23andMe changed its terms of service to prevent hacked customers from suing

779 points| osmanbaskaya | 2 years ago |engadget.com

387 comments

kelthan|2 years ago

Automatically opting-in customers to a more restrictive TOS is pretty suspect, especially given the timing. IANAL, but I'm pretty sure that a court would not allow that, given that the TOS was changed AFTER the breach and it's pretty clear that the company is trying to avoid legal issues after-the-fact.

I would expect the court would evaluate any breach under the TOS that was in effect at the time of the breach, rather than under a new (and arguably suspect one) that was put in place after it, arguably in an attempt to "rewrite history".

everforward|2 years ago

They ought to be evaluated as if no TOS exists. Given the clear intent to defraud customers by misrepresenting the contract they were bound by, the claims should be evaluated under the TOS most favorable to the plaintiffs. The most favorable TOS is the one that's invalid because 23andMe didn't get anyone to actually agree, ergo the claims are evaluated as if no TOS exists.

This is an attempt to undermine consumer protection laws, and the government should treat it as a direct attack. Other companies are watching. The government needs to send a clear message that this won't be tolerated before it spreads, becomes the status quo, and leaves many consumers believing that they don't have any rights or protections.

The head of legal should also be disbarred under American Bar Association rule 1.2(d):

> (d) A lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent, but a lawyer may discuss the legal consequences of any proposed course of conduct with a client and may counsel or assist a client to make a good faith effort to determine the validity, scope, meaning or application of the law.

This reads as clear contract fraud in the factum [1]. Customers are told that they're bound by new contract terms, despite that 23andMe never got agreement, nor tried to get agreement, nor even know whether customers have read the new contract. I can't fathom any other reasonable interpretation of the situation. They created a fraudulent contract hoping to confuse other entrants to prior versions of the contract, and intend to benefit from that confusion. It seems clear to me. They are attempting to undermine the legal system, and the ABA needs to deal out swift punishment as one of the protectors of that system.

1: https://en.wikipedia.org/wiki/Fraud_in_the_factum

throwaway092323|2 years ago

They probably know that it doesn't hold water legally. The hope is to victim blame as much as possible so that fewer people sue them in the first place. The next step will be to "remind" people about the TOS that they totally agreed to.

thereddaikon|2 years ago

And just because a TOS says something doesn't mean it will necessarily hold up in court. They aren't law.

d3w4s9|2 years ago

"a court would not allow that"

I don't know where you have been the last few years, but I am pretty sure things like that happen all the time, based on the emails I received regarding ToS updates. And I have never heard any company got into trouble in court. Maybe public opinion, but that's it.

smcl|2 years ago

I'd say it's more than suspect, what's the point of agreeing to a terms of service if they can change after you agree to them?

dannyw|2 years ago

Federal Arbitration Act severely, and nearly completely, ties courts' hands around throwing out binding arbitrations.

Of course, if people don’t accept the new terms, they are still bound by the old ones. But if you don’t opt out…

lozenge|2 years ago

> IANAL, but I'm pretty sure that a court would not allow that

You and a lot of the people who replied to you seem to be confusing what is unjust with what is illegal. You can't use one to deduce the other.

baryphonic|2 years ago

Cornell's law school has a pretty good guide to these "adhesion contracts" such as web TOS.[0] This alteration strikes me (IANAL) as running the risk of being unconscionable. If the contract change is unconscionable, then the new terms mandating binding arbitration are void.

Again, IANAL. Just my opinion as a citizen, not legal advice. Seek competent legal advice before taking legal action.

[0] https://www.law.cornell.edu/wex/adhesion_contract_(contract_...

jalapenos|2 years ago

Have they ever implied this would apply to accrued causes of action though?

Would like a lawyer to correct me if wrong, but these terms would only apply to any future events, not to the hacks that happened under the previous terms, for which they've already accrued the right to sue in a court (or whatever those terms said) regarding that hack, and 23andMe hasn't really implied otherwise just by updating its terms?

