[caio1982]

"We will not sell, lease, or rent your individual-level information (i.e., information about a single individual's genotypes, diseases or other traits/characteristics) to any third-party or to a third-party for research purposes without your explicit consent."

And...

"Unless you choose to store your sample with 23andMe (called consent to "bio-banking", which can be found here and changed in your settings), your saliva samples and DNA are destroyed after the laboratory completes its work, unless the laboratory's legal and regulatory requirements require it to maintain physical samples."

Also: https://www.23andme.com/en-int/legal/biobanking/

[alexbecker]

The "individual-level information" limitation is a huge weasel. 23andMe can and does share "anonymized" aggregations of its clients' genetic information [0]. Anonymization is not a property of a dataset though; it's a property of a dataset and the state of the world, and even if (and this is a big if) the dataset is truly anonymized right now, it won't always be.

[0] "23andMe says that it is also able to share anonymous and pooled data about their self-reported health traits without asking." - https://www.forbes.com/sites/matthewherper/2015/01/06/surpri...

[marchenko]

Well said. Genetic data is by nature personally identifiable, and genomic disaggregation techniques can be expected to improve. Data troves like 23 and Me are an attractive target for DNA dragnets - at present, their SNP data is not CODIS-compatible (although it is theoretically possible that the SNAP data could be queried against a physical sample assayed for the same SNPs), but the physical samples are very valuable and customers should inspect their sample retention terms very closely.

[decebalus1]

Yeah, for now but in general, that's useless. They have the leverage to change the policy whenever they want as long as they notify the customers at the login screen and via email. And hey, they can change the policy to not even notify anyone. And of course, they can be bought out and the customer data is part of the company value so there's that.

Unless they provide an anonymous way of consuming their product I would never. ever. EVER. give a for-profit company my genetic data (and it's debatable who owns that data because last time I checked lawmakers don't really give a shit about information ownership unless it's about Hollywood) and have them tie it to my name. Fuck that!

[astrange]

Not only your genes worthless, since everyone has genes, but you leave them everywhere, like when you get a haircut.

Might be important if you were planning on a life of crime, or if you owe someone child support. But for the moment there's no good way to use them to make money off you.

[marchenko]

There's a big difference between leaving your DNA on a cup and storing it in an easily-queried database. To collect your DNA from a cup , an interested party has to have an a priori interest in you specifically. To get it from a database (or databank, if 23 and Me is retaining physical samples, as their terms indicate they might), the interested party just has to have an a posteriori interest in "people's DNA", and hoover yours (and by probabilistic inference, your relatives') up along with everyone else's.

In the US, the protections against insurance companies using your genetic data against you are about as deeply entrenched as the protections against letting ISPs sell your internet history, and subject to much more intensive lobbying. Other countries have no protections at all - Canada's current bill is strongly opposed by the Trudeau government. Remember, even though most of these genetic risk scores are incredibly weak predictors, it is only necessary for insurers to believe they improve their actuarial models slightly to have a huge effect on differential insurance costs.

[decebalus1]

> Might be important if you were planning on a life of crime

I'm very sad reading statements like this on hackernews.

Is that really an argument when it comes to privacy? Especially these days?

'crime' is a generic term which can change depending on who's in charge of the country.

[astrange]

I mean, personally I think everyone should be prepared to start a life of crime. But hiding your genes is like trying to hide what you look like - basically impossible. Privacy is about not being able to associate people's actions with them, not hiding that people exist in the first place.

[lomnakkus]

"unless the laboratory's legal and regulatory [...]"

That [...] could hide a lot of shady stuff being done via NSLs (etc.).

EDIT: There is a very interesting issue here, though, namely how the findings by 23andme are presented to their customers. There's good research that shows that presenting relative probabilities[2] (as opposed to just picking a sample size and doing everything in numbers relative to that) is very hard to understand for the general public (and even for statisticians unless they're paying close attention!). The Base Rate Fallacy is basically a consequence of presentation. Hopefully, 23andme are doing this responsibly, but I honestly don't know.

[2]: Example: "Eating X increases risk of cancer by 50%". Well, yeah, that might change my risk of cancer from 0.01% to 0.015%, but that that's not something I should worry about. Yet, we see these headlines because they grab people's attention.

[Analemma_]

Those statements don't seem to say anything about the possibility of your data being acquired by God-knows-who in the event 23andme goes bankrupt.

[JumpCrisscross]

After the Cloudera incident, I asked them to destroy my genetic sample and data. 23andMe's certification seemed clear that my data were no longer accessible by anyone.

[chaostheory]

> unless the laboratory's legal and regulatory requirements require it to maintain physical samples.

I could be wrong but in a lot of cases in the US, labs are required to hold data for at least 2 years

[liuhenry]

What was the Cloudera incident? I couldn't find anything from Googling around.

[menacingly]

I obviously don't understand the specifics, but if they are later owned by someone else, is that new someone considered a third party?

For instance, doesn't this mean that a hypothetical future 23andMe drowning in debit could be acquired by a company who could use the data for all sorts of terrible things without ever technically selling it to a third party?

[awqrre]

Aren't they already selling your data to third parties? [0]

0. http://gizmodo.com/of-course-23andmes-business-plan-has-been...

[gotodengo]

This is what happened during the RadioShack bankruptcy iirc.

Instead of putting customer data up for sale they essentially just split off the portion of the company that held the data and put that up to be acquired.

[Balgair]

I'm pretty sure that is exactly how it will work, laws be damned.