23andMe confirms hackers stole ancestry data on 6.9 million users

Genetic testing company 23andMe revealed that its data breach was much worse than previously reported, hitting about half of its total customers.

  • MataVatnik@lemmy.world · 140 up, 1 down · 11 months ago (edited)

    Would you let government collect DNA from people when they are born? Absolutely not, but I will definitely give it to a silicon valley start up who will then proceed to sell it and have it stolen.

    • aelwero@lemmy.world · 56 up, 1 down · 11 months ago

      If you’re allowing a corporation to have it, you are giving de facto consent for government to collect it with zero regard for your rights whatsoever.

      They have the greatest ability to buy it, the greatest ability to steal it, and a fairly unique ability to confiscate it.

    • abhibeckert@lemmy.world · 9 up, 5 down · 11 months ago (edited)

      I don’t see how government vs private makes any difference.

      A baby isn’t capable of informed consent, so their DNA shouldn’t be collected unless it’s required for some medical reason (and then the sample should be immediately destroyed and no records kept).

      If an adult, however, wants to voluntarily give these folks a DNA sample… well that’s their choice. I’m not surprised it ended poorly.

    • r3df0x@7.62x54r.ru · 3 up, 15 down · 11 months ago

      I can very easily imagine a 23 year old liberal virgin technocratic atheist saying that DNA should be collected at birth to solve crimes. These are also the same people who likely support euthanizing disabled people if they “consent” to it.

      • grandkaiser@lemmy.world · 6 up · 11 months ago

        Liberal? The “personal freedom from government” folks? I think you’re thinking of someone who is pro authoritarian. I could 100% see a tankie, fascist, or right-wing authoritarian agreeing with that.

  • Sir_Kevin@lemmy.dbzer0.com · 84 up, 3 down · 11 months ago

    My gf wanted so bad for me to send my DNA to these clowns. I declined due to privacy reasons. She tried to convince me that they keep your info private. I told her that even if that was true, the government could still access it. She thinks I’m paranoid. And now her personal info is likely part of this leak.

    • merc@sh.itjust.works · 45 up · 11 months ago

      Lucky for you, if enough of your relatives send in their DNA they don’t need to get anything from you directly.

    • MuffinHeeler@aussie.zone · 22 up, 1 down · 11 months ago (edited)

      My mother had breast cancer. I couldn’t get a test to see if it was the inheritable one because then I would have to disclose it as pre-existing for the rest of my life. (For the record my mom took the genetic test and it was negative).

      This is just one example.

      What if in future, your insurance price depended on an inheritable disease DNA clearance. You could refuse but then it would be $$$$$. What if my life insurance refused to pay upon my death because I had knowledge of a gene that causes cancer when I took out the policy?

      PS not American.

      • AliasAKA@lemmy.world · 8 up · 11 months ago

        They’ll almost surely attempt this, but it will be much less clear cut on it. There’s federal law against discriminating on the basis of genetics, so they can’t explicitly charge more for it.

        But you better believe it’ll be a component in a deep learning insurance adjustment model that charges you more and just tells you the model says so — I’d expect this to occur and a court case to happen.

      • realharo@lemm.ee · 2 up, 5 down · 11 months ago

        That’s a situation for a government program, not insurance. Insurance is for situations where it’s unlikely that you’ll need a payout.

        Of course people today have to deal with the systems we have, but I’m talking about your hypothetical “future” scenario.

    • Animated_beans@lemmy.world · 11 up, 1 down · 11 months ago

      If you’ve ever had blood work done at the doctors office or had any tissue removed, your DNA is almost certainly on file somewhere. Human specimens are very valuable in research so whatever isn’t needed for testing is sent off to various research facilities. There really aren’t laws about tissue ownership so medical facilities can do whatever they like without your permission, though some still ask. Source: “The Immortal Life of Henrietta Lacks”

      • AliasAKA@lemmy.world · 8 up · 11 months ago

        This is only partially true. Due to things like Henrietta Lacks cells (HeLa cells for those working in cell culture), we actually have informed consent around this. They can’t just use your samples for not consented collection purposes (though in some cases, the further testing may fall under the original consent).

        HHS rules note:

        “If the tissues are identifiable, then subjects must provide consent for the secondary use and that consent must cover the elements of consent in 21 CFR 50.25.”

        That really only applies to healthcare providers covered under FDA and HIPAA regs.

        Obligatory not a lawyer etc.

      • Echo Dot@feddit.uk · 3 up · 11 months ago

        Yeah my blood’s already on file, that way after the fall of human civilisation people can clone me to find out what happened and I get to live.

    • r3df0x@7.62x54r.ru · 6 up, 3 down · 11 months ago

      I wonder how many people like this turn around and then use electronic payments in person for everything.

      • Duamerthrax@lemmy.world · 14 up · 11 months ago

        Different levels of privacy. Electronic payments only reveal what you buy and at least serves a utility. 23andme is just for vanity and could reveal your preexisting conditions or family tree to people who would use it against you.

        • r3df0x@7.62x54r.ru · 1 up, 5 down · 11 months ago

          Each transaction isn’t that much. Beating the path toward a cashless economy is a different story.

          Do you remember the pregnant teenager outed to her parents over big data advertising?

          • Duamerthrax@lemmy.world · 11 up · 11 months ago

            All I’m saying is that the two are not equivalent and people aren’t hypocrites for doing electronic payments, but refusing vanity DNA tests.

    • SCB@lemmy.world · 15 up, 14 down · 11 months ago

      I told her that even if that was true, the government could still access it. She thinks I’m paranoid. And now her personal info is likely part of this leak.

      You’re paranoid and she’s probably part of the leak.

      The odds the government gives any kind of shit about your 23 and me data, much less could competently do anything with it, are vanishingly small. That’s just pure paranoia.

      • Phoenixz@lemmy.ca · 11 up, 3 down · 11 months ago

        Not really… this info can and is being used in solving crimes. That and, if the US government ever turns into a dictatorship (hello trump!) then you won’t have to worry of being put on a list, you are already on one.

        • SCB@lemmy.world · 5 up, 4 down · 11 months ago

          I’m on several. Social security, the draft, etc.

          Point is the search methodology required has so far been worth it to catch one person. That person was a serial rapist and murderer. Hardly compelling.

          • Phoenixz@lemmy.ca · 1 up · 11 months ago

            Lists you are on contain information that can be modified, updated. I lived at A? I move to B. You can’t change your DNA, and if that were abused, that would be much, much worse than social security info.

      • curious_betsy@lemmy.world · 11 up, 7 down · 11 months ago (edited)

        Sadly you are mistaken here, the government is very interested in your DNA data. Check out this article about how they caught the golden state killer:

        Law enforcement officials are more interested in whether their perp is closely related to other people in the database

    • ugh@lemm.ee · 9 up, 24 down · 11 months ago

      What is your concern with doing a DNA spit test? I’m honestly curious, because I haven’t heard an actual answer yet. I don’t see how it exposes any more information compared to what advertisers already have.

      • Snapz@lemmy.world · 24 up, 2 down · 11 months ago

        Is this a serious question? Advertisers don’t know that you carry a gene that means you may prematurely die? They’d like to know though, so they can feed you life insurance scams when they know you’re vulnerable, “last chance” style round the world cruises, last will and testament legal services and of course pharmaceuticals. They also want to target your loved ones while they know they’re especially vulnerable after your loss. They want to send your spouse widows dating apps and psychic hotlines, etc. Advertising is knowing your specific weaknesses/vulnerabilities and exposing you to your triggers in your most vulnerable moments, for profit.

        Also, this data is correct, and it’s data that can/will be used to deny people health coverage/insurance/jobs in the future. Also a potential tool to reveal layers of ethnic heritage that would make the nazis drool (look into how IBM did a version of this for the nazis to use the census to help enable the historic scale of that genocide). With trump potentially around the corner and other rising fascist powers worldwide, and the only way trump stays out of jail is to remain president indefinitely and “silence” his detractors, it’s just too much sensitive data to be amassed, especially by a poorly regulated private company. Also makes your DNA vulnerable to cops gaining access eventually and bringing you in as a suspect for crimes you didn’t commit and, especially in places like Texas, executing you.

        Better question is, why are you on the side of this topic that you’re on?

      • n0m4n@lemmy.world · 15 up, 2 down · 11 months ago

        Have any of your blood relatives had any diseases that have a genetic component? Cancer? Heart disease? Yeah, we don’t cover that, it’s as clear as day, in the fine print, on page 13,131 of indexed addendum information. Additionally, you knowingly had this information from a DNA test, which constitutes fraud, making your policy null and void. Thank you for your business.

        • Duamerthrax@lemmy.world · 6 up · 11 months ago

          Also, they could deny you coverage because of a preexisting condition, but come up with a different reason officially if that’s illegal. If they can get your dna through a back channel, they have plausible deniability for their motive.

        • ugh@lemm.ee · 2 up · 11 months ago

          That’s a good point that I hadn’t considered. I’m not sure how that would go over legally in the US. They could gather very similar information by looking at records from relatives who have used the same insurance company, even just financial records, but that is monitored closely by the government. I wonder if we’ll be seeing any lawsuits in the near future.

      • Thorny_Insight@lemm.ee · 13 up, 1 down · 11 months ago

        For me the reason is the same as with all collection of personal data on social media. There isn’t any one specific scenario I’m worried about per se, but it has more to do with the potential for misuse in the future. I hate to compare things to nazis but it’s the best example I can come up with. Just imagine what a goldmine facebook user data would’ve been to them. There’s always the possibility for a fascistic government of some kind to take power one day and a database containing these amounts of personal information of near every person alive has near infinite possibilities to be misused. I couldn’t possibly imagine all the ways this information could be used against me but it can and thus the safest way is to prevent them from having the data in the first place. It’s sort of an insurance. You hope that it will not be needed and it probably won’t but going completely without is pretty irresponsible too.

        • ugh@lemm.ee · 1 up · 11 months ago

          I guess it would generate a bigger pool of people if they want to get super technical about who they want to genocide. US citizens already have to hand over their demographics to the government, but worst case… I could entertain that idea.

      • geophysicist@discuss.tchncs.de · 10 up, 1 down · 11 months ago

        Advertisers have my preferences and buying and watching habits, my DNA is… my DNA. That’s another whole level

        • jennwiththesea@lemmy.world · 3 up, 13 down · 11 months ago (edited)

          But why? Why is your DNA more you than literally every thing you’ve ever looked at or expressed an interest in?

          • SkyNTP@lemmy.ca · 13 up · 11 months ago

            Cataloging individual DNA data casually at a massive scale opens the door for massive genetic discrimination of all kinds, from discriminatory health insurance premiums and hiring discrimination to apartheid, eugenics, and genocide. “Don’t be silly, that’ll never happen here” is the height of affluent arrogance.

            Humans have proven themselves to be fully capable of these horrors, it is just a matter of time until it happens again, and when we create tools of consolidated power, just like IBM created machines that enabled Nazi concentration camps, we only increase the chance of enabling some deranged element of society to repeat these catastrophic horrors.

            All that downside just so we can consume 15 minutes of dopamine.

            • r3df0x@7.62x54r.ru · 7 up · 11 months ago

              I’m surprised how based everyone here is being. So many people are just “give over all your information bro, the corporations will get it anyway.”

      • coffeebiscuit@lemmy.world · 9 up, 1 down · 11 months ago

        Insurance companies would love your DNA too, for all the “good” reasons. And imagine not getting a job because of your DNA.

        Zipcodes can do just so much…

        • r3df0x@7.62x54r.ru · 3 up · 11 months ago (edited)

          I can easily imagine hiring managers tossing out job applications of people who have a family history of autism, but that’s more a problem of it being too hard to fire them if they’re a problem.

          Religious people could also use a history of mental illness to assume satanic activity.

      • Ook the Librarian@lemmy.world · 7 up · 11 months ago

        What’s the worst that can happen when you give your DNA to a private company? Delta Airlines will frame you for murder.

  • slumberlust@lemmy.world · 53 up · 11 months ago

    Didn’t they originally try to brush this off as credential stuffing and aggregation?

    There should be harsher penalties around mishandling people’s data, especially if you lie about it to save face.

  • ѕєχυαℓ ρσℓутσρє@lemmy.sdf.org · 40 up · 11 months ago (edited)

    Good thing that these things haven’t really taken off in my home country. Otherwise, you don’t even need to submit your DNA. If enough of your stupid relatives do it, they’ll have a good idea about you.

    • _Mantissa@lemmy.world · 15 up · 11 months ago

      That might be true about DNA data but these places gather every public genealogy record available. If your country has a census, for example, they probably already know more about your family than you do.

    • r3df0x@7.62x54r.ru · 12 up · 11 months ago

      My uncle did this and I found out that I’m 3% Irish. As a Gamer, this is a Clayton Bigsby moment.

  • bladerunnerspider@lemmy.world · 37 up · 11 months ago

    Two days ago they sent an update to their TOS that they will require arbitration and to reply to their legal department to “opt out”.

      • Lucidlethargy@sh.itjust.works · 3 up, 3 down · 11 months ago

        Supposedly Facebook runs a really clean and straightforward operation, too. I hear banks are really generous as well.

        I hear bitcoin investors only want to decentralize currency, too. It’s def not a scam. Totes legit. Let’s all go buy lots of bitcoins! Who wants monkey nfc’s and exploding kittens nfc’s!?

  • Nurse_Robot@lemmy.world · 35 up, 1 down · 11 months ago

    So I got an email today telling me that I would automatically accept their new ToS (which included barring me from class action lawsuits without 1-2 months of arbitration), but I could email them to refuse the change and keep the old ToS. I emailed them to refuse the change, was that a mistake?

    • abhibeckert@lemmy.world · 27 up · 11 months ago (edited)

      I find it hard to believe “not responding to an email” is consent. I mean they can write that in an email but there’s no way they could hold you to that in court.

      • treefrog@lemm.ee · 5 up · 11 months ago (edited)

        If the original contract has provisions for changing it in this manner then it might hold up in court. But if they didn’t have the foresight to include mandatory arbitration to begin with, it’s unlikely the lawyers who drafted it thought that far ahead.

        What I’m curious about is if my brother’s DNA was stolen. Do I have the right to sue for negligent handling of data that’s as much his as mine?

        • TechAnon@lemm.ee · 3 up · 11 months ago

          I would think so. IANAL but I’m sure there’s a ton of precedent for cases similar to this. HIPAA laws are very good for the people.

          • treefrog@lemm.ee · 1 up · 11 months ago

            I hadn’t considered HIPAA. IANAL either but I have taken business law 101 as well as human services classes that both covered it.

            If I remember right though, HIPAA isn’t a personal lawsuit. It’s the feds suing corporations for violations. I can’t like, personally sue the health industry for a violation (as far as I remember).

    • TechAnon@lemm.ee · 4 up · 11 months ago

      Not a mistake, but their ToS change without consent probably wouldn’t stand up in court.

  • DirkMcCallahan@lemmy.world · 13 up · 11 months ago

    Yet more evidence that we shouldn’t be handing over sensitive data to random companies. Will this change anyone’s behaviour? Sadly, probably not.

    • ugh@lemm.ee · 6 up, 3 down · 11 months ago

      I struggle to see what someone could do with that information. My ethnicity is already known by the government and every advertiser collecting my information online. I randomly had my identity connected to my cousin’s before any family took DNA tests. Her name would show up in those questionnaires along with what car I’ve owned and where I’ve lived when I had to go through online government stuff.

      I’m relatively paranoid about giving out personal information, but I don’t consider my spit very sensitive.

      • cman6@lemmy.world · 4 up, 1 down · 11 months ago (edited)

        You get a phone call from someone claiming to be from 23andme but they’re not…

        Hi it’s Jim from 23andme.
        Just going through security with you. You did a test with us on the 5th Dec, your mother is X and your father is Y.
        Ok that confirms who I am.
        So as I said it’s Jim and in your results we see you have a genetic condition which means you will have early onset dementia.
        We offer a preventative treatment. Want to enrol in the trial? It’s $200.

        Not the best example, I admit, but an example of how that data could be misused, and you’ve just paid “Jim” $200.

      • r3df0x@7.62x54r.ru · 2 up · 11 months ago

        There is a lot of job discrimination in hiring of autistic people, especially when it’s hard to fire them.

        Many places actively profile for it and consider symptoms to be red flags since they can’t explicitly ask. This is why making it hard to fire people hurts the disadvantaged.

      • ExLisper@linux.community · 3 up, 1 down · 11 months ago

        What I would do is search for data where the kid is not the biological child of both parents. For all the cases I found I would send an automated email to both parents saying that if they don’t pay me I will reveal this info to their child, post it on their facebook and email all their friends. How many couples do you think found out that there was a mixup in the in vitro clinic or simply that there was some cheating and didn’t reveal it to everyone? My guess is more than 0.

        Or I would email everyone on the list saying that I analysed their data and found that there’s 100% probability they are gay/trans/have a small dick. Out of the 7 million, how many would believe it and pay not to have this revealed?

        With 7 million users it’s more about running scams than getting ‘dirt’ on the individuals.

      • TechAnon@lemm.ee · 1 up · 11 months ago

        It sucks as a whole. Imagine having everyone’s DNA. You can develop things that hurt a specific set of people only. It may or may not affect you directly, but it affects our communities. You’re right as an individual. No one really cares about your hair or spit and if they did, it’s very easy to get a hair sample in most cases without you even knowing it. As technology gets better there will be (maybe already are ways) to get your DNA that are less intrusive or need less material. AI trained on DNA and physical attribute could probably narrow it down A LOT using video alone.

        • psud@aussie.zone · 1 up · 11 months ago

          They don’t have any DNA. They have genetic relationships and percentages.

          I can’t see any good use

  • nymwit@lemm.ee · 10 up · 11 months ago

    The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.

    23andMe also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information, the spokesperson said.

    This is of course bad but is everyone thinking that actual DNA information was copied or what? That’s what it seems like from y’all’s comments. I mean that’s a pretty easy leap to make, it’s a DNA testing company after all, but they seem pretty specific on what data got out. I don’t immediately see that this specific information is worse than say what a credit reporting agency has on you.

    • Pyr_Pressure@lemmy.ca · 8 up · 11 months ago

      I can see someone nefarious blackmailing people that discovered they accidentally married their long lost sister or those who found out their father cheated on their mother or something.

    • banneryear1868@lemmy.world · 4 up · 11 months ago

      The relatives thing is weird anyway. I took the 23andMe test and downloaded my raw data and wrote a script to find different marker values. The other info I provided the site probably isn’t accurate. Don’t really care if someone gets my DNA markers either cause DNA isn’t like what most people think it is.

  • jet@hackertalks.com · 8 up, 1 down · 11 months ago

    Wait for the new wave of digital paternity blackmail. Dear X, we see you have two children. We will let Z Y Q from Facebook know if you don’t send eleventy itunes gift cards to…

  • nucleative@lemmy.world · 4 up · 11 months ago

    This is so predictable. Large databases are valuable targets for theft.

    It seems like the vulnerability at 23 was users who used the same password on another site.

    Presumably the attackers had those databases (easy to obtain peeps, that’s why we use different passwords and password managers) and a good script that let them login and download. Probably over a whole lot of proxy IPs, so it was hard for 23 to see that they were under attack for a while.

    Don’t know what else to say… Maybe 2 factor authentication should be more common. I guess with them you could spit on your monitor and it should log you in.

    If that’s the only issue it seems a bit of a far reach to say they were breached.
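The attack shape nucleative describes above (a script replaying leaked credentials, spread over many proxy IPs so that per-IP rate limits never trigger) is exactly what a login-audit detector has to look for. Here is an added example of such a detector in Python; it is not code from this thread or from 23andMe, and the audit-line format, the field names and the thresholds are all assumptions made for the example.

```python
"""Credential-stuffing detector over login audit lines (added example,
not code from this thread or from 23andMe)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit log; the line format is an assumption for this
# example, not any real product's: <ISO time> ip=.. user=.. result=ok|fail ua=..
SAMPLE_LOG = """\
2023-10-01T10:00:01 ip=203.0.113.10 user=alice result=ok ua=chrome
2023-10-01T10:00:09 ip=198.51.100.7 user=bob result=fail ua=python-requests
2023-10-01T10:00:10 ip=198.51.100.7 user=carol result=fail ua=python-requests
2023-10-01T10:00:11 ip=198.51.100.7 user=dave result=ok ua=python-requests
2023-10-01T10:00:12 ip=198.51.100.7 user=erin result=fail ua=python-requests
2023-10-01T10:00:13 ip=198.51.100.7 user=frank result=fail ua=python-requests
2023-10-01T10:00:20 ip=192.0.2.1 user=gina result=fail ua=okhttp
2023-10-01T10:00:21 ip=192.0.2.2 user=hank result=ok ua=okhttp
2023-10-01T10:00:22 ip=192.0.2.3 user=ivan result=fail ua=okhttp
2023-10-01T10:00:23 ip=192.0.2.4 user=judy result=fail ua=okhttp
2023-10-01T10:00:24 ip=192.0.2.5 user=kate result=ok ua=okhttp
2023-10-01T10:00:25 ip=192.0.2.6 user=liam result=fail ua=okhttp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) ua=(?P<ua>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events, window=timedelta(minutes=10), ip_user_threshold=5,
           spread_users=6, spread_ips=6, max_attempts_per_ip=2):
    """Report stuffing indicators seen within the last `window` of the log.

    noisy_ips: one source trying >= ip_user_threshold distinct accounts.
    distributed_clients: one client token seen from >= spread_ips sources
    against >= spread_users accounts, at most max_attempts_per_ip attempts per
    source (median) and a failure ratio >= 50%: the low-and-slow proxy pattern.
    Successful logins inside such a cluster are listed for reset and notice.
    """
    report = {"noisy_ips": [], "distributed_clients": []}
    if not events:
        return report
    cutoff = max(e["ts"] for e in events) - window
    recent = [e for e in events if e["ts"] >= cutoff]

    users_by_ip = defaultdict(set)
    events_by_ua = defaultdict(list)
    for e in recent:
        users_by_ip[e["ip"]].add(e["user"])
        events_by_ua[e["ua"]].append(e)

    report["noisy_ips"] = sorted(
        ip for ip, users in users_by_ip.items() if len(users) >= ip_user_threshold
    )
    for ua, evs in events_by_ua.items():
        ips = {e["ip"] for e in evs}
        users = {e["user"] for e in evs}
        attempts_per_ip = [sum(1 for e in evs if e["ip"] == ip) for ip in ips]
        fail_ratio = sum(e["result"] == "fail" for e in evs) / len(evs)
        if (len(users) >= spread_users and len(ips) >= spread_ips
                and median(attempts_per_ip) <= max_attempts_per_ip
                and fail_ratio >= 0.5):
            report["distributed_clients"].append({
                "ua": ua,
                "ips": len(ips),
                "users": len(users),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(e["user"] for e in evs if e["result"] == "ok"),
            })
    return report


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
```

On the sample, the single noisy source is caught by the per-IP rule, while the okhttp cluster is only visible once attempts are grouped by client rather than by address; the two successful logins in that cluster are the accounts a responder would reset and notify first.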