[skummetmaelk]

This disaster is the perfect counter-argument to those always saying "why do you care so much about privacy. It doesn't affect you when I share things. You can just choose not to do it", except no, I can't choose when we're relatives and you chose to share our genome.

It is so obvious that your relatives sharing their genomic data with 23andMe reveals a lot of information about you. We can only hope people will realize that this also holds true for collecting behavioural data on other people sharing the same background as you.

[losvedir]

> This disaster is the perfect counter-argument to those always saying "why do you care so much about privacy. It doesn't affect you when I share things. You can just choose not to do it"

While I agree it's a perfect counter-argument to that, is that what people always say? I'm not sure I've heard that argument as much as "why do you care so much about privacy?" full stop. As in, they don't really understand why anyone should care about privacy. And this isn't really a counter argument to that, any more than any other breach. And to be fair it's not really even a counter argument to that until you show the harm that came from it. What do you think will happen to people who had their ancestry data stolen here?

[cj]

I think the more common one I've heard is "Why do you care about privacy if you have nothing to hide?"

In the case of 23andme, it's a perfect answer: We don't know what's hiding in our DNA and I don't know how people will use that against me in the future.

[Buttons840]

Imagine a correlation study between genes and worker productivity, it'd be an interesting study if done correctly, but it might not be done correctly (and to be clear, I don't think it should be done at all). Now imagine you have genes that have a negative correlation with productivity which makes it hard for you to find work.

[kjkjadksj]

Its illegal to discriminate on terms like this though. Replace the word gene with demography and you can see why.

[Buttons840]

It's illegal now, but maybe not forever. Plus, illegal things still happen.

Or, maybe more likely than discriminating based on demography, what if certain "Obamacare" provisions are repealed and insurance companies are allowed to adjust prices based on genes, including the genes of relatives.

It's all a little far fetch, but only a little. My point is privacy is important and even those "with nothing to hide" might second guess their view when they imagine being discriminated against because of their genes. I think we probably agree on this point but got caught up in the details of a hypothetical.

[kjkjadksj]

They can already do that without dna though. They can just deny coverage on preexising conditions. This is what I am getting at. All the harms people cite with dna data are usually predicated on some dystopian government emerging, but also you can perform those same exact harms if you wanted without the dna data. In essense the dna data is not enabling anything not already possible for bad actors.

[mensetmanusman]

Well, thankfully with AI, we all know the answer. If a computer learns enough about you, it can steal all of your money from the bank.

[pbhjpbhj]

So, the reason for privacy is because the profit motive of capitalism is not sufficiently restrained as to protect citizens from being abused by corporations?

[pc86]

Be careful you don't break something with those gymnastics.

The immediate concern I had with this story is nefarious groups or individuals purchasing this data to target people with violence based on their ethnicities. Imagine if the genome of millions of Europeans was available on the black market in 1930s Europe.

[happytiger]

That is one SOLID example of what could go wrong.

It’s similar to the Office of Personnel Management data breach when every Federal Employee was just 0wn3d. It included 21.5 million background investigations into people and the personnel files of every federal employee and most contractors.

Just slightly sensitive stuff. Nobody knows how many people died as a result of the hack, but I’m sure it was non-trivial because a LOT of people got surprised doxed.

This information is still rattling around out there and will have implications for generations.

Imagine if the same could be done for demographics based on genetics — the risk factors for medical conditions, the ethnic ties you’re talking about, etc.

It’s weighty stuff.

[bigtunacan]

Considering one of the hacker's first actions was to offer for sale data identifying people of Jewish or Chinese descent I think that's a very valid concern.

[jstarfish]

Did anybody actually buy it though? This could be misdirection, or just misguided marketing based on historical instances of abuse. China isn't known for trying to repatriate descendants, and it's not exactly difficult to find Jews.

Ancestry data would certainly be of interest to a particular demographic known to discriminate by caste. There's no escaping your low-class heritage when anyone can look up your stolen DNA profile on the black market.

[firen777]

Weren't the sales surface on Oct 6th?

[everydayentropy]

I'll take this one step further.

What if you're able to pinpoint unique loci for an individual or group which can serve as a target of a highly specific bio-weapon? Do you think genomic bio-weapons aren't being explored as future weapons?

[kjkjadksj]

If a group wanted to do that why bother with the dna data? Easier to just perform the violence. Even in 1930s europe I’d bet the SS would not really be concerned with whatever your dna data said if they really wanted you or your people gone, you’d just be labeled an enemy and sent off same as a jew or a gypsy or a communist.

