Privacy Advocates Urge 23andMe Customers to Delete Their Data. But Can They? (sfgate.com) 45
"Some prominent privacy advocates are encouraging customers to pull their data" from 23andMe, reports SFGate.
But can you actually do that? 23andMe makes it easy to feel like you've protected your genetic footprint. In their account settings, customers can download versions of their data to a computer and choose to delete the data attached to their 23andMe profile. An email then arrives with a big pink button: "Permanently Delete All Records." Doing so, it promises, will "terminate your relationship with 23andMe and irreversibly delete your account and Personal Information."
But there's another clause in the email that conflicts with that "terminate" promise. It says 23andMe and whichever contracted genotyping laboratory worked on a customer's samples will still hold on to the customer's sex, date of birth and genetic information, even after they're "deleted." The reason? The company cites "legal obligations," including federal laboratory regulations and California lab rules. The federal program, which sets quality standards for laboratories, requires that labs hold on to patient test records for at least two years; the California rule, part of the state's Business and Professions Code, requires three. When SFGATE asked 23andMe vice president of communications Katie Watson about the retention mandates, she said 23andMe does delete the genetic data after the three-year period, where applicable...
Before it's finally deleted, the data remains 23andMe property and is held under the same rules as the company's privacy policy, Watson added. If that policy changes, customers are supposed to be informed and asked for their consent. In the meantime, a hack is unfortunately always possible. Another 23andMe spokesperson, Andy Kill, told SFGATE that [CEO Anne] Wojcicki is "committed to customers' privacy and pledges to retain the current privacy policy in force for the foreseeable future, including after the acquisition she is currently pursuing."
An Electronic Frontier Foundation privacy lawyer tells SFGate there's no information more personal than your DNA. "It is like a Social Security number, it can't be changed. But it's not just a piece of paper, it's kind of you."
He urged 23andMe to leave customers' data out of any acquisition deals, and promise customers they'd avoid takeover attempts from companies with bad security — or with ties to law enforcement.
But can you actually do that? 23andMe makes it easy to feel like you've protected your genetic footprint. In their account settings, customers can download versions of their data to a computer and choose to delete the data attached to their 23andMe profile. An email then arrives with a big pink button: "Permanently Delete All Records." Doing so, it promises, will "terminate your relationship with 23andMe and irreversibly delete your account and Personal Information."
But there's another clause in the email that conflicts with that "terminate" promise. It says 23andMe and whichever contracted genotyping laboratory worked on a customer's samples will still hold on to the customer's sex, date of birth and genetic information, even after they're "deleted." The reason? The company cites "legal obligations," including federal laboratory regulations and California lab rules. The federal program, which sets quality standards for laboratories, requires that labs hold on to patient test records for at least two years; the California rule, part of the state's Business and Professions Code, requires three. When SFGATE asked 23andMe vice president of communications Katie Watson about the retention mandates, she said 23andMe does delete the genetic data after the three-year period, where applicable...
Before it's finally deleted, the data remains 23andMe property and is held under the same rules as the company's privacy policy, Watson added. If that policy changes, customers are supposed to be informed and asked for their consent. In the meantime, a hack is unfortunately always possible. Another 23andMe spokesperson, Andy Kill, told SFGATE that [CEO Anne] Wojcicki is "committed to customers' privacy and pledges to retain the current privacy policy in force for the foreseeable future, including after the acquisition she is currently pursuing."
An Electronic Frontier Foundation privacy lawyer tells SFGate there's no information more personal than your DNA. "It is like a Social Security number, it can't be changed. But it's not just a piece of paper, it's kind of you."
He urged 23andMe to leave customers' data out of any acquisition deals, and promise customers they'd avoid takeover attempts from companies with bad security — or with ties to law enforcement.
Slimy (Score:5, Insightful)
This was clearly intended for medical lab data, not recreational testing. Calling their customers "patients" in this context is dubious.
Re:Slimy (Score:5, Informative)
Oh! Wait this is an area I've actually worked in the past. Data retention at a genetic analysis company. And I know exactly the laws they're talking about!
So here's what the laws on the books say: any clinical* test run on a patient that uses a computer to generate the result legally has to be re-runnable for 15 years, in case a software defect* is found, and a patient wants to have their test re-run with the bugs fixed. At the genetics company I worked at this could be done two ways: 1. keep the physical sample from the patient in the deep freeze. 2. Keep the very first digitized result without any processing done from the sequencing machines on a hard drive.
