Hacker News new | ask | show | jobs
by rhizome 4625 days ago
The third-party doctrine (in the US) means that their customers have no expectation of privacy anyway, so any promises they make can be thought of as little more than window dressing: customers will have no real avenues for redress when the data does in fact leak. I can't find any information about whether they are bound by HIPAA, so my guess there is "no," or else it would be trumpeted a bit more.
1 comments
magicalist 4625 days ago
The "third-party doctrine" is the shorthand name for a rule that only holds for Fourth Amendment protection (whether you take it as a placeholder for "reasonable expectation of privacy" or other interpretations). Disclosing your data to other companies wouldn't be protected by the Fourth even without it. Suing for breaking ToS is always an option, if the company isn't already bankrupt by that point. Definitely something important to consider.

It looks like you're correct that 23andMe is not covered by HIPAA:

http://www.genomicslawreport.com/index.php/2009/10/27/federa...

link
rhizome 4625 days ago
Suing for breaking ToS is always an option, if the company isn't already bankrupt by that point. Definitely something important to consider.

I have to think you're just being contrarian, because as far as I can tell this idea is a joke at best. In other words, "good luck with that," and not important at all.

I'm not being butthurt, I could not find a single case of anything close to this "important consideration" succeeding. The only possible angle I can come up with is a DMCA action, but as far as the CFAA, contract law, or anything that has any precedent behind it, I'd guess the victim is shit out of luck, and for DMCA to succeed you'd have to forge some heavy tools to establish some IP control over the data that was leaked/shared. IANAL.

tl;dr: once you give data to a business, they can do whatever they want with it.

link
magicalist 4625 days ago
Er, what? Maybe I wasn't very clear; I think I was mostly agreeing with you. "Definitely something important to consider" was in reference to customers having little leverage in that relationship, something important to consider before using them for genetic testing.

Suing over breaking ToS is an option (and it is done; just because they say they aim to "minimize the possibility of exposing individual-level information", which seems to offer wiggle room, doesn't mean that there aren't many interpretations of that phrase that are unconscionable and you could then sue over), however, that's not a whole lot of leverage, and there's the very real possibility that the reason your data is out is because they've gone bankrupt or are very nearly bankrupt and are either trying to recoup investor money or are in a last ditch effort to stay profitable. At that point there's not much your suit is going to do or recover, if they even disclose what they've done in the first place.

link
rhizome 4624 days ago
Suing over breaking ToS is an option (and it is done

When has someone sued over ToS for a data leak?

link