[stcroixx]

I don't know about that. Geneology has been a hobby for me for a couple decades and I'd say only tech illiterates were willing to trust 23 and me. I've never seen any company I've worked at do well enough with security that I'd trust them with my DNA and with the constant data breaches across the industry with zero consequential penalties, this seems like the norm. Have you ever seen security done right anywhere? In my experience, it's always the bare minimum. Banks are about as close as it gets and that's only because they have higher obligations than most.

[valedan]

Gave them my DNA last year, am not tech illiterate. It was cool to see the results, though not life-changing. I don't regret the decision - I don't understand why I should care that my DNA sequence is on a shady website somewhere. I don't understand the threat model people have here - how will my life be negatively impacted by this?

[autoexec]

> how will my life be negatively impacted by this?

Your would-be future employers may reject you because of this data. Why hire someone with a higher risk of certain diseases or disables? It'd be illegal, but companies don't care about breaking the law if it's profitable and it'd basically take a whistleblower for anyone to know it happened. They certainly won't tell you that's why you weren't hired.

You could be denied housing or be targeted by extremists. More likely though, you'll be targeted by pharmaceutical companies. If the police didn't already have a copy of your DNA on file you might now have a place in every police line up, in any state in the US, for every crime committed where DNA evidence is collected. You could get wrongly flagged as a match through human error or statistics but either way it'll be on you to hire the lawyer who will have to prove your innocence.

We're moving toward a digital caste system (several really) where the data governments and corporations have on you will determine what you're allowed to do, how much you'll pay for things, and what opportunities you'll have. Every scrap of data you surrender will be used against you by anyone willing to pay for it, used in whatever way they think will benefit them, at any time, and you'll probably never even realize what happened. Just like right now, where companies don't tell you that they used your personal data to determine how long to leave you on hold. There's no telling what kinds of harms this could bring you, and there's no taking your data back to prevent any of it either.

I hope that data never comes back to haunt you. I'd sure hate to need to count on that never happening though.

[nylonstrung]

This seems pretty far fetched.

Do you really think a judge would allow a guilty verdict based on stolen genetic data obtained from a hacker?

Do you really think braindead landlords and HR people would make decisions based on Promethease or whatever future tool replaces it?

Monetarily the genetic data is marginally valuable at best, which is the same reasons 23andme revenue comes almost entirely from novelty-seeking consumers rather than industry.

[autoexec]

> Do you really think a judge would allow a guilty verdict based on stolen genetic data obtained from a hacker?

The judge won't have any idea how the innocent person's data got entered into the government's DNA database. The same way that judges doesn't care how police got your fingerprints on file (They got mine when I was in grade school. Teachers lined all the kids up in the hallway and the police fingerprinted us all. They told us it was in case we were kidnapped.). The judge cares about how the DNA was collected at the scene of the crime. It's enough that it matched DNA in the government's database. Even if it was discovered that the DNA came from 23andme's data I doubt they would care.

> Do you really think braindead landlords and HR people would make decisions based on Promethease or whatever future tool replaces it?

They already perform illegal background checks on employees and renters. (see https://money.cnn.com/2014/04/09/pf/data-brokers-ftc/index.h...). Whatever interesting data can be extracted from the DNA that was leaked will be added to the dossiers data brokers have on the victims.

[funcDropShadow]

> This seems pretty far fetched.

At the begin of Hitler's reign, the Nazis started to ask people at many occasions for so-called "Ariernachweis" papers. Those were collections of documents to show that someones ancestors were pure according to their race theory. Many people didn't question this at the beginning. Later that data was used to round up minorities, i.e. to commit the wellknown atrocities.

Once data is centrally collected, you cannot know for which future purposes it'll be used. So, the question with regards to companies like 23andme should be: Do you trust the current owners, all future owners, and current and future business partners to not misuse and safeguard your DNA data?

> Monetarily the genetic data is marginally valuable at best Tell that to big pharma, health insurers, adoption agencies, dating sites, and companies that produce addictive products for consumers.

> Do you really think braindead landlords and HR people would make decisions based on Promethease They have shown to make decisions based on DEI declarations. I rest my case.

[dspillett]

> Do you really think braindead landlords and HR people

Maybe that part is far fetched. But insurance people will make user off it I'm sure. By letting this data out there you might be opting in to higher costs, or hassle getting insurance at all, that way.