What's the significance to 23 and me? Welllllllllll. First, 23 and me has gone way the fuck out of their way to avoid making any clinically significant analyses from their sequencing, precisely because they wanted to avoid this kind of legal responsibility (until it could be used as a dodge for people demanding it be deleted, of course). They did things like remove assessments of risks of diseases, remove predictions of lifespans, etc. 23 and me is trying to play both sides against the middle.
Second, they don't need to keep your aligned, analyzed genomes for this kind of retention law. They could just keep the unaligned raw base-pair confidence assessments, and that's pretty hard to do anything nefarious with without re-running the whole sequencing operation. They could even just keep DNA samples on deep freeze and keep no data. Again, they're lying about their exact obligations.
*Term with precise legal definition
Re: (Score:2)
any clinical* test run on a patient that uses a computer to generate the result legally has to be re-runnable for 15 years
Wow. Thank you for the information.
They'll be lucky if any digital information from 15 years ago is even readable, much less usable. I work with professional DBAs and I heard concerns that pulling up 10+ year old backup is an uncertain proposition.
Re: (Score:2)
Just store it in raw sql insert statements :D
Re: (Score:3)
Keeping the data wasn't the hard part. "have backups and make sure you can still access the non-backed up version every year" is relatively easy by IT standards.
The hard part was guaranteeing the clinical software could still be executed 15 years later. Anyone who's tried to run a 5 year old python script knows the risk there. We were really banking on docker images to provide platform consistency.
Not a chance (Score:4, Interesting)
Re: (Score:1)
No, that would be AncestryDNA, not 23andMe.
That data is (Score:5, Insightful)
This is like demanding that google or zuckerberg give up the extensive file they have on you that’s stuffed with info on every piece of the internet you’ve ever touched. That’s how they make their money. They would go out of business before giving up that data, because without that data, they’re out of business anyways.
DNA can be edited (Score:4, Funny)
Leave it on their and edit your DNA with CRISPR.
Re:DNA can be edited (Score:4, Informative)
Editing cells’ genomes with CRISPR-Cas9 might increase the risk that the altered cells, intended to treat disease, will trigger cancer, two studies published on Monday warn—a potential game-changer for the companies developing CRISPR-based therapies.
In the studies, published in Nature Medicine, scientists found that cells whose genomes are successfully edited by CRISPR-Cas9 have the potential to seed tumors inside a patient. That could make some CRISPR’d cells ticking time bombs, according to researchers from Sweden’s Karolinska Institute and, separately, Novartis.
CRISPR has already dodged two potentially fatal bullets—a 2017 claim that it causes sky-high numbers of off-target effects was retracted in March, and a report of human immunity to Cas9 was largely shrugged off as solvable. But experts are taking the cancer-risk finding seriously.
The CEO of CRISPR Therapeutics, Sam Kulkarni, told STAT the results are “plausible.” Although they likely apply to only one of the ways that CRISPR edits genomes (replacing disease-causing DNA with healthy versions) and not the other (just excising DNA), he said, “it’s something we need to pay attention to, especially as CRISPR expands to more diseases. We need to do the work and make sure edited cells returned to patients don’t become cancerous.”
Another leading CRISPR scientist, who asked not to be named because of involvement with genome-editing companies, called the new data “pretty striking,” and raised concerns that a potential fatal flaw in some uses of CRISPR had “been missed.”
On the other hand, the Novartis paper has been available in preliminary form since last summer, and CRISPR experts “haven’t freaked out,” said Erik Sontheimer of the University of Massachusetts Medical School, whose CRISPR research centers on novel enzymes and off-target effects. “This is something that bears paying attention to, but I don’t think it’s a deal-breaker” for CRISPR therapies.
The Karolinska and Novartis groups tested CRISPR on different kinds of human cells—retinal cells and pluripotent stem cells, respectively. But they found essentially the same phenomenon. Standard CRISPR-Cas9 works by cutting both strands of the DNA double helix. That injury causes a cell to activate a biochemical first-aid kit orchestrated by a gene called p53, which either mends the DNA break or makes the cell self-destruct.
Whichever action p53 takes, the consequence is the same: CRISPR doesn’t work, either because the genome edit is stitched up or the cell is dead. (The Novartis team calculated that p53 reduces CRISPR efficiency in pluripotent stem cells seventeenfold.) That might explain something found over and over: CRISPR is woefully inefficient, with only a small minority of cells into which CRISPR is introduced, usually by a virus, actually having their genomes edited as intended.