If they wanted that, they'd have to have explicitly included language like "by continuing to use our services after this notice, you covenant not to sue in court for any prior causes of action" or the like?

Affric|2 years ago

Yep. Having defended contracts that legally the company could novate the circumstances that led to the novation had to be either outside of our control with a third party changing our underlying costs or the first and second parties failing to agree a new contract and a standard contract that was already defined being put in place. This was later deemed unfair and the standard contract was made much cheaper. Ha!

My point being that in Australia my vibe is that this will be looked upon in a very negative light by courts and any regulators.

gentleman11|2 years ago

Any contract that can be changed at the whim of one party should automatically be invalid

pbhjpbhj|2 years ago

That should be a crime in itself. Looks a lot like fraud.

wackycat|2 years ago

Right! If this were a law rather than TOS it's the whole ex post facto situation.

amelius|2 years ago

What if they sell their entire business to a subsidiary?

sonicanatidae|2 years ago

I would like to think they will be nailed to the wall, but the current is that they will get a pittance fine, at best, before accepting their well earned bonuses.

I hate this timeline.

verve|2 years ago

To duck out of the new ToS, just write this email to legal@23andme.com--

To Whom It May Concern:

My name is [name], and my 23andMe account is under the email [email]. I am writing to declare that I do not agree to the new terms of service at https://www.23andme.com/legal/terms-of-service/.

apwell23|2 years ago

> If you do not notify us within 30 days, you will be deemed to have agreed to the new terms.

WTF. This is outrageous. And I had to find that email in my spam after I read this comment. Hope this POS company goes down in flames after this.

ballenf|2 years ago

I wonder what would happen if someone used one of the public email dumps and automated a mass opt-out of every email ever spotted in the wild.

bunnyfoofoo|2 years ago

Email is arbitrationoptout@23andme.com

willcipriano|2 years ago

I wonder if they can use things like opt out data to find a way to screen for genetic markers of "troublemakers" or similar.

DNA driven targeted advertising that finds only the most docile consumers.

alephnan|2 years ago

I am logging to my 23andme account to confirm my info and name registered there.

I forgot my password and did a password reset. They have password requirement of 12 characters minimum. A bunch of security theater just to get hacked anyways

lynndotpy|2 years ago

You have to specifically opt out of the arbitration clause and class action waiver.

stevehawk|2 years ago

fwiw the correct email for this is arbitrationoptout@23andme.com

jhardy54|2 years ago

I don't give Facebook permission to use my pictures, my information or my publications, both of the past and the future, mine or those where I show up. By this statement, I give my notice to Facebook it is strictly forbidden to disclose, copy, distribute, give, sell my information, photos or take any other action against me on the basis of this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308-1 1 308-103 and the Rome statute). Note: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once, you have given the tacit agreement allowing the use of your photos, as well as the information contained in the updates of the state of the profile. Do not share. You have to copy.

d2049|2 years ago

I would have presumed that security-minded people, which includes those who work in tech, would not so easily give away their genome, and that most of 23andMe's customers are a slice of the general population. But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled. Why would anyone willingly do that?

dekhn|2 years ago

I'm familiar with security (I keep a copy of Applied Cryptography on my shelf for "fun reading") and tech, here's a copy of my whole genome: https://my.pgp-hms.org/profile/hu80855C Note it's a full human genome, far more data than a 23&Me report. You can download the data yourself and try to find risk factors (at the time, the genetic counsellors were surprised to find that I had no credible genetic risk factors).

Please let me know in technical terms, combined with rational argument, why what I did was unwise. Presume I already know all the common arguments, evaluated them using my background knowledge (which includes a PhD in biology, extensive experience in human genome analysis, and years of launching products in tech).

I've been asking people to come up with coherent arguments for genome secrecy (given the technical knowledge we have of privacy, both in tech and medicine) and nobody has managed to come up with anything that I hadn't heard before, typically variations on "well, gattaca, and maybe something else we can't predict, or insurance, or something something".

xvector|2 years ago

I am a security engineer. When I signed up for 23andme, I assumed with certainty that it would be hacked and all data leaked at some point. I balanced that with the value of knowing potentially important health/genetic bio markers.

