The 23andMe bankruptcy: Privacy considerations and a call to action (Part 2)

After Part 1 of this series was published, 23andMe dropped its bid for an independent customer data representative and agreed to the appointment of a privacy ombudsman.

According to the agreement, which was presented to the bankruptcy court during a hearing on April 29, the privacy ombudsman will investigate and report to the court on the security program of the buyer, the potential costs and benefits of the sale to customers, and whether the sale is consistent with 23andMe’s privacy policies and applicable laws. The privacy ombudsman also will identify for the court any changes to the transaction that would mitigate potential privacy losses and other costs to customers.

One detail that should pique the interest of the privacy ombudsman, as well as the FTC, is the buyer’s position on investigative genetic genealogy. This technique involves uploading a DNA file of an unknown perpetrator to a commercial database in order to identify genetic relatives. The database uses proprietary algorithms to identify the perpetrator’s genetic relatives (often distant ones) among its customers. These relative-match results, along with other public information, are then used to create a family tree that includes the unknown perpetrator. Finally, suspect leads are identified based on relationship and case information, and the leads are investigated using traditional police methods.

Since 2018, investigative genetic genealogy has helped solve hundreds of homicide and sexual assault cases. It has also helped identify hundreds of unidentified human remains and exonerated several people convicted of crimes they did not commit. One misconception is about where it’s done. Investigative genetic genealogy is currently limited to commercial databases that accept DNA files developed by third parties, usually another direct-to-consumer genetics company. Databases that accept DNA file uploads include the GEDmatch and FamilyTreeDNA databases, which allow investigative genetic genealogy consistent with customer permissions, as well as the MyHeritage database, which does not allow investigative genetic genealogy but nevertheless has been used for this purpose by law enforcement.

Unlike these databases, the 23andMe database doesn’t accept any uploads of DNA files. The only way to join the 23andMe database is to purchase genetic testing directly from the company. This requirement has so far protected 23andMe from investigative genetic genealogy. It is in line with the company’s policy of not allowing forensic use of its products or services. Since 2015, 23andMe also has published a “Transparency Report” stating that it has never provided customer information in response to a request from law enforcement.

Nevertheless, some outlets have suggested–incorrectly–that the 23andMe database is currently an active site for investigative genetic genealogy and even was used to help identify the “Golden State Killer.” This misinformation obscures existing privacy-promoting features of 23andMe’s business that the privacy ombudsman can and should consider in their investigation and recommendations to the court. Similarly, the FTC can and should scrutinize the proposed sale for departures from these features.

After the sale is complete, the buyer can change its privacy policies and data practices. Any changes made will be subject to federal and state laws on consumer protection and data privacy. The FTC, for example, can take legal action against a buyer who makes material changes without providing customers with sufficient notice or while using inadequate consent procedures.

While not entirely unexpected, the news of 23andMe’s impending sale has brought uncertainty to a dynamic consumer market that has been marked by controversy. Customers who don’t think they will gain anything from a continued relationship with 23andMe, or its successor, and want peace of mind can delete their data. This option is available to each customer in their account settings. Many online articles provide step-by-step instructions on how to use it. 23andMe has increased resources to handle the increased traffic after the bankruptcy announcement. Court filings show that some customers had difficulty deleting their data. 23andMe’s support page explains that deleting a customer’s information cannot be undone, withdrawn or reversed. Genetic genealogists advise customers who decide to leave 23andMe to first download their reports and data if they think they may need them in the future. Customers who previously consented to their data being used in research also are reminded that their deleted data will not be used in future research but cannot be removed from ongoing or completed studies.

Another option for customers is to postpone a decision to delete until they have more information. Wait-and-see might be a good option for those who are concerned about who will buy the company’s data. If Anne Wojcicki, who resigned from her position as CEO of 23andMe to bid for the company, is the only or highest-qualified bidder, customers who don’t trust her leadership or intentions may be concerned. Other customers could be reassured if Anne Wojcicki pledges to offer the same products and services that they value, under the same privacy conditions with which they feel comfortable. These products and services are useful for serious genealogy researchers and for those who are investigating specific mysteries within their family tree. They often participate in multiple commercial genealogical databases to increase their chances of learning useful information. These customers may be hesitant to make a decision unless they have more information about the buyer or terms of sale. This is especially true if they are concerned that they might regret their decision if they delete data now.

Each client will make the decision that is most in line with their values and preferences, their goals and their assessment of risks and benefits. Their decision will also be shaped by the information they have available. In the days and weeks ahead, customers will be able to make informed decisions about their data if they receive accurate, thorough and sober reporting regarding the 23andMe bankruptcy. This will also help ensure that public discussions about digital data privacy policy and broader issues are constructive and clear-eyed. Before 23andMe filed for bankruptcy, scholars were already paying attention to legal gaps that expose customer data to serious risk when sold or transferred. The 23andMe bankruptcy could be the stimulus needed to finally close them.

About the authors

Christi Guerrini, JD, MPH, is Associate Professor in the Center for Medical Ethics and Health Policy at Baylor College of Medicine.

Amy McGuire, JD, PhD, is the Leon Jaworski Professor of Biomedical Ethics and Director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine.

Any opinions, conclusions, and recommendations expressed in this article are those of the authors and do not represent the views of Baylor College of Medicine.