“We found that cutting the genome with CRISPR-Cas9 induced the activation of p53,” said Emma Haapaniemi, the lead author of the Karolinska study. That “makes editing much more difficult.”
The flip side of p53 repairing CRISPR edits, or killing cells that accept the edits, is that cells that survive with the edits do so precisely because they have a dysfunctional p53 and therefore lack this fix-it-or-kill-it mechanism.
The reason why that could be a problem is that p53 dysfunction can cause cancer. And not just occasionally. P53 mutations are responsible for nearly half of ovarian cancers; 43 percent of colorectal cancers; 38 percent of lung cancers; nearly one-third of pancreatic, stomach, and liver cancers; and one-quarter of breast cancers, among others.
https://www.scientificamerican... [scientificamerican.com]
Re: (Score:2)
According to what I've read (a lot older than last Monday thuugh) the process is:
step 1: Edit the cell's DNA.
step 2: Grow lots of copies.
step 3: check the copies for excessive proliferation.
Yes, step 1 is likely to vastly increase the chances of cancer. But you screen against that in step 3.
This *does* argue against in-situ modification, however.
All your DNA are belong to US! (Score:2)
you signed away your rights when ticking that checkbox and pushing the 'Agree' button.
No information more personal? (Score:3)
The EFF is often right, but they're wrong here. You leave DNA everywhere -- on the surfaces you touch and even billowing behind you in the wind like a cloud. To call that information personal is like saying the imprint on the bottom of your shoe is personal: it's totally at odds with the base facts in physical reality.
To be sure, maybe it would be nice to say otherwise -- that one's genome is super private, revealed only to a select few. That would be a nicer match to the ideals of personal privacy and biological self-determination, but alas, it just ain't so.
Re:No information more personal? (Score:5, Insightful)
Perhaps this is being pedantic, but saying something is personal does not necessarily equate to saying that something is private. The two concepts are frequently linked, but, as you point out in this case, they don't have to be.
Unless you have an identical twin (or triplet, ...), your genome is unique, and something that is unique to you could be considered personal. Even if you have an identical sibling, there are some (relatively) small number of mutations that make you different from your sibling. Simple/cheap tests will usually miss these differences, but (at the other extreme) a full sequence would show them. Generally, it's not necessary to go that far to prove that differences exist.
While your DNA may not be private in the sense that it can be collected by others without your consent or knowledge, I think a lot of people would consider DNA to be something that is private in the sense that they would object to it being used in certain ways without their express consent. Using DNA to make decisions on things like employment and insurance is just one example of this.
Re: (Score:2)
LINE-1 (L1) elements can be active during certain stages of development, although their activity is tightly regulated. Here are some key points regarding their activity during development:
Developmental Stages
L1 elements are most active during early developmental stages, particularly in the germ line and in embryonic tissues. For example, in mouse brain corticogenesis, L1 RNAs are induced and play a crucial role in regulating the balance between neuronal progenitors and differentiation, as well as the migration of post-mitotic neurons.
Neuronal Development
During the development of the cerebral cortex, L1 RNAs are expressed and contribute to the regulation of neuronal differentiation and migration. Their expression increases progressively during the transition from early to late maturation stages of neuronal development.
Epigenetic Regulation
The activity of L1 elements during development is also regulated by epigenetic mechanisms. For instance, the expression of L1 RNAs in neuronal maturation is associated with decreased deposition of H3K9me3 and lower methylation levels of L1 promoters, indicating that epigenetic changes facilitate their activation during these stages
More information on mobile elements in DNA (LINE, SINE, HERV etc) https://www.ncbi.nlm.nih.gov/p... [nih.gov]
Re:No information more personal? (Score:5, Insightful)
You leave DNA everywhere -- on the surfaces you touch and even billowing behind you in the wind like a cloud. To call that information personal is like saying the imprint on the bottom of your shoe is personal: it's totally at odds with the base facts in physical reality.
To be sure, maybe it would be nice to say otherwise -- that one's genome is super private, revealed only to a select few. That would be a nicer match to the ideals of personal privacy and biological self-determination, but alas, it just ain't so.
You leave fingerprints on everything you touch too, but if an organisation is storing your fingerprints in a database there are still some very strict rules they have to follow.
Re: (Score:2)
It's identifying information that you cannot change.
I can buy new shoes, now I have a new shoe print, which also happens to be shared by millions of others with the same shoe.