In the end, I valued knowing these bio markers above the privacy of my genome. The former is actionable and I can use it to optimize my health and longevity; the latter is of vague value and not terribly exploitable outside of edge-case threat models.

p_j_w|2 years ago

> But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled.

I'm befuddled that anyone thinks Sam Altman is the least bit trustworthy after WorldCoin.

mrweasel|2 years ago

The same people believed crypto-currency, infinite growth, social media and many other things. At least 23andMe provided actual value, to some at least.

What I find strange is that 23andMe did not automatically delete data after 30 days, or at the very least took it offline, only to be available on request. Notify people that their results are available and inform them that the data will be available for 30 days after the first download. This is potentially really sensitive data and based on 23andMe's response, they seem to be aware of that fact. So why would they keep the data around? That seems fairly irresponsible and potentially dangerous to the company.

latentcall|2 years ago

I was 24 in 2015 and not in tech or as security minded as I am now when I received the test as a Christmas present. Obviously now I wouldn’t have dared do it, but it’s too late. Lacked the foresight at the time.

PH95VuimJjqBqy|2 years ago

It will be a cold day in hell before I ever submit to dna analysis of this nature.

That doesn't stop my family from doing so, but I sure as hell will never.

FireBeyond|2 years ago

> But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas

Well, in the case of WorldCoin, I think there's still some pretty significant questions of why they made Africa a prominent launch market (well, there are some reasons), but in some places they repeatedly increased incentives until they were offering people there up to a month's income to give their scans. That might not be a lot of money to a big startup, but is telling that they had to offer that much to get some people to "opt" in.

Dma54rhs|2 years ago

Poor and desperate people don't have the luxury of thinking of these first world privacy issues. There's a reason Altman and launched it where they did.

hot_gril|2 years ago

What's the implication here, that tech people should know better? I just don't care a ton about my privacy. At least that makes me not a hypocrite for working at a company that profits from user data (like many tech ones do).

rand1239|2 years ago

> Why would anyone willingly do that?

Maybe they accept the possibility that they die one day?

akira2501|2 years ago

> I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas

Is this actually happening, or is that just what the stories say?

switchbak|2 years ago

You didn't need to supply accurate information, this isn't a bank here with any validation of your identity.

basch|2 years ago

Or the reality is, if someone wants your dna they will follow you around and grab a coffee cup.

varispeed|2 years ago

I know someone who is very security-minded, but also he was born to parents misplaced due to a war and they didn't know where they come from (their adoptive parents would only know a region, but not for sure). At the time it was an easy option to learn something about his heritage to him. His curiosity was satisfied.

93po|2 years ago

The long term premise of WorldCoin is to not store retina scans in any way, and scanning stations in the US already do not do so.

adocomplete|2 years ago

Thanks for sharing. Will def opt out and roll into the class action suits already filed.

Take security seriously people. Especially when dealing with super sensitive data.

brianwawok|2 years ago

Why did you send them your DNA? It was pretty obvious from day 1 that sending some random startup on the internet my DNA was a bad move.

tuwtuwtuwtuw|2 years ago

Which super sensitive data was leaked? I have read contradicting things.

micromacrofoot|2 years ago

Same, excited to receive my check for $0.25 in 3 years (seriously though, I wonder if we should file in small claims court or something as well?)

snapcaster|2 years ago

[deleted]

mrkramer|2 years ago

I'm not a lawyer but I doubt that this will matter in the court because the time of actions matter; or in other words at the time when user registered they agreed to TOS A and later when 23andMe changed their TOS A to TOS B they achieved nothing because you can't unregister users and register them again and force them to agree to the new TOS B. I mean they can ask you to agree to new TOS but you don't have to because TOS is not a law, it is a voluntary legal agreement between a company and a customer. Retroactively enforcing something is not possible not even for the governments e.g. if I pay my corporate tax of let's say 20% in 2023 to the government, government can't say like 5 years later: you know what corporate tax is now 30%, compensate for all the differences in the past.

onlyrealcuzzo|2 years ago

> I mean they can ask you to agree to new TOS but you don't have to because TOS is not a law

Aren't they forcing you to agree to the new TOS to continue using the product?

corethree|2 years ago

You got it wrong. They can throw a big TOS in front of you next time you login. Most users will just accept.