[titzer]

The proper reason to give for privacy is: I don't need to have a reason for privacy; you're the one that needs to justify violating it.

[partitioned]

Or a rival country could create a virus that targets 80% of their enemies population and only 20% of their own

[anonymouskimmer]

Until that virus mutates its receptor binding protein.

[pc86]

This is tin-foil hat nonsense.

[jstarfish]

Unless you speak Kikongo.

[_jas]

It is becoming far easier than you are aware then. Sam Harris and Rob Reid discussed in length a few years ago.

https://www.samharris.org/podcasts/making-sense-episodes/spe...

[jairuhme]

How do you make the leap to it being an issue of capitalism? There are plenty of bad actors who could use this information (or other hacked info) who are not a corporation seeking profit.

[lvass]

Like North Korea which by far has the most state sponsored cyber thugs per capita.

[cjaybo]

It’s the ideological form of “when all you have is a hammer, everything looks like a nail”

[uoaei]

Capitalism isn't about corporations, it's about capital.

[pbhjpbhj]

Yeah, I didn't mean 'a philosophical ideal of Capitalism'. Apologies for my imprecise question. I meant Western Capitalism which of course is a form of corporatism.

[briandear]

Governements abuse people more than an economic system ever has. A corporation has never marched people to camps, nor have corporations ever imprisoned anyone for their politics. If I don’t want to deal with a corporation, I have the right not to — unless government forces me to.

[dragonwriter]

> Governements abuse people more than an economic system ever has

This is true on one level, as economic systems are not actors, but abstractions for aggregates of actions; its false on a more concrete level because governments are also not real concrete actors but abstractions for aggregates of real actors.

Both governments and economic systems (and corporations, which you seem to drop in as ig they were the same as economic systems) are abstractions through which real actors act, including to oppress, and very often actions by thr same actors involves all thrre abstractions (even a single action might). Corporations, after all. are themselves creatures of gogernment through law, and economic systems exist only as ideals without being made manifest through legal systems.

> A corporation has never marched people to camps,

You probably don't want to think about most of the best known early joint-stock conpanies (any of the variously East India companies, but especially the British, the Royal African Company, etc.)

> If I don’t want to deal with a corporation, I have the right not to — unless government forces me to.

Corporations—like any individuals—can and do apply coercive force on their own with only after-the-fact review by governments (and, in many cases historically, with obvjecting governments having limited power to apply sanctions), so, no, this isn't correct.

[Pat_Murph]

"Corporations have never imprisoned anyone for their politics"

Really?

Let me introduce you to Steven Donziger.

https://www.theguardian.com/business/2021/jul/26/lawyer-stev...

Ho and what about all those corporations that used Jewish slaves during world war 2?

Or just today, Coca Cola killing people protesting them taking their land away or Amazon imposing atrocious work conditions to their employees?

Before blindly defending corporations I'd try and take a look at reality...

It's not as simple as "government bad and corporations good"

[quantified]

Corporations have pushed wars and has people shot and beaten for their politics.

And to you I guess a cotton or sugar plantation was not a capitalist enterprise?

[wongarsu]

My go-to is "what if literal nazis come to power and use this information to kick-start their eugenics program", but I guess rampant capitalism is also on the threat list.

[wahnfrieden]

There are already businesses that practice eugenics based on illegal data like this or illegal maps

[briandear]

How is a map illegal?

[read_if_gay_]

Capitalism bad!

[zlg_codes]

Exploitation good!

[read_if_gay_]

Exploitation bad. Socialism good!

[CaptainZapp]

> What do you think will happen to people who had their ancestry data stolen here?

Sounds like an absolute treasure trove for a life insurance company. Or, would you disagree?

[jalk]

Yes, but one would hope that if an insurance company was caught using stolen data to calculate the premiums, that would be the end of that company and jail time for management (like the leaders of VW responsible of the emissions testing cheating).

[hnbad]

That assumes they do so in a really stupid and straightforward way. LLMs already exist to "AI-wash" copyrighted material in ways that technically don't violate copyright. I'm pretty sure someone will find a way to create a dodgy shell company around a foreign B2B service that reycles this data for them in a way that is technically legal to use.

"Feed personal data into this service and it'll spit out a risk assessment based on a model built on 6.9M historical health data sets."

[psychlops]

> jail time for management

Funny! We all know it would be a lone rogue engineer that did it in the end and management would apologize on their behalf.

[manishsharan]

>Sounds like an absolute treasure trove for a life insurance company. Or, would you disagree?

