by dil4heys 4625 days ago
And you thought Zuckerberg was bad.

The cavalier attitude towards privacy that pervades the field of genomics is deeply troubling to me. From the article: "23andMe's privacy statement clearly states that it collects a person's genetic, registration, web browsing, and self-reported information. The company can share its data with third parties '[after] it has been stripped of Registration Information and combined with data from a number of other users sufficient to minimize the possibility of exposing individual-level information while still providing scientific evidence.'"

Having read that, consider that "a team of geneticists reported Thursday in the journal Science that it was able to figure out the names of people who had donated their DNA to research -- even though test subjects' identities were stripped from their genomic data." (Source: http://articles.latimes.com/2013/jan/18/science/la-sci-sn-ge...)

Anne Wojcicki, co-founder of 23andme, is married to Google co-founder Sergey Brin. It doesn't seem entirely implausible that the two companies could have joint business ventures down the road. I wonder how valuable "anonymized" genomic sequences would be to advertisers.

5 comments

> Anne Wojcicki, co-founder of 23andme, is married to Google co-founder Sergey Brin.

Not for long: http://allthingsd.com/20130828/google-co-founder-sergey-brin...

The third-party doctrine (in the US) means that their customers have no expectation of privacy anyway, so any promises they make can be thought of as little more than window dressing: customers will have no real avenues for redress when the data does in fact leak. I can't find any information about whether they are bound by HIPAA, so my guess there is "no," or else it would be trumpeted a bit more.

The "third-party doctrine" is the shorthand name for a rule that only holds for Fourth Amendment protection (whether you take it as a placeholder for "reasonable expectation of privacy" or other interpretations). Disclosing your data to other companies wouldn't be protected by the Fourth even without it. Suing for breaking ToS is always an option, if the company isn't already bankrupt by that point. Definitely something important to consider.

It looks like you're correct that 23andMe is not covered by HIPAA:

http://www.genomicslawreport.com/index.php/2009/10/27/federa...

> Suing for breaking ToS is always an option, if the company isn't already bankrupt by that point. Definitely something important to consider.

I have to think you're just being contrarian, because as far as I can tell this idea is a joke at best. In other words, "good luck with that," and not important at all.

I'm not being butthurt, I could not find a single case of anything close to this "important consideration" succeeding. The only possible angle I can come up with is a DMCA action, but as far as the CFAA, contract law, or anything that has any precedent behind it, I'd guess the victim is shit out of luck, and for DMCA to succeed you'd have to forge some heavy tools to establish some IP control over the data that was leaked/shared. IANAL.

tl;dr: once you give data to a business, they can do whatever they want with it.

Er, what? Maybe I wasn't very clear; I think I was mostly agreeing with you. "Definitely something important to consider" was in reference to customers having little leverage in that relationship, something important to consider before using them for genetic testing.

Suing over breaking ToS is an option (and it is done; just because they say they aim to "minimize the possibility of exposing individual-level information", which seems to offer wiggle room, doesn't mean that there aren't many interpretations of that phrase that are unconscionable and you could then sue over), however, that's not a whole lot of leverage, and there's the very real possibility that the reason your data is out is because they've gone bankrupt or are very nearly bankrupt and are either trying to recoup investor money or are in a last ditch effort to stay profitable. At that point there's not much your suit is going to do or recover, if they even disclose what they've done in the first place.

> Suing over breaking ToS is an option (and it is done

When has someone sued over ToS for a data leak?

What I want to know and be disclosed is a) if they have my DNA fingerprint and if b) they or a third-party is using the data to filter and direct certain information (or eliminate certain information from coming) at me - e.g. ads or otherwise. If you know I have a higher risk of X type of cancer, and you know I know - are you going to pull the fear card to sell me something? What about relating to diabetes or intelligence or ADD or depression or how I'm likely to vote or or or or or ... The amount of manipulation and control that can result from this - realized as power - is immense, the nuanced value of the information gives insight never before possible on a person. Could this lead to highly accurate priming patterns to lead a person to a certain decision - consciously impossible to realize? This could be used for very bad purposes, and usually it's people with profit or looking to gain more profit and control - who will put the most money towards such purposes, meaning the highest bidder for targeted ads - meaning for-profit businesses, Google et al, will be okay with it, and where government needs to regulate and actively monitor - though I'm not sure you can detect such patterns, meaning the only real option is ability to opt-out. Services like DuckDuckGo are feeling more important as time goes by - though how shielded are we if Google becomes the main internet provider - and where government / society can't even compete, or at a higher cost as Google or others will have more value they can extract to compete.. ugh.

From the LA Times article: "Using information posted to genealogy websites and other publicly available Internet resources, the Whitehead Institute researchers were able to ferret out the names of nearly 50 people"

They don't link the study, so it is hard to tell, but it appears that what actually happened is they used self-reported identifying information linked to DNA entries.

It's not apparent that they did any genetic analysis whatsoever.

That is still certainly a privacy attack vector, but one on par with getting your email hacked because you always use your birthday as your password.

That's not correct. The Personal Genome Project (PGP) is a Harvard-run study that aims to get 100k people to publicly post their full genome, along with their health and trait information.

The study took some of these public DNA samples, and searched genealogy databases to find likely relatives. The self-reported surnames were thus those of distant relatives, not of the PGP-participants themselves. The researchers then combined those likely surnames with information such as zip codes on the PGP public profiles to correctly identify several participants (given that a zip code, gender, and surname is often enough information to uniquely identify a person).

It should be noted that the PGP has a rigorous education and consent process of the risks of publicly posting DNA. So while the study may have surprised some of the participants, it's not something any of them were expecting could never happen.

You can read more info on the study here: http://www.wired.com/wiredscience/2013/01/your-genome-could-...
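
The linkage step described in the comment above, seen from the data steward's side, as an added example that is not part of the original comment or the study: a k-anonymity check that counts how many records are unique on the surname, zip code and gender combination, and how coarsening those fields changes the count. The records, field names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real data): quasi-identifiers a public
# profile might expose, plus a surname an outsider could infer from relatives.
RECORDS = [
    {"id": "p1", "surname": "Adams", "zip": "02139", "gender": "M"},
    {"id": "p2", "surname": "Adams", "zip": "02139", "gender": "M"},
    {"id": "p3", "surname": "Adams", "zip": "02141", "gender": "M"},
    {"id": "p4", "surname": "Baker", "zip": "02139", "gender": "F"},
    {"id": "p5", "surname": "Baker", "zip": "02142", "gender": "F"},
    {"id": "p6", "surname": "Clark", "zip": "94110", "gender": "F"},
]


def generalize(record, zip_digits=5, keep_surname=True):
    """Return the quasi-identifier tuple after coarsening the record."""
    # Keep only the leading zip digits and mask the rest.
    zip_part = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    surname = record["surname"] if keep_surname else "*"
    return (surname, zip_part, record["gender"])


def k_anonymity(records, **opts):
    """Return (k, ids): the smallest equivalence-class size and the ids of
    records that are the only member of their class (uniquely linkable)."""
    keys = {r["id"]: generalize(r, **opts) for r in records}
    sizes = Counter(keys.values())
    k = min(sizes.values())
    unique = sorted(i for i, key in keys.items() if sizes[key] == 1)
    return k, unique


if __name__ == "__main__":
    # Compare the raw release with two coarsened releases.
    for opts in ({}, {"zip_digits": 3}, {"zip_digits": 0, "keep_surname": False}):
        k, unique = k_anonymity(RECORDS, **opts)
        print(f"{opts or 'raw'}: k={k}, unique records={unique}")
```

In this sample the record in the sparsely represented zip code stays unique even after the zip is cut to three digits, which is why the minimum class size, not the average, is the figure to check before release.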

Thank you, I stand corrected! Thanks to the other commenter with the study link too.

"They don't link the study, so it is hard to tell."

The study: "Identifying personal genomes by surname inference." Gymrek et al. Science. 2013 Jan 18. (http://www.jhu.edu/pfleming/bioinform/files/gymrek_science_2...)

That, or the NSA, or any other govt agency comes in and says: "Hand over the data, or we'll fuck you up."