I would expect the court would evaluate any breach under the TOS that was in effect at the time of the breach, rather than under a new (and arguably suspect) one that was put in place after it, arguably in an attempt to "rewrite history".
This is an attempt to undermine consumer protection laws, and the government should treat it as a direct attack. Other companies are watching. The government needs to send a clear message that this won't be tolerated before it spreads, becomes the status quo, and leaves many consumers believing that they don't have any rights or protections.
The head of legal should also be disbarred under American Bar Association rule 1.2(d):
> (d) A lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent, but a lawyer may discuss the legal consequences of any proposed course of conduct with a client and may counsel or assist a client to make a good faith effort to determine the validity, scope, meaning or application of the law.
This reads as clear contract fraud in the factum [1]. Customers are told that they're bound by new contract terms, despite that 23andMe never got agreement, nor tried to get agreement, nor even knows whether customers have read the new contract. I can't fathom any other reasonable interpretation of the situation. They created a fraudulent contract hoping to confuse other entrants to prior versions of the contract, and intend to benefit from that confusion. It seems clear to me. They are attempting to undermine the legal system, and the ABA needs to deal out swift punishment as one of the protectors of that system.
This is part of the legal system. It shouldn't be, but it is. If you can toss a hundred issues the other party has to refute, you drive up legal costs to where litigation is no longer practical. The other side loses by default of not being able to afford litigation.
The ABA is, indeed, one of the protectors of the legal system, and has no vested interest in undermining it. The system means their constituents, lawyers, make more money.
Footnote: The mistake you made is that 23andme isn't undermining the legal system, but rather, justice. The two are not the same.
I’m even more curious if the change of ToS alone could be grounds for a trial, even a class action—making the risk not even worth the try.
Even harder to swallow: discover that the lawyers using the class action got hold of the data from the leak and used that in their marketing.
I suspect that a competent lawyer could fairly easily argue that this "automatic opt-in" is the same thing in a slightly different format.
I don't know where you have been the last few years, but I am pretty sure things like that happen all the time, based on the emails I received regarding ToS updates. And I have never heard of any company getting into trouble in court. Maybe public opinion, but that's it.
Of course, if people don’t accept the new terms, they are still bound by the old ones. But if you don’t opt out…
This isn't a case of a minor change to consumer rights in the TOS like changing who would arbitrate a case. It's a significant restrictive change to the rights of the customer in favor of the company. And it was made after a security breach that affected a huge portion of the company's clients, which is likely to trigger lawsuits of the form that the TOS now seeks to restrict.
This is clearly a case of attempting to close the barn door after the horse was spotted in the next county over.
You and a lot of the people who replied to you seem to be confusing what is unjust with what is illegal. You can't use one to deduce the other.
Again, IANAL. Just my opinion as a citizen, not legal advice. Seek competent legal advice before taking legal action.
[0] https://www.law.cornell.edu/wex/adhesion_contract_(contract_...
Would like a lawyer to correct me if wrong, but these terms would only apply to any future events, not to the hacks that happened under the previous terms, for which they've already accrued the right to sue in a court (or whatever those terms said) regarding that hack, and 23andMe hasn't really implied otherwise just by updating its terms?
If they wanted that, they'd have to have explicitly included language like "by continuing to use our services after this notice, you covenant not to sue in court for any prior causes of action" or the like?
My point being that in Australia my vibe is that this will be looked upon in a very negative light by courts and any regulators.
I hate this timeline.
To Whom It May Concern:
My name is [name], and my 23andMe account is under the email [email]. I am writing to declare that I do not agree to the new terms of service at https://www.23andme.com/legal/terms-of-service/.
WTF. This is outrageous. And I had to find that email in my spam after I read this comment. Hope this POS company goes down in flames after this.
Some companies require that. Here is PayPal's process for example: https://www.paypal.com/us/legalhub/useragreement-full#table-...
Hopefully our court system will get some more teeth vs other corporations soon.
But I don't see how drunken anarchist tactics help, and that noise seems like it would be a counterproductive diversion.
This is probably why the unsubscribe links require some interactive confirmation, so that simply loading the page doesn't actually unsubscribe.
If this were doable, I'd put them above Troy Hunt in contributions to humankind ;-)
DNA driven targeted advertising that finds only the most docile consumers.
I forgot my password and did a password reset. They have a password requirement of 12 characters minimum. A bunch of security theater just to get hacked anyways.
> 30 Day Right to Opt-Out. You have the right to opt-out and not be bound by the arbitration and class action waiver provisions set forth above by sending written notice of your decision to opt-out by emailing us at arbitrationoptout@23andme.com. The notice must be sent within thirty (30) days of your first use of the Service, or the effective date of the first set of Terms containing an Arbitration and Class Action and Class Arbitration Waiver section otherwise you shall be bound to arbitrate disputes in accordance with the terms of those sections. If you opt out of these arbitration provisions, we also will not be bound by them.
Please let me know in technical terms, combined with rational argument, why what I did was unwise. Presume I already know all the common arguments and have evaluated them using my background knowledge (which includes a PhD in biology, extensive experience in human genome analysis, and years of launching products in tech).
I've been asking people to come up with coherent arguments for genome secrecy (given the technical knowledge we have of privacy, both in tech and medicine) and nobody has managed to come up with anything that I hadn't heard before, typically variations on "well, gattaca, and maybe something else we can't predict, or insurance, or something something".
2) It's a risk for anything that's DNA-based. For example, your data can be used to create false evidence for crimes irrelevant to you. You don't even need to be a target for that. You can just be an entry in a list of available DNA profiles. I'm not sure how much DNA can be manufactured based on full genome data, but with CRISPR and everything I don't think we're too far away either. You can even experience that accidentally because the data is out there and mistakes happen.
3) You can't be famous. If you're famous, you'd be the target of an endless torrent of news based on your DNA bits. You'd be stigmatized left and right.
4) You can't change your DNA, so when it's leaked, you can't mitigate the future risks that don't exist today. For example, DNA-based biometrics, or genome simulation to a point where they can create an accurate lookalike of you. They're not risks today, but that doesn't mean they're not tomorrow.
There are also additional risks involved based on the country you're living in. So, you might be living in a country that protects your rights and privacy, but it's not the case with the others.
So let's assume you committed to publishing your genome in advance regardless of result. Sounds like you spun the barrel and dry snapped to demonstrate that Russian roulette is safe for everybody.
Tell us about how differing views on this to yours would influence opinion about your products you've launched in tech given your extensive experience in human genome analysis. Not at all?
This really may not be a case of being unable to understand something one's paycheck depends on not understanding at all but we can't know that yet.
One risk if you have PII+genome is that a technically sophisticated entity can determine if you've physically been in a location. Also with an extensive PII+genome database they could find your family, for example for blackmail purposes.
Another risk is that a health insurance provider could deny you based on potential health issues they find in your genome.
Sure, if you don't believe in any of the potential negative scenarios, anything goes. You could also post your full name, SSN, DOB, address, etc. here if you are secure in the knowledge that no harm could ever come of it.
But that is a value judgement, and I believe it is one that comes at a great cost to society; I wouldn't be surprised if >50% of the cost of medical care is directly or indirectly due to this attitude, and that medical progress has been slowed immensely for the same reason.
If we could make medical data more open, it would greatly benefit the vast majority of people. OF COURSE it is true that some smaller number of other people/patients are helped by the existing medical secrecy system. I fully admit this is a trade-off, where we have to decide what values are more important.
(source: Am medical doctor)
I think actuaries will care an awful lot about this data and could use it to negatively influence your risk factor, and thus insurance premiums.
While genetic information is not yet understood well enough by the masses to be abused in stereotyping and rejecting and — indeed — "cancelling", there is a huge potential to do so. This especially holds true for gender, racial, national differentiation, genetic disease potential and health profiling — all accessible through a full genome (even if some of the indicators are not with 100% confidence). Lots of this can also be used to start linking genome data to an actual person (helped with data from other contexts), which is where it starts to become risky according to known risk profiles.
Unsurprisingly, someone who is likely a white male (I could have checked using your genome too, but loading up your profile above confirms that) with "no credible genetic risk factors" is a lot less concerned about opening up their genome to the public: you are unlikely to get discriminated against. With that said, even you can get potentially ignored for your privilege: even I just engaged in that — somewhat discounting a part of your experience/claim because you are a white male. Part of that is also education: your extensive experience in the field allows you to make an educated choice. Many can't attain that much knowledge before they decide whether to share their genome or not.
This opens up a question similar to that entire face recognition fiasco — how will the unprivileged be affected by the privileged being the ones mostly used to train the models on and do research on?
So the question is how do we ensure enough anonymity to make everyone happy to contribute to the world knowledge, but reduce chances of linking data back to actual people? I know nebula.org is doing something of the sort (though mostly just guaranteeing that they will remove the data at your request, and not share it without your permission), but we could have one genome produce a bunch of part-genomes, still allowing causation/correlation research, but none of them having the full picture.
That would disable some of the groundwork research (is there a correlation/causation only visible in the full genome or larger part of it?), so it's a tricky balance to find.
And finally, I always like to make this choice a bit personal: how would you feel about your child being linked to a criminal case due to your genome being publicly available?
In the end, I valued knowing these bio markers above the privacy of my genome. The former is actionable and I can use it to optimize my health and longevity; the latter is of vague value and not terribly exploitable outside of edge-case threat models.
I'd be more upset if a combination of my name and email/phone number got leaked than if my DNA was made publicly available.
Q: Is it a HN thing to be (obsessively?) interested in health and longevity?
Dying is a natural process. Sorry.
I'm befuddled that anyone thinks Sam Altman is the least bit trustworthy after WorldCoin.
Genomic data doesn't have the same risk factors--at least at the moment. I think that the point many are trying to make here is that there may be risk vectors available at some point in the future that aren't known now. A couple of theoretical examples:
* You had to give a blood sample rather than other biometric data like a retina scan.
* Spoofing DNA evidence. That would be very/prohibitively expensive/difficult at the moment, but I suppose could become as easy as 3D printing at some point in the future.
What I find strange is that 23andMe did not automatically delete data after 30 days, or at the very least take it offline, only to be available on request. Notify people that their results are available and inform them that the data will be available for 30 days after the first download. This is potentially really sensitive data and, based on 23andMe's response, they seem to be aware of that fact. So why would they keep the data around? That seems fairly irresponsible and potentially dangerous to the company.
Quenching someone's curiosity about where their ancestors are from? Do we even know how accurate it is at doing that?
It's all in the fine print. The labs will keep the genetic information as well as at least your DOB and sex for at least 10 years (CLIA requirements), and 23andMe will keep your identifying information (such as your email address) and account deletion request ID for some undefined period of time. Yes, this will remove some links (and the birthday paradox works in the user's favor), but this is certainly not a full and complete removal.
That doesn't stop my family from doing so, but I sure as hell will never.
Well, in the case of WorldCoin, I think there's still some pretty significant questions of why they made Africa a prominent launch market (well, there are some reasons), but in some places they repeatedly increased incentives until they were offering people there up to a month's income to give their scans. That might not be a lot of money to a big startup, but it is telling that they had to offer that much to get some people to "opt" in.
Maybe they accept the possibility that they die one day?
Is this actually happening, or is that just what the stories say?
The only missing piece is a way to scan your DNA as part of a login form.
Maybe I want to steal a kidney, or a child that could reasonably pass as my own?
Take security seriously people. Especially when dealing with super sensitive data.
In the long run, I think keeping your genetic information private will be untenable; the potential benefits will outweigh the drawbacks. Plus, anyone sufficiently motivated could get your DNA somehow; you shed your DNA everywhere you go, no getting around that.
So what's left is to urge your representatives to maintain and strengthen regulations on how that information can be used, and in the long run we'll just have to trust that that will be enough.
[1] https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrim...
I go to a doctor, they have a ton of info on me. Who knows what might happen with that data ... but I still go to the doctor because it is a good idea for health reasons.
The social aspect of other people at Google doing it made it feel normal.
In hindsight, I drank the Google kool-aid in more ways than one.
The sentiment of distrust towards tech companies and tech companies being yet-another-corporation is really only obvious in recent years. It wasn't the case a decade ago when we were busy being judgemental of Wall Street. Ironically, now it seems that Wall Street is more trustworthy because, at the very least, they are forthright about their motive to make profit instead of all these lies about "changing the world".
Aren't they forcing you to agree to the new TOS to continue using the product?
Additionally, they sent an email out saying that you have 30 days to tell them you want to "opt out"; otherwise, by default, they assume you accept the new TOS agreement.
For those who do not know, her sister is a longtime Google marketing person since 1999, who worked on AdWords, AdSense, DoubleClick, Google Analytics and the money-losing data collection and advertising subsidiary YouTube.
It seems personal data collection for profit runs in the family.
Does anyone have an actual diff?
https://www.23andme.com/legal/terms-of-service/full-version/...
https://www.23andme.com/legal/terms-of-service/full-version/
Two things jump out at me, as a layman:
Insertion into the middle of Limitation of Liability: "WITHIN THE LIMITS ALLOWED BY APPLICABLE LAWS, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT 23ANDME SHALL NOT BE LIABLE FOR ANY DAMAGES"
Lots of changes to the Dispute Resolution, and new content re: Mass Arbitration. However, the previous ToS still had binding arbitration clauses, and stuff about class actions.
In case the older version goes away, here is the archive.org version from October 25, 2023:
https://web.archive.org/web/20231025013949/https://www.23and...
Didn't Uber drivers get a large payment from them in this way?
https://www.reuters.com/legal/litigation/uber-loses-appeal-b...
Breaking into a system should never provide access to 7 million people. The database should be divided up into multiple "cells" each with its own separate access restrictions.
It's the same idea that spy networks use to prevent one compromised spy from bringing down the whole system. Or you can think of it like watertight compartments in a battleship.
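The cell-based design this comment suggests, as an added Python sketch that is not from the thread and not 23andMe's architecture: user ids are hashed into cells, each cell is readable only with its own credential, and a leaked credential exposes that cell alone. The cell count, user ids and records are constructed assumptions.

```python
import hashlib
import hmac
import secrets

NUM_CELLS = 8  # assumption: number of independently credentialed cells


def cell_for(user_id: str, num_cells: int = NUM_CELLS) -> int:
    """Deterministic cell assignment: hash the user id so the mapping is
    stable across services and is not chosen by the caller."""
    digest = hashlib.sha256(user_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % num_cells


class CellStore:
    """Records are partitioned into cells; each cell is readable only with
    that cell's own credential. A service is issued just the credentials
    for the cells it legitimately needs."""

    def __init__(self, num_cells: int = NUM_CELLS) -> None:
        self.num_cells = num_cells
        self._creds = [secrets.token_bytes(32) for _ in range(num_cells)]
        self._cells = [dict() for _ in range(num_cells)]

    def credential(self, cell: int) -> bytes:
        """Hand out the credential for one cell (what a service would hold)."""
        return self._creds[cell]

    def put(self, user_id: str, record: dict) -> None:
        self._cells[cell_for(user_id, self.num_cells)][user_id] = record

    def get(self, cred: bytes, user_id: str) -> dict:
        """Access check: the credential presented must be the one for the
        cell that holds this user, whichever user is requested."""
        cell = cell_for(user_id, self.num_cells)
        if not hmac.compare_digest(cred, self._creds[cell]):
            raise PermissionError(f"credential is not valid for cell {cell}")
        return self._cells[cell][user_id]

    def readable_with(self, cred: bytes) -> dict:
        """Everything a holder of one credential can read: at most one cell."""
        for cell, stored in enumerate(self._creds):
            if hmac.compare_digest(cred, stored):
                return dict(self._cells[cell])
        return {}

    def total_records(self) -> int:
        return sum(len(c) for c in self._cells)


def exposure_fraction(store: CellStore, compromised: list) -> float:
    """Fraction of all records exposed when the given credentials leak."""
    exposed = set()
    for cred in compromised:
        exposed.update(store.readable_with(cred))
    return len(exposed) / store.total_records()


def simulate(num_users: int, num_cells: int) -> float:
    """Load constructed users, leak one cell credential, return exposure.
    With a single cell (the monolithic design) the answer is always 1.0."""
    store = CellStore(num_cells)
    for i in range(num_users):
        store.put(f"user-{i}", {"id": i, "note": "constructed sample record"})
    return exposure_fraction(store, [store.credential(0)])


if __name__ == "__main__":
    print(f"monolithic: {simulate(800, 1):.2f} of records exposed")
    print(f"8 cells:    {simulate(800, 8):.2f} of records exposed")
```

With 8 cells one leaked credential yields roughly an eighth of the records; the remaining exposure is what the per-cell access check (not the hashing) actually buys, so the check is the part to monitor and alert on.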
Didn't use ancestry feature, but from what I understood my data has been leaked as well.
I have heard of two big "trends" of how people think about legal contracts:
[1] What is written there and what both parties agreed to is the truth.
[2] A contract is supposed to be a "meeting of the minds". If it's proven that one party was being deceitful, then the contract (or that part) doesn't hold.
If we go by [1], then the company can change the TOS by sending me a notice with "if you don't opt out, then you're bound by these terms"... but so should I. I should be able to send a letter to 23&me saying "if you don't disagree these are the new terms: if my information is ever hacked, you owe me 10M dollars in damages"
If we go by [2], then sending a notice like that is absolutely invalid. They have no way of proving that I read that notice within 30 days, so there was never a "meeting of the minds".
However, I'm not sure if that's ever been tested in court as a valid theory, and regardless it certainly shouldn't be legal (any more than noncompetes).
It would be really funny if 23andMe got dragged to the arbitrator a million times.
Newer arbitration clauses that I've seen now cover this scenario. Something like "If many identical cases come forward at the same time, you agree to combine your cases in a single arbitration action"
Looks like CR wrote about it:
https://www.consumerreports.org/money/contracts-arbitration/...
I hope that I would have cause to go after them if they leaked DNA from a relative, and that DNA was used to cause harm to me.
23andMe updates their TOS to force binding arbitration (https://news.ycombinator.com/item?id=38551890) - (372 points | 6 days ago | 243 comments)
One interesting thing about this story though is that it appears that 23andMe is outright refusing to make a comment to anyone. Every single site that has covered the story and bothered to email them has added a "23andMe has declined to comment" disclaimer.
Pretty scummy.
The only other thing that they could say would be "We do not comment on matters involving pending litigation." But that's just a longer way of saying "No comment." It's not any more satisfying for the customers or partners understandably seeking answers to what happened, how, and why.
Instead, they perform what is called a genotyping microarray test, which looks at less than 0.1% of your genome.
To quote from 23andMe: "In order to be genotyped, the amplified DNA is “cut” into smaller pieces, which are then applied to our DNA chip (also known as a microarray), a small glass slide with millions of microscopic “beads” on its surface. Each bead is attached to a “probe," a bit of DNA that matches one of the genetic variants that we test. The cut pieces of your DNA stick to the matching DNA probes. A fluorescent label on each probe identifies which version of that genetic variant your DNA corresponds to."
Source: https://customercare.23andme.com/hc/en-us/articles/227968028...
Did 23andme not expect themselves to be hacked?
Why can't I be locked into what I chose to purchase?
The actual ramifications of this are yet to be seen, since the changes come into effect from next year. It will be interesting if this means that apps need to be updated to support new iOS and android versions, or if phones will need to get security updates, or if cloud services must be available, or if a feature can be removed from an app or not.
It's HIPAA.
IANAL: And unless 23andMe meets the HIPAA definition of a "covered entity", which I'm not sure they do, they're not going to be covered by HIPAA.
If capitalism is so great why is it so incompatible with being a good and honest person?
Capitalism was never about that. It was about people acting in their own self-interest so as to maximize economic efficiency. That model works great when you are selling commodities and physical products.
Capitalism in the era of personal information as currency is an entirely different beast that needs to be reworked.
How can a legal system exist, where it's possible to deny a (consumer) contract party access to the legal system and law of the land?
(In the EU we do have arbitration clauses, but they are only legal between businesses and tightly regulated. Arbitration "courts" must be neutral. And you cannot put them into ToS.)
Also, I was under the impression that all sane legal systems on this planet are based on the broad principle of "pacta sunt servanda" = "agreements must be kept". One party of a contract never can change the contract without consent from the other party.
We do have the concept of "silent approval" for consumers over here, too, but that only applies to minor changes to terms that are not a "surprising" change to the consumer. It recently was ruled that for example Netflix increasing prices without active consent is not legal in the EU. There is not much that is not regarded as "surprising" by courts here. "You are not allowed to sue us after having lost your personal data, then lying about it" clearly would be regarded as surprising.
In summary: Every aspect of that whole 23andMe story would be impossible in the EU. The amount of data they collected, the way they stored it, the way they tried to hide the breach, and them trying to prevent their customers from getting access to the law.
I wonder how on earth the US legal system could deteriorate so much that such a story becomes possible.
[Disclaimer: I am not bragging about living in the EU. I did not have any influence on my place of birth. I do not wish to imply that the EU is "superior" to the US. I am just trying to give an outside perspective.]
My impression is that everything in the USA has become lawyerized. Politicians are all lawyers. If you have assets of more than a mill, you have a legal team. You can't move for lawyers. I'm watching stories about a man facing 90 charges, who is still running for president (and has a good chance of winning). All of his co-accused are lawyers.
You'd think that, with so many lawyers around, it should be really quick to get justice. But it's the opposite; apparently, the more lawyers are involved, the longer justice is delayed.
I doubt this will work. But there’s “no harm in trying.”
Due to this, traditionally those things are not even tried.
That has changed with (mostly US) businesses entering the EU. A good example is booking.com, who again and again and again invented new dark patterns to then get sued for it, making it clear those are illegal.
We had the same with the airline industry with their advertised prices not matching the actual final price with all taxes and made-up fees. But by now even Ryanair has given up and no longer tries those tactics.
But there are no big financial penalties for losing such cases in court. I guess it's the bad PR these court cases generate every time that makes those businesses give up, after a while, on trying to screw over consumers...