Readit News
ahmedfromtunis · 5 months ago
To be honest, this is more like "requesting the data to be deleted". There's nothing that guarantees that the personal information will be physically wiped out of the hard drives used to store them.
throwaway48476 · 5 months ago
But it creates legal grounds for lawsuits if they don't.
Cheer2171 · 5 months ago
Sure, you can sue the hollowed out shell of a bankrupt limited liability corporation that will soon have no assets for a court to seize for whatever paltry damages a court finds.
dragonwriter · 5 months ago
Yeah, and if you spend all the effort and end up winning your lawsuit, you can get a fresh new claim against an already bankrupt entity.
ahmedfromtunis · 5 months ago
Of course. And I'm not saying that they might do it in malice.

All I'm suggesting is that tapping some pixels on your backlit rectangular glass won't necessarily translate into pulses of electrons that'll eradicate the 0s and 1s representing your data.

I'm sure that corner of the codebase is one of the least visited parts, so bugs may lurk in, or misconfigurations, etc.

deepsun · 5 months ago
How is your lawyer going to prove the data is not deleted?

And what damages are you going to claim in court?

Lawyers are not cheap, no lawyer will work on a case less than even $1k. My only hope is donating to privacy fighting organizations like EFF that file class actions.

pavel_lishin · 5 months ago
A lawsuit costs money, and doesn't un-sell the data.
dylan604 · 5 months ago
Also, what prevents new owners from restoring from backups because "we were hacked" or any other reason for retrieving backup data for something that is currently "deleted"?
switch007 · 5 months ago
Exactly. Once you give your data, you no longer have any control over it, forever.
patrickwalton · 5 months ago
I deleted my data a few months ago and it happened fast enough that it didn't seem like there was a human in the loop.
internetter · 5 months ago
yes, but the implementation may, as far as you know, look like

    if (userRequestsToDeleteAccount || user.deactivated) {
        user.deactivated = true;
        showDeletionSuccessfulPage();
    }

In this implementation, the user believes their data is deleted, but it has not been.
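
The gap described in the comment above, as an added example that is not code from the thread or from 23andMe: a soft-delete handler beside one that removes the rows and confirms only after checking that nothing referencing the user remains. The in-memory store, table names and function names are all hypothetical.

```javascript
// Added illustration; the store layout and every name here are hypothetical.
// Constructed sample data: user 7 has rows in three tables.
function makeDb() {
  return {
    users: [{ id: 7, email: "a@example.test", deactivated: false }],
    genotypes: [{ userId: 7, snps: "AG,CT,TT" }],
    reports: [{ userId: 7, kind: "ancestry" }, { userId: 8, kind: "health" }],
  };
}

// Tables holding personal data, mapped to the column that references the user.
const PERSONAL_TABLES = { users: "id", genotypes: "userId", reports: "userId" };

// Soft delete: flips a flag and reports success, as in the snippet above.
function softDelete(db, userId) {
  const user = db.users.find((u) => u.id === userId);
  if (user) user.deactivated = true;
  return { confirmed: true };
}

// Count the rows that still reference the user, per table.
function residualRows(db, userId) {
  const left = {};
  for (const [table, key] of Object.entries(PERSONAL_TABLES)) {
    const n = db[table].filter((row) => row[key] === userId).length;
    if (n > 0) left[table] = n;
  }
  return left;
}

// Hard delete: remove the rows, then confirm only if nothing is left.
function hardDelete(db, userId) {
  for (const [table, key] of Object.entries(PERSONAL_TABLES)) {
    db[table] = db[table].filter((row) => row[key] !== userId);
  }
  const left = residualRows(db, userId);
  return { confirmed: Object.keys(left).length === 0, left };
}
```

Both handlers return `confirmed: true`, which is all the user ever sees; only `residualRows` run against the store tells them apart.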

tonymet · 5 months ago
For those curious about what actual data they are recording, they use Infinium Global Screening Array which records about 650-750k SNPs (single-nucleotide polymorphisms).

Obviously this data infers heritage, disease risk, relations. It could be used for discrimination, surveillance, potentially poisoning.

Everyone should request their data to be deleted, but this is an engineering forum, and we know what that means in practice. Every company like this has hundreds of copies of the data, and has shared it with dozens of providers.

Like Rev Tevia said, you can't put the feathers back into an opened pillow.

briHass · 5 months ago
Their array of SNPs in ASCII letters is under 10MB compressed, probably well under that using a specialized SNP format/compression algorithm. Less than a complex Microsoft Office file.

Yeah, I can imagine they have a few dozen copies strewn over various backup media/blob buckets. There probably isn't much effort from what's left of their IT team to track them all down to delete.

tonymet · 5 months ago
It’s not about the size. Every task will have made a copy and a derivative. I doubt the company ever cared to build a dependency tree for removal, certainly not managing copies given to partners.

Now the company is bankrupt, this is the last thing on their task list to implement.
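
What a "dependency tree for removal" could look like, as an added example that is not from the thread or from any real company's systems: a lineage table records which dataset each copy or derivative came from, and a walk from the source yields what can be erased directly and what can only be requested from an outside holder. All dataset names, fields and holders are constructed.

```javascript
// Added illustration; dataset names, fields and holders are constructed.
// Each record names the dataset it was copied or derived from.
const LINEAGE = [
  { id: "prod.genotypes", from: null, holder: "internal" },
  { id: "backup.nightly", from: "prod.genotypes", holder: "internal" },
  { id: "analytics.snp_features", from: "prod.genotypes", holder: "internal" },
  { id: "ml.training_set_v3", from: "analytics.snp_features", holder: "internal" },
  { id: "partner.research_export", from: "analytics.snp_features", holder: "partner" },
  { id: "prod.billing", from: null, holder: "internal" },
];

// Walk every copy and derivative reachable from the source dataset.
function erasurePlan(lineage, sourceId) {
  const children = new Map();
  for (const d of lineage) {
    if (d.from === null) continue;
    if (!children.has(d.from)) children.set(d.from, []);
    children.get(d.from).push(d);
  }
  const byId = new Map(lineage.map((d) => [d.id, d]));
  if (!byId.has(sourceId)) throw new Error(`unknown dataset: ${sourceId}`);

  const plan = { deleteDirectly: [], notifyHolder: [] };
  const seen = new Set();
  const queue = [byId.get(sourceId)];
  while (queue.length > 0) {
    const d = queue.shift();
    if (seen.has(d.id)) continue; // guards against cycles in bad lineage data
    seen.add(d.id);
    // Internal copies can be erased; partner-held ones can only be requested.
    (d.holder === "internal" ? plan.deleteDirectly : plan.notifyHolder).push(d.id);
    for (const c of children.get(d.id) || []) queue.push(c);
  }
  return plan;
}
```

The plan is only as complete as the lineage table: a copy that was never recorded never appears in it.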

kjkjadksj · 5 months ago
Poisoning, really? All the risks are pretty sci-fi. It’s pretty easy otoh to harm someone without bothering analyzing the SNP data if that is your intention.
tonymet · 5 months ago
Ricin and polonium-210 have many documented cases, likely 10000+ undocumented. It's only sci-fi until years later when it becomes declassified.
YooLi · 5 months ago
This feels as hopeless as trying to keep your email/contacts from social media sites. Even if you are vigilant about never allowing an app/service to download your contacts, your friends will share theirs and it is trivial to recreate your contact list. If I keep my DNA from these companies, my relatives will share theirs and they basically have my DNA.
CharlesW · 5 months ago
> This feels as hopeless as trying to keep your email/contacts from social media sites.

The cynic in me agrees, but the process was quick and easy, and I know I'm not safer by not deleting my information from 23andMe. I recommend it.

brian-armstrong · 5 months ago
The distinction isn't super important, but 23andMe doesn't have your whole genome, just some specific locations from it. Roughly 750k base pairs or so.

https://www.quora.com/How-much-of-the-genome-does-23andMe-se...

echelon · 5 months ago
Enough to be denied insurance, have job offers rescinded, or be targeted by scams.

And they don't even have to have your DNA. Just a close enough relative will do.

a2dam · 5 months ago
The Genetic Information Nondiscrimination Act makes it illegal to adjust health (but not life) insurance premiums or discriminate for employment based on genetic information. Couples who do genetic testing before having kids have the same protections and they're very effective.
echoangle · 5 months ago
> have job offers rescinded, or be targeted by scams

Can you expand on this?

I understand the insurance thing due to genetic diseases and so on, but which jobs would I be denied for based on genetic information which wouldn’t be checked anyways?

I can only come up with stuff like colorblindness but that would probably be checked anyways if it were a strict requirement for the job so keeping the DNA secret wouldn’t help.

And what’s the scam angle when the DNA is known?

linsomniac · 5 months ago
Question: How are they going to link the DNA to people?

Some will be easier than others, sure. I'm trying to decide how "safe" my data is, since I created a single-use gmail account, with fictitious name, and paid for it with a gift card. I was afraid that some information in there might lead to being uninsurable, so I decided to row away from the rocks. Thankfully, my genetics didn't pop up any red flags, knock on wood.

I guess if you signed up using your normal e-mail address and your real name and used your credit card, you can still take the Shaggy defense ("It wasn't me"), but I suppose at that point they could ask you to prove it. I mean, most businesses aren't obligated to do business with you, for any or no reason at all.

rendang · 5 months ago
In what country would it be legal to deny someone insurance based on their genes? Has such a thing happened before?
consumer451 · 5 months ago
> Enough to be denied insurance...

Not just you, but your children who never had anything to do with 23andMe as well!

randomNumber7 · 5 months ago
Hello, I was sent back from the future to tell you there is already a backup.
ineedasername · 5 months ago
Hey—when you get back, tell me it worked. That the branch held. That it’s stable. I’ll merge it all with a pull after that.

It’s not true—not yet—but once you say it, it will be.

Just… don’t mention that part. Not until after the first.

goykasi · 5 months ago
Are we related? Are you me?
drdaeman · 5 months ago
Note that despite any requests the genetic data and some personal information (DOB and sex) probably won't be deleted, at least because of CLIA requirements: https://news.ycombinator.com/item?id=41781879 (more details in https://bourniquelaw.com/2024/10/09/data-23-and-me/, linked from the thread there)
nelox · 5 months ago
23andMe does not operate as a laboratory itself but contracts with U.S.-based labs that are certified under CLIA and accredited by the College of American Pathologists (CAP). According to their website, all saliva samples are processed in CLIA-certified and CAP-accredited labs, ensuring compliance with federal standards for accuracy and reliability. This certification is crucial, as it aligns with FDA requirements for certain health-related genetic tests. This distinction is significant, as CLIA primarily regulates labs, not the companies that contract them, potentially affecting the applicability of retention requirements to 23andMe’s broader operations.

CLIA’s record retention requirements, as per Section 493.1105, state labs must retain test requisitions, authorizations, and reports for at least 2 years, with longer periods for specific tests like pathology (10 years for slides).

CLIA Laboratory Record Retention Requirements:

- Test requisitions and authorizations: 2 years minimum.
- Test reports: 2 years minimum, 10 years for pathology reports.
- Cytology slide preparations: 5 years.
- Histopathology slides: 10 years.
- Pathology specimen blocks: 2 years.
- Tissue: Until diagnosis is made.

Notably, these requirements focus on test-related records, such as requisitions (which may include patient details like date of birth and sex) and reports (which for genetic tests would include interpreted results). However, there is no explicit mention of retaining raw genetic data, such as the full genotype data, in the CLIA regulations. This raises questions about whether 23andMe’s assertion to retain raw genetic information is strictly required by CLIA or if it extends beyond the regulation for other reasons, such as research or quality control.

CharlesW · 5 months ago
Here's a great post by a lawyer, linked to further down in that thread: https://bourniquelaw.com/2024/10/09/data-23-and-me/ It suggests a way to challenge them on their assertions that they must keep your data and samples.
bpodgursky · 5 months ago
I'm sorry but this lawyer has absolutely no idea what he is talking about with regards to CLIA compliance. And he even admits as much, but keeps talking anyway.
biker142541 · 5 months ago
I've been a broken record about the implications of sending DNA to a corporation for 20 years... it's hard not to have seen this coming.
rglover · 5 months ago
The data has already been sold off to the real customers (i.e., not you and me) [1]. You can (and should) request a deletion, but the damage has already been done.

[1] https://gizmodo.com/23andme-is-selling-your-data-but-not-how...

dahinds · 5 months ago
This is false, we've sold data with PII to no one. Or it is misleading: the page you linked to even says, "It is selling de-identified, aggregate data for research, if you give them consent."
EA-3167 · 5 months ago
To what extent and using what method is it "de-identified"? Plenty of such schemes are very easy to circumvent, especially with a large enough pool of data. Given the nature of genetics in particular, positively identifying a single case can be used to unmask whole families. In particular, depending on the anonymization, this would be a task suited to 'AI' very well.
dekhn · 5 months ago
Providing another company access to deidentified data is "selling your data", to argue otherwise is just semantics.

Note that selling deidentified data (genomic, health, etc) is common in the industry already and 23&Me is hardly unique in this respect.

ziddoap · 5 months ago
> It is selling de-identified, aggregate data

Just a note that re-identifying aggregate data is a whole field of study that is decently successful.

ezfe · 5 months ago
There are clearly labeled consent options in the settings page. They are all off for me.