[HN Gopher] 23andMe changed its terms of service to prevent hacked customers from suing
___________________________________________________________________
23andMe changed its terms of service to prevent hacked customers from suing

Author : osmanbaskaya
Score  : 557 points
Date   : 2023-12-12 15:27 UTC (7 hours ago)
Web link: www.engadget.com

adocomplete wrote:
Thanks for sharing. Will def opt out and roll into the class action suits already filed.

Take security seriously people. Especially when dealing with super sensitive data.

brianwawok wrote:
Why did you send them your DNA? It was pretty obvious from day 1 that sending some random startup on the internet my DNA was a bad move.

mauvehaus wrote:
Not everyone opted in as such. My wife has an identical twin who sent in a test.

midasuni wrote:
Presumably neither you, your kids, or your wife, has grounds to sue them

hoosieree wrote:
You could try the old Monsanto/JohnDeere approach: copyright your own DNA then sue them under DMCA.

6177c40f wrote:
No, I don't think that that's obvious. At least in the US, there are already protections for genetic information (including but not limited to GINA [1]).

In the long run, I think keeping your genetic information private will be untenable- the potential benefits will outweigh the drawbacks. Plus, anyone sufficiently motivated could get your DNA somehow, you shed your DNA everywhere you go, no getting around that.

So what's left is to urge your representatives to maintain and strengthen regulations on how that information can be used, and in the long run we'll just have to trust that that will be enough.

[1] https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrim...

pavel_lishin wrote:
> _In the long run, I think keeping your genetic information private will be untenable- the potential benefits will outweigh the drawbacks._

Can you give an example?
> _Plus, anyone sufficiently motivated could get your DNA somehow, you shed your DNA everywhere you go, no getting around that._

That assumes there's someone out to get _you_ specifically. That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway. Having my DNA because you vacuumed it up off the subway floor is significantly less useful to anyone without it being explicitly tied to me.

6177c40f wrote:
> Can you give an example?

See my other comment, but in short I essentially mean the true realization of "precision medicine" and gaining a greater understanding of how different genotypes result in disease, information which can be used to guide treatment and to develop better treatments.

> That assumes there's someone out to get you specifically.

Not entirely true- the ability to reconstruct genotypes from environmental samples gets better all the time. I'd imagine that even with current technology, a sufficiently motivated organization could sample various locations to reconstruct the genomes of people who often visit there. With enough info, they could start building webs of genetic relation. From there, all they'd need is access to a database of samples from known individuals (which, as we can see, already exists), and chances are they could quickly deanonymize future samples. The only thing that could stop such mass collection is proper regulation.

> That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway.

Unlike your password, your DNA is unencrypted and gets spread everywhere.

slingnow wrote:
>> That's like saying there's no point in having 2FA or strong passwords, because the FSB, the FBI and Mossad can get in anyway.

> Unlike your password, your DNA is unencrypted and gets spread everywhere.

This doesn't address the point.
In both cases, someone sufficiently motivated could get what they want from you. So by your argument, there's no point in maintaining privacy for either piece of information (DNA / passwords).

billyoyo wrote:
Clearly a bad faith argument. Someone with your passwords can do a lot more damage than someone with your DNA.

I think DNA is probably sensitive on the level of someone knowing your name and DOB. Not convinced it's much more dangerous than that.

6177c40f wrote:
> So by your argument, there's no point in maintaining privacy for either piece of information (DNA / passwords).

The problem with privacy is that it's fragile. When your info is leaked, you should assume it's out there for good.

I also think that while right now when you do the cost/benefit analysis of having your DNA sequenced, you think the cost outweighs the benefit. Clearly my personal calculus is different than yours, and that's ok. But I would caution you that in the future that calculation may be different for you.

So I think people will either lose privacy, or voluntarily give up some privacy for some benefit. In either case, we will need something other than privacy to protect ourselves. I think that well-enforced legislation, legislation that limits the way genetic info can be used and gives the individual more control over their own info, is really the only thing that can help.

quantified wrote:
What benefit will there be? And why do you assume that it won't be accompanied by negatives? The problem with all tech is that people direct its use, and the sole agent of evil in this world is people.

6177c40f wrote:
> What benefit will there be?

Knowing your genetic information is currently of limited value for the majority of people, this I admit.
I believe that in the future, however, the promise of precision medicine will be realized, and that having one's genetic information readily available will be crucial to receiving the best treatment possible for many diseases.

For example, take Crohn's Disease (and other inflammatory diseases more generally). The current thinking is that it is highly influenced by genetics, and that a number of different genotypes exist that can result in the phenotype we refer to as Crohn's Disease. It's conceivable that having a better understanding of someone's specific genotype could lead to more precise treatment of their condition.

> And why do you assume that it won't be accompanied by negatives?

I explicitly don't assume this, I said that the benefits will outweigh the drawbacks.

> the sole agent of evil in this world is people.

This is a specious argument. By that same measure, the sole agent of _good_ in the world is also people. But that's irrelevant. Tech can be used both to harm and to benefit, and I'm arguing that personal gene sequencing can and will be used to provide more benefit than harm.

croes wrote:
> Plus, anyone sufficiently motivated could get your DNA somehow, you shed your DNA everywhere you go, no getting around that.

But these people need to get close to you. 23andme made it easy for someone who could have been on the other side of the globe.

6177c40f wrote:
I really don't see how this changes the threat model. If anything, I'm less worried about someone on the other side of the globe.

fkyoureadthedoc wrote:
And do what with it?

gosub100 wrote:
Fear of the unknown about your own body. Think of how many people would sign up if you sold a service that scoured secret files to "find out what people are saying about you".
Forget whether such a service could ever work, just the combination of "unknown" + "about you" is irresistible to a large segment of the population. It's the mother-of-all-clickbait.

atemerev wrote:
Any other way to know the information they are offering? It is hard to own your own sequencing machine.

duxup wrote:
For a lot of people it is a health decision.

I go to a doctor, they have a ton of info on me. Who knows what might happen with that data ... but I still go to the doctor because it is a good idea for health reasons.

tamimio wrote:
Spot on!

alephnan wrote:
It was offered as a subsidized perk during my days as a Google employee.

The social aspect of other people at Google doing it made it feel normal.

In hindsight, I drank the Google kool-aid in more ways than one.

The sentiment of distrust towards tech companies and tech companies being yet-another-corporation is really only obvious in recent years. It wasn't the case a decade ago when we were busy being judgemental of Wall Street. Ironically, now it seems that Wall Street is more trustworthy because, at the very least, they are forthright about their motive to make profit instead of all these lies about "changing the world".

krosaen wrote:
Didn't really feel like a random startup - felt like one of the most innovative startups around, backed by impressive investors including Google, co-founder married to Sergey Brin... So perhaps in hindsight sending DNA to _anyone_ is a bad idea, but if there were a startup one might have trusted, this was it.

snapcaster wrote:
I'm not trying to be mean, but it's hard not to be angry at people like you. Why would you send your DNA to a random startup with no promises or guidelines on how the data could be used? Do you have children? You just caused 50% of their DNA to leak forever without consent.
I hope you're reconsidering your decision making around stuff like this now, but too late for any of your descendants in the next couple generations.

micromacrofoot wrote:
Most of the time we're leaking our DNA all over the place by existing

eimrine wrote:
The DNA we are leaking is impossible to copy unlike the DNA we are sending to 23andme.

atemerev wrote:
You know, you can send other people's DNA to sequencing services too...

eimrine wrote:
Probably you can send to them anything else but how it relates to my comment?

atemerev wrote:
Meaning that your DNA is not safe, even if you yourself never send it. DNA is leaking everywhere, anyone could collect it and send for analysis.

micromacrofoot wrote:
Nanopore sequencing can be done with a device that can fit into your pocket, these devices can be found for less than $1000.

boringuser2 wrote:
Why do you care again?

It's DNA, not your BitWarden password.

dekhn wrote:
No; this is factually wrong.

eimrine wrote:
And not even a bit of clarifying? If you can convert the DNA sample into two DNA copies without destroying the sample, probably you are a God.

dekhn wrote:
You said "The DNA we are leaking is impossible to copy unlike the DNA we are sending to 23andme."

I said it was wrong because if people collect environmental human DNA samples and "copy" them (amplify with PCR).

Not sure what you mean about destroying the sample- you typically take part of the sample and amplify it without destroying the whole thing.

I'm just unsure of what you are trying to say here; I'm responding with purely factual answers based on modern DNA technology.

croes wrote:
So you would be ok if governments around the world have a sample of yours and store it in a database?

drivers99 wrote:
Yes. What's the problem?

CyberDildonics wrote:
Prove it by copy and pasting your DNA in a reply.

hot_gril wrote:
Someone did it above.
dekhn wrote:
There is no practical way to prevent it, so yes, it's OK because there is no reasonable alternative.

micromacrofoot wrote:
No, the company in question made promises about the security of it and has broken those promises. Now their customers' DNA is potentially available to anyone (not just governments). They should pay dearly for breaking these promises. This is not the point of my original comment.

The person I'm responding to is victim-blaming, and also making the completely silly claim that it's irresponsible to willingly "leak" DNA through some vague lens that it's going to be used to harm your descendants for generations.

DNA sequencing is constantly becoming more affordable and accessible. Unless regulated, this _will_ be data that gets collected and abused en masse. It's a little expensive now, but I could easily sequence just about anyone's DNA today as long as I have some sort of physical access to a space they use. If that's the commenter's concern, they'd be much better off focusing on that rather than blaming people for expecting a company to keep medical data secure.

Ensorceled wrote:
I continue to be surprised at the sheer number of people on HN who are more enraged at the victims for their "stupidity" than at the perpetrators (23andMe for ToS shenanigans and/or the hackers for the hack).

snapcaster wrote:
How are you getting that I'm "more enraged" at the victims? I'm not absolving the company of anything, I'm criticizing people who give something like their DNA to a random company naive and foolish

edit: I would have the exact same stance (and did and continue to) even if there was no hack

Ensorceled wrote:
Because your original comment was the only comment you made on the thread.

And you made NO mention of the real villains.

And you accused these people of screwing over their kids and all their descendants.
And you only "not absolving" the real villains even now.

zlg_codes wrote:
With criteria like that, you may as well speak for him. You're complaining he didn't say exactly what you wanted, and then made an assumption on his stance. Stupid tribal monkey behavior.

dgacmu wrote:
Well, let's see - because I wanted to have children, and I didn't know who my biological father was, so I wanted to understand if my wife and I were likely to carry any of the same dangerous recessive genes? And I wanted to know if there were likely any big, detectable gotchas coming up as I got older.

And because, in the process, I discovered a couple of half brothers.

My life is better because of the knowledge I got from genetic testing.

(It also wasn't a "random" startup to me; I had it recommended by someone I trust who knows the founder.)

switchbak wrote:
Why would you be angry at someone that didn't do anything that negatively affects you? Do you get mad at people that eat unhealthy food?

snapcaster wrote:
Yes actually

micromacrofoot wrote:
Same, excited to receive my check for $0.25 in 3 years (seriously though, I wonder if we should file in small claims court or something as well?)

tuwtuwtuwtuw wrote:
Which super sensitive data was leaked? I have read contradicting things.

skilled wrote:
The article doesn't add anything new from previous discussion,

_23andMe updates their TOS to force binding arbitration_ (https://news.ycombinator.com/item?id=38551890) - (372 points | 6 days ago | 243 comments)

One interesting thing about this story though is that it appears that 23andMe is outright _refusing_ to make a comment to anyone. Every single site that has covered the story and bothered to email them have added a "23andMe has declined to comment" disclaimer.

Pretty scummy.

kelthan wrote:
Yes, from the perspective of any user/consumer of the service.
But since they are facing litigation, any lawyer will tell you that keeping your mouth shut until the action is adjudicated is THE best course of action, regardless of what some politicians and corporations may do these days.

The only other thing that they could say would be "We do not comment on matters involving pending litigation." But that's just a longer way of saying "No comment." It's not any more satisfying for the customers or partners understandably seeking answers to what happened, how, and why.

aeurielesn wrote:
I don't understand how this is even legal but it has been widely adopted without a backlash.

scottLobster wrote:
The older I get, the more I learn that "legal" doesn't mean what's on the books, it means what some entity cares to enforce.

Maxion wrote:
And because court cases are so expensive, what really matters is who has more money to spend on lawyers.

mrkramer wrote:
I'm not a lawyer but I doubt that this will matter in the court because the time of actions matter; or in other words at the time when the user registered they agreed to TOS A and later when 23andMe changed their TOS A to TOS B they achieved nothing because you can't unregister users and register them again and force them to agree to the new TOS B. I mean they can ask you to agree to new TOS but you don't have to because TOS is not a law, it is a voluntary legal agreement between a company and a customer. Retroactively enforcing something is not possible not even for the governments e.g. if I pay my corporate tax of let's say 20% in 2023 to the government, government can't say like 5 years later: you know what corporate tax is now 30%, compensate for all the differences in the past.

onlyrealcuzzo wrote:
> I mean they can ask you to agree to new TOS but you don't have to because TOS is not a law

Aren't they forcing you to agree to the new TOS to continue using the product?
mrkramer wrote:
Then pull out and sue them for maliciously enforcing new TOS. People should collectively sue them.

freeAgent wrote:
Perhaps, but if someone ignores the email and never logs into or interacts with 23andMe in the meantime, the post hoc change in ToS should have no impact on their ability to join a class action lawsuit.

corethree wrote:
You got it wrong. They can throw a big TOS in front of you next time you login. Most users will just accept.

Additionally they sent an email out saying that you have 30 days to tell them you want to "opt out" otherwise by default they assume you accept the new TOS agreement.

verve wrote:
To duck out of the new ToS, just write this email to legal@23andme.com--

To Whom It May Concern:

My name is [name], and my 23andMe account is under the email [email]. I am writing to declare that I do not agree to the new terms of service at https://www.23andme.com/legal/terms-of-service/.

bunnyfoofoo wrote:
Email is arbitrationoptout@23andme.com

verve wrote:
The email I got from 23andMe linked me to legal@23andme.com.

micromacrofoot wrote:
send it to both!

hughw wrote:
legal@23andme.com rejects my email with the message "Account disabled". So yeah, definitely cc the other address.

ceejayoz wrote:
Yeah, but the actual terms say arbitrationoptout@23andme.com. I wouldn't put it past them to say "ah but you didn't email the right address".

covercash wrote:
I emailed this one and cc'd the legal@ address just to be sure.

jascination wrote:
Ah, bad news, you cc'd legal@, which technically isn't directly emailing legal@. We have denied your claim and you will be shot from a rocket directly into the sun next Wednesday.

downWidOutaFite wrote:
Wow that is super hidden! They have a fake ToS to try to stop you from seeing the real one.

basch wrote:
Deeper in it has the other one.

I also set my future status to auto opt-out.
"I opt out of the updated terms and will stick to the current in place ones indefinitely, including any future changes. I declare myself immune from having to do anything like this again in the future and set my status to auto-opt-out."

pc86 wrote:
Is this legally binding? I'm extremely skeptical any time phrases like "immune" and "automatically" start making their way into legalese as it's usually something like those Facebook "don't use my photos" things your aunt reposts every few months.

snovv_crash wrote:
Give them a 30 day notice that it is binding unless they object?

jhardy54 wrote:
I don't give Facebook permission to use my pictures, my information or my publications, both of the past and the future, mine or those where I show up. By this statement, I give my notice to Facebook it is strictly forbidden to disclose, copy, distribute, give, sell my information, photos or take any other action against me on the basis of this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308-1 1 308-103 and the Rome statute). Note: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once, you have given the tacit agreement allowing the use of your photos, as well as the information contained in the updates of the state of the profile. Do not share. You have to copy.

ceejayoz wrote:
Those notices are bullshit, but https://www.23andme.com/legal/terms-of-service/#dispute-reso... says emailing an opt-out is correct in this case.

> 30 Day Right to Opt-Out. You have the right to opt-out and not be bound by the arbitration and class action waiver provisions set forth above by sending written notice of your decision to opt-out by emailing us at arbitrationoptout@23andme.com.
> The notice must be sent within thirty (30) days of your first use of the Service, or the effective date of the first set of Terms containing an Arbitration and Class Action and Class Arbitration Waiver section otherwise you shall be bound to arbitrate disputes in accordance with the terms of those sections. If you opt out of these arbitration provisions, we also will not be bound by them.

kstrauser wrote:
The difference here being that 23andMe has communicated a specific opt-out process. This isn't some sovereign citizen nonsense the person you're replying to came up with on their own. It's the official method you're supposed to use.

apwell23 wrote:
> If you do not notify us within 30 days, you will be deemed to have agreed to the new terms.

WTF. This is outrageous. And I had to find that email in my spam after I read this comment. Hope this POS company goes down in flames after this.

klipt wrote:
Lol that surely can't be enforceable. Imagine "you agree to give us your kidney if you don't opt out within 30 days" sitting in your spam folder. How is this different?

dylan604 wrote:
The last time I went rooting around in my SPAM folder, I came back a different person. I am forever changed by what I saw in there. I consider email totally broken in today's environment, but without a SPAM folder it would be closer to totally useless.

With the benefit of hindsight, the invention of SPAM should have told us all we needed to know about the future of the internet. A small percentage of users will do their damnedest to ruin it for everyone else. It's a sign that people cannot be trusted to _not_ use the tech for evil. I'm sure it foretold the corruption of social media as well. It is all SPAM's fault!

Log_out_ wrote:
But they hold your DNA hostage. Don't you want this company to exist on so nobody gets hurt. Oh, they peaked and leaked that's why the users get TOSsed.
Carry on, Sir, baldly into a classy action lawsuit against a bankrupt company where some zeroday employee will get the biggest payout by insurance ever.

apwell23 wrote:
Too bad to fail?

pbhjpbhj wrote:
Write back "you agree to pay me $10M in compensation unless you reply in 30 days" ...

dylan604 wrote:
*auto-replies are not accepted as a valid response

willcipriano wrote:
I wonder if they can use things like opt out data to find a way to screen for genetic markers of "troublemakers" or similar.

DNA driven targeted advertising that finds only the most docile consumers.

oldgradstudent wrote:
They can't tell you your eye color from their DNA data with any degree of confidence, and you seriously expect them to be able to find a marker of something as vague as "troublemakers"?!

adam12 wrote:
>> I wonder if

salawat wrote:
...And yet phrenology was a thing.

https://en.m.wikipedia.org/wiki/Phrenology

Never underestimate the willingness to engage in the day's new "not-yet-clearly-identified-as-quackery-pseudo science" when there is a buck to be made.

VHRanger wrote:
ADHD has genetic markers for example

dekhn wrote:
https://pubmed.ncbi.nlm.nih.gov/19619260/ """Nevertheless, it has been estimated that 74% of the variance in human eye colour can be explained by one interval on chromosome 15 that contains the OCA2 gene"""

That's about blue/brown, and realistically, there are a bunch of other genes which also have effects, as "eye color" is really a collection of phenotypes, not just a single one.

ballenf wrote:
I wonder what would happen if someone used one of the public email dumps and automated a mass opt-out of every email ever spotted in the wild.

neilv wrote:
23andMe's ToS change right now seems in poor taste at best, and I think they need to get smacked for that, by a judge and/or the public.
But I don't see how drunken anarchist tactics help, and that noise seems like it would be a counterproductive diversion.

dylan604 wrote:
wow, that's probably one of the most brilliant altruistic ideas I've read since buying other people's medical debt.

this is probably why the unsubscribe links require some interactive confirmation so that simply loading the page doesn't actually unsubscribe.

if this was doable, I'd put them above Troy Hunt in contributions to humankind ;-)

13of40 wrote:
Some email providers navigate to every URL you receive to check them for phishing and malware. That doesn't play well with one-click unsubscribe links.

dylan604 wrote:
sounds like the email providers are in the wrong here. quit reading my mail.

alephnan wrote:
I am logging in to my 23andme account to confirm my info and name registered there.

I forgot my password and did a password reset. They have a password requirement of 12 characters minimum. A bunch of security theater just to get hacked anyways

brokencode wrote:
So as soon as a company gets hacked once, all of their security measures get recategorized as security theater?

nofinator wrote:
I'm just surprised they aren't making you send a physical letter via USPS.

Some companies require that. Here is PayPal's process for example: https://www.paypal.com/us/legalhub/useragreement-full#table-...

tbalsam wrote:
They aren't the government, silly billy. Just because it's written down doesn't mean that it has value, it's just an (effectively unfortunate) deterrent, since oftentimes a court has to decide that it's illegal.

Hopefully our court system will get some more teeth vs other corporations soon.

kelthan wrote:
Automatically opting-in customers to a more restrictive TOS is pretty suspect, especially given the timing.
IANAL, but I'm pretty sure that a court would not allow that, given that the TOS was changed AFTER the breach and it's pretty clear that the company is trying to avoid legal issues after-the-fact.

I would expect the court would evaluate any breach under the TOS that was in effect at the time of the breach, rather than under a new (and arguably suspect one) that was put in place after it, arguably in an attempt to "rewrite history".

thereddaikon wrote:
And just because a TOS says something doesn't mean it will necessarily hold up in court. They aren't law.

kelthan wrote:
Right. Also, the practice of having a sticker on a shrink-wrapped box of software that read "By opening this package you agree to the Terms of Service contained within", where the TOS was inside the box that you needed to open the package to read, was deemed unenforceable back in the 90's. It's the reason that TOS' are now displayed as a pop-up during installation. Not that many more people actually read them before installing the software, but at least they are given the option to.

I suspect that a competent lawyer could fairly easily argue that this "automatic opt-in" is the same thing in a slightly different format.

dannyw wrote:
Federal Arbitration Act severely, and nearly completely, ties courts' hands around throwing out binding arbitrations.

Of course, if people don't accept the new terms, they are still bound by the old ones. But if you don't opt out...

kelthan wrote:
But having the company update a TOS that automatically removes rights from the consumer, after the consumer already agreed to a TOS that didn't previously restrict those rights is likely not going to hold up in court, either. Especially when the TOS changes were made after an event likely to trigger litigation.

This isn't a case of a minor change to consumer rights in the TOS like changing who would arbitrate a case.
It's a significant restrictive change to the rights of the customer in favor of the company. And it was made after a security breach that affected a huge portion of the company's clients which is likely to trigger lawsuits of the form that the TOS now seeks to restrict.

This is clearly a case of attempting to close the barn door after the horse was spotted in the next county over.

BobaFloutist wrote:
The good news is binding arbitration has some significant downsides for corporations - look up "mass arbitration".

throwaway092323 wrote:
They probably know that it doesn't hold water legally. The hope is to victim blame as much as possible so that fewer people sue them in the first place. The next step will be to "remind" people about the TOS that they totally agreed to.

lp0_on_fire wrote:
Exactly. Same reason construction vehicles have "Stay back 200 feet: not responsible for broken windshields" written on the back.

constantly wrote:
Yep. A small tangent for anyone who has seen these: they're very clearly not specifically enforceable. I got a window banged up by things falling off a truck with this signage, and when I called their "How Am I Driving" number the first thing they said was that they were not responsible, citing this sign. Fortunately that sign was non binding. :)

lelandfe wrote:
"If you can read this bumper sticker, the occupants of your vehicle agree to..."

Rayhem wrote:
"Private sign, DO NOT READ"

jstarfish wrote:
Georgia (state) takes it a step further. They wrote an exemption to the license plate law that allows dump truck owners to display the plate only on the _front_ of the vehicle. Makes it that much harder to hold them accountable.

sonicanatidae wrote:
It's like they don't know drivers and their willingness to make "for damn sure" the other side is made aware of their displeasure.
lol

arwhatever wrote:
"Not responsible for black eye if something falls from your vehicle and damages my vehicle."

andrei_says_ wrote:
Except that the truck driver has zero fault for the gravel on the road and the spacing between the tires and the mud guard of the truck his employer maintains.

Or did you mean you'd seek out the ceo of the truck company and give them a black eye?

sithlord wrote:
This is usually related to drivers who do not use the cover of their truck they are legally supposed to. So rocks fly out the top.

Tempest1981 wrote:
Or dump trucks, which leak out the seams as they go over bumps

arcanemachiner wrote:
Also mud flaps

londons_explore wrote:
And usually because the truck is over full too. For almost any load, if you fill the truck to the brim you have overloaded it. (Unless you're moving styrofoam)

93po wrote:
A driver has a legal obligation to not drive a vehicle that is spreading debris on the road, which they are often doing and that debris often comes from their construction sites. There are places that use track washing stations at entrances and exits to prevent this.

wongarsu wrote:
If it's gravel they are transporting it's obviously their fault, it's the responsibility of the driver to secure the load (with some blame falling on truck companies for providing insufficient equipment).

If it's random gravel from the road it's more understandable. But even then the driver is very much responsible for the mud guards on the truck they are operating, just as the police would write a ticket to the driver for worn down tires or broken lights.

candiddevmike wrote:
Does this apply to shopping carts in parking lots?

eweise wrote:
At least in California, it's illegal for anything to fall from a vehicle except water and bird feathers so not sure how that sign helps them.
| padjo wrote: | The point being that while it's not at all enforceable | there's a non zero number of people who will think it is | and not fight it | eshack94 wrote: | If I'm not mistaken, that's the point the person above | you was making. Those stickers on dump trucks that say | "Stay back 200 feet. Not responsible for broken | windshields" are worthless from a legal perspective. | | They do absolutely nothing to remove liability from the | truck driver/company. If a rock falls from their truck | and cracks your windshield, they absolutely are | responsible for any damages. | | Rather, their sole value is to _convince_ drivers that | the trucking companies aren't at fault, so that drivers | whose vehicles are damaged from falling rocks erroneously | elect not to press charges or pursue damages. | quickthrower2 wrote: | What about fallen leaves? | dotnet00 wrote: | or the "Warranty void if removed" stickers on electronics, | which are not legally enforceable in the US. | dylan604 wrote: | This looks like a perfect class action case. There's really | no physical harm or financial harm to the users, but a class | action might be the only way for it to hurt. But IANAL, and | probably have it all wrong in my head??? | underwater wrote: | Why is it that in the US individuals have to band together | and privately launch a class action to stop these types of | parasitic behaviours. The government is supposed to | represent the interests of citizens. | dylan604 wrote: | Lobbying. Citizens United. Disinterested populace. | | Do you need a longer list? | alistairSH wrote: | That's exactly why - we have a largely dysfunctional | federal government (and most state governments aren't | much better). | | The biggest downside is the lawyers take a massive chunk | of any award and the actual victims are often left with | very little. 
Or, even worse, the victims get worthless | coupons (like with many credit/PII breaches - the award | will be 1-year of credit monitoring from the company that | allowed the breach in the first place). | BrandoElFollito wrote: | This credit score system in the US always made me | curious. Say at some point I had a proposition to move to | the US and I asked the company offering the job how they | will ensure that I immediately get the best possible | score. They said it was not possible because it was a | personal score. | | I told them that I will certainly not start to build a | credit score at 40 yo so they will have to find someone | else. | dylan604 wrote: | I'm sure that as soon as they stopped crying and wiped | the tears away from their eyes, they had no problem | filling the spot. The question I have, were they crying | from laughing so hard at your retort. | losteric wrote: | It's not true that individuals need to band together. A | single individual can kick off a class action lawsuit, | private litigators can even kick start a lawsuit | themselves (though ultimately the lawsuit will bring in | impacted individuals). | | The idea of private litigators is to complement the | innate limitations of federal/state lawyers, by offering | profit as an incentive. | | Ideally yeah Americans would have stronger laws around | TOS, customer privacy, data handling and security, and | robustly funded state lawyers... but we don't. | | Practically speaking, such gaps are not unique to | technology. Every industry has this same problem, and | your awareness of those problems is reflective of the | general public's political engagement with this thread's | topic. So having gaps that private litigators address is | really quite normal and part of the incremental progress | of legislation and state enforcement. | wharvle wrote: | 1) Common law versus civil law. We rely a lot more on | private lawsuits than on regulator action. 
This is | probably a mistake, given that it _sure looks like_ it | adds costs to common law countries with little to no | benefit (and, arguably, harm) but it's what we have. | | 2) The consumer protection laws we do have, and the | bodies to enforce them, are relatively weak and | enforcement is spotty at best. The most recent serious | attempt to _kinda_ fix this is the formation of the CFPB, | and one of our two relevant political parties | deliberately prevents it from working when they hold the | White House (sample size of one, admittedly) and has been | trying to totally kill it, in the legislature or (better, | because it's popular and this is deniable) in the courts. | zlg_codes wrote: | > The government is supposed to represent the interests | of citizens. | | I'm not sure that's ever happened in this country. They | pay all sorts of lip service, but when challenged or | under pressure, the US makes a lot of excuses for leaving | its own people behind. | | Thankfully we can repay that favor and see how they like | it when there's nobody left to defend them. | baryphonic wrote: | Cornell's law school has a pretty good guide to these "adhesion | contracts" such as web TOS.[0] This alteration strikes me | (IANAL) as running the risk of being unconscionable. If the | contract change is unconscionable, then the new terms mandating | binding arbitration are void. | | Again, IANAL. Just my opinion as a citizen, not legal advice. | Seek competent legal advice before taking legal action. | | [0] | https://www.law.cornell.edu/wex/adhesion_contract_(contract_... | smcl wrote: | I'd say it's more than suspect, what's the point of agreeing to | a terms of service if they can change after you agree to them? | huytersd wrote: | They usually put that exact thing into the ToS. The right to | change it at any time. | smcl wrote: | Ahh ok this sounds like a thing that's OK in the USA but | not EU :-/ | raphman wrote: | Indeed. 
| | > "Besides the general requirements of 'good faith' and | 'balance', the EU rules contain a list of specific | contract terms that may be judged unfair. | | > Here are some situations where contract terms may be | judged unfair under EU rules: | | > [...] | | > - Terms which allow you to alter a contract | unilaterally unless the contract states a valid reason | for doing so." | | https://europa.eu/youreurope/business/dealing-with- | customers... | smcl wrote: | NOTE: instead of downvoting as a knee-jerk defense of | USA, just reflect on whether you'd benefit from some | slightly better consumer protection laws. | wongarsu wrote: | Just because they write that doesn't make it legally | enforceable. You can't agree to terms you don't know. Which | is why many services will haunt you to explicitly agree to | the new ToS when you next log in. | | And even if you click agree there are legal questions about | how much that can change about your past relationship, and | what kind of changes you can legally make. | wackycat wrote: | Right! If this were a law rather than TOS it's the whole ex | post facto situation. | everforward wrote: | They ought to be evaluated as if no TOS exists. Given the clear | intent to defraud customers by misrepresenting the contract | they were bound by, the claims should be evaluated under the | TOS most favorable to the plaintiffs. The most favorable TOS is | the one that's invalid because 23andMe didn't get anyone to | actually agree, ergo the claims are evaluated as if no TOS | exists. | | This is an attempt to undermine consumer protection laws, and | the government should treat it as a direct attack. Other | companies are watching. 
The government needs to send a clear | message that this won't be tolerated before it spreads, becomes | the status quo, and leaves many consumers believing that they | don't have any rights or protections. | | The head of legal should also be disbarred under American Bar | Association rule 1.2(d): | | > (d) A lawyer shall not counsel a client to engage, or assist | a client, in conduct that the lawyer knows is criminal or | fraudulent, but a lawyer may discuss the legal consequences of | any proposed course of conduct with a client and may counsel or | assist a client to make a good faith effort to determine the | validity, scope, meaning or application of the law. | | This reads as clear contract fraud in the factum [1]. Customers | are told that they're bound by new contract terms, despite that | 23andMe never got agreement, nor tried to get agreement, nor | even knows whether customers have read the new contract. I can't | fathom any other reasonable interpretation of the situation. | They created a fraudulent contract hoping to confuse other | entrants to prior versions of the contract, and intend to | benefit from that confusion. It seems clear to me. They are | attempting to undermine the legal system, and the ABA needs to | deal out swift punishment as one of the protectors of that | system. | | 1: https://en.wikipedia.org/wiki/Fraud_in_the_factum | pbhjpbhj wrote: | That should be a crime in itself. Looks a lot like fraud. | sonicanatidae wrote: | I would like to think they will be nailed to the wall, but the | current is that they will get a pittance fine, at best, before | accepting their well earned bonuses. | | I hate this timeline. | lozenge wrote: | > IANAL, but I'm pretty sure that a court would not allow that | | You and a lot of the people who replied to you seem to be | confusing what is unjust with what is illegal. You can't use | one to deduce the other. | Affric wrote: | Yep. 
Having defended contracts that legally the company could | novate the circumstances that led to the novation had to be | either outside of our control with a third party changing our | underlying costs or the first and second parties failing to | agree a new contract and a standard contract that was already | defined being put in place. This was later deemed unfair and | the standard contract was made much cheaper. Ha! | | My point being that in Australia my vibe is that this will be | looked upon in a very negative light by courts and any | regulators. | amelius wrote: | What if they sell their entire business to a subsidiary? | d3w4s9 wrote: | "a court would not allow that" | | I don't know where you have been the last few years, but I am | pretty sure things like that happen all the time, based on the | emails I received regarding ToS updates. And I have never heard | any company got into trouble in court. Maybe public opinion, | but that's it. | d2049 wrote: | I would have presumed that security-minded people, which includes | those who work in tech, would not so easily give away their | genome, and that most of 23andMe's customers are a slice of the | general population. But then I read about things like WorldCoin | and that people who go to startup parties jump at the chance to | give away scans of their retinas and I'm befuddled. Why would | anyone willingly do that? | xvector wrote: | I am a security engineer. When I signed up for 23andme, I | assumed with certainty that it would be hacked and all data | leaked at some point. I balanced that with the value of knowing | potentially important health/genetic bio markers. | | In the end, I valued knowing these bio markers above the | privacy of my genome. The former is actionable and I can use it | to optimize my health and longevity; the latter is of vague | value and not terribly exploitable outside of edge-case threat | models. | smarkov wrote: | Exactly my thoughts. 
| | I'd be more upset if a combination of my name and email/phone | number got leaked than if my DNA was made available public. | tuwtuwtuwtuw wrote: | Why would you be upset if your name+phone combo was leaked? | Mine is all over internet so wonder why you feel it would | be bad. | smarkov wrote: | I simply don't want to deal with spam or scams. If I'm | exposing my contact details it would be a separate set | that is dedicated to dealing with communication coming | from the public. | c7b wrote: | In retrospect, how do you so far value the utility of the | data you got? Did you take any actions based on them, do you | think you will be doing so in the future? | logifail wrote: | > I can use it to optimize my health and longevity | | Q: Is it a HN thing to be (obsessively?) interested in health | and longevity? | | Dying is a natural process. Sorry. | rfrey wrote: | It's a human thing. Not all humans, but many. | | > Dying is a natural process. Sorry. | | Avoiding dying, as best one can, is also a natural | behaviour. | averageRoyalty wrote: | We fight all sorts of natural processes. Most common forms | of death from a couple of centuries ago are solved. Our | average lifespan has increased dramatically. We fly around | in planes, travel to space, grow fruit out of season and | build giant cities. | | As a species, we're excellent at working around or ignoring | what's "natural". | basch wrote: | Or the reality is, if someone wants your dna they will follow | you around and grab a coffee cup. | mrweasel wrote: | Yes, yours specifically, but what if I want like 200.000 | people so I can find one that has a DNA profile similar to | mine, who could serve as a escape-goat or victim? | | Maybe I want to steal a kidney, or a child that could | reasonably pass as my own? 
| searine wrote: | >but what if I want like 200.000 people so I can find one | that has a DNA profile similar to mine | | There are already literally entire databases of millions of | peoples DNA freely available for scientific research. | mrweasel wrote: | Not with names and contact information I assume? | searine wrote: | If you were smart enough to hack 23andMe to get genetic | data to find a specific person, you'd be smart enough to | reconstruct identities from publicly available data. | You'd just have to cross-reference public anonymous | databases with public non-anonymous ones. Both of which | exist, and are free. | | So far, the only real use-case for doing this is people | trying to identify criminals from just DNA. | slingnow wrote: | You realize this data is often available for purchase or | eventually publicly leaked, right? You don't have to be | "smart enough" to do the hacking to benefit from it. | VBprogrammer wrote: | In the US, the bad actor here is much more likely to be | insurance companies who can tune their secret algorithms to | make sure no one with a gene tied to an illness which | blooms later in life can get affordable health care. | tfehring wrote: | In the US, health insurers can only price based on age, | location, and tobacco use. Setting health insurance | premiums or denying coverage based on any health-related | factors has been illegal for over a decade, and changing | that would be totally unviable politically. | | However, it's a significant risk for other types of | insurance including life, disability, and long term care. | imiric wrote: | Just because it's illegal, doesn't mean health insurance | companies don't find loopholes, and consider fines when | they get caught as the cost of doing business. See this | series of articles[1] for some of their criminal | shenanigans. 
| | It's more than likely that they would use genetic data to | deny insurance, and then settle the cases in court if | they happen to get sued, which statistically is probably | a rare occurrence. | | [1]: https://www.propublica.org/series/uncovered | joshstrange wrote: | > escape-goat | | Unless this is an online joke I don't get, I think you mean | "scapegoat". | mongol wrote: | Seems to be the same thing. | | "The concept comes from an ancient Jewish ritual | described in the Bible, specifically in Leviticus 16. | During the Day of Atonement (Yom Kippur), two goats were | chosen: one to be sacrificed and the other to be sent | into the wilderness, symbolically carrying away the sins | of the community. This second goat was called the | "Azazel" or the "scapegoat". | | Over time, the term "scapegoat" evolved to have a more | general meaning in English. It came to refer to a person | or group that is unjustly blamed for the problems or | misfortunes of others, reflecting the original ritual in | which the goat was symbolically burdened with the sins of | others before being sent away. " | FireBeyond wrote: | > But then I read about things like WorldCoin and that people | who go to startup parties jump at the chance to give away scans | of their retinas | | Well, in the case of WorldCoin, I think there's still some | pretty significant questions of why they made Africa a | prominent launch market (well, there are some reasons), but in | some places they repeatedly increased incentives until they | were offering people there _up to a month's income_ to give | their scans. That might not be a lot of money to a big startup, | but is telling that they had to offer that much to get some | people to "opt" in. | mrweasel wrote: | The same people believed crypto-currency, infinite growth, | social media and many other things. At least 23andMe provided | actual value, to some at least. 
| | What I find strange is that 23andMe did not automatically | delete data after 30 days, or at the very least took it | offline, only to be available on request. Notify people that | their results are available and inform them that the data will | be available for 30 days after the first download. This is | potentially really sensitive data and based on 23andMe's | response, they seem to be aware of that fact. So why would they | keep the data around? That seems fairly irresponsible and | potentially dangerous to the company. | geoelectric wrote: | Their service is selling you a dashboard over your genetic | data that's continually updated for new gene correlation | studies and ancestry matches. It's not really the one and | done "Promethease" style analysis service you're thinking of. | vik0 wrote: | What actual value did 23andMe and similar services offer in | the first place? | | Quenching someone's curiosity about where their ancestors are | from? Do we even know how accurate it is at doing that? | jstarfish wrote: | Ancestry data, but also health markers. I.e. you're | probably going to get macular degeneration, Tay-Sachs and | cervical cancer. | | Once I enabled the social graph thing I was immediately | hounded by distant relatives who I assume want to chop me | up for parts. | | > Do we even know how accurate it is at doing that? | | The police have closed a few cold murder cases based on | adjacency (once Parabon got their hands on samples), so it | must be pretty accurate. | | Anecdotally, my profile told a radically different story | about our ancestry than my family's vague lore led me to | believe. 23andMe's data made way more sense. | dekhn wrote: | If you go back in time, 23andMe was founded to collect | genetic data with the goal of using that data to improve | the health condition of humanity. 
| | Over time it became clear that 23andMe's data set had | limited predictive ability for health for a number of | technical reasons (previously, dahinds, one of their | statistical geneticists, has defended the quality of their | predictions on HN, you can search for his comments. I | suspect he can no longer comment on HN because of 23&Me's | security debacle). | | However, around that same time, 23&Me's dataset turned out | to be excellent for ancestry analysis. It's generally | considered fairly accurate (not just 23&Me- the entire | process of ancestry through snp genotyping works really | well). | | I never did 23&Me but my dad did- and he learned he has | children all around the US (half brothers and sisters of | mine) from some samples he provided some 45+ years ago. | Both my dad and those people gained value from making that | connection. It's interesting because my dad had already | done most of the paper research (including going to SLC to | visit the Mormon archives) to identify our obvious | ancestors, and these relatives would never have shown up. | BobaFloutist wrote: | Locating secret/hidden family is kinda nice. | cookie_monsta wrote: | I just wanted to confirm my connection to royalty because | I've always felt, y'know... special | Dma54rhs wrote: | Poor and desperate people don't have the luxury thinking of | these first world privacy issues. There's a reason Altman | launched it where they did. | barbazoo wrote: | That explains the WorldCoin but not 23andme, people | _voluntarily_ paid for that so they couldn't have been that | poor. | switchbak wrote: | You didn't need to supply accurate information, this isn't a | bank here with any validation of your identity. | bogwog wrote: | You can at least change your name. You can't change your DNA, | so when companies start selling that data it will be easy to | detect when you give out fake information. | | The only missing piece is a way to scan your DNA as part of a | login form. 
| hot_gril wrote: | What good is my DNA without a real identity attached to it? | PH95VuimJjqBqy wrote: | It will be a cold day in hell before I ever submit to dna | analysis of this nature. | | That doesn't stop my family from doing so, but I sure as hell | will never. | weebull wrote: | So they've basically done it for you. Primary sensitive | information is about predisposition to hereditary disease. | That's the same for you and your siblings. | PH95VuimJjqBqy wrote: | I understand that but I can't control them so I must draw | the line where I'm able. | 93po wrote: | The long term premise of WorldCoin is to not store retina scans | in any way, and scanning stations in the US already do not do | so. | itronitron wrote: | 'long term premise' | latentcall wrote: | I was 24 in 2015 and not in tech or as security minded as I am | now when I received the test as a Christmas present. Obviously | now I wouldn't have dared do it, but it's too late. Lacked the | foresight at the time. | hot_gril wrote: | What's the implication here, that tech people should know | better? I just don't care a ton about my privacy. At least that | makes me not a hypocrite for working at a company that profits | from user data (like many tech ones do). | dekhn wrote: | I'm familiar with security (I keep a copy of Applied | Cryptography on my shelf for "fun reading") and tech, here's a | copy of my whole genome: https://my.pgp-hms.org/profile/hu80855C | Note it's a full human genome, far | more data than a 23&Me report. You can download the data | yourself and try to find risk factors (at the time, the genetic | counsellors were surprised to find that I had no credible | genetic risk factors). | | Please let me know in technical terms, combined with rational | argument, why what I did was unwise. 
Presume I already know all | the common arguments, evaluated them using my background | knowledge (which includes a PhD in biology, extensive | experience in human genome analysis, and years of launching | products in tech). | | I've been asking people to come up with coherent arguments for | genome secrecy (given the technical knowledge we have of | privacy, both in tech and medicine) and nobody has managed to | come up with anything that I hadn't heard before, typically | variations on "well, gattaca, and maybe something else we can't | predict, or insurance, or something something". | yborg wrote: | >well, gattaca, and maybe something else we can't predict, or | insurance, or something something | | Sure, if you don't believe in any of the potential negative | scenarios, anything goes. You could also post your full name, | SSN, DOB, address, etc. here if you are secure in the | knowledge that no harm could ever come of it. | dekhn wrote: | I think we already know for sure that posting a combination | of full name, SSN, DOB, and address is a reliable way to | provide scammers with the necessary information to commit | fraud. | BobaFloutist wrote: | I think what they're saying is that name (probably not), | SSN (almost definitely), DOB (maybe?) and address | (probably) have _known_ , _confirmed_ risks. There are | current ways that bad actors can abuse that information. | | Genome is still pretty theoretical, except getting caught | for committing crimes. | dekhn wrote: | I just checked, and using my True Name | (https://en.wikipedia.org/wiki/True_Names) I can easily | find my DOB, prior addresses and phone numbers, and using | that information, it's likely I could make a reasonable | guess for the SSN. | BobaFloutist wrote: | _it 's likely I could make a reasonable guess for the | SSN._ | | It _is_? I mean then why are we bothering to protect | anything, this shit is all super available for any given | person. 
| dekhn wrote: | SSNs are fairly predictable- if you know region of birth | and DOB you can get awfully close, for a wide range of | the population. | | https://www.pnas.org/doi/10.1073/pnas.0904891106 | | Konerding's 12th law, amended: "There is no bit of | pseudonymized data which cannot be de-anonymized by a | sufficiently motivated MIT grad student" (not entirely | joking; see https://archive.nytimes.com/bits.blogs.nytimes.com/2015/01/2...) | rfrey wrote: | The question is, what _are_ the potential negative | scenarios. | BobaFloutist wrote: | I'm gonna start making clones of you. | dekhn wrote: | I'm fine with that, but merely having my genome sequence | doesn't enable you to do that. | mtremsal wrote: | For one thing, this leaks a portion of the genome of your | relatives, which is a clear breach of their privacy. Whether | you personally deem it sensitive or not, genetic data is | meant to remain confidential. | dekhn wrote: | I don't believe making my genome available, which contains | similarity to my relatives, is a breach of their privacy. | | I think part of my point is that DNA, by its nature, simply | cannot remain confidential, and that thinking we can keep | it that way is just going to lead to inevitable | disappointment. | mtremsal wrote: | First, some people extend your argument from DNA to | everything and say "I believe that privacy in the modern | world is unrealistic"; that doesn't make the argument | applicable to the rest of us. | | Second, whether DNA can or cannot remain confidential is | yet to be seen, but feasibility is certainly orthogonal | to whether it ought to be, which is the point at hand. | | Third, whether you believe it's a breach of privacy to | leak part of your relatives' DNA is beside the point. | It's their decision to make, since it's their personal | data and deemed confidential under most privacy | frameworks, and therefore a breach. 
| dekhn wrote: | To your first point: Yes, I generally extend my argument | to more or less everything in the modern world. Put your | garbage out on the street: reporters can rifle through it | looking for evidence. | | To your second point: we already know DNA can't remain | confidential (there is no practical mechanism by which | even a wealthy person could avoid a sufficiently | motivated adversary who wanted to expose their DNA). | That's just a fact, we should adjust our understanding | based on that fact. | | Most important: sharing _my_ genomic information with the | world is not a breach of any privacy framework I'm aware | of and subject to (US laws). Do you have a specific | framework or country in mind? | downWidOutaFite wrote: | That's not the same risk because 23andme also has name, | address, email. | | One risk if you have PII+genome is that a technically | sophisticated entity can determine if you've physically been | in a location. Also with an extensive PII+genome database | they could find your family, for example for blackmail | purposes. | | Another risk is that a health insurance provider could deny | you based on potential health issues they find in your | genome. | hiatus wrote: | Technically, even without PII an adversary could determine | that you have been in a physical place, they just wouldn't | know what to call you. | dekhn wrote: | Yes, but technically sophisticated entities can also use | methods that require less effort. | | https://xkcd.com/538/ | zlg_codes wrote: | That's your defense? You asked for actual risks and when | shown real, plausible ones recede into XKCD quotes. | Clearly just a spoiler. | dekhn wrote: | What real, actual risks which I didn't already know about | have been shown in this thread? | | The point is that while you can use DNA to identify | people in most cases, sufficiently motivated adversaries | have more effective, cheaper, lower-technology approaches | that they will use first. 
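The cross-referencing that searine and dekhn describe above (a pseudonymized genotype table linked to a table that carries names, the "sufficiently motivated grad student" attack) is a plain linkage attack. The example below is added here and is not code from the thread or from 23andMe; every record, name, site identifier and threshold in it is constructed for illustration. A real array carries orders of magnitude more sites than the ten used here, and the thresholds (at least six compared sites, at least 97% identical calls) are arbitrary assumptions chosen so the edge cases are visible: no-calls are skipped rather than counted as mismatches, a record with too few called sites is never linked even when everything it has agrees, and a pseudonym that fits two named people equally well (identical twins, or a duplicated sample) is reported as ambiguous instead of being assigned to one of them.

```python
"""Linkage attack on a pseudonymized genotype table (constructed example).

Not the thread's or 23andMe's code. Site names, genotypes, pseudonyms,
people and thresholds are all made up for illustration.
"""
from typing import Dict, List, Optional, Tuple

NOCALL = "--"  # site not assayed or failed QC; carries no information

# Placeholder site identifiers (not real rsIDs), same order in every record.
SITES = [f"site_{i:02d}" for i in range(1, 11)]

# Pseudonymized "research" table: pseudonym -> genotype call per site.
ANON: Dict[str, List[str]] = {
    "P-7f3a": ["AA", "GA", "CT", "TT", "GG", "AC", "CC", "AT", "GT", "AA"],
    "P-12c9": ["AG", "GG", "CC", "--", "GG", "AA", "CC", "AA", "--", "AG"],
    "P-e0b1": ["AA", "--", "--", "TT", "--", "--", "CC", "--", "--", "--"],
    "P-44d2": ["AA", "GG", "CT", "TT", "GG", "AC", "CC", "TT", "GT", "AG"],
    "P-9a17": ["AG", "AG", "CC", "CT", "GT", "AC", "CG", "AT", "GG", "AA"],
}

# Table with names attached (e.g. a leaked consumer database), same sites.
NAMED: Dict[str, List[str]] = {
    "Alice Example": ["AA", "AG", "CT", "TT", "GG", "AC", "CC", "AT", "GT", "AA"],
    "Bob Example":   ["AG", "GG", "CC", "CT", "GG", "AA", "CC", "AA", "TT", "AG"],
    "Carol Example": ["AA", "GG", "CT", "TT", "GA", "AC", "CC", "TT", "GT", "AG"],
    "Erin Example":  ["AG", "AG", "CC", "CT", "GT", "AC", "CG", "AT", "GG", "AA"],
    "Fay Example":   ["AG", "AG", "CC", "CT", "GT", "AC", "CG", "AT", "GG", "AA"],
}


def norm(gt: str) -> str:
    """Unphased calls: 'AG' and 'GA' are the same genotype."""
    return gt if gt == NOCALL else "".join(sorted(gt))


def concordance(a: List[str], b: List[str]) -> Tuple[int, int]:
    """Return (identical, compared) over sites called in both records."""
    identical = compared = 0
    for x, y in zip(a, b):
        if x == NOCALL or y == NOCALL:
            continue  # a no-call is missing data, not evidence of mismatch
        compared += 1
        if norm(x) == norm(y):
            identical += 1
    return identical, compared


def nearest(record: List[str], named: Dict[str, List[str]]) -> Tuple[str, float, int]:
    """Best-scoring named entry as (name, identity_fraction, sites_compared)."""
    best: Optional[Tuple[str, float, int]] = None
    for name, genotypes in named.items():
        ident, comp = concordance(record, genotypes)
        frac = ident / comp if comp else 0.0
        if best is None or frac > best[1]:
            best = (name, frac, comp)
    assert best is not None
    return best


def link(anon: Dict[str, List[str]], named: Dict[str, List[str]],
         min_compared: int = 6, min_identity: float = 0.97) -> Dict[str, Optional[str]]:
    """Map each pseudonym to exactly one name, or None.

    None covers three cases: too few jointly called sites to say anything,
    no named entry above the identity threshold, or more than one entry
    above it (ambiguous, e.g. identical twins or a duplicated sample).
    """
    result: Dict[str, Optional[str]] = {}
    for pseud, record in anon.items():
        hits = []
        for name, genotypes in named.items():
            ident, comp = concordance(record, genotypes)
            if comp >= min_compared and ident / comp >= min_identity:
                hits.append(name)
        result[pseud] = hits[0] if len(hits) == 1 else None
    return result


if __name__ == "__main__":
    links = link(ANON, NAMED)
    for pseud in ANON:
        name, frac, comp = nearest(ANON[pseud], NAMED)
        print(f"{pseud}: linked={links[pseud]!s:14} nearest={name} "
              f"identity={frac:.2f} over {comp} sites")
```

Run as a script it prints one line per pseudonym: P-7f3a and P-12c9 are re-identified (the second one despite two no-calls), P-e0b1 has only three usable sites and stays unlinked even though all three agree with two different people, P-44d2 comes closest to Carol at 0.90 but stays below the threshold, and P-9a17 fits both Erin and Fay and so is reported as ambiguous rather than guessed.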
| hot_gril wrote: | One non-theoretical risk is that you or a relative leaves DNA | on the scene of a crime you didn't commit (or?), and this | makes you a suspect. This is also assuming a real identity is | tied to the DNA. | drcode wrote: | Fully agree with you here. I can understand why people argue | "We must do everything possible that no human being ever | finds out anything medical-related about another human being, | ever" | | But that is a value judgement, and I believe it is one that | comes at a great cost to society- I wouldn't be surprised if | >50% of the cost of medical care is directly or indirectly | due to this attitude, and that medical progress has been | slowed immensely for the same reason. | | If we could make medical data more open, it would greatly | benefit the vast majority of people. OF COURSE it is true | that some smaller number of other people/patients are helped | by the existing medical secrecy system. I fully admit this is | a trade-off, where we have to decide what values are more | important. | | (source: Am medical doctor) | zlg_codes wrote: | This is disgusting. You want people knowing the maladies | they got treated, and how? | | There's the old saying of knowledge being power. If you | want this information about people being spread, then | you're advocating having power over these people over that | information. | | It takes very little imagination to see how humans would | misuse this data. | zlg_codes wrote: | Why do you think people are entitled to have genome data on | you? The morality is flipped. Privacy is recognized as a | core, natural right. Others have to prove their onus for | wanting your biological data. Trusting others is a moral and | character weakness, because you have no guarantees as to how | that data will be used. Or more specifically, what new ways | to analyze and take advantage of that data will become. 
| | I think actuaries will care an awful lot about this data and | could use it to negatively influence your risk factor, and | thus insurance premiums. | dekhn wrote: | I think if your prior includes "trusting others is a moral | and character weakness" then I don't think it's useful for | us to discuss this topic further. | | As for actuaries, in the US, the GINA law prevents health | insurance companies from using this data. I think legal | protection is much more important than attempting to hide | my DNA. | zlg_codes wrote: | > I think if your prior includes "trusting others is a | moral and character weakness" then I don't think it's | useful for us to discuss this topic further. | | I agree, if you can't justify trust with reason then it's | hard to trust your argument that relies on trust. Trust | can be broken, and your stance doesn't address that | concern. | sunnybeetroot wrote: | The law could change, allowing the usage of your data | without your consent. | sedatk wrote: | 1) You can be subject to discrimination based on your | ethnicity, race, or health related factors. That's especially | a problem when the data leaks at scale as in 23andme's case | because that motivates the development of easy-to-search | databases sold in hacking forums. The data you presented here | would be harder to find, but not the case with mass leaks. | | 2) It's a risk for anything that's DNA-based. For example, | your data can be used to create false evidence for crimes | irrelevant to you. You don't even need to be a target for | that. You can just be an entry in a list of available DNA | profiles. I'm not sure how much DNA can be manufactured based | on full genome data, but with CRISPR and everything I don't | think we're too far away either. You can even experience that | accidentally because the data is out there and mistakes | happen. | | 3) You can't be famous. If you're famous, you'd be target of | endless torrent of news based on your DNA bits. 
You'd be | stigmatized left and right. | | 4) You can't change your DNA, so when it's leaked, you can't | mitigate the future risks that don't exist today. For | example, DNA-based biometrics, or genome simulation to a | point where they can create an accurate lookalike of you. | They're not risks today, but that doesn't mean they won't be tomorrow. | | There are also additional risks involved based on the country | you're living in. So, you might be living in a country that | protects your rights and privacy, but it's not the case with | the others. | rand1239 wrote: | > Why would anyone willingly do that? | | Maybe they accept the possibility that they die one day? | p_j_w wrote: | > But then I read about things like WorldCoin and that people | who go to startup parties jump at the chance to give away scans | of their retinas and I'm befuddled. | | I'm befuddled that anyone thinks Sam Altman is the least bit | trustworthy after WorldCoin. | akira2501 wrote: | > I read about things like WorldCoin and that people who go to | startup parties jump at the chance to give away scans of their | retinas | | Is this actually happening, or is that just what the stories | say? | josefritz wrote: | There is no retcon possible from a TOS update. They're a soft | target for a class action lawsuit right now and they know it. | kryptiskt wrote: | I have a vague recollection that some company fairly recently | squirmed when it got tons of arbitration cases. | | It would be really funny if 23andMe got dragged to the arbitrator | a million times. | nielsbot wrote: | I think there was a general pattern of people striking back | against mass forced arbitration by saying "ok, that's fine, | we'll _all_ go to arbitration at once". And companies ended up | having to foot the bill for hundreds or thousands of | arbitration cases... | | Newer arbitration clauses that I've seen now cover this | scenario.
Something like "If many identical cases come forward | at the same time, you agree to combine your cases in a single | arbitration action" | | Looks like CR wrote about it: | | https://www.consumerreports.org/money/contracts-arbitration/... | darklycan51 wrote: | I don't feel bad for anyone who sent their DNA to a private | capitalistic company. It was always obvious this was gonna | happen. Especially when these companies paid so much to | politicians like Bernie Sanders to appear on their ads to seem | "benign". | nazgulsenpai wrote: | Do you feel bad for people who had relatives use the service | without them knowing, making them party even though they did | not consent? | RIMR wrote: | 23andMe thanks you for your lack of sympathy for their victims. | helsinkiandrew wrote: | Forcing customers to use arbitration hasn't always been in the | company's interest - if only a fraction of the 7M affected | customers started the arbitration process it could cost a lot | more than a class action suit. | | Didn't Uber drivers get a large payment from them in this way? | | https://www.reuters.com/legal/litigation/uber-loses-appeal-b... | kelthan wrote: | Trying or arbitrating a large number of cases individually is | far more expensive than litigating a class action suit. But | only if the people pushing the arbitration hold firm, rather | than agreeing to the initial settlement offering. | freeAgent wrote: | I once looked into arbitration against a local company based | on their ToS. Initiating arbitration would have cost me | several hundred dollars, not to mention time, which was more | than my dispute was worth. | zlg_codes wrote: | Arbitration almost always favors the company; why else would | they push for arbitration instead of respecting your rights? | someotherperson wrote: | An alternative take is that they changed their terms of service | so that if/when this happens again they'd have more control over | the fallout.
I think they're totally expecting to get railed for | the last one and are preparing for it, but this doesn't mean they | can't prepare for the future as well. I imagine other providers | will also revise their TOS. | tjpnz wrote: | Which companies offer similar services sans all the bullshit and | privacy issues? I'm not interested in finding long-lost relatives | and even less interested in having my data sold or shared with | LEO. | emddudley wrote: | I have tried to quickly diff the previous TOS with the new one | and I wasn't able to identify any big changes. I would like to | know what the actual changes are. I see a lot of articles | criticizing the new TOS, but no one is showing the actual wording | differences. | | Does anyone have an actual diff? | slingnow wrote: | Why do the actual work when you can just come to the HN comment | section and rant about what you think it means! | e28eta wrote: | Comparing: | | https://www.23andme.com/legal/terms-of-service/full-version/... | | https://www.23andme.com/legal/terms-of-service/full-version/ | | Two things jump out at me, as a layman: | | insertion into the middle of Limitation of Liability "WITHIN | THE LIMITS ALLOWED BY APPLICABLE LAWS, YOU EXPRESSLY | ACKNOWLEDGE AND AGREE THAT 23ANDME SHALL NOT BE LIABLE FOR ANY | DAMAGES" | | Lots of changes to the Dispute Resolution, and new content re: | Mass Arbitration. However, the previous ToS still had binding | arbitration clauses, and stuff about class actions. | tokai wrote: | Meh, not really binding in the EU, as it's not done in good faith | and it disadvantages consumers. I see no reason to write them and | tell them you don't agree, if you are an EU citizen. | pizzalife wrote: | I interviewed for a security position there a few years ago, but | they cut the role before the interview process was over. Kind of | feels like they didn't prioritize security - you reap what you | sow.
| tamimio wrote: | Gladly, I never used any of these services, not just knowing my | ancestors' origins will add zero value to my life, but also I | don't trust any cloud services to store my passwords or notes, | let alone a biometric I will never be able to change, alive or | not. | TheBlight wrote: | The slightly annoying thing with this data, though, is that | even if you don't provide your data your privacy can be | violated via any relatives' data that did decide to use the | service. | FredPret wrote: | Reminds me of Paypal that keeps spamming me with Terms of Service | update emails. It doesn't exactly build trust. | SpaceManNabs wrote: | What exactly was breached isn't clear... Very worrying | eadler wrote: | In case anyone is interested I've been compiling as much factual | information on arbitration here. Not yet complete but reasonably | useful and well sourced | | https://grimreaper.github.io/arbitration/docs/problems/ | ashtronaut wrote: | Thank you, this is really helpful! | robg wrote: | Just email to say you opt out. | TheCaptain4815 wrote: | I almost laughed out loud when I got the email a few days after | the leak. There's no way a company can just change the TOS AFTER | a major leak, right? | dekhn wrote: | Yes, companies can change TOS when they want regardless of what | happened before, so long as they weren't legally prevented from | doing so. | Fischgericht wrote: | As someone living in the EU, these kinds of things puzzle me a | lot. | | How can a legal system exist, where it's possible to deny a | (consumer) contract party access to the legal system and law of | the land? | | (In the EU we do have arbitration clauses, but they are only | legal between businesses and tightly regulated. Arbitration | "courts" must be neutral. And you cannot put them into ToS.) | | Also, I was under the impression that all sane legal systems on | this planet are based on the broad principle of "pacta sunt | servanda" = "agreements must be kept".
One party to a contract | can never change the contract without consent from the other | party. | | We do have the concept of "silent approval" for consumers over | here, too, but that only applies to minor changes to terms that | are not a "surprising" change to the consumer. It recently was | ruled that for example Netflix increasing prices without active | consent is not legal in the EU. There is not much that is not | regarded as "surprising" by courts here. "You are not allowed to | sue us after having lost your personal data, then lying about it" | clearly would be regarded as surprising. | | In summary: Every aspect of that whole 23andMe story would be | impossible in the EU. The amount of data they collected, the way | they stored it, the way they tried to hide the breach, and them | trying to prevent their customers from getting access to the law. | | I wonder how on earth the US legal system could deteriorate so | much that such a story becomes possible. | | [Disclaimer: I am not bragging about living in the EU. I did not | have any influence on my place of birth. I do not wish to imply | that the EU is "superior" to the US. I am just trying to give an | outside perspective.] | pyuser583 wrote: | The real issue is that lawyers can "try" anything with almost no | consequences. | | I doubt this will work. But there's "no harm in trying." | Fischgericht wrote: | Over here there are "consumer associations" that have the | right to sue in such cases in the name of all consumers. That | works quite well. | | Due to this, traditionally those things are not even tried. | | That has changed with (mostly US) businesses entering the EU. | A good example is booking.com, who again and again and again | invented new dark patterns to then get sued for it, making it | clear those are illegal. | | We had the same with the airline industry with their | advertised prices not matching the actual final price with | all taxes and made-up fees.
But by now even Ryanair has given | up and no longer tries those tactics. | | But there are no big financial penalties for losing such | cases in court. I guess it's the bad PR these court cases | generate every time that makes those businesses after a while | give up trying to screw over consumers... | denton-scratch wrote: | > I wonder how on earth the US legal system could deteriorate | so much that such a story becomes possible. | | My impression is that everything in the USA has become | lawyerized. Politicians are all lawyers. If you have assets of | more than a mill, you have a legal team. You can't move for | lawyers. I'm watching stories about a man facing 90 charges, | who is still running for president (and has a good chance of | winning). All of his co-accused are lawyers. | | You'd think that, with so many lawyers around, it should be | _really quick_ to get justice. But it's the opposite; | apparently, the more lawyers are involved, the longer justice | is delayed. | jakedata wrote: | 23andMe would like to point out that hackers already have access | to 99.9% of your DNA right now. That means they are at most only | 0.1% at fault for anything else. | lowbloodsugar wrote: | Ok, but where is the class action? | jbombadil wrote: | I honestly don't understand how "If you don't opt out within 30 | days you'll be bound to the new TOS" works. | | I have heard of two big "trends" of how people think about legal | contracts: | | [1] What is written there and what both parties agreed to is the | truth. | | [2] A contract is supposed to be a "meeting of the minds". If | it's proven that one party was being deceitful, then the contract | (or that part) doesn't hold. | | If we go by [1], then the company can change the TOS by sending | me a notice with "if you don't opt out, then you're bound by | these terms"... but so should I.
I should be able to send a | letter to 23&me saying "if you don't disagree these are the new | terms: if my information is ever hacked, you owe me 10M dollars | in damages" | | If we go by [2], then sending a notice like that is absolutely | invalid. They have no way of proving that I read that notice | within 30 days, so there was never a "meeting of the minds". | pkilgore wrote: | Exporting raw genetic data is conveniently "temporarily | unavailable" at the time this bullshit is happening, which | is something I'm almost certain discovery would prove is an | intentional choice by them. | stuaxo wrote: | Will this work, I wonder? | theGnuMe wrote: | Huge HIPPA violation as well. | deathanatos wrote: | > _Huge HIPPA violation as well._ | | It's _HIPAA_. | | IANAL: And unless 23andMe meets the HIPAA definition of a | "covered entity", which I'm not sure they do, they're not going | to be covered by HIPAA. | theGnuMe wrote: | Right, but the hackers are not covered entities. | deathanatos wrote: | That's not how HIPAA works. 23andme would be, or would not | be, the covered entity, and the entity bound by HIPAA. | deegles wrote: | I got downvoted in another thread for suggesting that a company | might do exactly this | master_crab wrote: | I'll give you an upvote if you link it! | hsuduebc2 wrote: | Exactly. This behavior is why I'm never gonna send my DNA to any of | these services. Certainly not US. I hope that the EU will have some | regulations for this soon. | henry2023 wrote: | About 5 or 6 years ago, I thought about sequencing my DNA with | them. I'm glad I didn't seriously consider it or actually go | through with it. | benchtobedside wrote: | Worth noting that 23andMe, plus many other low-cost | genealogy/health-focused companies do not sequence your DNA. | | Instead, they perform what is called a genotyping microarray | test, which looks at less than 0.1% of your genome.
| | To quote from 23andMe: "In order to be genotyped, the amplified | DNA is "cut" into smaller pieces, which are then applied to our | DNA chip (also known as a microarray), a small glass slide with | millions of microscopic "beads" on its surface. Each bead is | attached to a "probe," a bit of DNA that matches one of the | genetic variants that we test. The cut pieces of your DNA stick | to the matching DNA probes. A fluorescent label on each probe | identifies which version of that genetic variant your DNA | corresponds to." | | Source: https://customercare.23andme.com/hc/en-us/articles/227968028... | bulbosaur123 wrote: | As a customer from the EU who has been affected by this, how do I sue | them? Can I join the class action? | | Didn't use the ancestry feature, but from what I understood my data | has been leaked as well. | Imnimo wrote: | Well, at least 23andMe promises that it also can't participate in | a class-action lawsuit against me. So that's pretty fair. | WalterBright wrote: | "reports revealing that attackers accessed personal information | of nearly 7 million people -- half of the company's user base -- | in an October hack." | | Breaking into a system should _never_ provide access to 7 million | people. The database should be divided up into multiple "cells", | each with its own separate access restrictions. | | It's the same idea that spy networks use to prevent one | compromised spy from bringing down the whole system. Or you can | think of it like watertight compartments in a battleship. | TaylorAlexander wrote: | I haven't logged in in years. Is it possible for me to cancel my | service without agreeing to updated terms? | jnsaff2 wrote: | Sociopaths. | b800h wrote: | I'm in the UK and I've not received a notification that the terms | have changed. Is this because our law is more consumer-friendly?
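WalterBright's "cells" idea above, as an added example that is not part of the thread and not 23andMe's own code: a toy Python record store that places each user record in one of N cells, encrypts each cell under its own derived key, and accepts only credentials scoped to a single cell. The master secret, the HMAC-based toy stream cipher, the hash-based record placement and the `ancestry-svc` service name are assumptions for illustration (a real deployment would keep the root key in a KMS/HSM and use a standard AEAD); the point it shows is that `blast_radius` with one stolen credential is one cell's worth of records, not the whole user base.

```python
"""Compartmentalised record store: a toy model of per-cell access restriction.

Every record lives in exactly one cell.  Each cell has its own key and its own
set of credentials, and there is deliberately no credential that spans cells.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Iterable

# Assumption: stands in for a root key held in a KMS/HSM, never in app memory.
MASTER_SECRET = os.urandom(32)


def derive_cell_key(master: bytes, cell_id: int) -> bytes:
    """Per-cell key via HMAC-SHA256 over a cell label (simplified HKDF-style derivation)."""
    return hmac.new(master, b"cell-key:%d" % cell_id, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream built from HMAC-SHA256; illustrative only, not for production."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # zip truncates to len(data)


@dataclass(frozen=True)
class Credential:
    """Service credential scoped to exactly one cell."""
    service: str
    cell_id: int
    token: bytes


@dataclass
class CellStore:
    n_cells: int
    _cells: dict = field(default_factory=dict)   # cell_id -> {user_id: (nonce, ciphertext)}
    _tokens: dict = field(default_factory=dict)  # cell_id -> set of SHA-256(token) for valid creds

    def cell_for(self, user_id: str) -> int:
        """Deterministic placement (assumption); a real system would salt or hide this mapping."""
        return int.from_bytes(hashlib.sha256(user_id.encode()).digest()[:4], "big") % self.n_cells

    def put(self, user_id: str, record: bytes) -> None:
        cell = self.cell_for(user_id)
        nonce = os.urandom(16)
        ct = keystream_xor(derive_cell_key(MASTER_SECRET, cell), nonce, record)
        self._cells.setdefault(cell, {})[user_id] = (nonce, ct)

    def issue_credential(self, service: str, cell_id: int) -> Credential:
        token = os.urandom(32)
        self._tokens.setdefault(cell_id, set()).add(hashlib.sha256(token).digest())
        return Credential(service, cell_id, token)

    def get(self, cred: Credential, user_id: str) -> bytes:
        """Read one record; refused unless the credential is valid for that record's cell."""
        cell = self.cell_for(user_id)
        if cred.cell_id != cell:
            raise PermissionError(f"{cred.service} credential is scoped to cell {cred.cell_id}, "
                                  f"record is in cell {cell}")
        if hashlib.sha256(cred.token).digest() not in self._tokens.get(cell, set()):
            raise PermissionError("unknown or revoked credential")
        nonce, ct = self._cells[cell][user_id]
        return keystream_xor(derive_cell_key(MASTER_SECRET, cell), nonce, ct)

    def records_in_cell(self, cell_id: int) -> int:
        return len(self._cells.get(cell_id, {}))


def blast_radius(store: CellStore, stolen: Iterable[Credential]) -> int:
    """Records readable with the stolen credentials: one cell's worth per distinct compromised cell."""
    return sum(store.records_in_cell(c) for c in {cred.cell_id for cred in stolen})


def demo(n_users: int = 1000, n_cells: int = 10):
    """Load constructed sample records and measure exposure from a single leaked credential."""
    store = CellStore(n_cells)
    for i in range(n_users):
        store.put(f"user{i}", b"constructed genotype summary for user %d" % i)  # constructed sample
    creds = [store.issue_credential("ancestry-svc", c) for c in range(n_cells)]
    exposed = blast_radius(store, [creds[0]])  # attacker holds exactly one service credential
    return store, creds, exposed, n_users


if __name__ == "__main__":
    _store, _creds, exposed, total = demo()
    print(f"one leaked credential exposes {exposed} of {total} records")
```

The contrast with a flat store is the whole argument: there, any one working credential reads every row, so `blast_radius` would equal the user count. Splitting the data is only half of it; the credential scoping in `get` is what stops a single compromised service account from walking the other cells.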
| 1vuio0pswjnm7 wrote: | "In October, the San Francisco-based genetic testing company | headed by Anne Wojcicki announced that hackers had accessed | sensitive user information including photos, full names, | geographical location, information related to ancestry trees, and | even names of related family members." | | For those who do not know, her sister is a longtime Google | marketing person since 1999, who worked on AdWords, AdSense, | DoubleClick, GoogleAnalytics and the money-losing data collection | and advertising subsidiary YouTube. | | It seems personal data collection for profit runs in the family. | zlg_codes wrote: | I'm getting to a point where I automatically assume any business | is both taking my money and trying to totally fuck other parts of | my life behind my back to make more money. | | If capitalism is so great, why is it so incompatible with being a | good and honest person? | alephnan wrote: | > If capitalism is so great, why is it so incompatible with | being a good and honest person? | | Capitalism was never about that. It was about having actors act in | their own self-interest so as to maximize economic efficiency. | That model works great when you are selling commodities and | physical products. | | Capitalism in the era of personal information as currency is an | entirely different beast that needs to be reworked. | happytiger wrote: | There's a word for changing the terms after a deal is signed to | benefit one party over the other: fraud. ___________________________________________________________________ (page generated 2023-12-12 23:00 UTC)