Additionally they sent an email out saying that you have 30 days to tell them you want to "opt out" otherwise by default they assume you accept the new TOS agreement.

happytiger|2 years ago

There’s a word for changing the terms after a deal is signed to benefit one party over the other: fraud.

skyfaller|2 years ago

"I am altering the deal. Pray I do not alter it any further."

1vuio0pswjnm7|2 years ago

"In October, the San Francisco-based genetic testing company headed by Anne Wojcicki announced that hackers had accessed sensitive user information including photos, full names, geographical location, information related to ancestry trees, and even names of related family members."

For those who do not know, her sister is a longtime Google marketing person since 1999, who worked on AdWords, AdSense, DoubleClick, GoogleAnalytics and the money-losing data collection and advertising subsidiary YouTube.

It seems personal data collection for profit runs in the family.

clwg|2 years ago

She was also married to Sergey Brin for 8 years.

emddudley|2 years ago

I have tried to quickly diff the previous TOS with the new one and I wasn't able to identify any big changes. I would like to know what the actual changes are. I see a lot of articles criticizing the new TOS, but no one is showing the actual wording differences.

Does anyone have an actual diff?

e28eta|2 years ago

Comparing:

https://www.23andme.com/legal/terms-of-service/full-version/...

https://www.23andme.com/legal/terms-of-service/full-version/

two things jump out at me, as a layman:

insertion into the middle of Limitation of Liability "WITHIN THE LIMITS ALLOWED BY APPLICABLE LAWS, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT 23ANDME SHALL NOT BE LIABLE FOR ANY DAMAGES"

Lots of changes to the Dispute Resolution, and new content re: Mass Arbitration. However, the previous ToS still had binding arbitration clauses, and stuff about class actions.

slingnow|2 years ago

Why do the actual work when you can just come to the HN comment section and rant about what you think it means!

pizzalife|2 years ago

I interviewed for a security position there a few years ago, but they cut the role before the interview process was over. Kind of feels like they didn't prioritize security - you reap what you sow.

hmottestad|2 years ago

Could have been that they found someone internally.

helsinkiandrew|2 years ago

Forcing customers to use arbitration hasn't always been in the company's interest - if only a fraction of the 7M affected customers started the arbitration process it could cost a lot more than a class action suit.

Didn't Uber drivers get a large payment from them in this way?

https://www.reuters.com/legal/litigation/uber-loses-appeal-b...

kelthan|2 years ago

Trying or arbitrating a large number of cases individually is far more expensive than litigating a class action suit. But only if the people pushing the arbitration hold firm, rather than agreeing to the initial settlement offering.

zlg_codes|2 years ago

Arbitration almost always favors the company, why else would they push for arbitration instead of respecting your rights?

WalterBright|2 years ago

"reports revealing that attackers accessed personal information of nearly 7 million people — half of the company’s user base — in an October hack."

Breaking into a system should never provide access to 7 million people. The database should be divided up into multiple "cells" each with its own separate access restrictions.

It's the same idea that spy networks use to prevent one compromised spy from bringing down the whole system. Or you can think of it like watertight compartments in a battleship.

hmottestad|2 years ago

What if you want to run a query to compare your DNA to everyone else’s to see if you have any relatives that are registered already? Wouldn’t that need access to the entire database and essentially be a point of weakness?

hsuduebc2|2 years ago

Exactly. This behavior is why I'm never gonna send my DNA to any of these services. Certainly not US. I hope that the EU will have some regulations for this soon.

tamimio|2 years ago

Gladly I never used any of these services, not just knowing my ancestors origins will add zero value to my life, but also I don’t trust any cloud services to store my passwords or notes, let alone a biometric I will never be able to change, alive or not.

