‘There are no serious guarantees’: can 23andMe be trusted with our DNA?
What’s next for 23andMe? Most people know the biotech company as a genetic testing service. Stories of people mailing in their cheek swabs only to discover that the parent who raised them is not their biological parent have become something of a millennial horror genre. Of course, most 23andMe experiences aren’t that dramatic: The company says more than 14 million people have used the service in hopes of learning more about their ancestry.
But this month 23andMe revealed it is facing major financial problems, and more information emerged about a devastating security breach at the company last year. Now customers may be wondering: can they trust 23andMe with their DNA?
The DNA ‘bait-and-switch’
Last week, 23andMe reported dismal fiscal third-quarter results, sending the company’s shares plummeting, CNBC reports. The financial problems are due to a sustainability problem: the company’s most famous offering, the DNA ancestry test, is a one-time deal. After taking the test, there is no reason for consumers to continue spending money on 23andMe, which has led to something of a plateau.
Nevertheless, the company’s CEO, Anne Wojcicki, told Wired she remains “optimistic” about 23andMe’s future.
Home DNA tests are so ubiquitous that you can order one for a dog. 23andMe was the first company to offer this (human) service, in 2007, and now an estimated one in five Americans has tried genetic testing at home. Some customers handed over personal data that Wojcicki and co used for purposes other than family reunions.
From 2018 to 2023, 23andMe worked with pharmaceutical giant GlaxoSmithKline, using customers’ genetic information to help develop drug targets. (A drug target is a molecule that plays a role in a disease; researchers use them to develop therapies for certain diseases.) This year, the partnership became non-exclusive, meaning 23andMe can make deals with more pharmaceutical companies to make more money from its DNA source.
“It’s a real resource that we could leverage at a number of different organizations for their own drug discovery,” Wojcicki said, adding that 23andMe was interested in studying inflammatory immunology, specifically asthma.
23andMe already has two cancer drugs currently in testing; those drugs came from users’ genetic data. But 23andMe users may not understand that the spit they gave the company months or years ago is being used to make more money.
As health reporter Kristen V Brown wrote for Bloomberg in 2021: “It wouldn’t be surprising if the 8.8 million 23andMe customers who once absentmindedly checked a box and said, yes, of course, use my data for whatever, feel like they’ve been taken for a ride have made the switch as their genes lay the foundation for potential cancer treatments.” (As of 2021, the number of customers who checked that box has risen to 10 million, per Wired.)
Customers can withdraw their consent
Americans tend to believe that their health information is covered by Hipaa, the healthcare privacy law. 23andMe, with its official-looking cheek swabs and remote labs, certainly must be too. But 23andMe is not a healthcare provider. The same rules do not apply.
“There are no serious safeguards, no regulations around the collection and sale of really sensitive personal data,” said Suzanne Bernstein, a law student at the Electronic Privacy Information Center. “For 23andMe, the nefarious (data) leak is a security problem, but that also applies to the company that shares your data with a party you knew nothing about. Customers can technically consent to their data being shared by accepting the terms and conditions, but they are very long and many people don’t read them.”
Some people may find it honorable that their genes are used for cancer research. Others may feel ripped off: They paid about $229 for a DNA testing kit, but 23andMe uses their health data for free. Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation, says 23andMe could do more to ensure customers better understand these dynamics before signing up.
“The number of people who are surprised by the amount of data going elsewhere is a sign that 23andMe isn’t explaining things very clearly,” he says.
Klosowski added that while users can opt out of 23andMe using their data long after they submit their DNA swab, their information may already have been used for research purposes. “You can ask 23andMe to stop using your data, but you can’t ask for data to be removed from a listing once it’s sold,” he said.
For its part, 23andMe maintains that users are asked to opt-in to research at the time of purchase, and that all personal data is stripped of identifying information before being sent for analysis. Data will not be used without this consent and consent can be withdrawn. The company’s research department is also overseen by an “independent, impartial” review board. (23andMe did not respond to a request for comment.)
Data breach leads to class action lawsuit
The 23andMe security breach is also still top of mind for many customers. Last year, almost seven million customer profiles were hacked. Over the course of five months, hackers gained access to medical records, including carrier status reports, and personal information of up to 5.5 million people who signed up for one of 23andMe’s signature features: the chance to find relatives.
Customers of Chinese and Ashkenazi Jewish descent appeared to be targeted in the breach and had their information sold on the dark web, the New York Times reported. Some of these users recently filed a class action lawsuit against the company, saying 23andMe failed to notify them of the exposure.
As the Guardian reported Thursday, 23andMe downplayed its responsibility for the hack in a letter to customers, arguing that the health information accessed “cannot be used for any evil”. It also blamed customers for “carelessly reusing their passwords and failing to update their passwords,” a response that one former customer criticized as “morally and politically very stupid.”
Wojcicki did not speak directly about the breach due to ongoing litigation, but she told Wired that 23andMe had introduced two-factor authentication and had customers reset their passwords. “Data privacy and security has always been and remains a high priority for the company and something we will continue to invest in,” she said.
Are 23andMe’s security issues the death knell for a company that Time once referred to as the ‘invention of the year’? Whether or not concerns about customer privacy are well-founded, the company’s financial fall has been swift, and CNN reports it could be delisted from Nasdaq if its stock price doesn’t rise.
Dominic Sellitto, a clinical assistant professor at the University at Buffalo who focuses on digital privacy, believes that if 23andMe survives this year, it will be thanks to data mining. “There is a lot of demand and money for data, especially high-value healthcare data,” he said. “If 23andMe continues to make money from this, this will be their golden ticket in 2024.”