[rixed]

You convinced me that, as I was already suspecting, there is no more risk in having your dna public than, for instance, having a picture of you on the internet. Arguably, even less.

[autoexec]

"no more risk" is an odd way to frame it. Its all compounded. Having a pic of yourself online is a risk. Having your DNA leaked a risk. Carrying a cell phone is a risk. Using Google is a risk. The more risks you take you more likely you are to get screwed over.

It doesn't really matter if you're the guy who gets arrested for riding his bike (https://www.nbcnews.com/news/us-news/google-tracked-his-bike...) or the guy who gets arrested because of his DNA (https://www.science.org/content/article/forensics-gone-wrong...) or the guy who gets arrested due to facial recognition (https://www.cnn.com/2021/04/29/tech/nijeer-parks-facial-reco...) it's going to suck for you either way. They're all just different types of ammo that will eventually be used against you somehow or other.

[ChumpGPT]

You forgot finger prints, photo's, AI, medical history through routine exams, spending habits harvested through CC use and any form of digital banking, living habits analyzed through electric bills, internet activity, auto use, travel, etc.

Your fear is misguided and you have already lost the game.

[autoexec]

You seem to be supporting the fact that this is a valid concern. Every piece of data can (and eventually will likely) be used against you at some point. The more data you give up, the more ammo you're handing over to the people today and tomorrow who want to exploit you. DNA contains a ton of data, and it's very different from the data in your utility bills or your GPS history. Keeping your DNA out of the dossiers data brokers keep on you would be a smart move even taking into account how much other data they already have.

[faeriechangling]

The breach affects those related to you and affects you multi-generationally so there’s a lot of time for the impact to materialize. There are strong financial incentives for genetic discrimination on the part of insurers and employers. There are also plenty of fascists are happy as a clam to discriminate against anybody with certain genes.

If there’s any reason not to care, it’s not the lack of impact, it’s the impossibility of securing the data. I could sit here all day and convince you that you should care and then your cousin would get a dna analysis done and that would ultimately make all your caution mostly irrelevant. The only effective way to ensure genetic privacy is a legislative effort to control access to genetic databases, trying to avoid being put in such a database is only going to slow down how fast this happens.

[jeromegv]

Once they sell it to your insurance company and they deny you some type of coverage for whatever reason.

[bernawil]

see, this is where I don't get it. Can you send your material anonymously (burner email, pay in cash/crypto/prepaid debit card)? Then how could they match your DNA to your identity to sell it to insurance companies, etc?

[dspillett]

I'm sure that is possible. But what ratio of the public actually would think of doing that?

[anjel]

Ask one of the serial killers now rotting in jail thanks to 23andme!

[bernawil]

Was there ever a case of a convict getting caught by their direct DNA being found in one of these databases? I thought all cases where correlated from relatives. Government gets DNA sample, asks the databases: 'who do you know that's a genetic relative of this suspect?' and then they go and interrogate that person's every third cousin. You can't keep your family tree private, your birth certificate is out there. Opting out of 23andMe won't help you here.

[runjake]

A couple. One infamous case was the Golden State Killer[1] case. Though in that case, it was GEDmatch, not 23and me -- similar service, though.

1. https://en.wikipedia.org/wiki/Joseph_James_DeAngelo#Investig...

[manxman]

But that’s just it. You now get the 23 and me defence… my DNA data was hacked therefore there’s reasonable doubt the DNA linking me to the murder was synthesized from the 23 and me leak.

[Eisenstein]

The fact that there is so much potential for the use of that information yet we haven't even started putting mechanisms in place to utilize it is what scares the hell out of me. If the threat model is 'to be determined' then especially when the data is being used commercially, for somewhat trivial reasons and without any substantial legal protections then the way to act is 'from my cold, dead, hands'.

Just remember that no matter who in charge you think is neutral or bad or great, things change, attitudes change, shit happens (remember the Patriot Act?)...

It isn't paranoid to say 'I don't trust the future, let's act cautiously instead of frivolously with things that have the potential to be extremely valuable to me, extremely impactful to society, and in which currently sits the greatest unexplored potential of this generation'.

[manxman]

Cool so you going to wear gloves every time you eat out, touch a door, hold a glass etc.? You’re shedding DNA throughout the day. How is that fundamentally different?