Disagree. Life insurance companies already requir blood tests and urine tests before insuring a consumer. They already have this data

[anonymouskimmer]

The test labs wouldn't spend the additional funds to run a genome sequencing, or even a SNP array.

[nulcow]

> I'm not sure I've heard that argument as much as "why do you care so much about privacy?" full stop.

I'm not sure I've ever heard anyone I know mention privacy at all, as if they're totally ignorant to it. In reality, the majority of people will just let Google or Microsoft do whatever with their personal information as long as the product or service is slightly more convenient than the last one.

[mannykannot]

You are not likely to see the statement you are discussing unless you firstly somewhat frequently get into a situation where someone says something like "why do you care so much about privacy?" and then attempt to debate the issue.

It is not necessary to show actual harm from this breach for it to defeat the tacit premise behind the statement you are discussing, which is that their profligacy with their personal data cannot, by itself, reveal any of your personal data.

[White_Wolf]

I wonder if that could be used as a list of possible organ donors. I don't know what else (data) is stored there tbh but if it helps narrow down to find a kidney or heart for someone rich...

[hulitu]

> "why do you care so much about privacy?"

Do you talk family problems with all your neighbours ? With strangers ?

How would you feel when your employer will know everything you did last night ?

[quantified]

"People always saying" means two different things to you and the parent commenter. Some people do always (or generally) say that. Other people do not always say it.

[Melting_Harps]

> This disaster is the perfect counter-argument to those always saying

Personally speaking, I think Equihax was the better counter-argument; at least with 23andme YOU as a customer had to DECIDE to use their services and weigh the pros-cons of doing so, with Equihax I was forced into a rating system to determine my eligibility in a system that hoovers up any and all data sold to them by 3rd parties and holds all my personal information in order to complete anything from a loan application to a job application.

And when found to have been breached no effective recourse was made, and instead of admitting fault to a very high probability of Identity theft being the end result a token 'credit system monitoring' service was offered, which once again relies on these credit agencies who share/distribute this information without my consent and created the problem are let off scot-free and never suffer any consequences.

In short, it's a naive argument made from often ignorant and self-defeating practices that make others worse off because of their complacency and refusal to take privacy serious.

[skummetmaelk]

Completely true. However, Equifax was probably hard to wrap your head around. Whereas 23andme might seem a lot more personal and private to the average person. Of course, nothing is likely to come of this regardless.

[SAI_Peregrinus]

Not identity theft. Libel. There's a high probability a bank will libel people whose info Equifax leaked. They'll do that because they depend solely on the same (largely public) data compaies like Equifax collect to identify loan applicants.

[envp]

Sure the customers decided, but what about their relatives? If any of my relatives uploaded their genetic info to this, it by extension has a huge part of my genetic info too, and my consent was decided without my knowlegde...

What I'm trying to say is: I don't think comparing it to equifax is reasonable in that regard.

[fsckboy]

I'm in favor of privacy, and I'm willing to go more out of my way to not share than the vast majority of people, but I'm also in favor of individual choice, and I can't think of a privacy model that would disallow other people from sharing their information just because you have some matching information.

[skummetmaelk]

I can think of an easy model. Disallow collection of personal information. Pull the rug out from under "services" which are really just data collection fronts turning a profit from selling your data instead of the primary service/good for money transaction.

23andMe could still have operated legally under this scheme. They could have done the analysis and sent you a printed sheet. But no, they had to store everything to be able to double dip by selling the data to pharma companies and whoever else would pay for it.

If you can't turn a profit without underhandedly selling your users' data. You deserve to fail.

[maxerickson]

They are frank about also selling the data for research, it is not underhanded. It's even opt in...

For example, they talk about it on this page, which is linked from the about menu (so available with pretty small effort): https://www.23andme.com/research/

I expect lots of people also like that they get updates when information about new markers becomes available.

[sonicanatidae]

I trust them to opt me out, not at all. It's safer to just assume your data is being used, regardless, because it's free money to them. If/when they get caught selling data marked as Opted Out, they'll get a pittance fine, paid with other people's money and bonuses for making numbers that quarter.

You're welcome to trust them, but no I.

[joshuahedlund]

> They could have done the analysis and sent you a printed sheet.

Could they tho? The ancestry analysis itself is based on the data of other users in other parts of the world?

[stef25]

> Disallow collection of personal information

It's all about the money, always. So not gonna happen.

[mewpmewp2]

What about people who would want to donate their data to further the research?

