesn't address the point. In both cases, someone sufficiently motivated could get what they want from you. So by your argument, there's no point in maintaining privacy for either piece of information (DNA / passwords).

The problem with privacy is that it's fragile. When your info is leaked, you should assume it's out there for good.

I also think that while right now when you do the cost/benefit analysis of having your DNA sequenced, you think the cost outweights the benefit. Clearly my personal calculus is different than yours, and that's ok. But I would caution you that in the future that calculation may be different for you.

So I think people will either lose privacy, or voluntarily give up some privacy for some benefit. In either case, we will need something other than privacy to protect ourselves. I think that well-enforced legislation, legislation that limits the way genetic info can be used and gives the individual more control over their own info, is really the only thing that can help.

Absolutely, in theory. But when have politicians respected legislation's original intent over their self-interest over time, especially when monied parties are desirous of changes for those party's own ends?

I think DNA is probably sensitive on the level of someone knowing your name and DOB. Not convinced it's much more dangerous than that.

But these people need to get close to you. 23andme made it easy for someone who could have been on the other side of the globe.