For sale of DNA, eliminate calls, a new market panic born


Signaling at 23 Headquarters in Sunnyvale, California, USA, on Wednesday, January 27, 2021.

David Paul Morris | Bloomberg | Getty images

DNA tests have become a valuable tool for novice fans and genealogists. For some, learn that they are the tenth of Paul Revere or the 15 great nephew eliminated four times from the last king of Prussia, it is worth the perceived risk of sharing a DNA sample. But what happens when the company that collects the DNA declares bankruptcy?

That was the question that was raised for millions of Americans last week when 23 Andme, the company that popularized the genetic evidence of the consumer and had an early support of Google, declared bankruptcy, which led to a wave of calls to the Americans to eliminate their DNA from the company's database.

While it is not 100 percent clear if the calls to “eliminate their DNA” were justified, the privacy experts are alarmed and the Americans who had taken the genetic test took the advice seriously.

According to the data of the online traffic analysis, Similingweb, on March 24, on bankruptcy announcement, 23Andme received 1.5 million visits to its website, a 526% increase from a previous day. According to SimilarWeb, 376,000 visits were made to help the pages specifically related to data elimination, and 30,000 were made to the customer service for the closure of the account. The next day, that figure increased to 1.7 million visits, and Rrafic for the Delete help page data around 480,000.

Margaret Hu, law professor and director of the Digital Democracy Laboratory at the Law Faculty of William & Mary, believes that the Americans made the correct movement. “This development is a disaster for data privacy,” Hu said. In his opinion, bankruptcy 23 Andme should serve as a warning of why the federal government needs strong data protection laws.

In some states, Hu said, the government is assuming an active role in consumer advice. The California Attorney General's Office urges Californians to eliminate their data and that 23As destroy saliva samples. But hu says that this is not enough, and this guide must be provided to all US citizens.

The possible national security implications of the 23 Andme data that fall into the wrong hands are not new. In fact, the Pentagon had previously warned of military personnel that these DNA kits could represent a risk to national security.

Exposing the consumer collected DNA is not a new problem for 23 Andme. In 2023, almost 7 million people who took the genetic test were already exposed in an important 23Andme data violation. The company signed an agreement that involved a $ 30 million agreement and a three -year security monitoring promise.

But Hu says that bankruptcy makes the company and its data, especially vulnerable now.

Drug research and genetic test data

One of the notable things about the mentality of consumers in the first years of the popularization of genetic tests was that most users chose to share their DNA for research purposes, up to 80% in the years in which 23Andme was growing rapidly. Then, as the market for the sale of the consumer of the popular DNA test kits reached saturation before expected, 23Andme focused more on research and development associations with pharmaceutical companies as a way of diversifying their income.

Currently, when 23Andme sells genetic data to other research companies, most are used at an added level, as part of millions of data points that are analyzed as a whole. The company also eliminates the identification of genetic data data, and registration information (such as a name or email) is not included. Data researchers need, such as the date of birth, are stored separately from genetic data and are shared with random assigned IDS.

HU is among the experts interested in that these practices could change below 23Andme or any new buyer. “In a moment of financial vulnerability, companies such as pharmaceutical companies could see the opportunity to exploit the benefits of research of genetic data,” said Hu, and added that they could try to renegotiate previous contracts to extract more company data. “Will the next company buy 23 do that?” Hu said about its privacy policies.

In recent days, 23Andme has said that he will try to find a buyer who shares his privacy values.

23Andme did not respond to a request for comments.

Anne Wojcicki, co -founder and executive director of 23Andme presses the button, remotely playing the Nasdaq opening bell at the headquarters of the DNA 23Andme Technology Company in Sunnyvale, California, USA, UU., June 17, 2021.

Peter Dasilva | Reuters

Over the years since the 23Andme Foundation in 2006, many clients were willing to send a swab to learn more about their family history. Lansing, Michigan's resident, Elaine Brockhaus, 70, and her family were excited to learn more about her lineage when they presented samples of her DNA to 23andme. But with the company now staggering in bankruptcy and privacy experts worried about what happens to millions of people with stored DNA samples, Brockhaus says that everything has “caused a little fuss in my family.”

