View this post on the web at [link removed]
Welcome to the Hotel California
On March 23, genomics pioneer 23andMe filed for Chapter 11 bankruptcy, and to be sure, the bankruptcy offers an opportunity to indulge our darkest fears about the digital world and to contemplate how individuals and institutions might handle private data going forward.
Once valued at more than $6 billion, 23andMe saw 99% of its market capitalization evaporate after medical applications failed to pan out and hackers in 2023 absconded with the data of 7 million clients. (23andMe had hoped its data would revolutionize patient-specific medical treatments [ [link removed] ], drug development [ [link removed] ] and preventative care [ [link removed] ].) Clients voluntarily gave 23andMe their genetic data, plus names, addresses, emails, birthdates, lifestyle info and medical and family health histories. The theft raised fears over how such data could be used to harm individuals, families and communities. The bankruptcy court will consider the disposition of data and algorithms, along with future privacy status. Time will tell whether legal guarantees of privacy mean anything.
Suggesting that I write this essay, a friend recently asked me:
Given the bankruptcy of 23andMe, I’m wondering what’s going to happen to all of their health data (including mine) that’s kicking around? Will someone buy it? Do clients like me have any rights?
My flip, sarcastic but absolutely sincere response went something like:
BAD NEWS: Your personal data will probably be bought and sold on the dark web now. ... GOOD NEWS: It was probably already on the dark web, so you’re no worse off than before.
Government officials are now urging 23andMe clients to delete their data before bankruptcy proceedings divvy up the company’s assets. I tell friends, “Go ahead and delete it. The data will still be there, but thinking you’ve deleted it may help you sleep.”
My recent essay, “Hey Siri—What Is Hell? [ [link removed] ],” was subtitled, “How privacy has vanished in a No Exit world of constant, relentless interconnectivity.” In response, one reader offered a telling anecdote:
[On] a 2015 business trip to the Facebook HQ, the front desk guy asked for my Facebook username. I told him I didn’t have one, having only briefly held an account before canceling it in 2007. He said, ‘wait a minute,’ tapped his keyboard and brought up my supposedly deleted account. ‘You can check out any time you like, but you can never leave,’ he smirked.
The receptionist’s wisecrack is the final line of “Hotel California”—an enigmatic song about a stranger in a place from which one cannot escape. Appropriately, Facebook and 23andMe are California-based.
Let’s explore what 23andMe is/was, its wonders, its worries and the gathering stampede to delete data.
Such a Lovely Place
Founded in 2006, 23andMe was the first company to offer direct-to-consumer DNA testing kits to analyze ancestry, health predispositions and genetic traits. Labs processed clients’ saliva to create personalized reports, delivered online to the client. The company conducted research on aggregated, supposedly anonymized genetic data from consenting users to catalyze medical and scientific discoveries. As a client, you could:
Learn good and bad things about your health and plan for future risks;
Understand certain genetic risks your children will face;
Provide data to medical providers for highly personalized treatments;
Connect with previously unknown relatives;
Learn the geographic origins of your family; and
Establish family connections with famous historical figures.
A reader and friend shared with me a heartwarming story from his own family. Michele Mordkoff and Allison Kanter were twins, born in 1964, and separated in infancy by an adoption agency conducting unethical social experiments. In 2018, 23andMe enabled them to find each other and reconnect [ [link removed] ]—three years before Mordkoff’s death.
DNA tests have solved historical mysteries. In 2015, 23andMe competitor AncestryDNA confirmed that James Blaesing’s mother was Warren Harding’s [ [link removed] ] out-of-wedlock daughter. 2013 DNA tests on descendants of Richard III’s sister confirmed that the body discovered beneath a car park in Leicester was the king—missing since 1485. DNA tests demonstrated familial links between Thomas Jefferson and Sally Hemings’ descendants, identified the Romanov family’s remains and confirmed the identities of the Lindbergh baby killer, the Boston Strangler and (maybe) Jack the Ripper. Since 1983, long before 23andMe, Dor Yeshorim [ [link removed] ] (a.k.a., the Committee for Prevention of Jewish Genetic Diseases) has screened religious Jews—enabling that community to avoid the dozen or so devastating recessive genetic diseases that have long been common to Ashkenazi Jews.
Wake You Up in the Middle of the Night
But from the start, there have been ethical and privacy concerns over large-scale genetic testing. Here are a few hypothetical scenarios to disturb your sleep:
Prospective employers discover you have a genetic predisposition for neurodegenerative illness, rendering you unemployable. Health, life, disability and long-term care insurers avoid covering you.