TheBlight|2 years ago

The slightly annoying thing with this data, though, is that even if you don't provide your data your privacy can be violated via any relatives' data that did decide to use the service.

tjpnz|2 years ago

Which companies offer similar services sans all the bullshit and privacy issues? I'm not interested in finding long lost relatives and even less interested in having my data sold or shared with LEO.

aeurielesn|2 years ago

I don't understand how this is even legal but it has been widespread adopted without a backlash.

scottLobster|2 years ago

The older I get, the more I learn that "legal" doesn't mean what's on the books, it means what some entity cares to enforce.

bulbosaur123|2 years ago

As a customer from EU who has been affected by this, how do I sue them? Can I join the class action?

Didn't use ancestry feature, but from what I understood my data has been leaked as well.

TheCaptain4815|2 years ago

I almost laughed out loud when I got the email a few days after the leak. There's no way a company can just change the TOS AFTER a major leak, right?

dekhn|2 years ago

yes, companies can change TOS when they want regardless of what happened before, so long as they weren't legally prevented from doing so.

someotherperson|2 years ago

An alternative take is that they changed their terms of service so that if/when this happens again they'd have more control over the fallout. I think they're totally expecting to get railed for the last one and are preparing for it, but this doesn't mean they can't prepare for the future as well. I imagine other providers will also revise their TOS.

jbombadil|2 years ago

I honestly don't understand how "If you don't opt out within 30 days you'll be bound to the new TOS" works.

I have heard of two big "trends" of how people think about legal contracts:

[1] What is written there and what both parties agreed to is the truth.

[2] A contract is supposed to be a "meeting of the minds". If it's proven that one party was being deceitful, then the contract (or that part) doesn't hold.

If we go by [1], then the company can change the TOS by sending me a notice with "if you don't opt out, then you're bound by these terms"... but so should I. I should be able to send a letter to 23&me saying "if you don't disagree these are the new terms: if my information is ever hacked, you owe me 10M dollars in damages"

If we go by [2], then sending a notice like that is absolutely invalid. They have no way of proving that I read that notice within 30 days, so there was never a "meeting of the minds".

lolinder|2 years ago

The theory is that you start the contract with the terms specifying that changes put forward by the company (but not the user) are automatically accepted with 30 days' notice. That's where the meeting of the minds occurs: in theory, from that point on, you've agreed that the terms can change.

However, I'm not sure if that's ever been tested in court as a valid theory, and regardless it certainly shouldn't be legal (any more than noncompetes).

deegles|2 years ago

I got downvoted in another thread for suggesting that a company might do exactly this

master_crab|2 years ago

I’ll give you an upvote if you link it!

kryptiskt|2 years ago

I have a vague recollection that some company fairly recently squirmed when it got tons of arbitration cases.

It would be really funny if 23andMe got dragged to the arbitrator a million times.

nielsbot|2 years ago

I think there was a general pattern of people striking back against mass forced arbitration by saying "ok, that's fine, we'll all go to arbitration at once". And companies ended up having to foot the bill for hundreds or thousands of arbitration cases...

Newer arbitration clauses that I've seen now cover this scenario. Something like "If many identical cases come forward at the same time, you agree to combine your cases in a single arbitration action"

Looks like CR wrote about it:

https://www.consumerreports.org/money/contracts-arbitration/...

gavinhoward|2 years ago

So glad I never became a customer of 23andMe.