“We enjoy some aspects of 23 and me,” Brockhaus said. “They continually refined and updated our heritage as more people joined, and could identify genetically related groups,” Brockhaus said. She could learn more about the health risk factors that were present or not present in her past.

Now, his family has completed the circle in the 23Andme experience: some members were initially reluctant to accompany, and now, Brockhaus says, everyone has eliminated their accounts.

A collapse of a unique company, but cybernetic cybernetic risks

But Brockhaus continues to see me 23 within a larger consumer health market where the risks are not new, and health information is shared in all types of environments where security problems could arise. “Anyone who sends Colloguard or receives medical results through the mail is risking the exposure,” Brockhaus said. “Our own identities can be stolen with some clips of keys. Of course, this does not mean that we should raise our hands and accept being victims, but unless we want to dig holes and live in them we have to be attentive, proactive, but not panic,” he added.

Jon Clay, vice president of threat intelligence from the cybersecurity firm, Trend Micro, says that 23Andme consumers need to see bankruptcy as a threat. In any sales process, if the data is not transferred and protect as much as possible, “it is at risk of being used by malicious actors for several dire purposes,” he said.

Clay believes that 23Andme's data are incredibly valuable for cybercriminals, not only because it is permanent and identifiable personally, but also because it can be exploited by identity theft, blackmail or even medical fraud.

“Cybercriminals can use it to attack consumers with convincing and tactical scams of social engineering, such as fraudulently affirming that someone is a blood in relation to another person or to send deceptive messages about their possible health risks,” Clay said. “Organizations that are declared bankrupt must ensure that the security and privacy of their customers are critical, and any exchange or sale of data to others should not be done,” he added.

But other experts say that the 23Andme lesson is less about the company's collapse and the threat of privacy that was created that serve as a reminder about cybernetic risks cootters related to personal information.

“When people begin to talk about personal data, they forget where their data is already sitting,” says Rob Lee, head of research and head of the Sans Institute Faculty, who specializes in helping companies with information security and cyber problems. Whether you are sending a blood sample to a private laboratory or getting rid of a laptop to update a new one, “their digital footprints are being left there so that people find it,” Lee said. “People do not understand the scope, so there is a bigger discussion out there, specifically about where the data are going?”

With DNA information, there are certain basic legal factors that people should weigh before hitting themselves and send the sample.

According to Lynn Sessions, an expert in health privacy and digital assets and partner in the Bakerhosteler law firm, the federal law that covers the privacy of patient's information, Hipa, does not apply to this situation, and 23 will not be considered an entity covered with hypa, or one commercial associate of one. But there are state laws that apply to the genetic information that would be at stake, as in California.

Meredith Schnur, managing director and cybersecurity leader of the Marsh insurance company, believes that the risk of 23 Andme bankruptcy for the people who sent their swabs is relatively low. “It does not cause any additional dismay or stomach acidity,” said Schnur. “I just don't think it opens any additional risk that no longer exists,” he said, adding that the information of many people “already outside.”

Last week, a co -founder of 23Andme, Linda Avey, criticized the leadership of the company. “Without the continuous development of consumer -centered products, and without governance, 23Andme lost its course, and society lost a key opportunity to promote the idea of ​​personalized health,” Avey wrote in a publication on social networks. “There are many warning stories buried in the history of 23 Andme,” said Avey.

Banking itself is the problem that is now difficult to ignore for consumers, and until the sales process is completed, the questions will remain.

“When you are in bankruptcy, data privacy values ​​are not in what you are really thinking. You are thinking of selling your company to the highest bidder,” Hu said. That best bidder, says Hu, could take genetic data and consumer profile data and link them by selling them to others.

And that initial sale that includes the DNA of millions of people can only be the first of many transactions.

“I could sell it, piece by piece, indiscriminately. And the buyer of that data could be a foreign adversary,” Hu said. “That is why this is not just a data privacy disaster. It is also a national security disaster.”

scroll to top