23andMe changed its terms of service to prevent hacked customers
from suing
Author : osmanbaskaya
Score : 557 points
Date : 2023-12-12 15:27 UTC (7 hours ago)
(HTM) web link (www.engadget.com)
| adocomplete wrote:
| Thanks for sharing. Will def opt out and roll into the class
| action suits already filed.
|
| Take security seriously people. Especially when dealing with
| super sensitive data.
| brianwawok wrote:
| Why did you send them your DNA? It was pretty obvious from day
| 1 that sending some random startup on the internet my DNA was a
| bad move.
| mauvehaus wrote:
| Not everyone opted in as such. My wife has an identical twin
| who sent in a test.
| midasuni wrote:
| Presumably neither you, your kids, nor your wife has
| grounds to sue them
| hoosieree wrote:
| You could try the old Monsanto/JohnDeere approach:
| copyright your own DNA then sue them under DMCA.
| 6177c40f wrote:
| No, I don't think that that's obvious. At least in the US,
| there are already protections for genetic information
| (including but not limited to GINA [1]).
|
| In the long run, I think keeping your genetic information
| private will be untenable - the potential benefits will
| outweigh the drawbacks. Plus, anyone sufficiently motivated
| could get your DNA somehow, you shed your DNA everywhere you
| go, no getting around that.
|
| So what's left is to urge your representatives to maintain
| and strengthen regulations on how that information can be
| used, and in the long run we'll just have to trust that that
| will be enough.
|
| [1] https://en.wikipedia.org/wiki/Genetic_Information_Nondisc
| rim...
| pavel_lishin wrote:
| > _In the long run, I think keeping your genetic
| information private will be untenable - the potential
| benefits will outweigh the drawbacks._
|
| Can you give an example?
|
| > _Plus, anyone sufficiently motivated could get your DNA
| somehow, you shed your DNA everywhere you go, no getting
| around that._
|
| That assumes there's someone out to get _you_ specifically.
| That's like saying there's no point in having 2FA or
| strong passwords, because the FSB, the FBI and Mossad can
| get in anyway. Having my DNA because you vacuumed it up off
| the subway floor is significantly less useful to anyone
| without it being explicitly tied to me.
| 6177c40f wrote:
| > Can you give an example?
|
| See my other comment, but in short I essentially mean the
| true realization of "precision medicine" and gaining a
| greater understanding of how different genotypes result
| in disease, information which can be used to guide treatment
| and to develop better treatments.
|
| > That assumes there's someone out to get you
| specifically.
|
| Not entirely true - the ability to reconstruct genotypes
| from environmental samples gets better all the time. I'd
| imagine that even with current technology, a sufficiently
| motivated organization could sample various locations to
| reconstruct the genomes of people who often visit there.
| With enough info, they could start building webs of
| genetic relation. From there, all they'd need is access
| to a database of samples from known individuals (which,
| as we can see, already exists), and chances are they
| could quickly deanonymize future samples. The only thing
| that could stop such mass collection is proper
| regulation.
|
| > That's like saying there's no point in having 2FA or
| strong passwords, because the FSB, the FBI and Mossad can
| get in anyway.
|
| Unlike your password, your DNA is unencrypted and gets
| spread everywhere.
| slingnow wrote:
| >> That's like saying there's no point in having 2FA or
| strong passwords, because the FSB, the FBI and Mossad can
| get in anyway.
|
| > Unlike your password, your DNA is unencrypted and gets
| spread everywhere.
|
| This doesn't address the point. In both cases, someone
| sufficiently motivated could get what they want from you.
| So by your argument, there's no point in maintaining
| privacy for either piece of information (DNA /
| passwords).
| billyoyo wrote:
| Clearly a bad faith argument. Someone with your passwords
| can do a lot more damage than someone with your DNA.
|
| I think DNA is probably sensitive on the level of someone
| knowing your name and DOB. Not convinced it's much more
| dangerous than that.
| 6177c40f wrote:
| > So by your argument, there's no point in maintaining
| privacy for either piece of information (DNA /
| passwords).
|
| The problem with privacy is that it's fragile. When your
| info is leaked, you should assume it's out there for
| good.
|
| I also think that while right now when you do the
| cost/benefit analysis of having your DNA sequenced, you
| think the cost outweighs the benefit. Clearly my
| personal calculus is different than yours, and that's ok.
| But I would caution you that in the future that
| calculation may be different for you.
|
| So I think people will either lose privacy, or
| voluntarily give up some privacy for some benefit. In
| either case, we will need something other than privacy to
| protect ourselves. I think that well-enforced
| legislation, legislation that limits the way genetic info
| can be used and gives the individual more control over
| their own info, is really the only thing that can help.
| quantified wrote:
| What benefit will there be? And why do you assume that it
| won't be accompanied by negatives? The problem with all
| tech is that people direct its use, and the sole agent of
| evil in this world is people.
| 6177c40f wrote:
| > What benefit will there be?
|
| Knowing your genetic information is currently of limited
| value for the majority of people, this I admit. I believe
| that in the future, however, the promise of precision
| medicine will be realized, and that having one's genetic
| information readily available will be crucial to
| receiving the best treatment possible for many diseases.
|
| For example, take Crohn's Disease (and other inflammatory
| diseases more generally). The current thinking is that it
| is highly influenced by genetics, and that a number of
| different genotypes exist that can result in the
| phenotype we refer to as Crohn's Disease. It's
| conceivable that having a better understanding of
| someone's specific genotype could lead to more precise
| treatment of their condition.
|
| > And why do you assume that it won't be accompanied by
| negatives?
|
| I explicitly don't assume this, I said that the benefits
| will outweigh the drawbacks.
|
| > the sole agent of evil in this world is people.
|
| This is a specious argument. By that same measure, the
| sole agent of _good_ in the world is also people. But
| that's irrelevant. Tech can be used both to harm and to
| benefit, and I'm arguing that personal gene sequencing
| can and will be used to provide more benefit than harm.
| croes wrote:
| >Plus, anyone sufficiently motivated could get your DNA
| somehow, you shed your DNA everywhere you go, no getting
| around that.
|
| But these people need to get close to you. 23andme made it
| easy for someone who could have been on the other side of
| the globe.
| 6177c40f wrote:
| I really don't see how this changes the threat model. If
| anything, I'm less worried about someone on the other
| side of the globe.
| fkyoureadthedoc wrote:
| And do what with it?
| gosub100 wrote:
| Fear of the unknown about your own body. Think of how many
| people would sign up if you sold a service that scoured
| secret files to "find out what people are saying about you".
| Forget whether such a service could ever work, just the
| combination of "unknown" + "about you" is irresistible to a
| large segment of the population. It's the mother-of-all-
| clickbait.
| atemerev wrote:
| Any other way to know the information they are offering? It
| is hard to own your own sequencing machine.
| duxup wrote:
| For a lot of people it is a health decision.
|
| I go to a doctor, they have a ton of info on me. Who knows
| what might happen with that data ... but I still go to the
| doctor because it is a good idea for health reasons.
| tamimio wrote:
| Spot on!
| alephnan wrote:
| It was offered as a subsidized perk during my days as a
| Google employee.
|
| The social aspect of other people at Google doing it made it
| feel normal.
|
| In hindsight, I drank the Google kool-aid in more ways than
| one.
|
| The sentiment of distrust towards tech companies and tech
| companies being yet-another-corporation is really only
| obvious in recent years. It wasn't the case a decade ago when
| we were busy being judgemental of Wall Street. Ironically,
| now it seems that Wall Street is more trustworthy because, at
| the very least, they are forthright about their motive to make
| profit instead of all these lies about "changing the world".
| krosaen wrote:
| Didn't really feel like a random startup - felt like one of
| the most innovative startups around, backed by impressive
| investors including Google, co-founder married to Sergey
| Brin... So perhaps in hindsight sending DNA to _anyone_ is a
| bad idea, but if there were a startup one might have trusted,
| this was it.
| snapcaster wrote:
| I'm not trying to be mean, but it's hard not to be angry at
| people like you. Why would you send your DNA to a random
| startup with no promises or guidelines on how the data could be
| used? Do you have children? You just caused 50% of their DNA to
| leak forever without consent. I hope you're reconsidering your
| decision making around stuff like this now, but too late for
| any of your descendants in the next couple of generations.
| micromacrofoot wrote:
| Most of the time we're leaking our DNA all over the place by
| existing
| eimrine wrote:
| The DNA we are leaking is impossible to copy unlike the DNA
| we are sending to 23andme.
| atemerev wrote:
| You know, you can send other people's DNA to sequencing
| services too...
| eimrine wrote:
| Probably you can send them anything else, but how does it
| relate to my comment?
| atemerev wrote:
| Meaning that your DNA is not safe, even if you yourself
| never send it. DNA is leaking everywhere, anyone could
| collect it and send for analysis.
| micromacrofoot wrote:
| Nanopore sequencing can be done with a device that can fit
| into your pocket, these devices can be found for less
| than $1000.
| boringuser2 wrote:
| Why do you care again?
|
| It's DNA, not your BitWarden password.
| dekhn wrote:
| No; this is factually wrong.
| eimrine wrote:
| And not even a bit of clarifying? If you can convert the
| DNA sample into two DNA copies without destroying the
| sample, probably you are a God.
| dekhn wrote:
| You said "The DNA we are leaking is impossible to copy
| unlike the DNA we are sending to 23andme."
|
| I said it was wrong because people can collect
| environmental human DNA samples and "copy" them (amplify
| with PCR).
|
| Not sure what you mean about destroying the sample - you
| typically take part of the sample and amplify it without
| destroying the whole thing.
|
| I'm just unsure of what you are trying to say here; I'm
| responding with purely factual answers based on modern
| DNA technology.
| croes wrote:
| So you would be ok if governments around the world have
| a sample of yours and store it in a database?
| drivers99 wrote:
| Yes. What's the problem?
| CyberDildonics wrote:
| Prove it by copy and pasting your DNA in a reply.
| hot_gril wrote:
| Someone did it above.
| dekhn wrote:
| There is no practical way to prevent it, so yes, it's OK
| because there is no reasonable alternative.
| micromacrofoot wrote:
| No, the company in question made promises about the
| security of it and has broken those promises. Now their
| customers' DNA is potentially available to anyone (not
| just governments). They should pay dearly for breaking
| these promises. This is not the point of my original
| comment.
|
| The person I'm responding to is victim-blaming, and also
| making the completely silly claim that it's irresponsible
| to willingly "leak" DNA through some vague lens that it's
| going to be used to harm your descendants for
| generations.
|
| DNA sequencing is constantly becoming more affordable and
| accessible. Unless regulated, this _will_ be data that
| gets collected and abused en masse. It's a little
| expensive now, but I could easily sequence just about
| anyone's DNA today as long as I have some sort of
| physical access to a space they use. If that's the
| commenter's concern, they'd be much better off focusing on
| that rather than blaming people for expecting a company
| to keep medical data secure.
| Ensorceled wrote:
| I continue to be surprised at the sheer number of people on
| HN who are more enraged at the victims for their "stupidity"
| than at the perpetrators (23andMe for ToS shenanigans and/or
| the hackers for the hack).
| snapcaster wrote:
| How are you getting that I'm "more enraged" at the victims?
| I'm not absolving the company of anything, I'm criticizing
| people who give something like their DNA to a random
| company as naive and foolish.
|
| edit: I would have the exact same stance (and did and
| continue to) even if there was no hack
| Ensorceled wrote:
| Because your original comment was the only comment you
| made on the thread.
|
| And you made NO mention of the real villains.
|
| And you accused these people of screwing over their kids
| and all their descendants.
|
| And you're only "not absolving" the real villains even now.
| zlg_codes wrote:
| With criteria like that, you may as well speak for him.
| You're complaining he didn't say exactly what you wanted,
| and then made an assumption on his stance. Stupid tribal
| monkey behavior.
| dgacmu wrote:
| Well, let's see - because I wanted to have children, and I
| didn't know who my biological father was, so I wanted to
| understand if my wife and I were likely to carry any of the
| same dangerous recessive genes? And I wanted to know if there
| were likely any big, detectable gotchas coming up as I got
| older.
|
| And because, in the process, I discovered a couple of half
| brothers.
|
| My life is better because of the knowledge I got from genetic
| testing.
|
| (It also wasn't a "random" startup to me; I had it
| recommended by someone I trust who knows the founder.)
| switchbak wrote:
| Why would you be angry at someone that didn't do anything
| that negatively affects you? Do you get mad at people that
| eat unhealthy food?
| snapcaster wrote:
| Yes actually
| micromacrofoot wrote:
| Same, excited to receive my check for $0.25 in 3 years
| (seriously though, I wonder if we should file in small claims
| court or something as well?)
| tuwtuwtuwtuw wrote:
| Which super sensitive data was leaked? I have read
| contradicting things.
| skilled wrote:
| The article doesn't add anything new from previous discussion,
|
| _23andMe updates their TOS to force binding arbitration_
| (https://news.ycombinator.com/item?id=38551890) - (372 points | 6
| days ago | 243 comments)
|
| One interesting thing about this story though is that it appears
| that 23andMe is outright _refusing_ to make a comment to anyone.
| Every single site that has covered the story and bothered to
| email them has added a "23andMe has declined to comment"
| disclaimer.
|
| Pretty scummy.
| kelthan wrote:
| Yes, from the perspective of any user/consumer of the service.
| But since they are facing litigation, any lawyer will tell you
| that keeping your mouth shut until the action is adjudicated is
| THE best course of action, regardless of what some politicians
| and corporations may do these days.
|
| The only other thing that they could say would be "We do not
| comment on matters involving pending litigation." But that's
| just a longer way of saying "No comment." It's not any more
| satisfying for the customers or partners understandably seeking
| answers to what happened, how, and why.
| aeurielesn wrote:
| I don't understand how this is even legal, but it has been
| widely adopted without a backlash.
| scottLobster wrote:
| The older I get, the more I learn that "legal" doesn't mean
| what's on the books, it means what some entity cares to
| enforce.
| Maxion wrote:
| And because court cases are so expensive, what really matters
| is who has more money to spend on lawyers.
| mrkramer wrote:
| I'm not a lawyer but I doubt that this will matter in the court
| because the time of actions matters; or in other words, at the
| time when user registered they agreed to TOS A and later when
| 23andMe changed their TOS A to TOS B they achieved nothing
| because you can't unregister users and register them again and
| force them to agree to the new TOS B. I mean they can ask you to
| agree to new TOS but you don't have to because TOS is not a law,
| it is a voluntary legal agreement between a company and a
| customer. Retroactively enforcing something is not possible not
| even for the governments e.g. if I pay my corporate tax of let's
| say 20% in 2023 to the government, government can't say like 5
| years later: you know what corporate tax is now 30%, compensate
| for all the differences in the past.
| onlyrealcuzzo wrote:
| > I mean they can ask you to agree to new TOS but you don't
| have to because TOS is not a law
|
| Aren't they forcing you to agree to the new TOS to continue
| using the product?
| mrkramer wrote:
| Then pull out and sue them for maliciously enforcing new TOS.
| People should collectively sue them.
| freeAgent wrote:
| Perhaps, but if someone ignores the email and never logs into
| or interacts with 23andMe in the meantime, the post hoc
| change in ToS should have no impact on their ability to join
| a class action lawsuit.
| corethree wrote:
| You got it wrong. They can throw a big TOS in front of you next
| time you login. Most users will just accept.
|
| Additionally they sent an email out saying that you have 30
| days to tell them you want to "opt out" otherwise by default
| they assume you accept the new TOS agreement.
| verve wrote:
| To duck out of the new ToS, just write this email to
| legal@23andme.com--
|
| To Whom It May Concern:
|
| My name is [name], and my 23andMe account is under the email
| [email]. I am writing to declare that I do not agree to the new
| terms of service at https://www.23andme.com/legal/terms-of-service/.
| bunnyfoofoo wrote:
| Email is arbitrationoptout@23andme.com
| verve wrote:
| The email I got from 23andMe linked me to legal@23andme.com.
| micromacrofoot wrote:
| send it to both!
| hughw wrote:
| legal@23andme.com rejects my email with the message
| "Account disabled". So yeah, definitely cc the other
| address.
| ceejayoz wrote:
| Yeah, but the actual terms say
| arbitrationoptout@23andme.com. I wouldn't put it past them
| to say "ah but you didn't email the right address".
| covercash wrote:
| I emailed this one and cc'd the legal@ address just to be
| sure.
| jascination wrote:
| Ah, bad news, you cc'd legal@, which technically isn't
| directly emailing legal@. We have denied your claim and
| you will be shot from a rocket directly into the sun next
| Wednesday.
| downWidOutaFite wrote:
| Wow that is super hidden! They have a fake ToS to try to
| stop you from seeing the real one.
| basch wrote:
| Deeper in it has the other one.
|
| I also set my future status to auto opt-out.
|
| "I opt out of the updated terms and will stick to the
| current in place ones indefinitely, including any future
| changes. I declare myself immune from having to do anything
| like this again in the future and set my status to auto-
| opt-out."
| pc86 wrote:
| Is this legally binding? I'm extremely skeptical any time
| phrases like "immune" and "automatically" start making
| their way into legalese as it's usually something like
| those Facebook "don't use my photos" things your aunt
| reposts every few months.
| snovv_crash wrote:
| Give them a 30 day notice that it is binding unless they
| object?
| jhardy54 wrote:
| I don't give Facebook permission to use my pictures, my
| information or my publications, both of the past and the
| future, mine or those where I show up. By this statement, I
| give my notice to Facebook it is strictly forbidden to
| disclose, copy, distribute, give, sell my information, photos
| or take any other action against me on the basis of this
| profile and/or its contents. The content of this profile is
| private and confidential information. The violation of privacy
| can be punished by law (UCC 1-308-1 1 308-103 and the Rome
| statute). Note: Facebook is now a public entity. All members
| must post a note like this. If you prefer, you can copy and
| paste this version. If you do not publish a statement at least
| once, you have given the tacit agreement allowing the use of
| your photos, as well as the information contained in the
| updates of the state of the profile. Do not share. You have to
| copy.
| ceejayoz wrote:
| Those notices are bullshit, but
| https://www.23andme.com/legal/terms-of-service/#dispute-
| reso... says emailing an opt-out is correct in this case.
|
| > 30 Day Right to Opt-Out. You have the right to opt-out and
| not be bound by the arbitration and class action waiver
| provisions set forth above by sending written notice of your
| decision to opt-out by emailing us at
| arbitrationoptout@23andme.com. The notice must be sent within
| thirty (30) days of your first use of the Service, or the
| effective date of the first set of Terms containing an
| Arbitration and Class Action and Class Arbitration Waiver
| section otherwise you shall be bound to arbitrate disputes in
| accordance with the terms of those sections. If you opt out
| of these arbitration provisions, we also will not be bound by
| them.
| kstrauser wrote:
| The difference here being that 23 and me has communicated a
| specific opt-out process. This isn't some sovereign citizen
| nonsense the person you're replying to came up with on their
| own. It's the official method you're supposed to use.
| apwell23 wrote:
| > If you do not notify us within 30 days, you will be deemed to
| have agreed to the new terms.
|
| WTF. This is outrageous. And I had to find that email in my spam
| after I read this comment. Hope this POS company goes down in
| flames after this.
| klipt wrote:
| Lol that surely can't be enforceable. Imagine "you agree to
| give us your kidney if you don't opt out within 30 days"
| sitting in your spam folder. How is this different?
| dylan604 wrote:
| The last time I went rooting around in my SPAM folder, I
| came back a different person. I am forever changed by what
| I saw in there. I consider email totally broken in today's
| environment, but without a SPAM folder it would be closer
| to totally useless.
|
| With the benefit of hindsight, the invention of SPAM should
| have told us all we needed to know about the future of the
| internet. A small percentage of users will do their
| damnedest to ruin it for everyone else. It's a sign that
| people cannot be trusted to _not_ use the tech for evil. I'm
| sure it foretold the corruption of social media as well.
| It is all SPAM's fault!
| Log_out_ wrote:
| But they hold your DNA hostage. Don't you want this company
| to exist on so nobody gets hurt. Oh, they peaked and leaked
| that's why the users get TOSsed. Carry on, Sir, baldly into a
| classy action lawsuit against a bankrupt company where some
| zeroday employee will get the biggest payout by insurance
| ever.
| apwell23 wrote:
| Too bad to fail?
| pbhjpbhj wrote:
| Write back "you agree to pay me $10M in compensation unless
| you reply in 30 days" ...
| dylan604 wrote:
| *auto-replies are not accepted as a valid response
| willcipriano wrote:
| I wonder if they can use things like opt out data to find a way
| to screen for genetic markers of "troublemakers" or similar.
|
| DNA driven targeted advertising that finds only the most docile
| consumers.
| oldgradstudent wrote:
| They can't tell you your eye color from their DNA data with
| any degree of confidence, and you seriously expect them to be
| able to find a marker of something as vague as
| "troublemakers"?!
| adam12 wrote:
| >> I wonder if
| salawat wrote:
| ...And yet phrenology was a thing.
|
| https://en.m.wikipedia.org/wiki/Phrenology
|
| Never underestimate the willingness to engage in the day's
| new "not-yet-clearly-identified-as-quackery-pseudo science"
| when there is a buck to be made.
| VHRanger wrote:
| ADHD has genetic markers for example
| dekhn wrote:
| https://pubmed.ncbi.nlm.nih.gov/19619260/ """Nevertheless,
| it has been estimated that 74% of the variance in human eye
| colour can be explained by one interval on chromosome 15
| that contains the OCA2 gene"""
|
| That's about blue/brown, and realistically, there are a
| bunch of other genes which also have effects, as "eye
| color" is really a collection of phenotypes, not just a
| single one.
| ballenf wrote:
| I wonder what would happen if someone used one of the public
| email dumps and automated a mass opt-out of every email ever
| spotted in the wild.
| neilv wrote:
| 23andMe's ToS change right now seems in poor taste at best,
| and I think they need to get smacked for that, by a judge
| and/or the public.
|
| But I don't see how drunken anarchist tactics help, and that
| noise seems like it would be a counterproductive diversion.
| dylan604 wrote:
| wow, that's probably one of the most brilliant altruistic
| ideas I've read since buying other people's medical debt.
|
| this is probably why the unsubscribe links require some
| interactive confirmation so that simply loading the page
| doesn't actually unsubscribe.
|
| if this was doable, i'd put them above Troy Hunt in
| contributions to humankind ;-)
| 13of40 wrote:
| Some email providers navigate to every URL you receive to
| check them for phishing and malware. That doesn't play well
| with one-click unsubscribe links.
| dylan604 wrote:
| sounds like the email providers are in the wrong here.
| quit reading my mail.
| alephnan wrote:
| I am logging in to my 23andme account to confirm my info and name
| registered there.
|
| I forgot my password and did a password reset. They have a
| password requirement of 12 characters minimum. A bunch of
| security theater just to get hacked anyways.
| brokencode wrote:
| So as soon as a company gets hacked once, all of their
| security measures get recategorized as security theater?
| nofinator wrote:
| I'm just surprised they aren't making you send a physical
| letter via USPS.
|
| Some companies require that. Here is PayPal's process for
| example: https://www.paypal.com/us/legalhub/useragreement-
| full#table-...
| tbalsam wrote:
| They aren't the government, silly billy. Just because it's
| written down doesn't mean that it has value, it's just an
| (effectively unfortunate) deterrent, since oftentimes a court
| has to decide that it's illegal.
|
| Hopefully our court system will get some more teeth vs other
| corporations soon.
| kelthan wrote:
| Automatically opting-in customers to a more restrictive TOS is
| pretty suspect, especially given the timing. IANAL, but I'm
| pretty sure that a court would not allow that, given that the TOS
| was changed AFTER the breach and it's pretty clear that the
| company is trying to avoid legal issues after-the-fact.
|
| I would expect the court would evaluate any breach under the TOS
| that was in effect at the time of the breach, rather than under a
| new (and arguably suspect one) that was put in place after it,
| arguably in an attempt to "rewrite history".
| thereddaikon wrote:
| And just because a TOS says something doesn't mean it will
| necessarily hold up in court. They aren't law.
| kelthan wrote:
| Right. Also, the practice of having a sticker on a shrink-
| wrapped box of software that read "By opening this package
| you agree to the Terms of Service contained within", where
| the TOS was inside the box that you needed to open the
| package to read, was deemed unenforceable back in the 90's.
| It's the reason that TOS' are now displayed as a pop-up
| during installation. Not that many more people actually read
| them before installing the software, but at least they are
| given the option to.
|
| I suspect that a competent lawyer could fairly easily argue
| that this "automatic opt-in" is the same thing in a slightly
| different format.
| dannyw wrote:
| The Federal Arbitration Act severely, and nearly completely, ties
| courts' hands around throwing out binding arbitrations.
|
| Of course, if people don't accept the new terms, they are still
| bound by the old ones. But if you don't opt out...
| kelthan wrote:
| But having the company update a TOS that automatically
| removes rights from the consumer, after the consumer already
| agreed to a TOS that didn't previously restrict those rights
| is likely not going to hold up in court, either. Especially
| when the TOS changes were made after an event likely to
| trigger litigation.
|
| This isn't a case of a minor change to consumer rights in the
| TOS like changing who would arbitrate a case. It's a
| significant restrictive change to the rights of the customer
| in favor of the company. And it was made after a security
| breach that affected a huge portion of the company's clients
| which is likely to trigger lawsuits of the form that the TOS
| now seeks to restrict.
|
| This is clearly a case of attempting to close the barn door
| after the horse was spotted in the next county over.
| BobaFloutist wrote:
| The good news is binding arbitration has some significant
| downsides for corporations - look up "mass arbitration".
| throwaway092323 wrote:
| They probably know that it doesn't hold water legally. The hope
| is to victim blame as much as possible so that fewer people sue
| them in the first place. The next step will be to "remind"
| people about the TOS that they totally agreed to.
| lp0_on_fire wrote:
| Exactly. Same reason construction vehicles have "Stay back
| 200 feet: not responsible for broken windshields" written on
| the back.
| constantly wrote:
| Yep. A small tangent for anyone who has seen these: they're
| very clearly not specifically enforceable. I got a window
| banged up by things falling off a truck with this signage,
| and when I called their "How Am I Driving" number the first
| thing they said was that they were not responsible, citing
| this sign. Fortunately that sign was non-binding. :)
| lelandfe wrote:
| "If you can read this bumper sticker, the occupants of
| your vehicle agree to..."
| Rayhem wrote:
| "Private sign, DO NOT READ"
| jstarfish wrote:
| Georgia (state) takes it a step further. They wrote an
| exemption to the license plate law that allows dump truck
| owners to display the plate only on the _front_ of the
| vehicle. Makes it that much harder to hold them
| accountable.
| sonicanatidae wrote:
| It's like they don't know drivers and their willingness to
| make "for damn sure" the other side is made aware of
| their displeasure. lol
| arwhatever wrote:
| "Not responsible for black eye if something falls from your
| vehicle and damages my vehicle."
| andrei_says_ wrote:
| Except that the truck driver has zero fault for the
| gravel on the road and the spacing between the tires and
| the mud guard of the truck his employer maintains.
|
| Or did you mean you'd seek out the ceo of the truck
| company and give them a black eye?
| sithlord wrote:
| This is usually related to drivers who do not use the
| cover of their truck they are legally supposed to. So
| rocks fly out the top.
| Tempest1981 wrote:
| Or dump trucks, which leak out the seams as they go over
| bumps
| arcanemachiner wrote:
| Also mud flaps
| londons_explore wrote:
| And usually because the truck is over full too. For
| almost any load, if you fill the truck to the brim you
| have overloaded it. (Unless you're moving styrofoam)
| 93po wrote:
| A driver has a legal obligation to not drive a vehicle
| that is spreading debris on the road, which they are
| often doing and that debris often comes from their
| construction sites. There are places that use track
| washing stations at entrances and exits to prevent this.
| wongarsu wrote:
| If it's gravel they are transporting it's obviously their
| fault, it's the responsibility of the driver to secure
| the load (with some blame falling on truck companies for
| providing insufficient equipment).
|
| If it's random gravel from the road it's more
| understandable. But even then the driver is very much
| responsible for the mud guards on the truck they are
| operating, just as the police would write a ticket to the
| driver for worn down tires or broken lights.
| candiddevmike wrote:
| Does this apply to shopping carts in parking lots?
| eweise wrote:
| At least in California, it's illegal for anything to fall
| from a vehicle except water and bird feathers, so not sure
| how that sign helps them.
| padjo wrote:
| The point being that while it's not at all enforceable
| there's a non-zero number of people who will think it is
| and not fight it.
| eshack94 wrote:
| If I'm not mistaken, that's the point the person above
| you was making. Those stickers on dump trucks that say
| "Stay back 200 feet. Not responsible for broken
| windshields" are worthless from a legal perspective.
|
| They do absolutely nothing to remove liability from the
| truck driver/company. If a rock falls from their truck
| and cracks your windshield, they absolutely are
| responsible for any damages.
|
| Rather, their sole value is to _convince_ drivers that
| the trucking companies aren't at fault, so that drivers
| whose vehicles are damaged from falling rocks erroneously
| elect not to press charges or pursue damages.
| quickthrower2 wrote:
| What about fallen leaves?
| dotnet00 wrote:
| or the "Warranty void if removed" stickers on electronics,
| which are not legally enforceable in the US.
| dylan604 wrote:
| This looks like a perfect class action case. There's really
| no physical harm or financial harm to the users, but a class
| action might be the only way for it to hurt. But IANAL, and
| probably have it all wrong in my head???
| underwater wrote:
| Why is it that in the US individuals have to band together
| and privately launch a class action to stop these types of
| parasitic behaviours. The government is supposed to
| represent the interests of citizens.
| dylan604 wrote:
| Lobbying. Citizens United. Disinterested populace.
|
| Do you need a longer list?
| alistairSH wrote:
| That's exactly why - we have a largely dysfunctional
| federal government (and most state governments aren't
| much better).
|
| The biggest downside is the lawyers take a massive chunk
| of any award and the actual victims are often left with
| very little. Or, even worse, the victims get worthless
| coupons (like with many credit/PII breaches - the award
| will be 1-year of credit monitoring from the company that
| allowed the breach in the first place).
| BrandoElFollito wrote:
| This credit score system in the US always made me
| curious. At some point I had a proposition to move to
| the US and I asked the company offering the job how they
| would ensure that I immediately got the best possible
| score. They said it was not possible because it was a
| personal score.
|
| I told them that I will certainly not start to build a
| credit score at 40 yo so they will have to find someone
| else.
| dylan604 wrote:
| I'm sure that as soon as they stopped crying and wiped
| the tears away from their eyes, they had no problem
| filling the spot. The question I have: were they crying
| from laughing so hard at your retort?
| losteric wrote:
| It's not true that individuals need to band together. A
| single individual can kick off a class action lawsuit,
| private litigators can even kick start a lawsuit
| themselves (though ultimately the lawsuit will bring in
| impacted individuals).
|
| The idea of private litigators is to complement the
| innate limitations of federal/state lawyers, by offering
| profit as an incentive.
|
| Ideally yeah Americans would have stronger laws around
| TOS, customer privacy, data handling and security, and
| robustly funded state lawyers... but we don't.
|
| Practically speaking, such gaps are not unique to
| technology. Every industry has this same problem, and
| your awareness of those problems is reflective of the
| general public's political engagement with this thread's
| topic. So having gaps that private litigators address is
| really quite normal and part of the incremental progress
| of legislation and state enforcement.
| wharvle wrote:
| 1) Common law versus civil law. We rely a lot more on
| private lawsuits than on regulator action. This is
| probably a mistake, given that it _sure looks like_ it
| adds costs to common law countries with little to no
| benefit (and, arguably, harm) but it's what we have.
|
| 2) The consumer protection laws we do have, and the
| bodies to enforce them, are relatively weak and
| enforcement is spotty at best. The most recent serious
| attempt to _kinda_ fix this is the formation of the CFPB,
| and one of our two relevant political parties
| deliberately prevents it from working when they hold the
| White House (sample size of one, admittedly) and has been
| trying to totally kill it, in the legislature or (better,
| because it's popular and this is deniable) in the courts.
| zlg_codes wrote:
| > The government is supposed to represent the interests
| of citizens.
|
| I'm not sure that's ever happened in this country. They
| pay all sorts of lip service, but when challenged or
| under pressure, the US makes a lot of excuses for leaving
| its own people behind.
|
| Thankfully we can repay that favor and see how they like
| it when there's nobody left to defend them.
| baryphonic wrote:
| Cornell's law school has a pretty good guide to these "adhesion
| contracts" such as web TOS.[0] This alteration strikes me
| (IANAL) as running the risk of being unconscionable. If the
| contract change is unconscionable, then the new terms mandating
| binding arbitration are void.
|
| Again, IANAL. Just my opinion as a citizen, not legal advice.
| Seek competent legal advice before taking legal action.
|
| [0] https://www.law.cornell.edu/wex/adhesion_contract_(contract_...
| smcl wrote:
| I'd say it's more than suspect, what's the point of agreeing to
| a terms of service if they can change after you agree to them?
| huytersd wrote:
| They usually put that exact thing into the ToS. The right to
| change it at any time.
| smcl wrote:
| Ahh ok this sounds like a thing that's OK in the USA but
| not EU :-/
| raphman wrote:
| Indeed.
|
| > "Besides the general requirements of 'good faith' and
| 'balance', the EU rules contain a list of specific
| contract terms that may be judged unfair.
|
| > Here are some situations where contract terms may be
| judged unfair under EU rules:
|
| > [...]
|
| > - Terms which allow you to alter a contract
| unilaterally unless the contract states a valid reason
| for doing so."
|
| https://europa.eu/youreurope/business/dealing-with-customers...
| smcl wrote:
| NOTE: instead of downvoting as a knee-jerk defense of
| USA, just reflect on whether you'd benefit from some
| slightly better consumer protection laws.
| wongarsu wrote:
| Just because they write that doesn't make it legally
| enforceable. You can't agree to terms you don't know. Which
| is why many services will haunt you to explicitly agree to
| the new ToS when you next log in.
|
| And even if you click agree there are legal questions about
| how much that can change about your past relationship, and
| what kind of changes you can legally make.
| wackycat wrote:
| Right! If this were a law rather than TOS it's the whole ex
| post facto situation.
| everforward wrote:
| They ought to be evaluated as if no TOS exists. Given the clear
| intent to defraud customers by misrepresenting the contract
| they were bound by, the claims should be evaluated under the
| TOS most favorable to the plaintiffs. The most favorable TOS is
| the one that's invalid because 23andMe didn't get anyone to
| actually agree, ergo the claims are evaluated as if no TOS
| exists.
|
| This is an attempt to undermine consumer protection laws, and
| the government should treat it as a direct attack. Other
| companies are watching. The government needs to send a clear
| message that this won't be tolerated before it spreads, becomes
| the status quo, and leaves many consumers believing that they
| don't have any rights or protections.
|
| The head of legal should also be disbarred under American Bar
| Association rule 1.2(d):
|
| > (d) A lawyer shall not counsel a client to engage, or assist
| a client, in conduct that the lawyer knows is criminal or
| fraudulent, but a lawyer may discuss the legal consequences of
| any proposed course of conduct with a client and may counsel or
| assist a client to make a good faith effort to determine the
| validity, scope, meaning or application of the law.
|
| This reads as clear contract fraud in the factum [1]. Customers
| are told that they're bound by new contract terms, despite that
| 23andMe never got agreement, nor tried to get agreement, nor
| even know whether customers have read the new contract. I can't
| fathom any other reasonable interpretation of the situation.
| They created a fraudulent contract hoping to confuse other
| entrants to prior versions of the contract, and intend to
| benefit from that confusion. It seems clear to me. They are
| attempting to undermine the legal system, and the ABA needs to
| deal out swift punishment as one of the protectors of that
| system.
|
| 1: https://en.wikipedia.org/wiki/Fraud_in_the_factum
| pbhjpbhj wrote:
| That should be a crime in itself. Looks a lot like fraud.
| sonicanatidae wrote:
| I would like to think they will be nailed to the wall, but the
| current is that they will get a pittance fine, at best, before
| accepting their well earned bonuses.
|
| I hate this timeline.
| lozenge wrote:
| > IANAL, but I'm pretty sure that a court would not allow that
|
| You and a lot of the people who replied to you seem to be
| confusing what is unjust with what is illegal. You can't use
| one to deduce the other.
| Affric wrote:
| Yep. Having defended contracts that legally the company could
| novate, the circumstances that led to the novation had to be
| either outside of our control with a third party changing our
| underlying costs, or the first and second parties failing to
| agree a new contract and a standard contract that was already
| defined being put in place. This was later deemed unfair and
| the standard contract was made much cheaper. Ha!
|
| My point being that in Australia my vibe is that this will be
| looked upon in a very negative light by courts and any
| regulators.
| amelius wrote:
| What if they sell their entire business to a subsidiary?
| d3w4s9 wrote:
| "a court would not allow that"
|
| I don't know where you have been the last few years, but I am
| pretty sure things like that happen all the time, based on the
| emails I received regarding ToS updates. And I have never heard
| of any company getting into trouble in court. Maybe public
| opinion, but that's it.
| d2049 wrote:
| I would have presumed that security-minded people, which includes
| those who work in tech, would not so easily give away their
| genome, and that most of 23andMe's customers are a slice of the
| general population. But then I read about things like WorldCoin
| and that people who go to startup parties jump at the chance to
| give away scans of their retinas and I'm befuddled. Why would
| anyone willingly do that?
| xvector wrote:
| I am a security engineer. When I signed up for 23andme, I
| assumed with certainty that it would be hacked and all data
| leaked at some point. I balanced that with the value of knowing
| potentially important health/genetic bio markers.
|
| In the end, I valued knowing these bio markers above the
| privacy of my genome. The former is actionable and I can use it
| to optimize my health and longevity; the latter is of vague
| value and not terribly exploitable outside of edge-case threat
| models.
| smarkov wrote:
| Exactly my thoughts.
|
| I'd be more upset if a combination of my name and email/phone
| number got leaked than if my DNA was made available public.
| tuwtuwtuwtuw wrote:
| Why would you be upset if your name+phone combo was leaked?
| Mine is all over internet so wonder why you feel it would
| be bad.
| smarkov wrote:
| I simply don't want to deal with spam or scams. If I'm
| exposing my contact details it would be a separate set
| that is dedicated to dealing with communication coming
| from the public.
| c7b wrote:
| In retrospect, how do you so far value the utility of the
| data you got? Did you take any actions based on them, do you
| think you will be doing so in the future?
| logifail wrote:
| > I can use it to optimize my health and longevity
|
| Q: Is it a HN thing to be (obsessively?) interested in health
| and longevity?
|
| Dying is a natural process. Sorry.
| rfrey wrote:
| It's a human thing. Not all humans, but many.
|
| > Dying is a natural process. Sorry.
|
| Avoiding dying, as best one can, is also a natural
| behaviour.
| averageRoyalty wrote:
| We fight all sorts of natural processes. Most common forms
| of death from a couple of centuries ago are solved. Our
| average lifespan has increased dramatically. We fly around
| in planes, travel to space, grow fruit out of season and
| build giant cities.
|
| As a species, we're excellent at working around or ignoring
| what's "natural".
| basch wrote:
| Or the reality is, if someone wants your dna they will follow
| you around and grab a coffee cup.
| mrweasel wrote:
| Yes, yours specifically, but what if I want like 200.000
| people so I can find one that has a DNA profile similar to
| mine, who could serve as an escape-goat or victim?
|
| Maybe I want to steal a kidney, or a child that could
| reasonably pass as my own?
| searine wrote:
| >but what if I want like 200.000 people so I can find one
| that has a DNA profile similar to mine
|
| There are already literally entire databases of millions of
| people's DNA freely available for scientific research.
| mrweasel wrote:
| Not with names and contact information I assume?
| searine wrote:
| If you were smart enough to hack 23andMe to get genetic
| data to find a specific person, you'd be smart enough to
| reconstruct identities from publicly available data.
| You'd just have to cross-reference public anonymous
| databases with public non-anonymous ones. Both of which
| exist, and are free.
|
| So far, the only real use-case for doing this is people
| trying to identify criminals from just DNA.
| slingnow wrote:
| You realize this data is often available for purchase or
| eventually publicly leaked, right? You don't have to be
| "smart enough" to do the hacking to benefit from it.
| VBprogrammer wrote:
| In the US, the bad actor here is much more likely to be
| insurance companies who can tune their secret algorithms to
| make sure no one with a gene tied to an illness which
| blooms later in life can get affordable health care.
| tfehring wrote:
| In the US, health insurers can only price based on age,
| location, and tobacco use. Setting health insurance
| premiums or denying coverage based on any health-related
| factors has been illegal for over a decade, and changing
| that would be totally unviable politically.
|
| However, it's a significant risk for other types of
| insurance including life, disability, and long term care.
| imiric wrote:
| Just because it's illegal, doesn't mean health insurance
| companies don't find loopholes, and consider fines when
| they get caught as the cost of doing business. See this
| series of articles[1] for some of their criminal
| shenanigans.
|
| It's more than likely that they would use genetic data to
| deny insurance, and then settle the cases in court if
| they happen to get sued, which statistically is probably
| a rare occurrence.
|
| [1]: https://www.propublica.org/series/uncovered
| joshstrange wrote:
| > escape-goat
|
| Unless this is an online joke I don't get, I think you mean
| "scapegoat".
| mongol wrote:
| Seems to be the same thing.
|
| "The concept comes from an ancient Jewish ritual
| described in the Bible, specifically in Leviticus 16.
| During the Day of Atonement (Yom Kippur), two goats were
| chosen: one to be sacrificed and the other to be sent
| into the wilderness, symbolically carrying away the sins
| of the community. This second goat was called the
| "Azazel" or the "scapegoat".
|
| Over time, the term "scapegoat" evolved to have a more
| general meaning in English. It came to refer to a person
| or group that is unjustly blamed for the problems or
| misfortunes of others, reflecting the original ritual in
| which the goat was symbolically burdened with the sins of
| others before being sent away. "
| FireBeyond wrote:
| > But then I read about things like WorldCoin and that people
| who go to startup parties jump at the chance to give away scans
| of their retinas
|
| Well, in the case of WorldCoin, I think there's still some
| pretty significant questions of why they made Africa a
| prominent launch market (well, there are some reasons), but in
| some places they repeatedly increased incentives until they
| were offering people there _up to a month's income_ to give
| their scans. That might not be a lot of money to a big startup,
| but is telling that they had to offer that much to get some
| people to "opt" in.
| mrweasel wrote:
| The same people believed crypto-currency, infinite growth,
| social media and many other things. At least 23andMe provided
| actual value, to some at least.
|
| What I find strange is that 23andMe did not automatically
| delete data after 30 days, or at the very least took it
| offline, only to be available on request. Notify people that
| their results are available and inform them that the data will
| be available for 30 days after the first download. This is
| potentially really sensitive data and based on 23andMe's
| response, they seem to be aware of that fact. So why would they
| keep the data around? That seems fairly irresponsible and
| potentially dangerous to the company.
| geoelectric wrote:
| Their service is selling you a dashboard over your genetic
| data that's continually updated for new gene correlation
| studies and ancestry matches. It's not really the one and
| done "Promethease" style analysis service you're thinking of.
| vik0 wrote:
| What actual value did 23andMe and similar services offer in
| the first place?
|
| Quenching someone's curiosity about where their ancestors are
| from? Do we even know how accurate it is at doing that?
| jstarfish wrote:
| Ancestry data, but also health markers. I.e. you're
| probably going to get macular degeneration, Tay-Sachs and
| cervical cancer.
|
| Once I enabled the social graph thing I was immediately
| hounded by distant relatives who I assume want to chop me
| up for parts.
|
| > Do we even know how accurate it is at doing that?
|
| The police have closed a few cold murder cases based on
| adjacency (once Parabon got their hands on samples), so it
| must be pretty accurate.
|
| Anecdotally, my profile told a radically different story
| about our ancestry than my family's vague lore led me to
| believe. 23andMe's data made way more sense.
| dekhn wrote:
| If you go back in time, 23andMe was founded to collect
| genetic data with the goal of using that data to improve
| the health condition of humanity.
|
| Over time it became clear that 23andMe's data set had
| limited predictive ability for health for a number of
| technical reasons (previously, dahinds, one of their
| statistical geneticists, has defended the quality of their
| predictions on HN, you can search for his comments. I
| suspect he can no longer comment on HN because of 23&Me's
| security debacle).
|
| However, around that same time, 23&Me's dataset turned out
| to be excellent for ancestry analysis. It's generally
| considered fairly accurate (not just 23&Me- the entire
| process of ancestry through snp genotyping works really
| well).
|
| I never did 23&Me but my dad did- and he learned he has
| children all around the US (half brothers and sisters of
| mine) from some samples he provided some 45+ years ago.
| Both my dad and those people gained value from making that
| connection. It's interesting because my dad had already
| done most of the paper research (including going to SLC to
| visit the Mormon archives) to identify our obvious
| ancestors, and these relatives would never have shown up.
| BobaFloutist wrote:
| Locating secret/hidden family is kinda nice.
| cookie_monsta wrote:
| I just wanted to confirm my connection to royalty because
| I've always felt, y'know... special
| Dma54rhs wrote:
| Poor and desperate people don't have the luxury of thinking
| about these first world privacy issues. There's a reason Altman
| and launched it where they did.
| barbazoo wrote:
| That explains the WorldCoin but not 23andme, people
| _voluntarily_ paid for that so they couldn't have been that
| poor.
| switchbak wrote:
| You didn't need to supply accurate information, this isn't a
| bank here with any validation of your identity.
| bogwog wrote:
| You can at least change your name. You can't change your DNA,
| so when companies start selling that data it will be easy to
| detect when you give out fake information.
|
| The only missing piece is a way to scan your DNA as part of a
| login form.
| hot_gril wrote:
| What good is my DNA without a real identity attached to it?
| PH95VuimJjqBqy wrote:
| It will be a cold day in hell before I ever submit to dna
| analysis of this nature.
|
| That doesn't stop my family from doing so, but I sure as hell
| will never.
| weebull wrote:
| So they've basically done it for you. The primary sensitive
| information is about predisposition to hereditary disease.
| That's the same for you and your siblings.
| PH95VuimJjqBqy wrote:
| I understand that but I can't control them so I must draw
| the line where I'm able.
| 93po wrote:
| The long term premise of WorldCoin is to not store retina scans
| in any way, and scanning stations in the US already do not do
| so.
| itronitron wrote:
| 'long term premise'
| latentcall wrote:
| I was 24 in 2015 and not in tech or as security minded as I am
| now when I received the test as a Christmas present. Obviously
| now I wouldn't have dared do it, but it's too late. Lacked the
| foresight at the time.
| hot_gril wrote:
| What's the implication here, that tech people should know
| better? I just don't care a ton about my privacy. At least that
| makes me not a hypocrite for working at a company that profits
| from user data (like many tech ones do).
| dekhn wrote:
| I'm familiar with security (I keep a copy of Applied
| Cryptography on my shelf for "fun reading") and tech, here's a
| copy of my whole genome: https://my.pgp-hms.org/profile/hu80855C
| Note it's a full human genome, far more data than a 23&Me
| report. You can download the data yourself and try to find
| risk factors (at the time, the genetic counsellors were
| surprised to find that I had no credible genetic risk factors).
|
| Please let me know in technical terms, combined with rational
| argument, why what I did was unwise. Presume I already know all
| the common arguments, evaluated them using my background
| knowledge (which includes a PhD in biology, extensive
| experience in human genome analysis, and years of launching
| products in tech).
|
| I've been asking people to come up with coherent arguments for
| genome secrecy (given the technical knowledge we have of
| privacy, both in tech and medicine) and nobody has managed to
| come up with anything that I hadn't heard before, typically
| variations on "well, gattaca, and maybe something else we can't
| predict, or insurance, or something something".
| yborg wrote:
| >well, gattaca, and maybe something else we can't predict, or
| insurance, or something something
|
| Sure, if you don't believe in any of the potential negative
| scenarios, anything goes. You could also post your full name,
| SSN, DOB, address, etc. here if you are secure in the
| knowledge that no harm could ever come of it.
| dekhn wrote:
| I think we already know for sure that posting a combination
| of full name, SSN, DOB, and address is a reliable way to
| provide scammers with the necessary information to commit
| fraud.
| BobaFloutist wrote:
| I think what they're saying is that name (probably not),
| SSN (almost definitely), DOB (maybe?) and address
| (probably) have _known_, _confirmed_ risks. There are
| current ways that bad actors can abuse that information.
|
| Genome is still pretty theoretical, except getting caught
| for committing crimes.
| dekhn wrote:
| I just checked, and using my True Name
| (https://en.wikipedia.org/wiki/True_Names) I can easily
| find my DOB, prior addresses and phone numbers, and using
| that information, it's likely I could make a reasonable
| guess for the SSN.
| BobaFloutist wrote:
| _it's likely I could make a reasonable guess for the
| SSN._
|
| It _is_? I mean then why are we bothering to protect
| anything, this shit is all super available for any given
| person.
| dekhn wrote:
| SSNs are fairly predictable- if you know region of birth
| and DOB you can get awfully close, for a wide range of
| the population.
|
| https://www.pnas.org/doi/10.1073/pnas.0904891106
|
| Konerding's 12th law, amended: "There is no bit of
| pseudonymized data which cannot be de-anonymized by a
| sufficiently motivated MIT grad student" (not entirely
| joking; see
| https://archive.nytimes.com/bits.blogs.nytimes.com/2015/01/2...)
| rfrey wrote:
| The question is, what _are_ the potential negative
| scenarios.
| BobaFloutist wrote:
| I'm gonna start making clones of you.
| dekhn wrote:
| I'm fine with that, but merely having my genome sequence
| doesn't enable you to do that.
| mtremsal wrote:
| For one thing, this leaks a portion of the genome of your
| relatives, which is a clear breach of their privacy. Whether
| you personally deem it sensitive or not, genetic data is
| meant to remain confidential.
| dekhn wrote:
| I don't believe making my genome available, which contains
| similarity to my relatives, is a breach of their privacy.
|
| I think part of my point is that DNA, by its nature, simply
| cannot remain confidential, and that thinking we can keep
| it that way is just going to lead to inevitable
| disappointment.
| mtremsal wrote:
| First, some people extend your argument from DNA to
| everything and say "I believe that privacy in the modern
| world is unrealistic"; that doesn't make the argument
| applicable to the rest of us.
|
| Second, whether DNA can or cannot remain confidential is
| yet to be seen, but feasibility is certainly orthogonal
| to whether it ought to be, which is the point at hand.
|
| Third, whether you believe it's a breach of privacy to
| leak part of your relatives' DNA is besides the point.
| It's their decision to make, since it's their personal
| data and deemed confidential under most privacy
| frameworks, and therefore a breach.
| dekhn wrote:
| To your first point: Yes, I generally extend my argument
| to more or less everything in the modern world. Put your
| garbage out on the street: reporters can rifle through it
| looking for evidence.
|
| To your second point: we already know DNA can't remain
| confidential (there is no practical mechanism by which
| even a wealthy person could avoid a sufficiently
| motivated adversary who wanted to expose their DNA).
| That's just a fact, we should adjust our understanding
| based on that fact.
|
| Most important: sharing _my_ genomic information with the
| world is not a breach of any privacy framework I'm aware
| of and subject to (US laws). Do you have a specific
| framework or country in mind?
| downWidOutaFite wrote:
| That's not the same risk because 23andme also has name,
| address, email.
|
| One risk if you have PII+genome is that a technically
| sophisticated entity can determine if you've physically been
| in a location. Also with an extensive PII+genome database
| they could find your family, for example for blackmail
| purposes.
|
| Another risk is that a health insurance provider could deny
| you based on potential health issues they find in your
| genome.
| hiatus wrote:
| Technically, even without PII an adversary could determine
| that you have been in a physical place, they just wouldn't
| know what to call you.
| dekhn wrote:
| Yes, but technically sophisticated entities can also use
| methods that require less effort.
|
| https://xkcd.com/538/
| zlg_codes wrote:
| That's your defense? You asked for actual risks and when
| shown real, plausible ones recede into XKCD quotes.
| Clearly just a spoiler.
| dekhn wrote:
| What real, actual risks which I didn't already know about
| have been shown in this thread?
|
| The point is that while you can use DNA to identify
| people in most cases, sufficiently motivated adversaries
| have more effective, cheaper, lower-technology approaches
| that they will use first.
| hot_gril wrote:
| One non-theoretical risk is that you or a relative leaves DNA
| on the scene of a crime you didn't commit (or?), and this
| makes you a suspect. This is also assuming a real identity is
| tied to the DNA.
| drcode wrote:
| Fully agree with you here. I can understand why people argue
| "We must do everything possible that no human being ever
| finds out anything medical-related about another human being,
| ever"
|
| But that is a value judgement, and I believe it is one that
| comes at a great cost to society- I wouldn't be surprised if
| >50% of the cost of medical care is directly or indirectly
| due to this attitude, and that medical progress has been
| slowed immensely for the same reason.
|
| If we could make medical data more open, it would greatly
| benefit the vast majority of people. OF COURSE it is true
| that some smaller number of other people/patients are helped
| by the existing medical secrecy system. I fully admit this is
| a trade-off, where we have to decide what values are more
| important.
|
| (source: Am medical doctor)
| zlg_codes wrote:
| This is disgusting. You want people knowing the maladies
| they got treated, and how?
|
| There's the old saying of knowledge being power. If you
| want this information about people being spread, then
| you're advocating having power over these people over that
| information.
|
| It takes very little imagination to see how humans would
| misuse this data.
| zlg_codes wrote:
| Why do you think people are entitled to have genome data on
| you? The morality is flipped. Privacy is recognized as a
| core, natural right. Others have to prove their onus for
| wanting your biological data. Trusting others is a moral and
| character weakness, because you have no guarantees as to how
| that data will be used. Or more specifically, what new ways
| to analyze and take advantage of that data will become.
|
| I think actuaries will care an awful lot about this data and
| could use it to negatively influence your risk factor, and
| thus insurance premiums.
| dekhn wrote:
| I think if your prior includes "trusting others is a moral
| and character weakness" then I don't think it's useful for
| us to discuss this topic further.
|
| As for actuaries, in the US, the GINA law prevents health
| insurance companies from using this data. I think legal
| protection is much more important than attempting to hide
| my DNA.
| zlg_codes wrote:
| > I think if your prior includes "trusting others is a
| moral and character weakness" then I don't think it's
| useful for us to discuss this topic further.
|
| I agree, if you can't justify trust with reason then it's
| hard to trust your argument that relies on trust. Trust
| can be broken, and your stance doesn't address that
| concern.
| sunnybeetroot wrote:
| The law could change, allowing the usage of your data
| without your consent.
| sedatk wrote:
| 1) You can be subject to discrimination based on your
| ethnicity, race, or health related factors. That's especially
| a problem when the data leaks at scale as in 23andme's case
| because that motivates the development of easy-to-search
| databases sold in hacking forums. The data you presented here
| would be harder to find, but not the case with mass leaks.
|
| 2) It's a risk for anything that's DNA-based. For example,
| your data can be used to create false evidence for crimes
| irrelevant to you. You don't even need to be a target for
| that. You can just be an entry in a list of available DNA
| profiles. I'm not sure how much DNA can be manufactured based
| on full genome data, but with CRISPR and everything I don't
| think we're too far away either. You can even experience that
| accidentally because the data is out there and mistakes
| happen.
|
| 3) You can't be famous. If you're famous, you'd be the target
| of an endless torrent of news based on your DNA bits. You'd be
| stigmatized left and right.
|
| 4) You can't change your DNA, so when it's leaked, you can't
| mitigate the future risks that don't exist today. For
| example, DNA-based biometrics, or genome simulation to a
| point where they can create an accurate lookalike of you.
| They're not risks today, but that doesn't mean they won't be tomorrow.
|
| There are also additional risks involved based on the country
| you're living in. So, you might be living in a country that
| protects your rights and privacy, but it's not the case with
| the others.
| rand1239 wrote:
| > Why would anyone willingly do that?
|
| Maybe they accept the possibility that they die one day?
| p_j_w wrote:
| >But then I read about things like WorldCoin and that people
| who go to startup parties jump at the chance to give away scans
| of their retinas and I'm befuddled.
|
| I'm befuddled that anyone thinks Sam Altman is the least bit
| trustworthy after WorldCoin.
| akira2501 wrote:
| > I read about things like WorldCoin and that people who go to
| startup parties jump at the chance to give away scans of their
| retinas
|
| Is this actually happening, or is that just what the stories
| say?
| josefritz wrote:
| There is no retcon possible from a TOS update. They're a soft
| target for a class action lawsuit right now and they know it.
| kryptiskt wrote:
| I have a vague recollection that some company fairly recently
| squirmed when it got tons of arbitration cases.
|
| It would be really funny if 23andMe got dragged to the arbitrator
| a million times.
| nielsbot wrote:
| I think there was a general pattern of people striking back
| against mass forced arbitration by saying "ok, that's fine,
| we'll _all_ go to arbitration at once". And companies ended up
| having to foot the bill for hundreds or thousands of
| arbitration cases...
|
| Newer arbitration clauses that I've seen now cover this
| scenario. Something like "If many identical cases come forward
| at the same time, you agree to combine your cases in a single
| arbitration action"
|
| Looks like CR wrote about it:
|
| https://www.consumerreports.org/money/contracts-arbitration/...
| darklycan51 wrote:
| I don't feel bad for anyone who sent their dna to a private
| capitalistic company. It was always obvious this was gonna
| happen. Especially when these companies paid so much to
| politicians like Bernie Sanders to appear on their ads to seem
| "benign".
| nazgulsenpai wrote:
| Do you feel bad for people who had relatives use the service
| without them knowing, making them party even though they did
| not consent?
| RIMR wrote:
| 23andMe thanks you for your lack of sympathy for their victims.
| helsinkiandrew wrote:
| Forcing customers to use arbitration hasn't always been in the
| company's interest - if only a fraction of the 7M affected
| customers started the arbitration process it could cost a lot
| more than a class action suit.
|
| Didn't Uber drivers get a large payment from them in this way?
|
| https://www.reuters.com/legal/litigation/uber-loses-appeal-b...
| kelthan wrote:
| Trying or arbitrating a large number of cases individually is
| far more expensive than litigating a class action suit. But
| only if the people pushing the arbitration hold firm, rather
| than agreeing to the initial settlement offering.
| freeAgent wrote:
| I once looked into arbitration against a local company based
| on their ToS. Initiating arbitration would have cost me
| several hundred dollars, not to mention time, which was more
| than my dispute was worth.
| zlg_codes wrote:
| Arbitration almost always favors the company; why else would
| they push for arbitration instead of respecting your rights?
| someotherperson wrote:
| An alternative take is that they changed their terms of service
| so that if/when this happens again they'd have more control over
| the fallout. I think they're totally expecting to get railed for
| the last one and are preparing for it, but this doesn't mean they
| can't prepare for the future as well. I imagine other providers
| will also revise their TOS.
| tjpnz wrote:
| Which companies offer similar services sans all the bullshit and
| privacy issues? I'm not interested in finding long lost relatives
| and even less interested in having my data sold or shared with
| LEO.
| emddudley wrote:
| I have tried to quickly diff the previous TOS with the new one
| and I wasn't able to identify any big changes. I would like to
| know what the actual changes are. I see a lot of articles
| criticizing the new TOS, but no one is showing the actual wording
| differences.
|
| Does anyone have an actual diff?
| slingnow wrote:
| Why do the actual work when you can just come to the HN comment
| section and rant about what you think it means!
| e28eta wrote:
| Comparing:
|
| https://www.23andme.com/legal/terms-of-service/full-version/...
|
| https://www.23andme.com/legal/terms-of-service/full-version/
|
| two things jump out at me, as a layman:
|
| insertion into the middle of Limitation of Liability "WITHIN
| THE LIMITS ALLOWED BY APPLICABLE LAWS, YOU EXPRESSLY
| ACKNOWLEDGE AND AGREE THAT 23ANDME SHALL NOT BE LIABLE FOR ANY
| DAMAGES"
|
| Lots of changes to the Dispute Resolution, and new content re:
| Mass Arbitration. However, the previous ToS still had binding
| arbitration clauses, and stuff about class actions.
| tokai wrote:
| Meh, not really binding in the EU, as it's not done in good faith
| and it disadvantages consumers. I see no reason to write them and
| tell them you don't agree, if you are an EU citizen.
| pizzalife wrote:
| I interviewed for a security position there a few years ago, but
| they cut the role before the interview process was over. Kind of
| feels like they didn't prioritize security - you reap what you
| sow.
| tamimio wrote:
| Gladly I never used any of these services, not just knowing my
| ancestors' origins will add zero value to my life, but also I
| don't trust any cloud services to store my passwords or notes,
| let alone a biometric I will never be able to change, alive or
| not.
| TheBlight wrote:
| The slightly annoying thing with this data, though, is that
| even if you don't provide your data your privacy can be
| violated via any relatives' data that did decide to use the
| service.
| FredPret wrote:
| Reminds me of Paypal that keeps spamming me with Terms of Service
| update emails. It doesn't exactly build trust.
| SpaceManNabs wrote:
| What exactly was breached isn't clear... Very worrying
| eadler wrote:
| In case anyone is interested I've been compiling as much factual
| information on arbitration here. Not yet complete but reasonably
| useful and well sourced
|
| https://grimreaper.github.io/arbitration/docs/problems/
| ashtronaut wrote:
| thank you this is really helpful!
| robg wrote:
| Just email to say you opt out.
| TheCaptain4815 wrote:
| I almost laughed out loud when I got the email a few days after
| the leak. There's no way a company can just change the TOS AFTER
| a major leak, right?
| dekhn wrote:
| yes, companies can change TOS when they want regardless of what
| happened before, so long as they weren't legally prevented from
| doing so.
| Fischgericht wrote:
| As someone living in the EU, these kinds of things puzzle me a
| lot.
|
| How can a legal system exist, where it's possible to deny a
| (consumer) contract party access to the legal system and law of
| the land?
|
| (In the EU we do have arbitrations clauses, but they are only
| legal between businesses and tightly regulated. Arbitration
| "courts" must be neutral. And you can not put them into ToS.)
|
| Also, I was under the impression that all sane legal systems on
| this planet are based on the broad principle of "pacta sunt
| servanda" = "agreements must be kept". One party of a contract
| never can change the contract without consent from the other
| party.
|
| We do have the concept of "silent approval" for consumers over
| here, too, but that only applies to minor changes to terms that
| are not a "surprising" change to the consumer. It recently was
| ruled that for example Netflix increasing prices without active
| consent is not legal in the EU. There is not much that is not
| regarded as "surprising" by courts here. "You are not allowed to
| sue us after having lost your personal data, then lying about it"
| clearly would be regarded as surprising.
|
| In summary: Every aspect of that whole 23andMe story would be
| impossible in the EU. The amount of data they collected, the way
| they stored it, the way they tried to hide the breach, and them
| trying to prevent their customers from getting access to the law.
|
| I wonder how on earth the US legal system could deteriorate so
| much that such a story becomes possible.
|
| [Disclaimer: I am not bragging about living in the EU. I did not
| have any influence on my place of birth. I do not wish to imply
| that the EU is "superior" to the US. I am just trying to give an
| outside perspective.]
| pyuser583 wrote:
| The real issue is that lawyer can "try" anything with almost no
| consequences.
|
| I doubt this will work. But there's "no harm in trying."
| Fischgericht wrote:
| Over here there are "consumer associations" that have the
| right to sue in such cases in the name of all consumers. That
| works quite well.
|
| Due to this traditionally those things are not even tried.
|
| That has changed with (mostly US) businesses entering the EU.
| A good example is booking.com, who again and again and again
| invented new dark patterns to then get sued for it, making it
| clear those are illegal.
|
| We had the same with the airline industry with their
| advertised prices not matching the actual final price with
| all taxes and made-up fees. But by now even Ryanair has given
| up and no longer tries those tactics.
|
| But there are no big financial penalties for losing such
| cases in court. I guess it's the bad PR these court cases
| generate every time that makes those businesses, after a while,
| give up trying to screw over consumers...
| denton-scratch wrote:
| > I wonder how on earth the US legal system could deteriorate
| so much that such a story becomes possible.
|
| My impression is that everything in the USA has become
| lawyerized. Politicians are all lawyers. If you have assets of
| more than a mill, you have a legal team. You can't move for
| lawyers. I'm watching stories about a man facing 90 charges,
| who is still running for president (and has a good chance of
| winning). All of his co-accused are lawyers.
|
| You'd think that, with so many lawyers around, it should be
| _really quick_ to get justice. But it's the opposite;
| apparently, the more lawyers are involved, the longer justice
| is delayed.
| jakedata wrote:
| 23andMe would like to point out that hackers already have access
| to 99.9% of your DNA right now. That means they are at most only
| 0.1% at fault for anything else.
| lowbloodsugar wrote:
| Ok, but where is the class action?
| jbombadil wrote:
| I honestly don't understand how "If you don't opt out within 30
| days you'll be bound to the new TOS" works.
|
| I have heard of two big "trends" of how people think about legal
| contracts:
|
| [1] What is written there and what both parties agreed to is the
| truth.
|
| [2] A contract is supposed to be a "meeting of the minds". If
| it's proven that one party was being deceitful, then the contract
| (or that part) doesn't hold.
|
| If we go by [1], then the company can change the TOS by sending
| me a notice with "if you don't opt out, then you're bound by
| these terms"... but so should I. I should be able to send a
| letter to 23&me saying "if you don't disagree these are the new
| terms: if my information is ever hacked, you owe me 10M dollars
| in damages"
|
| If we go by [2], then sending a notice like that is absolutely
| invalid. They have no way of proving that I read that notice
| within 30 days, so there was never a "meeting of the minds".
| pkilgore wrote:
| Exporting raw genetic data is conveniently "temporarily
| unavailable" at the time this bullshit is happening, which
| is something I'm almost certain discovery would prove is an
| intentional choice by them.
| stuaxo wrote:
| Will this work I wonder ?
| theGnuMe wrote:
| Huge HIPPA violation as well.
| deathanatos wrote:
| > _Huge HIPPA violation as well._
|
| It's _HIPAA_.
|
| IANAL: And unless 23andMe meets the HIPAA definition of a
| "covered entity", which I'm not sure they do, they're not going
| to be covered by HIPAA.
| theGnuMe wrote:
| Right but the hackers are not covered entities.
| deathanatos wrote:
| That's not how HIPAA works. 23andme would be, or would not
| be, the covered entity, and the entity bound by HIPAA.
| deegles wrote:
| I got downvoted in another thread for suggesting that a company
| might do exactly this
| master_crab wrote:
| I'll give you an upvote if you link it!
| hsuduebc2 wrote:
| Exactly. This behavior is why I'm never gonna send my DNA to any of
| these services. Certainly not US. I hope the EU will have some
| regulations for this soon.
| henry2023 wrote:
| About 5 or 6 years ago, I thought about sequencing my DNA with
| them. I'm glad I didn't seriously consider it or actually go
| through with it.
| benchtobedside wrote:
| Worth noting that 23andMe, plus many other low cost
| genealogy/health-focused companies do not sequence your DNA.
|
| Instead, they perform what is called a genotyping microarray
| test, which looks at less than 0.1% of your genome.
|
| To quote from 23andMe: "In order to be genotyped, the amplified
| DNA is "cut" into smaller pieces, which are then applied to our
| DNA chip (also known as a microarray), a small glass slide with
| millions of microscopic "beads" on its surface. Each bead is
| attached to a "probe," a bit of DNA that matches one of the
| genetic variants that we test. The cut pieces of your DNA stick
| to the matching DNA probes. A fluorescent label on each probe
| identifies which version of that genetic variant your DNA
| corresponds to."
|
| Source: https://customercare.23andme.com/hc/en-us/articles/227968028...
| bulbosaur123 wrote:
| As a customer from EU who has been affected by this, how do I sue
| them? Can I join the class action?
|
| Didn't use ancestry feature, but from what I understood my data
| has been leaked as well.
| Imnimo wrote:
| Well at least, 23andMe promises that it also can't participate in
| a class-action lawsuit against me. So that's pretty fair.
| WalterBright wrote:
| "reports revealing that attackers accessed personal information
| of nearly 7 million people -- half of the company's user base --
| in an October hack."
|
| Breaking into a system should _never_ provide access to 7 million
| people. The database should be divided up into multiple "cells"
| each with its own separate access restrictions.
|
| It's the same idea that spy networks use to prevent one
| compromised spy from bringing down the whole system. Or you can
| think of it like watertight compartments in a battleship.
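The compartmentalisation argued for above, as an added illustration that is not the commenter's code nor 23andMe's design: records are sharded into cells, each cell has its own credential, and a single stolen credential can read only its own cell. All names, the cell count and the user records are constructed.

```python
import hashlib
import secrets


def _fp(credential: str) -> str:
    # Store only a fingerprint of each credential, never the credential itself.
    return hashlib.sha256(credential.encode()).hexdigest()


class CellularStore:
    """Records live in N cells; each cell has its own credential, and a
    credential is valid for exactly one cell (constructed illustration)."""

    def __init__(self, n_cells: int):
        self.cells = [{} for _ in range(n_cells)]      # cell index -> {user_id: record}
        self.cell_creds = [secrets.token_hex(16) for _ in range(n_cells)]
        self._cred_index = {_fp(c): i for i, c in enumerate(self.cell_creds)}
        self.denied = []   # audit trail of cross-cell reads; a burst of these is a detection signal

    def cell_for(self, user_id: str) -> int:
        # Deterministic placement: a user's record lives in exactly one cell.
        digest = hashlib.sha256(user_id.encode()).digest()
        return int.from_bytes(digest[:8], "big") % len(self.cells)

    def put(self, user_id: str, record: dict) -> None:
        self.cells[self.cell_for(user_id)][user_id] = record

    def get(self, credential: str, user_id: str) -> dict:
        cell = self.cell_for(user_id)
        if self._cred_index.get(_fp(credential)) != cell:
            self.denied.append((cell, user_id))
            raise PermissionError(f"credential is not valid for cell {cell}")
        return self.cells[cell][user_id]


def load_constructed_users(store: CellularStore, n: int) -> None:
    # Constructed sample records standing in for real customer data.
    for i in range(n):
        store.put(f"user-{i}", {"name": f"Constructed User {i}", "ancestry": "n/a"})


def blast_radius(store: CellularStore, credential: str) -> int:
    """How many records one stolen credential can read: the attacker's best case."""
    readable = 0
    for cell in store.cells:
        for user_id in cell:
            try:
                store.get(credential, user_id)
                readable += 1
            except PermissionError:
                pass
    return readable


if __name__ == "__main__":
    monolith, cellular = CellularStore(1), CellularStore(100)
    for s in (monolith, cellular):
        load_constructed_users(s, 10_000)
    print("monolith, one stolen credential:", blast_radius(monolith, monolith.cell_creds[0]))
    print("100 cells, one stolen credential:", blast_radius(cellular, cellular.cell_creds[0]))
```

With one cell the single credential reads all 10,000 records; with 100 cells it reads roughly 100, and every attempt beyond its cell lands in the audit trail.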
| TaylorAlexander wrote:
| I haven't logged in in years. Is it possible for me to cancel my
| service without agreeing to updated terms?
| jnsaff2 wrote:
| Sociopaths.
| b800h wrote:
| I'm in the UK and I've not received a notification that the terms
| have changed. Is this because our law is more consumer-friendly?
| 1vuio0pswjnm7 wrote:
| "In October, the San Francisco-based genetic testing company
| headed by Anne Wojcicki announced that hackers had accessed
| sensitive user information including photos, full names,
| geographical location, information related to ancestry trees, and
| even names of related family members."
|
| For those who do not know, her sister is a longtime Google
| marketing person since 1999, who worked on AdWords, AdSense,
| DoubleClick, GoogleAnalytics and the money-losing data collection
| and advertising subsidiary YouTube.
|
| It seems personal data collection for profit runs in the family.
| zlg_codes wrote:
| I'm getting to a point where I automatically assume any business
| is both taking my money and trying to totally fuck other parts of
| my life behind my back to make more money.
|
| If capitalism is so great why is it so incompatible with being a
| good and honest person?
| alephnan wrote:
| > If capitalism is so great why is it so incompatible with
| being a good and honest person?
|
| Capitalism was never about that. It was about having people acting in
| their own self-interest so as to maximize economic efficiency.
| That model works great when you are selling commodities and
| physical products.
|
| Capitalism in the era of personal information as currency is an
| entirely different beast that needs to be reworked.
| happytiger wrote:
| There's a word for changing the terms after a deal is signed to
| benefit one party over the other: fraud.
___________________________________________________________________
(page generated 2023-12-12 23:00 UTC)