I hope that I would have cause to go after them if they leaked DNA from a relative, and that DNA was used to cause harm to me.

b800h|2 years ago

I'm in the UK and I've not received a notification that the terms have changed. Is this because our law is more consumer-friendly?

johndhi|2 years ago

I'm a lawyer. Some of the assertions here are a bit extreme, as is the headline, imo. The company can add a class waiver to its terms when it wants to. Whether it's enforceable against people who have a claim predating the terms update will be an interesting legal issue to debate. But let's not call them the devil.

josefritz|2 years ago

There is no retcon possible from a TOS update. They're a soft target for a class action lawsuit right now and they know it.

FredPret|2 years ago

Reminds me of Paypal that keeps spamming me with Terms of Service update emails. It doesn't exactly build trust.

TaylorAlexander|2 years ago

I haven't logged in in years. Is it possible for me to cancel my service without agreeing to updated terms?

skilled|2 years ago

The article doesn't add anything new from previous discussion,

23andMe updates their TOS to force binding arbitration (https://news.ycombinator.com/item?id=38551890) - (372 points | 6 days ago | 243 comments)

One interesting thing about this story though is that it appears that 23andMe is outright refusing to make a comment to anyone. Every single site that has covered the story and bothered to email them have added a, "23andMe has declined to comment" disclaimer.

Pretty scummy.

kelthan|2 years ago

Yes, from the perspective of any user/consumer of the service. But since they are facing litigation, any lawyer will tell you that keeping your mouth shut until the action is adjudicated is THE best course of action, regardless of what some politicians and corporations may do these days.

The only other thing that they could say would be "We do not comment on matters involving pending litigation." But that's just a longer way of saying "No comment." It's not any more satisfying for the customers or partners understandably seeking answers to what happened, how, and why.

JohannesH|2 years ago

I don't know if this is the case or not, but surely this should not hinder legal action on anything that happened before the TOS changed right?

jakedata|2 years ago

23andMe would like to point out that hackers already have access to 99.9% of your DNA right now. That means they are at most only 0.1% at fault for anything else.

DesiLurker|2 years ago

This should be a reminder to DELETE YOUR 23&ME ACCOUNT and destroy the samples asap. God knows who this horrible company will sell all that info to next.

henry2023|2 years ago

About 5 or 6 years ago, I thought about sequencing my DNA with them. I'm glad I didn't seriously consider it or actually go through with it.

benchtobedside|2 years ago

Worth noting that 23andMe, plus many other low cost genealogy/health-focused companies do not sequence your DNA.

Instead, they perform what is called a genotyping microarray test, which looks at less than 0.1% of your genome.

To quote from 23andMe: "In order to be genotyped, the amplified DNA is “cut” into smaller pieces, which are then applied to our DNA chip (also known as a microarray), a small glass slide with millions of microscopic “beads” on its surface. Each bead is attached to a “probe," a bit of DNA that matches one of the genetic variants that we test. The cut pieces of your DNA stick to the matching DNA probes. A fluorescent label on each probe identifies which version of that genetic variant your DNA corresponds to."

Source: https://customercare.23andme.com/hc/en-us/articles/227968028...

gkanai|2 years ago

Was never interested in this service previously and will never consider them in the future.

Did 23andme not expect themselves to be hacked?

stainablesteel|2 years ago

it's insane that a company can just change a tos after you buy their product

why can't i be locked into what i chose to purchase?

hmottestad|2 years ago

Changes to the consumer law in Norway try to account for digital services that a product you bought had at the time of purchase and that no longer work. Also where a lack of an update has caused something to not work as expected.

The actual ramifications of this are yet to be seen, since the changes come into effect from next year. It will be interesting if this means that apps need to be updated to support new iOS and android versions, or if phones will need to get security updates, or if cloud services must be available, or if a feature can be removed from an app or not.

pkilgore|2 years ago

Exporting raw genetic data is conveniently "temporarily unavailable" at the same time this bullshit is happening, which is something I'm almost certain discovery would prove is an intentional choice by them.

leemailll|2 years ago

I don't support this, but I'm surprised they only do this until now.

theGnuMe|2 years ago

Huge HIPPA violation as well.

deathanatos|2 years ago

> Huge HIPPA violation as well.