It also contains information about you that you may not even know.
How would you like it if your insurance company denied a health insurance claim because of a preexisting condition you didn't know you had? Sorry, no cover for that because it's genetic and you've had it your whole life, before your policy started.
Same goes with finger p
This is Why (Score:4, Informative)
Re:This is Why (Score:4, Insightful)
Re: (Score:2)
It's true, if law enforcement wants to track you down via DNA, they don't need *your* DNA, just one or more relatives, as distant as 3rd or 4th cousin.
But what is it exactly, that makes these relatives gullible?
YOU, and everybody else who uses slashdot, leaves electronic identifying information all over the internet, accessible to every website you visit. This is far more promiscuous sharing of your identifying information, than getting a DNA test. Few companies or bad actors will spend the money needed to
Re: (Score:2)
I'm trying to imagine what specific harm is done by 23andMe possessing your DNA profile.
Identity thieves can't use it, because identity verification for business purposes, never uses DNA.
Law enforcement doesn't have access to it without a court order (warrant).
Insurance companies and other businesses are prohibited by law, from using your genetic information to, for example, charge you higher insurance premiums.
What specifically should 23andMe customers be worried about, other than a vague notion that their
law enforcement... (Score:2)
"He urged 23andMe to leave customers' data out of any acquisition deals, and promise customers they'd avoid takeover attempts from companies with bad security — or with ties to law enforcement."
Every DNS company is in a supplier relationship with law enforcement, (What'st he plural of law enforcement?)
Re: (Score:2)
This guy hasn't heard of how they caught the "Golden State Killer"
He's not the only one and won't be the last.
These criminals didn't even send their DNA off to be tested. some of their relatives did.
Re: (Score:2)
There are many people who actively choose to share their DNA with law enforcement, in hopes of helping them search for criminals. About 80% of new GedMatch users *opt in* to law enforcement access to their own DNA. https://www.criminallegalnews.... [criminallegalnews.org]). As a GedMatch user myself, I can verify that this opt-in process is very clear, these people are not being tricked into opting in.
Re: (Score:2)
No one said anyone was being tricked into anything
Re: (Score:2)
My point was that many people support law enforcement use of DNA to catch criminals, and will go out of their way to help police in this way. This is a far more common attitude than is commonly seen on slashdot, which apparently views law enforcement as "the enemy."
Re: (Score:3)
Every DNS company is in a supplier relationship with law enforcement
Well, I can't exactly expect Level3, Cloudflare, Quad9, or Google to explicitly refuse to resolve domain names for police departments....
What, you no want cloned illegitimate offspring? (Score:2, Funny)
Re: (Score:2)
Who says all this data wasn't already sold as it came in?
I assume it was hoovered up by health insurance companies years ago, and is being used to deny claims and jack up premiums right now... sorry, I mean "increase value to the shareholders of the insurance companies."
Re: (Score:1)
Re: (Score:2)
You are correct. They were already selling customer DNA profiles. That's why the service was so cheap.
I could be wrong.... (Score:1)
Re: (Score:2)
but I remember uncle Sam used to swab soldiers in the 90's and collected DNA as well.
Sure, but soldiers already literally give Uncle Sam the power of life and death over them. And at least the soldiers get a paycheck, room and board in return.
Re: (Score:2)
And that's only the beginning of what in payment for their service. There's the GI Bill education benefits and lifetime medical care through the VA and that's just the start.
DNA compromise is significantly worse than an SSN (Score:1)
Re: (Score:2)
Unlike SSN, DNA is *much* harder to actually use in an identity theft scheme.
No such thing as 'delete' (Score:2)
Even if you bombed a data center where your data is supposedly stored, there's no guarantee that there aren't backup copies stored somewhere else, and even legal documents swearing data has been destroyed does not prevent people from lying about deleting it.
DNA data sold to enemy countries is dangerous (Score:1)
Re: (Score:2)
>> Do you really want China or Russia to hold all this DNA data?
$1 says they've got it already (and have had for a long time).
Re: (Score:2)
If an enemy country wants to genetically target *you*, they're going to get you with or without your DNA. If they are trying to target a gene or a race, they don't need you for your DNA, there are plenty of other people they can collect it from.
Um... wrong concern (Score:2)
...or with ties to law enforcement.
Red herring. We should all be concerned about the medical insurance industry. Use of DNA in law enforcement has largely been a treasure trove of exculpatory evidence in wrongful convictions.
California law (Score:1)