I would be extremely surprised if the US government doesn’t have all of 23andme’s data; it’s simply too valuable not to get that data by any means possible for the black ops side of government.
When you say "the US govt", do you mean whether DHS(/FBI/etc.) freely access the genetic data of ~15m users without warrant (or disclosure), or that various LE agencies have for a decade been requesting specific users to voluntarily share their ancestry/genetic data supposedly for cold cases [0], or whether third parties have also subpoenaed the genetic data of specific users (e.g. paternity suits), or whether 23andMe in future firesale/auction that data to other entities and whether there are limits on how they can exploit it? Anyway I guess some year soon there'll be a precedent case (like the 2019 FL Amazon Alexa voice recordings at the time of a murder), probably too late for public awareness.
Has 23andMe disclosed how many users' genetic data have been accessed by govt or LE agencies or third parties? Is it obligated to? Does this obligation still attach if/when 23andMe ceases to exist? Have any privacy researchers estimated what (ancestry-only?) data got resold on the darkweb since 2023?
Since federal laws like HIPAA don't cover 23andMe or the genetic data(!) it holds on 14+m users, because as currently written “HIPAA does not protect data that’s held by direct-to-consumer companies [outside of healthcare] like 23andMe” [1]. Although CA and FL consumer laws give some protection against the company - but no criminal protection against people selling it on the darkweb. Also, it's unclear whether any protections automatically attach in the event of a firesale of assets/bankruptcy.
Hence 23andMe was able to settle the 2023 breach of 6.9m users' data (ancestry data, not actual genetic data) lawsuit for a tiny $30m [2], no criminal penalty, no admission of negligence or wrongdoing, no executive resignations.
Compare to the (suspended) criminal conviction of the CEO in the 2020 Finland Vastaamo psychotherapy center data breach (only ~36,000 patients), for violating GDPR. [3]
Also, to the GDPR-related discussion on expectations about cloud sovereignty of genetic and ancestry data, there's an obvious implication that if consumers want GDPR to effectively protect their data, they should at absolute minimum insist on a cast-iron guarantee that sovereignty is enforced. With strong criminal penalties.
[0]: Fusion.net, 2015, "Cops are asking Ancestry.com and 23andMe for their customers’ DNA" https://news.ycombinator.com/item?id=10400550 -> https://web.archive.org/web/20160707221934/http://fusion.net...
[1]: https://www.npr.org/2024/10/03/g-s1-25795/23andme-data-genet...
[2]: https://news.ycombinator.com/item?id=41536494
[3]: https://en.wikipedia.org/wiki/Vastaamo_data_breach#Legal_aft...