It's HIPAA.

IANAL: And unless 23andMe meets the HIPAA definition of a "covered entity", which I'm not sure they do, they're not going to be covered by HIPAA.

SpaceManNabs|2 years ago

What exactly was breached isn't clear... Very worrying

zlg_codes|2 years ago

I'm getting to a point where I automatically assume any business is both taking my money and trying to totally fuck other parts of my life behind my back to make more money.

If capitalism is so great why is it so incompatible with being a good and honest person?

alephnan|2 years ago

> If capitalism is so great why is it so incompatible with being a good and honest person?

Capitalism was never about that. It was about having acting in their own self-interest as to maximize economic efficiency. That model works great when you are selling commodities and physical products.

Capitalism in the era of personal information as currency is an entirely different beast that needs to be reworked.

1vuio0pswjnm7|2 years ago

23andMe DNA kits make great x-mas gifts. 50% off!

Imnimo|2 years ago

Well at least, 23andMe promises that it also can't participate in a class-action lawsuit against me. So that's pretty fair.

robg|2 years ago

Just email to say you opt out.

stuaxo|2 years ago

Will this work, I wonder?

tokai|2 years ago

Meh, not really binding in the EU, as it's not done in good faith and it disadvantages consumers. I see no reason to write them and tell them you don't agree, if you are an EU citizen.

Fischgericht|2 years ago

As someone living in the EU, these kind of things puzzle me a lot.

How can a legal system exist, where it's possible to deny a (consumer) contract party access to the legal system and law of the land?

(In the EU we do have arbitrations clauses, but they are only legal between businesses and tightly regulated. Arbitration "courts" must be neutral. And you can not put them into ToS.)

Also, I was under the impression that all sane legal systems on this planet are based on the broad principle of "pacta sunt servanda" = "agreements must be kept". One party of a contract never can change the contract without consent from the other party.

We do have the concept of "silent approval" for consumers over here, too, but that only applies to minor changes to terms that are not a "surprising" change to the consumer. It recently was ruled that for example Netflix increasing prices without active consent is not legal in the EU. There is not much that is not regarded as "surprising" by courts here. "You are not allowed to sue us after having lost your personal data, then lying about it" clearly would be regarded as surprising.

In summary: Every aspect of that whole 23andMe story would be impossible in the EU. The amount of data they collected, the way they stored it, the way they tried to hide the breach, and them trying to prevent their customers to get access to the law.

I wonder how on earth the US legal system could deteriorate so much that such a story becomes possible.

[Disclaimer: I am not bragging about living in the EU. I did not have any influence on my place of birth. I do not wish to imply that the EU is "superior" to the US. I am just trying to give an outside perspective.]

denton-scratch|2 years ago

> I wonder how on earth the US legal system could deteriorate so much that such a story becomes possible.

My impression is that everything in the USA has become lawyerized. Politicians are all lawyers. If you have assets of more than a mill, you have a legal team. You can't move for lawyers. I'm watching stories about a man facing 90 charges, who is still running for president (and has a good chance of winning). All of his co-accused are lawyers.

You'd think that, with so many lawyers around, it should be really quick to get justice. But it's the opposite; apparently, the more lawyers are involved, the longer justice is delayed.

pyuser583|2 years ago

The real issue is that lawyer can “try” anything with almost no consequences.

I doubt this will work. But there’s “no harm in trying.”

khana|2 years ago

[deleted]

dev1ycan|2 years ago

I don't feel bad for anyone who sent their dna to a private capitalistic company. It was always obvious this was gonna happen. Especially when these companies paid so much to politicians like Bernie Sanders to appear on their ads to seem "benign".

nazgulsenpai|2 years ago

Do you feel bad for people who had relatives use the service without them knowing, making them party even though they did not consent?

JohannesH|2 years ago

By that logic no privately owned company would ever be held accountable for anything they did wrong.

RIMR|2 years ago

23andMe thanks you for your lack of sympathy for their victims.