[seszett]

They can enrol in studies at actual (non-profit so they don't benefit from selling data, probably public funded) research institutes.

[acuozzo]

> non-profit so they don't benefit from selling data

Non-profit in the US is a tax status. Many CEOs of non-profits enjoy multi-million dollar salaries and bonuses.

[kfk]

FYI, the police is able to find criminals now by finding DNA sequences similarities with your relatives. Not saying this is good or bad, I am just saying you don't know the extent of the impact to your personal freedom when your relative's DNA is shared.

[HenryBemis]

Well they can narrow it down to the family, unless it was the very DNA giver that left that DNA sample on the scene of the crime.

And since 23andme (as I assume others) don't do these anonymously, there is no hope. Unless people use someone as a proxy (i.e. I-1 give my sample to a male colleague to send it as his-2, he-2 gives his sample to someone else to send it as his-3, and so on..). Police would eventually find the guilty in case of a crime, but the 23andme's of this world will be selling confusing (wrong) data.

[stef25]

There are plenty of cases where DNA is found at the crime scene, run through a database, match is found with a relative. Then the cops start looking at the family and boom there's your shady uncle with priors they got their guy.

[quickthrower2]

Yes it has come up a few times on forensic files usually on cold cases.

[dylan604]

If this was someone trying to fly under the radar by using this scheme to buy burner phones or some such, sure. But this is literal DNA, so even in your attempts to obfuscate, they’d know the name and the sample do not line up, but then be able to link the sample to a family and then figure out who you really are

[pavel_lishin]

They can narrow it down to individual family members, based on how much DNA overlap there is.

[pfdietz]

I can help track down distant family members who have committed crimes? Sounds like a plus.

I think the angst about this comes from men who don't want their status as fathers of illegitimate children (or, rapists when they were younger) unmasked.

[mschuster91]

> I can help track down distant family members who have committed crimes? Sounds like a plus.

It's no longer so easy when the definition of "crime" gets expanded. Let's take this scenario:

- you're a first generation Chinese immigrant in the US

- a nephew of yours is in China and critical of the CCP

- you decide to have your genome scanned into 23andme or whatever to determine if you are at risk of genetic illness

- your nephew sprays an anti-CCP tag on a wall somewhere

- the Chinese police gathers DNA evidence from a laxly discarded spray can, but doesn't have fingerprints so they can't immediately link the can to your nephew

- the Chinese government, either via a legal subpoena or via espionage, gets its hands on your genetic profile from the genetic analytics company

- the Chinese government finds your data, now knows that the sprayer must be related to you in some way, and forces everyone of your family to subject to a DNA test

Sounds dystopic? Yes. But this is exactly where we will be headed. Police here in Germany already do DNA tests on petty vandalism [1].

[1] https://www.fuldaerzeitung.de/fulda/fulda-bahnhof-neuhof-dna...

[pfdietz]

It's precious that you imagine not getting your DNA sequenced will provide any sort of shield against dystopian governments.

This sort of thing looks more like a psychological crutch than an actual effective action.

[dylan604]

That’s not what the comment was driving at. At all. It’s about how data you think is innocent can be used in a manner you never thought about nor intended for dark purposes.

[pavel_lishin]

Your father submits his DNA to 23 and Me.

One of your brothers committed a crime.

The police, during an investigation, find your father's data and realize that one of his children is the criminal.

Congratulations! You are now the target of an investigation, the purpose of which may not be to find the truth, but to successfully convict a suspect.

[anonymouskimmer]

> You are now the target of an investigation

All you have to do to clear your name for that crime is to turn over your DNA to the police to be in their records forever[1], and Bob's [2] your brother [3].

[1] - You might be able to get a court to order that your DNA records are destroyed after proving your innocence, but it's an ask to believe this would actually happen in every case.

[2] - https://www.merriam-webster.com/dictionary/bob

bob 3 of 7 verb (2) bobbed; bobbing

transitive verb

1) obsolete : deceive, cheat

2) obsolete : to take by fraud : filch

[3] - https://www.phrases.org.uk/meanings/bobs-your-uncle.html

[Majestic121]

Why do you make this issue gendered, and if you do why would it impact only men father of illegitimate children, and not cheating mothers ?

[watwut]

Cause in the case of cheating mother, it is clear she is the mother. And to confirm fatherhood of husband or partner, no external registry is needed or helpful.

[pfdietz]

The mother will already be connected to the child. The father is what would be needing tracking down.

I mean, wasn't that completely obvious?

