Privacy Advocates Urge 23andMe Customers to Delete Their Data. But Can They? (sfgate.com) 24
"Some prominent privacy advocates are encouraging customers to pull their data" from 23andMe, reports SFGate.
But can you actually do that? 23andMe makes it easy to feel like you've protected your genetic footprint. In their account settings, customers can download versions of their data to a computer and choose to delete the data attached to their 23andMe profile. An email then arrives with a big pink button: "Permanently Delete All Records." Doing so, it promises, will "terminate your relationship with 23andMe and irreversibly delete your account and Personal Information."
But there's another clause in the email that conflicts with that "terminate" promise. It says 23andMe and whichever contracted genotyping laboratory worked on a customer's samples will still hold on to the customer's sex, date of birth and genetic information, even after they're "deleted." The reason? The company cites "legal obligations," including federal laboratory regulations and California lab rules. The federal program, which sets quality standards for laboratories, requires that labs hold on to patient test records for at least two years; the California rule, part of the state's Business and Professions Code, requires three. When SFGATE asked 23andMe vice president of communications Katie Watson about the retention mandates, she said 23andMe does delete the genetic data after the three-year period, where applicable...
Before it's finally deleted, the data remains 23andMe property and is held under the same rules as the company's privacy policy, Watson added. If that policy changes, customers are supposed to be informed and asked for their consent. In the meantime, a hack is unfortunately always possible. Another 23andMe spokesperson, Andy Kill, told SFGATE that [CEO Anne] Wojcicki is "committed to customers' privacy and pledges to retain the current privacy policy in force for the foreseeable future, including after the acquisition she is currently pursuing."
An Electronic Frontier Foundation privacy lawyer tells SFGate there's no information more personal than your DNA. "It is like a Social Security number, it can't be changed. But it's not just a piece of paper, it's kind of you."
He urged 23andMe to leave customers' data out of any acquisition deals, and promise customers they'd avoid takeover attempts from companies with bad security — or with ties to law enforcement.
But can you actually do that? 23andMe makes it easy to feel like you've protected your genetic footprint. In their account settings, customers can download versions of their data to a computer and choose to delete the data attached to their 23andMe profile. An email then arrives with a big pink button: "Permanently Delete All Records." Doing so, it promises, will "terminate your relationship with 23andMe and irreversibly delete your account and Personal Information."
But there's another clause in the email that conflicts with that "terminate" promise. It says 23andMe and whichever contracted genotyping laboratory worked on a customer's samples will still hold on to the customer's sex, date of birth and genetic information, even after they're "deleted." The reason? The company cites "legal obligations," including federal laboratory regulations and California lab rules. The federal program, which sets quality standards for laboratories, requires that labs hold on to patient test records for at least two years; the California rule, part of the state's Business and Professions Code, requires three. When SFGATE asked 23andMe vice president of communications Katie Watson about the retention mandates, she said 23andMe does delete the genetic data after the three-year period, where applicable...
Before it's finally deleted, the data remains 23andMe property and is held under the same rules as the company's privacy policy, Watson added. If that policy changes, customers are supposed to be informed and asked for their consent. In the meantime, a hack is unfortunately always possible. Another 23andMe spokesperson, Andy Kill, told SFGATE that [CEO Anne] Wojcicki is "committed to customers' privacy and pledges to retain the current privacy policy in force for the foreseeable future, including after the acquisition she is currently pursuing."
An Electronic Frontier Foundation privacy lawyer tells SFGate there's no information more personal than your DNA. "It is like a Social Security number, it can't be changed. But it's not just a piece of paper, it's kind of you."
He urged 23andMe to leave customers' data out of any acquisition deals, and promise customers they'd avoid takeover attempts from companies with bad security — or with ties to law enforcement.
Slimy (Score:5, Insightful)
This was clearly intended for medical lab data, not recreational testing. Calling their customers "patients" in this context is dubious.
Not a chance (Score:3)
That data is (Score:4, Insightful)
This is like demanding that google or zuckerberg give up the extensive file they have on you that’s stuffed with info on every piece of the internet you’ve ever touched. That’s how they make their money. They would go out of business before giving up that data, because without that data, they’re out of business anyways.
DNA can be edited (Score:3)
Leave it on their and edit your DNA with CRISPR.
All your DNA are belong to US! (Score:2)
you signed away your rights when ticking that checkbox and pushing the 'Agree' button.
No information more personal? (Score:3)
The EFF is often right, but they're wrong here. You leave DNA everywhere -- on the surfaces you touch and even billowing behind you in the wind like a cloud. To call that information personal is like saying the imprint on the bottom of your shoe is personal: it's totally at odds with the base facts in physical reality.
To be sure, maybe it would be nice to say otherwise -- that one's genome is super private, revealed only to a select few. That would be a nicer match to the ideals of personal privacy and biological self-determination, but alas, it just ain't so.
Re: (Score:3)
Perhaps this is being pedantic, but saying something is personal does not necessarily equate to saying that something is private. The two concepts are frequently linked, but, as you point out in this case, they don't have to be.
Unless you have an identical twin (or triplet, ...), your genome is unique, and something that is unique to you could be considered personal. Even if you have an identical sibling, there are some (relatively) small number of mutations that make you different from your sibling. Sim
Re: (Score:3)
You leave DNA everywhere -- on the surfaces you touch and even billowing behind you in the wind like a cloud. To call that information personal is like saying the imprint on the bottom of your shoe is personal: it's totally at odds with the base facts in physical reality.
To be sure, maybe it would be nice to say otherwise -- that one's genome is super private, revealed only to a select few. That would be a nicer match to the ideals of personal privacy and biological self-determination, but alas, it just ain't so.
You leave fingerprints on everything you touch too, but if an organisation is storing your fingerprints in a database there are still some very strict rules they have to follow.
Re: (Score:2)
It's identifying information that you cannot change.
I can buy new shoes, now I have a new shoe print, which also happens to be shared by millions of others with the same shoe.
It also contains information about you that you may not even know.
How would you like it if your insurance company denied a health insurance claim because of a preexisting condition you didn't know you had? Sorry, no cover for that because it's genetic and you've had it your whole life, before your policy started.
Same goes with finger p
This is Why (Score:3)
Re: (Score:2, Insightful)
law enforcement... (Score:2)
"He urged 23andMe to leave customers' data out of any acquisition deals, and promise customers they'd avoid takeover attempts from companies with bad security — or with ties to law enforcement."
Every DNS company is in a supplier relationship with law enforcement, (What'st he plural of law enforcement?)
Re: (Score:2)
This guy hasn't heard of how they caught the "Golden State Killer"
He's not the only one and won't be the last.
These criminals didn't even send their DNA off to be tested. some of their relatives did.
What, you no want cloned illegitimate offspring? (Score:3)
Re: (Score:2)
Who says all this data wasn't already sold as it came in?
I assume it was hoovered up by health insurance companies years ago, and is being used to deny claims and jack up premiums right now... sorry, I mean "increase value to the shareholders of the insurance companies."
Re: (Score:2)
You are correct. They were already selling customer DNA profiles. That's why the service was so cheap.
I could be wrong.... (Score:1)
Re: (Score:2)
but I remember uncle Sam used to swab soldiers in the 90's and collected DNA as well.
Sure, but soldiers already literally give Uncle Sam the power of life and death over them. And at least the soldiers get a paycheck, room and board in return.
Re: (Score:2)
And that's only the beginning of what in payment for their service. There's the GI Bill education benefits and lifetime medical care through the VA and that's just the start.
DNA compromise is significantly worse than an SSN (Score:1)