item 38527965

23andMe confirms hackers stole ancestry data on 6.9M users

555 points | helsinkiandrew | 2 years ago | techcrunch.com

297 comments

skummetmaelk | 2 years ago
This disaster is the perfect counter-argument to those always saying "why do you care so much about privacy. It doesn't affect you when I share things. You can just choose not to do it", except no, I can't choose when we're relatives and you chose to share our genome.

It is so obvious that your relatives sharing their genomic data with 23andMe reveals a lot of information about you. We can only hope people will realize that this also holds true for collecting behavioural data on other people sharing the same background as you.

losvedir | 2 years ago
> This disaster is the perfect counter-argument to those always saying "why do you care so much about privacy. It doesn't affect you when I share things. You can just choose not to do it"

While I agree it's a perfect counter-argument to that, is that what people always say? I'm not sure I've heard that argument as much as "why do you care so much about privacy?" full stop. As in, they don't really understand why anyone should care about privacy. And this isn't really a counter argument to that, any more than any other breach. And to be fair it's not really even a counter argument to that until you show the harm that came from it. What do you think will happen to people who had their ancestry data stolen here?

Melting_Harps | 2 years ago
> This disaster is the perfect counter-argument to those always saying

Personally speaking, I think Equihax was the better counter-argument; at least with 23andme YOU as a customer had to DECIDE to use their services and weigh the pros and cons of doing so. With Equihax I was forced into a rating system to determine my eligibility, a system that hoovers up any and all data sold to them by 3rd parties and holds all my personal information in order to complete anything from a loan application to a job application.

And when they were found to have been breached, no effective recourse was made; instead of admitting fault for a very high probability of identity theft being the end result, a token 'credit system monitoring' service was offered, which once again relies on these credit agencies, who share/distribute this information without my consent and created the problem, and who are let off scot-free and never suffer any consequences.

In short, it's a naive argument made from often ignorant and self-defeating practices that make others worse off because of their complacency and refusal to take privacy seriously.

fsckboy | 2 years ago
I'm in favor of privacy, and I'm willing to go more out of my way to not share than the vast majority of people, but I'm also in favor of individual choice, and I can't think of a privacy model that would disallow other people from sharing their information just because you have some matching information.
adolph | 2 years ago
To clarify, genomic data was not reported stolen. It sounds like the breach was about genealogical data.

The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

mejutoco | 2 years ago
Agree. Alternatively: how much do you earn? Do you mind if I read your physical mail? Can I have a key to your home?

I think it is difficult for some people to think about abstract ideas. When you bring it to the physical world everyone understands it is vexing.

hotpotamus | 2 years ago
I guess I'm feeling a bit philosophical today, but in some sense, aren't we all part of a shared data structure given that we are all somewhat related? While there are a few bits that make us individuals, there is much that is shared, to the point that privacy doesn't seem truly possible.
spacebacon | 2 years ago
Maybe we all shouldn’t be so Quic to create bad ideas.
WendyTheWillow | 2 years ago
Please provide one concrete example where this leaked information was used to materially impact someone's life that would not have otherwise been possible without the leak.

Absent that, the argument holds that screeching declarations about privacy tend to be overblown.

ekianjo | 2 years ago
nobody will listen to your counterargument. They don't care.
taurath | 2 years ago
How much does that have to do with their TOS update which went out on thanksgiving DAY (the most perfect time to get lost in everyone’s inboxes). The TOS update somehow tries to forbid class actions, requires you to go through an “informal” 60 day process before any legal action, and forces you into binding arbitration.

Functionally you as a customer have next to no legal rights, according to 23andMe lawyers who cooked this up.

martin_a | 2 years ago
Does this hold up in court?

At least in Germany any contracts that are heavily in favor of one side will be declared void if it comes to court.

y-c-o-m-b | 2 years ago
Just got an email update from them. It sounds like you can opt out of the new terms. Not sure what the consequences will be.

> We encourage you to read the new terms in full. Please notify us within 30 days of receiving this email if you do not agree to the terms, in which case you will remain subject to the current Terms of Service. If you do not notify us within 30 days, you will be deemed to have agreed to the new terms.

Notification email: [email protected]

helsinkiandrew | 2 years ago
If 6.9M users were to start arbitration proceedings - 23andMe might prefer a class action lawsuit.
gcanyon | 2 years ago
<puts on tinfoil hat>

Does anyone think privacy of any real sort is maintainable going forward? Machine learning algorithms are learning to identify people just by their walk -- no face recognition required. Algorithms are moving toward being able to decipher text just by the audio of the keyboard being typed on.

In short, given a gestalt of ALL public data and sufficiently advanced algorithms is there really a way for people to maintain what we today consider reasonable privacy without extraordinary measures, unfailingly applied?

To be clear, I'm not value-judging the situation, just expressing what I think the ongoing trend is.

dylan604 | 2 years ago
> Does anyone think privacy of any real sort is maintainable going forward

Probably not, but it doesn’t mean we can’t guide the conversations about how it looks in the future. Sitting idly by just means they win, but discussing it in the open means that we might be able to put some safeguards in place.

Oh, who am I kidding. We’re all screwed and evilCorp will win so we’re just wasting our energy and making ourselves crazy fighting. Resistance is futile

duped | 2 years ago
> Machine learning algorithms are learning to identify people just by their walk -- no face recognition required.

About a decade ago I knew people researching computer vision algorithms doing non-facial recognition (stuff like ear shape/gait/etc) because companies like Fortinet were trying to build "automated doormans" to apartment/condo complexes where they would scan and analyze any humans walking by the cameras placed at the door.

Not a lick of ethics from anyone involved.

What we need is rabid legislation that encodes a right to be forgotten, because clearly an expectation of privacy isn't enough. I don't think there's anything inherently wrong with automating identification, but I do think there's a lot wrong with companies trying to do it for every human being that they can possibly find without any consent.

agnosticmantis | 2 years ago
> Machine learning algorithms are learning to identify people just by their walk...

Turns out the UK government was working on privacy-preserving walks decades ago: https://youtu.be/eCLp7zodUiI

pembrook | 2 years ago
Agreed, but also "privacy" is an abstraction that layers over the actual thing that people are worried about.

Any answer to "why do you care about hiding this information?" can be boiled down to the fear that "[person or group] might use [private data item] to create [bad outcome] for me."

So the thing people actually care about is the risk of bad outcome, not the actual data itself.

If your theory is correct, then the focus should be on the prevention of asymmetric power imbalances in societal transactions that can even create [bad outcome].

StopHammoTime | 2 years ago
I personally don’t. I used to lose my mind over the thought of my confidential documents being leaked. Then after seeing how poorly personal information is handled, I realised it’s almost a guarantee. A few things from Australia (which has good privacy laws) that made me recognise the futility of it all:

1) The large hack of Optus, in which about half of the population had their credit card details stolen.

2) The large hack of Medibank, in which the details of a large portion of private health insurance customers were stolen.

3) I applied for a mortgage and found out every 2-bit mortgage broker is emailed 100s if not 1000s of sensitive ID documents every year, and they definitely do not go through their email and delete them after the closure of deals.

4) Most companies in Australia only require a name, address, and birth date to verify identity, which is easily found with five minutes of searching most of the time.

5) I set up a PIN with Telstra that should have blocked administrative changes on my account for years. One day I called in, got my password ready, and they didn’t ask for it. They just did it anyway. It was entirely futile.

IMO the only way that privacy will ever become respected is if we move the onus for fraud onto the actual victims of fraud: the companies. This is the whole ancient joke about someone’s identity being “stolen”. It wasn’t stolen; your verification procedures ultimately failed as a business and you are trying to divert responsibility to avoid having to suffer a loss. This is one of the reasons I use my credit card exclusively these days: if it is used fraudulently I know that I can charge back, and that’s about the only mechanism I can use to truly prevent unauthorised access to my money.

zlg_codes | 2 years ago
Yes, it's absolutely possible. What's not possible is the society respecting privacy. As a whole, nobody respects it anymore, some even engage in half-assed devil's advocating about it.

People are easy to mislead and so that's what's been done. In the future, privacy will have to be enforced through jammers and Faraday cages.

None of the gait and keyboard detection attempts work in field conditions.

wimp | 2 years ago
Privacy is a policy issue, not a technical issue. We need to focus on advocating for more useful and effective privacy protections as citizens, instead of focusing on technical evasion strategies. Because as you're pointing out, that is a losing strategy in the long run.
bartwr | 2 years ago
Something super creepy that happened to me recently: a hospital where I'd been a few months ago called me and asked me to participate in some DNA analysis program. They said "oh and the best part? You don't need to do anything! We will use blood samples we collected the last time." I obviously declined, but it was a huge wtf to me: they stored biological samples associated with me without informing me and can do a post hoc DNA analysis. This is just insane and proof of how non-existent any privacy laws in the US are. (In the EU they cannot freeze any samples without consent, and unfrozen ones are ok for at most a few days.)
kzrdude | 2 years ago
Sweden has a registry of blood samples of every person born in Sweden since 1975: https://sv.wikipedia.org/wiki/PKU-registret (Swedish only wiki page)

Predictably? Amusingly? Police never had access to this data until a government minister was murdered in 2003, when a sample from the suspect was retrieved. From what we know it has not been used since. So we can be cynical, but under the circumstances, police use of the registry has not yet taken hold and is guarded by the courts.

me_me_me | 2 years ago
Well they did call you and tried to trick you into letting them use it.

But assuming they obey the law, they did not use your samples.

So there are privacy laws in place? Also they could have been cleaning old results/samples and this was one step.

yoaviram | 2 years ago
Something does not add up.

"23andMe said the data breach was caused by customers reusing passwords"

Yet 14,000 accounts were breached in one go? Where did these passwords come from? Maybe there was another related breach (something like lastpass can explain this)?

Also, using the "DNA Relatives" features the hackers were able to access personal information relating to 6.9 million individuals. That means each one of the original 14,000 accounts had about 492 unique relatives. What am I missing?
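The "14,000 accounts in one go" that the comment above finds puzzling is the footprint credential stuffing leaves in a login log: one client walking a list of leaked email/password pairs, so the usernames change on every attempt while most attempts fail. The detector below is an added example for this thread, not code from 23andMe or from the linked article; the log line format, the thresholds (5 distinct users, 60% failures) and every sample line are constructed assumptions, using RFC 5737 documentation addresses.

```python
"""Credential-stuffing detection over authentication logs.

Added example for this thread; it is not code from 23andMe or from the linked
article. The log line format, the thresholds and the sample log are all
constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed (constructed) log format: "<iso-timestamp> ip=<addr> user=<login> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Finding:
    ip: str
    distinct_users: int
    failures: int
    successes: int


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_stuffing(lines, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that attempt many *distinct* usernames with a mostly
    failing outcome. A legitimate user retries one account; a stuffing client
    replays a leaked list, so usernames vary while the success rate stays low."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the detector
        bucket = per_ip[rec["ip"]]
        bucket["users"].add(rec["user"])
        bucket[rec["result"]] += 1
    findings = []
    for ip, b in per_ip.items():
        total = b["fail"] + b["ok"]
        if len(b["users"]) >= min_users and b["fail"] / total >= min_fail_ratio:
            findings.append(Finding(ip, len(b["users"]), b["fail"], b["ok"]))
    return findings


def compromised_accounts(lines, findings):
    """Accounts that logged in successfully from a flagged IP: the part of the
    replayed list that actually worked, i.e. what incident response must reset."""
    flagged = {f.ip for f in findings}
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in flagged and rec["result"] == "ok":
            hits.add(rec["user"])
    return sorted(hits)


# Constructed sample log (RFC 5737 documentation addresses, made-up accounts).
SAMPLE_LOG = [
    "2023-10-01T10:00:01Z ip=203.0.113.7 user=alice@example.org result=fail",
    "2023-10-01T10:00:02Z ip=203.0.113.7 user=bob@example.org result=fail",
    "2023-10-01T10:00:02Z ip=203.0.113.7 user=carol@example.org result=fail",
    "2023-10-01T10:00:03Z ip=203.0.113.7 user=dave@example.org result=ok",
    "2023-10-01T10:00:03Z ip=203.0.113.7 user=erin@example.org result=fail",
    "2023-10-01T10:00:04Z ip=203.0.113.7 user=frank@example.org result=fail",
    "2023-10-01T10:00:04Z ip=203.0.113.7 user=grace@example.org result=ok",
    "2023-10-01T10:00:05Z ip=203.0.113.7 user=heidi@example.org result=fail",
    # one real user mistyping their password, then succeeding: not stuffing
    "2023-10-01T10:01:00Z ip=198.51.100.9 user=zoe@example.org result=fail",
    "2023-10-01T10:01:20Z ip=198.51.100.9 user=zoe@example.org result=fail",
    "2023-10-01T10:01:45Z ip=198.51.100.9 user=zoe@example.org result=ok",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    for f in found:
        print(f"{f.ip}: {f.distinct_users} users, {f.failures} fail / {f.successes} ok")
    print("reset:", compromised_accounts(SAMPLE_LOG, found))
```

On the constructed sample the first address is flagged (8 distinct users, 6 failures, 2 successes) and the two accounts it logged into are the ones to force-reset; the retrying single user is not flagged because the distinct-user count stays at 1. Real campaigns rotate through proxy pools, so per-IP counting alone is too weak in production: aggregate the same signal per ASN, per client fingerprint and per time window, and pair it with a breached-password check at login so a replayed pair fails even when it is correct.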

mikewarot | 2 years ago
I never seriously considered using 23 and me. Not because of hackers, but rather what government would do with that information. I don't want to be responsible for some random relative getting charged with a crime just because I was curious about my family tree.
madethemcry | 2 years ago
Small world. Only yesterday I read that great comment from user adameasterling about credential stuffing in another thread [1]

> Troy Hunt is such a treasure. And for us web application developers, there is no excuse for not having protection against credential stuffing! While the best defense is likely two-factor, checking against Hunt's hashed password database is also very good and requires no extra work for users!

That user even listed 23andMe [2] as an example but it's from 60 days ago. This incident is referenced on the techcrunch article.

[1] https://news.ycombinator.com/item?id=38521106

[2] https://news.ycombinator.com/item?id=37794379
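The quoted comment's "checking against Hunt's hashed password database" refers to the Pwned Passwords range API, which works with k-anonymity: the client sends only the first 5 hex characters of the SHA-1 of the password, receives every suffix in that bucket, and does the match locally, so the service never learns the password or even its full hash. The code below is an added example for this thread, not code from the comment author, from the service, or from 23andMe. The endpoint shape (`GET https://api.pwnedpasswords.com/range/<prefix>`, response lines `SUFFIX:COUNT`) is the public interface; the injectable `fetch_range` callable, the offline corpus and its counts are constructed assumptions so that the example runs without network access.

```python
"""Check a password against the Pwned Passwords range API with k-anonymity.

Added example for this thread; it is not code from the comment author, from
Troy Hunt's service, or from 23andMe. The endpoint shape used here (GET
https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>, response
lines "SUFFIX:COUNT") is the public interface; the offline corpus and its
counts below are constructed so the example runs without network access.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {SUFFIX: count}; blank lines are ignored."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def http_fetch_range(prefix: str) -> str:
    """Live fetch of one hash range (needs network; not used by the offline run)."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = http_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = never seen).

    Only the first 5 hex characters of the SHA-1 leave the client; the server
    returns every suffix in that bucket and the comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- offline stand-in for the API (constructed; counts are illustrative) ---
CONSTRUCTED_CORPUS = {"password": 3861493, "letmein": 255000}


def offline_fetch_range(prefix: str) -> str:
    """Emulate the range endpoint over CONSTRUCTED_CORPUS: return the suffixes
    whose SHA-1 starts with `prefix`, plus a decoy suffix so the bucket is
    never empty, joined with CRLF like the real responses."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        d = sha1_hex(pw)
        if d[:5] == prefix:
            lines.append(f"{d[5:]}:{count}")
    lines.append("A" * 35 + ":1")  # decoy; not the hash of anything in the corpus
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "letmein", "tr0ub4dor&3 xkcd 936"):
        n = pwned_count(candidate, offline_fetch_range)
        verdict = "REJECT (seen %d times)" % n if n else "ok"
        print(f"{candidate!r}: {verdict}")
```

Where this fits in a login flow: run `pwned_count` at signup, on password change, and at login (the plaintext is in hand at that moment anyway), and on a hit force a reset and step-up authentication rather than silently accepting the credential. A single prefix identifies one of about a million buckets, which is why the check costs the user nothing and tells the service nothing useful about the password itself.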

yashasolutions | 2 years ago
It does feel at this point that any company collecting data will be hacked; it's only a matter of "when" and not "if"...
23B1 | 2 years ago
"Luckily we are now offering a genome monitoring service. For only $79.99 per month you can be sure that you're alerted any time someone tries to access your genetic record!" - 23andMe
lesostep | 2 years ago
"What do you have to fear if you have nothing to hide?" I fear stupid people in places of power. DNA-matching as a crime solving technique always was problematic.

>> DNA Evidence is Not as Reliable as Many Believe it to Be https://www.lexology.com/library/detail.aspx?g=2800ffc0-c286...

>>The False Promise of DNA Testing https://www.theatlantic.com/magazine/archive/2016/06/a-reaso...

>>How Forensic DNA Evidence Can Lead to Wrongful Convictions https://daily.jstor.org/forensic-dna-evidence-can-lead-wrong...

solardev | 2 years ago
If the hackers could "leak" this data to the public, it would be a tremendous genetic dataset for future generations of pirate researchers...
agnosticmantis | 2 years ago
Can we (folks who didn't use 23&me but may still be affected because our relatives might have) file a class action lawsuit?

We haven't signed any licensing agreements with 23&me waiving our privacy, so presumably we still have some rights?

mrtksn | 2 years ago
For anyone who used the service: do you know if you can use it anonymously? I wanted to try it but I was afraid of exactly this.

How feasible is it to use a payment and an address that doesn't directly connect you to your samples?

shatnersbassoon | 2 years ago
Given the nature of the service, you should probably treat it as inherently pseudonymous. You're handing over irrevocable genetic data which will link you to relatives. Whatever their data protection assurances are, you have to imagine the worst case scenario - massive data leakage. And if this happens then you will in all likelihood be identifiable.
al_be_back | 2 years ago
there was a craze for DNA analysis 10+ years ago, the idea being 'if we can analyze e-commerce transactions, why not the human DNA!' The USP being mostly around Health rather than Ancestry. That's flopped in my view.

Recent genome sequencing research is revealing that actually a Gene (downstream) doesn't necessitate a Health/Medical Condition (upstream) [1]. I think we need the highest security measures, user education and Regulation when it comes to DNA, medical records, and biometric data (face, finger, iris, voice etc).

Charles Darwin & Co documented their theory of evolution well; there's enough ancestry there for most, I think, at least as a solid starting point / platform. My guess would be if there was more education around the theory of evolution (science), there would be less interest in Ancestry services (DNA based), leaving only a Medical case for them, and hence demanding greater protection/security.

[1] A biological relativity view of the relationships between genomes and phenotypes, Denis Noble - https://doi.org/10.1016/j.pbiomolbio.2012.09.004

dang | 2 years ago
Recent and related:

23andMe hackers accessed a whole lot of personal data - https://news.ycombinator.com/item?id=38519466 - Dec 2023 (36 comments)

Hacker leaks millions more 23andMe user records on cybercrime forum - https://news.ycombinator.com/item?id=37931383 - Oct 2023 (394 comments)

23andMe Sued over Hack of Genetic Data Affecting Thousands - https://news.ycombinator.com/item?id=37895586 - Oct 2023 (20 comments)

23andMe Accounts Hijacked and Data Put Up for Sale on Hacker Forum - https://news.ycombinator.com/item?id=37810755 - Oct 2023 (2 comments)

23andMe says user data stolen in credential stuffing attack - https://news.ycombinator.com/item?id=37794379 - Oct 2023 (298 comments)

hirvi74 | 2 years ago
23andMe is just pissed that someone or a group of hackers stole the same data they were selling to other companies.
ratsmack | 2 years ago
>“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”

It's funny that they had to note "without authorization".

pbhjpbhj | 2 years ago
If the data exists, it's going to get out.

In this case the data is your genome.

I was thinking about getting a DNA testing kit for my parents and my conclusion was that I'd have to advise them that they'd need to be comfortable with their genome being public because over time leaks are inevitable. As the UK marches on towards increased fascism the chances a Tory government will demand access to such data "for security purposes" gets higher.

spacecadet | 2 years ago
I'm sure someone just gave them access... Given the number of SE attacks on dumbass SaaS companies, it seems easy when they all cut corners and overwork everyone...
AndyMcConachie | 2 years ago
So people in my family have used 23andMe but I'm assuming my data is also compromised. I've never used the service because I think it's kind of weird and gross. But it probably doesn't matter that much if both of my parents and my brother have. Health insurance companies in the future can still charge me different prices based on my risk profile.