[epicide]

Nobody has perfect 100% individual choice/freedom. By itself, maximizing for it is a non-argument. The best explanation I've heard is that "my rights end where yours begin (and vice versa)". That is not an easy line to draw, so the debate becomes where exactly do we, as a society, decide to draw that line. (Noting that this also is never a singular, fixed answer)

Even without defining a specific model around how genetic data should be handled, I think it's more than fair to say that most people right now don't even consider how their choice to sign up for 23andme might affect their relatives (already born or otherwise). Even if they do, in my experience, it's only to a very surface-level degree.

[croes]

But if it's genetic information, it's not your data alone. It's your data, your parents' data, your childrens data etc.

[suslik]

That can be achieved through anonimity. I don't understand why companies have to know who I am in such detail. Every little website requires my phone number, SSN, retina patterns and the name of my childhood pet. If I could use 23andme under the pen name "Ivar the Boneless" and pay for it with a bit of cash in an envelope (or crypto), the current problem wouldn't exist.

Tools like Telegram or Signal do not allow creating accounts without having a valid phone number. Of course, it is possible to use a web service to receive the registration SMS, but that shouldn't be the case in the first place.

[adolph]

To clarify, genomic data was not reported stolen. It sounds like the breach was about genealogical data.

The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

[sandos]

Yes, and remember that data is commonly widely shared. Because, its mostly about long dead people?

The real breach is for recently deceased people (here the time span varies greatly, but dead for ~100 years is definitely enough if you ask me) and for living people. Actually in Sweden the death info is publically available generally right away, more or less. You can buy USB sticks with ~all deaths up until very recently.

[illiac786]

ah, good point, I misread the bit “percentage of DNS shared with relatives”, I really thought one could share only Chromosome 3 with relatives for example (which does not make sense, granted), and that it was the bit which was stolen. Thanks for pointing this out.

[mejutoco]

Agree. Alternatively: how much do you earn? Do you mind if I read your physical mail? Can I have a key to your home?

I think it is difficult for some people to think about abstract ideas. When you bring it to the physical world everyone understands it is vexing.

[hotpotamus]

I guess I'm feeling a bit philosophical today, but in some sense, aren't we all part of a shared data structure given that we are all somewhat related? While there a few bits that make us individuals, there is much that is shared to the point that privacy doesn't seem truly possible.

[spacebacon]

Maybe we all shouldn’t be so Quic to create bad ideas.

[dylan604]

Right, like the person posting an idea on an Internet forum was the first and only person to have that idea. Security through obscurity does not work. It’s much better to open up the curtains and let the sunlight in. It’s the best disinfectant. At least then everyone is working with all of the information.

[spacebacon]

Touché, although people often identify what pharmacy they prescribe to with parroting other people’s phrases.

[spacebacon]

Blinds open btw. I’m picking up what you are gracefully throwing down but not without checks and balances.

[dylan604]

My checks are bouncing off the heavily skewed balance. These internet posts are pretty much the only "checks and balances", and they do diddly squat.

[spacebacon]

Written word anywhere always records to the record.

[WendyTheWillow]

Please provide one concrete example where this leaked information was used to materially impact someone's life that would not have otherwise been possible without the leak.

Absent that, the argument holds that screeching declarations about privacy tend to be overblown.

[gnulinux]

Goalposts keep being pushed:

* You don't have to care about privacy if you didn't do anything illegal.

* If you do care about it, you can just choose not to share your information.

* If you don't share but your data is still leaked, it didn't affect your life anyway.

The point is an average person is incapable of having boundaries with these corporations who have all their data and benefit from it, and we have no way of predicting how all this data about us will affect us.

[WendyTheWillow]

This is the first time you and I have spoken in our lives; it's impossible for me to have moved any goalposts.

The point is that these privacy claims are nearly exclusively theoretical. Privacy advocates constantly tell anyone who will listen about the complete destruction of privacy in modern society, and yet nothing even resembling the consequences they claim will occur is actually happening.

[l33t7332273]

Would it materially impact your life to send me a video each time you use the restroom?

Probably not, but that doesn’t mean you’re comfortable with it being shared.

[WendyTheWillow]

That counts, can you show an example of this data being used in that way? In literally any way at all, has this data actually been used for anything?

[jabradoodle]

It's being sold illegally on the dark web; how do you propose we tell you how it's being used?

[WendyTheWillow]

When something actually happens.

[illiac786]

the classic counter argument here is “when something happens, it will be too late”.

[ekianjo]

nobody will listen to your counterargument. They don't care.