[Eisenstein]

If I said I didn't want to go hunting with Dick Cheyney would you ask if I wore a bullet proof vest everywhere I went? When people look before walking into an intersection do you ask them if they erect bollards in front of their house?

But ok. Next time you go in for surgery tell the doc not to wash their hands because you aren't a scaredy cat.

Refusing to willingly take stupid risks is different than trying to live a life without them at all.

[keskival]

I agree, I have had my raw DNA data and all the analysis results publicly available since the day I took the tests. No problems.

https://globatic.blogspot.com/2013/10/the-23andme-full-and-r...

[mixmastamyk]

Biometric auth being used more and more every day. Not hard to see requirements or and crime/impersonation in the future. Gattaca is still far off but one step closer than it was.

[upwardbound]

Someday when DNA synthesis machines have enough write length to be able to synthesize entire human chromosomes, someone with your genome data could clone you without your consent. Even if this takes 50 years to become possible, you still might not want unauthorized clones of you being made using data that you gave up when you were younger.

[a_bonobo]

That's not possible with 23andMe data, they have 640,000 SNPs, not the entire genome/exome/methylome. They have 640k points where the genome is often different from others, but your own genome is 3Gbp long (3,000,000,000 basepairs) with usually a few million SNPs per person. 23andMe has a subset of the diversity in your genome.

[upwardbound]

That's good to know. In that case, my concern would lie with the physical saliva samples that 23andMe has retained, since they could be comprehensively sequenced later.

[a_bonobo]

That is true! Samples are usually good forever in the freezer. Do they keep all samples?

Running -80C freezers is not cheap! I have 3 -80C freezers in my lab, those large chest-freezers, and each uses 22 kWh per day for a total of 66 kWh per day. Apparently the average US household consumes 29 kWh per day, so we use up 2 houses per day.

Our freezers certainly don't hold the 14 million samples 23andMe supposedly has, more like in the low thousands. They'd need the power-usage of a city to keep all those samples OK!

[aden1ne]

You can extract the DNA and store that instead - and they already had to that to their analysis in the first place. Far smaller volume than the raw sample.

Storing this for an effectively indefinite amount is not uncommon. I used to work at a clinical genetics lab, and some material had to be stored (by law!) for a whopping 120 years.

[kaba0]

As opposed to getting a bit of hair/dead skin from you, they rather hack into some digital system?

[31337Logic]

You don't hack into the system to obtain the data. You buy it. It's literally the most profitable thing on the planet right now.

[keskival]

I hereby authorize any and all clones anyone ever wants to make out of my full DNA or parts thereof.

[tapatio]

Ignorance is bliss.

[0xDEAFBEAD]

>Have you ever seen security done right anywhere? In my experience, it's always the bare minimum.

Google is pretty good at security, no?

https://cloud.google.com/blog/products/management-tools/lear...

[stcroixx]

Google itself is a threat, about as user hostile of an organization as there has ever been.

[kaba0]

That was not the question asked. Google is good at data security, and at the same time they are probably the biggest privacy violators, and both of this can be true.

[fsckboy]

if you talk about security, you're talking about threats. To put Google into both categories, sorry, GP is right.

[0xDEAFBEAD]

Some users may consider targeting advertising to be a threat, others less so.

My take is, if targeted advertising is the biggest thing you're worried about in terms of cybersecurity, you are probably doing reasonably well at staying secure.

[lioeters]

This is the kind of answer I like to see on this forum, and I hope more people become as aware and outspoken.

[0xDEAFBEAD]

It's the kind of answer that makes me wish people actually followed the HN guidelines. I understand people are very passionate, but I prefer to make decisions based on facts. My experience is that the people who are super passionate often show themselves to be uninformed when you drill down and start asking them hard questions about their strong claims.

[0xDEAFBEAD]

This seems like hyperbole.

I'm not particularly worried about Google stealing my credit card number and making fraudulent purchases. But I am worried about criminal organizations doing this.

There's so much FUD on HN about big tech companies, but I'm skeptical that their wickedness actually lives up to the hype. I suspect it is more of a clickbait miasma (journalists hate Google because they took revenue from the media industry) than anything based in fact. Google provides free and useful products (Google Search, Gmail, Android) to people across the world. Billions of people use this stuff voluntarily -- why?