You’re not a 23andMe client, but you face such job and insurance discrimination because your relatives are clients and exhibit that neurodegenerative predisposition. Ethicists debated over whether to analyze DNA from bloodstained artifacts of the Lincoln assassination; some suspect he had genetic abnormalities (e.g., MEN2B, Marfan syndrome), and such findings could affect Lincoln’s living relatives.
23andMe data indicate that you fathered a child out of wedlock—or were yourself sired under such circumstances. In 2014, a biologist gave his parents 23andMe kits for fun. The data showed that his father had fathered a child in the course of a long-ago extramarital affair—thereby destroying his parents’ marriage. He told the story in “With Genetic Testing, I Gave My Parents the Gift of Divorce [ [link removed] ].” Reader’s Digest [ [link removed] ], Bored Panda [ [link removed] ] and others have collected and published countless stories of DNA dredging up family secrets—some joyful, some tragic.
A blackmailer threatens to reveal your genetic risks or embarrassing family history. Perhaps he learned of your vulnerabilities from the data of your brother—or of a relative you’ve never even heard of.
Researchers use your genetic code to conduct scientific experiments without your consent. For antecedent, Henrietta Lacks was an African American woman who died in Baltimore in 1951. Her cells were found to possess a remarkable “immortality,” and decades later, her family became embroiled in disputes as to who “owned” her tissue. In 2013, German scientists published parts of her genetic code—raising a new dispute over property rights. The scientists and the Lacks family signed a usage agreement [ [link removed] ], but ethics and legalities remain unresolved.
23andMe promises to keep your data anonymous, but a future owner of that data fails to respect that promise. That owner could be a pharmaceutical company, a buyer of 23andMe’s assets or a hacker.
Law enforcement officials use your sister’s data to name you as a suspect in criminal activities.
In the future, a nefarious government seeks to harm individuals belonging to specific ethnic groups—and repurposed 23andMe data supercharge the effort. In 20th-century Virginia [ [link removed] ], state officials built massive genealogical records to manage racial segregation and forced sexual sterilizations. In the 1930s, Connecticut entertained plans [ [link removed] ] to sterilize people related to individuals with visual problems. Nazi Germany [ [link removed] ] harnessed IBM technology to construct genealogies for managing the roundup and murder of Jews. 23andMe data and algorithms could replicate those tasks at lightning speed. Many “white” Americans have learned from 23andMe that they have sub-Saharan African ancestry. A century ago, that discovery would have put their ancestors at great risk.
In California, some advocates of race-based reparations have suggested DNA testing as a criterion [ [link removed] ] for determining who should receive and who should pay for reparations. In the case of Dor Yeshorim, some Jewish ethicists worried whether genetic screening for marriage could revive eugenics. My essay, “Prometheus and the Worried Well [ [link removed] ],” cites how excessive DNA testing can generate hypochondria, false positives and unnecessary medical treatments.
Prisoners Here of Our Own Device
News of 23andMe’s bankruptcy has public officials and technology pundits imploring clients to head for the exit signs. In California, Attorney General Rob Bonta [ [link removed] ] “urgently” implored 23andMe clients “to delete their data and destroy any samples of genetic material held by the company.” He added that California’s privacy law “permits California consumers to revoke consent that they provided a genetic testing company to collect, use, and disclose genetic data and to store biological samples after the initial testing has been completed.”
New York Attorney General Letitia James issued a similar alert [ [link removed] ]. Both attorneys general provided instructions for deleting data, as did Fortune [ [link removed] ], Wired [ [link removed] ], The Washington Post [ [link removed] ], The New York Times [ [link removed] ], The Mirror [ [link removed] ] and Quartz [ [link removed] ]. Some sites urged people to ask relatives to delete data, as well.
The effectiveness of deletions is dubious, however, because:
Though ostensibly medical, 23andMe data don’t enjoy HIPAA protections;
Privacy laws differ across states;
Some data (ostensibly anonymized) have already been sold to pharmaceutical companies and other researchers;
Data from the 2023 breach are likely still out there; and
There’s the timeless question of whether anything, anywhere, is ever truly deleted in a massively interconnected world.
While I can only offer a layman’s conjecture, I suspect it’s wise to hit “delete” but not to count on the success of that deletion. Your data likely resided on multiple machines, and hitting “delete” often hides data without eradicating it. Given the technology, a legal right to delete your 23andMe data may prove as meaningful as a legal right to erase indelible ink with a pencil eraser. The episode does suggest the wisdom of thinking long and hard about which personal information you provide to strangers with server farms. When asked why I never signed up for 23andMe, I sometimes respond with the following internet meme:
Unsubscribe [link removed]?