Ask HN: 23andMe has my data, am I screwed?
2 points by carimura 3 months ago | 9 comments
"Thank you for your reply. Your inquiry has recently been
escalated to me for review. Please note that once you
confirm your request to delete your account, we will
delete your data from our systems within 30 days, unless
we are required by law or regulation to maintain limited
data for a given timeframe, as described in our Privacy
Statement.
For example, archival files of information needed to
satisfy state and federal legal requirements are retained,
such as those set by the U.S. Federal Clinical Laboratory
Improvement Amendments of 1988 (CLIA) and College of
American Pathologists accreditation requirements.
Your de-identified Genetic Information and a randomized
identifier are retained on secure servers as required by
law and any biobanked samples are discarded. The Genetic
Information is not accessed, used, or disclosed for any
purpose other than as needed to comply with the
requirements referenced above.
It is important to understand that the retained
information is distinct from the genotyped data available
within your account and is stripped from registration
information. This data has not been processed by our
interpretation software to produce your individual-level
genotyped data (in your account).
If you participated in telehealth services coordinated
through your 23andMe account, your Medical Record will be
retained in accordance with applicable law and is subject
to the Medical Record Privacy Notice.
You can read more about these retention requirements in
the Privacy Statement."
- toomuchtodo 3 months ago
What is your threat model or the risk you are attempting to mitigate?
- carimura 3 months ago
Normal human threat model who cares that his and his family's genetic information isn't sold around to the highest bidder.
- PaulHoule 3 months ago
The question is "what value does it have to an attacker?"
That kind of information can reveal your identity and who your relatives are. Somebody might find your relatives are not who you thought they were.
I got an early test that wasn't as good as the later tests, but I think the reason they're shutting down is that the health value of that data is highly limited. You might find you have a 50% elevated chance of getting Type 2 diabetes and you should do the same things everybody else should do to avoid getting Type 2 diabetes but it's just a little more urgent.
- firebaze 3 months ago
How can someone asking this question have so many karma points on HN?
- toomuchtodo 3 months ago
Disclosure: 23andMe has stored my genetic information since they first started offering genotyping, and I requested data deletion recently although some of my family members haven't and likely won't. Also interviewed and was offered a role at 23andMe on their infra team (circa 2010), but declined.
I am not concerned about my genetic data being sold. I am not worried about it being public; it is, through Harvard's Personal Genome Project [1]. If you are going to harm me, you are likely going to use a method far easier than that which would require you have access to my genotyping data. There is also enough overlap with close genetic matches (2nd-4th cousin with hundreds of matches) that if my data is stored despite my deletion request, it would not change the risk assessment. It will take just a bit more legwork to tie a sequence of my DNA to me [2].
Hence my questions to better understand what OP is attempting to defend against. You can't propose mitigations or other recourse (legal and regulatory, primarily, in this case) if you don't know the risk you're attempting to manage, or the threat you're attempting to defend against.
[1] https://pgp.med.harvard.edu/
[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
(day job is in risk management)
- PaulHoule 3 months ago
1429 is not a lot. People ask how somebody who has as much karma as I do can post the things I post and maybe they have a point.
- DecentShoes 3 months ago
What law requires them to keep genetic information?
- carimura 3 months ago
They cite one of the laws in the response above....
- JohnFen 3 months ago
I don't know. I do know that I used their process to delete my data (and account), and they claimed they complied. Whether or not they did, I have no way to know.
I wonder, though, if what they're talking about is that they have to keep the data as long as you have an account with them. The fact that you can't delete your data and keep your account hints that may be the case.