If Google is "about as user hostile of an organization as there has ever been", it should be easy for you to come up with at least 3 examples off the top of your head (no searching for "14 ways Google is evil" listicles) of them being at least as nasty (on a per capita basis relative to the population of people they have relationships with) as the literal mafia. It should be no trouble at all. So, could you please do that for me?

[stcroixx]

1 - They built a product to follow everyone around online and in real life, breaking multiple consumer protection laws in the process, say 40 of our 50 states https://www.npr.org/2022/11/14/1136521305/google-settlement-...

2 - They've created an illegal advertising monopoly https://www.justice.gov/opa/pr/justice-department-sues-googl...

3 - Violate the law to illegally collect data on children, say multiple states https://www.ftc.gov/news-events/news/press-releases/2019/09/..., https://iapp.org/news/a/google-new-mexico-ag-settle-coppa-al...

Over a billion people smoke cigarettes, doesn't make it a good idea. Most of the worlds population can't afford an iPhone, so are left using Android.

Is it unreasonable to think they're probably doing something else illegal that hurts us right now? Or that they'll use their ill gotten treasure hoard to buy the resolution of their choice when they're caught again?

[0xDEAFBEAD]

I still think your statement was hyperbole, but thanks for giving me the list I asked for.

[mixmastamyk]

The company pwned by the NSA for over a decade?

[0xDEAFBEAD]

I agree that if the NSA is your threat model, then you shouldn't trust any company.

I also think we can learn a lot about security from Google even if they comply with federal court orders requesting user data. "Willingness to comply with federal court orders" and "competence at securing data against cyberattacks" are two different things.

[fsckboy]

"if NSA is your threat model" sounds like something somebody from the 1980's would say. It's been a long time now that we've known they spy on everybody and that they share the data, and they Five Eyes the data they can't get. NSA is everybody's threat model and it has been for a long time. Intervening in electoral politics, getting private companies to do their bidding... where have you been?

[0xDEAFBEAD]

The turn this thread has taken has been interesting. A few comments ago, stcroixx wrote:

>Have you ever seen security done right anywhere? In my experience, it's always the bare minimum.

I think there's a lot of ground between doing the bare minimum for security and hardening your organization against the NSA. Every step towards greater security is a step I support, even if your organization isn't able to reach the "hardened against the NSA" level.

I'm happy for you if you want to harden yourself against the NSA, but I dislike black-and-white thinking. I care about harms to users which come from non-NSA threats too. Case in point: the original post about hackers selling 23andme data -- presumably to clients who are not the NSA, in some cases.

If every discussion of how to improve security gets derailed into a discussion of how evil the NSA is and how practically no one is secure against them, then organizations will continue to do security badly, and we'll see more breaches like this 23andme breach. Fatalism is a self-fulfilling prophecy. I see it every day here on HN.

[k12sosse]

When "your" military officers are selling state secrets out for $5k in bribes [0], you realize there's probably very little you can do to prevent bad actors in positions of trust from blowing up any security model anywhere. Your only choice is between minimizing your risk with hoping for the best, or rolling your own everything and not taking part in any modern anything and living and dying alone. And even then, there's still probably going to be a file on you somewhere.

[0] https://abcnews.go.com/US/2-us-navy-sailors-arrested-alleged...

[mixmastamyk]

You may have missed some news:

https://www.zdnet.com/article/google-the-nsa-and-the-need-fo...

[Jach]

What's interesting to me remembering this is that back then, even that late into Google's life, Google had enough people to actually be pissed off about this and try doing something about it. Google of today? I have the sense that management would just shrug its shoulders and let the violating by any nation-state-backed group that pleases continue.

[0xDEAFBEAD]

There's a mutual cynicism here. If Google's users think: "Google will violate my privacy no matter what, there's no point in complaining", then Google's executives will think: "Users will believe we are weak on privacy no matter what, there's no point in protecting user privacy".

To break the cycle, it helps to share concrete evidence of Google misbehaving rather than just presenting it as a fact that everyone knows. You get what you incentivize. If the feeling that Google sucks on privacy isn't linked to specific Google misbehavior whenever it is brought up, Google execs will correctly realize that users will feel the same no matter what decisions they actually make.

As a concrete point for discussion, in the zdnet article it states:

>After the news about NSA snooping first broke over the summer, Google decided it was time to start encrypting its datacenter-to-datacenter communications.

Is there an analogous security story from more recently where Google didn't try to address the problem in a similar way?