Ask HN: 23andMe has my data, am I screwed?

2 points by carimura 3 months ago | 9 comments
I'm quite concerned about 23andme. I deleted my account a year ago, but deep in their privacy statements they say they must retain data due to regulatory obligations. I've exchanged multiple emails with them asking what it means. I'll post their response below. Am I / are we... up a creek with no recourse?

  "Thank you for your reply. Your inquiry has recently been 
  escalated to me for review. Please note that once you 
  confirm your request to delete your account, we will 
  delete your data from our systems within 30 days, unless 
  we are required by law or regulation to maintain limited 
  data for a given timeframe, as described in our Privacy 
  Statement.
  
  For example, archival files of information needed to   
  satisfy state and federal legal requirements are retained, 
  such as those set by the U.S. Federal Clinical Laboratory 
  Improvement Amendments of 1988 (CLIA) and College of 
  American Pathologists accreditation requirements.
  
  Your de-identified Genetic Information and a randomized 
  identifier are retained on secure servers as required by 
  law and any biobanked samples are discarded. The Genetic 
  Information is not accessed, used, or disclosed for any 
  purpose other than as needed to comply with the 
  requirements referenced above.

  It is important to understand that the retained 
  information is distinct from the genotyped data available 
  within your account and is stripped from registration 
  information. This data has not been processed by our 
  interpretation software to produce your individual-level 
  genotyped data (in your account).

  If you participated in telehealth services coordinated 
  through your 23andMe account, your Medical Record will be 
  retained in accordance with applicable law and is subject 
  to the Medical Record Privacy Notice.
  
  You can read more about these retention requirements in 
  the Privacy Statement."
  • toomuchtodo 3 months ago
    What is your threat model or the risk you are attempting to mitigate?
    • carimura 3 months ago
      normal human threat model who cares that his and his families genetic information isn't sold around to the highest bidder.
      • PaulHoule 3 months ago
        The question is "what value does it have to an attacker?"

        That kind of information can reveal you identity and who your relatives are. Somebody might find your relatives are not who you thought they were.

        I got an early test that wasn't as good as the later tests, but I think the reason they're shutting down is that the health value of that data is highly limited. You might find you have a 50% elevated chance of getting Type 2 diabetes and you should do the same things everybody else should do to avoid getting Type 2 diabetes but it's just a little more urgent.

      • firebaze 3 months ago
        How can someone asking this question have so many karma points on HN?
        • toomuchtodo 3 months ago
          Disclosure: 23andme has stored my genetic information since they first started offering genotyping, and I requested data deletion recently although some of my family members haven't and likely won't. Also interviewed and was offered a role at 23andme on their infra team (circa 2010), but declined.

          I am not concerned about my genetic data being sold. I am not worried about it being public, it is, through Harvard's Personal Genome Project [1]. If you are going to harm me, you are likely going to use a method far easier than that which would require you have access to my genotyping data. There is also enough overlap with close genetic matches (2nd-4th cousin with hundreds of matches) that if my data is stored despite my deletion request, it would not change the risk assessment. It will take just a bit more legwork to tie a sequence of my DNA to me [2].

          Hence my questions to better understand what OP is attempting to defend against. You can't propose mitigations or other recourse (legal and regulatory, primarily, in this case) if you don't know the risk you're attempting to manage, or the threat you're attempting to defend against.

          [1] https://pgp.med.harvard.edu/

          [2] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

          (day job is in risk management)

          • PaulHoule 3 months ago
            1429 is not a lot. People ask how somebody who has as much karma as I do can post the things I post and maybe they have a point.
        • DecentShoes 3 months ago
          What law requires them to keep genetic information?
          • carimura 3 months ago
            they cite one of the laws in the response above....
          • JohnFen 3 months ago
            I don't know. I do know that I used their process to delete my data (and account), and they claimed they complied. Whether or not they did, I have no way to know.

            I wonder, though, if what they're talking about is that they have to keep the data as long as you have an account with them. The fact that you can't delete your data and keep your account hints that may be the case.