Due to recent press coverage, I sent the following to 23andme’s help desk:
Recent press reports suggest that you are selling my genetic data, and the genetic data of my minor son, to drug companies. Is this true? If so, I ask you 1) to stop immediately 2) give me a full list of all entities other than 23andme and me that have had access to my data and my son’s data, 3) outline my options for preventing such behind-my-back selling in the future, 4) promise me to never do that again unless you have my consent in writing.
After a few days, this is what I got back. The annotations are mine:
Hugh, Jul 7, 2:13 PM PDT:
Thank you for contacting the 23andMe Team. 23andMe recognizes the importance of privacy and respects your desire to store and access your information in a secure manner. We do not sell, lease, or rent your individual-level Personal Information without your explicit consent.
This seems double-speak for “we confirm that we sell, lease and/or rent your Personal Information other than what we decide to label ‘individual-level'”. We get to what that might be in a second.
We are committed to providing a secure, user-controlled environment for our Services.
No idea what that is supposed to mean.
23andMe will ask for your consent to share individual-level Genetic Information or Self-Reported Information with any third-party, other than our service providers as necessary for us to provide the Services to you.
“Will ask”? Does that mean they haven’t so far? Perhaps just a slip of the tongue.
Per our Privacy Statement, we may share aggregate information with third-parties, which is any information that has been stripped of your Registration Information (e.g., your name and contact information) and aggregated with information of others so that you cannot reasonably be identified as an individual (“Aggregate Information”).
This Aggregate Information is different from “individual-level” information. Individual-level Genetic Information or Self-Reported Information consists of data about a single individual’s genotypes, diseases or other traits/characteristics information.
For example, Aggregate Information may include a statement that “30% of our female users share a particular genetic trait,” without providing any data or testing results specific to any individual user. We may provide such Aggregate Information in commercial arrangements with our business partners.
The key phrase here is “aggregated … so that you cannot reasonably be identified as an individual”, and the key word is “reasonably”. No further detail is provided. Given how easy it has been to de-anonymize taxi drivers and their celebrity customers, and other cases like that I’m too lazy to dig up right now, is that supposed to reassure me?
“Reasonably” according to whom? Have you been audited by somebody “reasonably” competent? If so, where’s the report?
The example of “30% of our female users” is intended to imply that the data sets being aggregated are really large, like across all of their female users, which may be about half of them. But there is no actual statement about how small the sets can be, and whether somebody can correlate several aggregates, or correlate 23andme aggregates with other information from outside of 23andme, which would make deanonymization much easier than some “reasonable” people might expect.
Sorry, 23andme, this is not good enough.
Due to confidentiality obligations, we cannot provide a list of our partners who may access this Aggregated Data.
Isn’t great that the commercial “partners” are protected by confidentiality, but I’m not. Nor my minor son.
If the same rules applied, they would say “We have X companies we sell the data to. Y percent share the following trait: based in China. Z percent share the following trait: not in the healthcare business”.
Now I hope that Y and Z are zero. But then, I don’t know and they won’t tell. After all, aggregates are harmless, aren’t they?
As for non-Aggregated Data, that information is not shared with partners without your explicit consent.
You can find links to our Terms of Service, Privacy Statement and Consent Form at the bottom of each page on our website. The links are provided below for your reference:
Terms of Service: https://www.23andme.com/about/tos/
Privacy Statement: https://www.23andme.com/about/privacy/
Consent Form: https://www.23andme.com/about/consent/
Please let us know if you have any additional questions.
Actually, I just have the original questions. Let’s see which ones were answered:
Q: Is it true you are selling my data? A: Yes. Not in all forms, but probably as much as we can to as many people as we can.
Q: I ask you to stop. A: No answer. Presumably: “No, we won’t”
Q: Who got my data? A: Won’t tell.
Q: Who got my minor son’s data? A: Won’t tell.
Q: How do I prevent this in the future? A: not directly answer, but presumably “Ha, you can’t”
Q: Promise not to ever do that again. A: didn’t.
Is it worth my time asking them to delete my account and all associated data pertaining to me?
The 23andMe Team
Dear 23andme, your pitch is that you are analyzing my genome so *I* know more about myself than I did before. For example, your website pitches “We bring the world of genetics to you” today, in big friendly letters. That’s why I was comfortable giving you money. You offered a service *to me* that I paid for.
Now I find out that you making — probably more — money selling my data to 3rd parties I don’t know and you won’t tell me about, and won’t stop. If that is what you are doing, you should be giving the sequencing away and stop pretending that it is all *for me* and that you are in the fee-for-service business. Because you are not. Instead, you are now in the surveillance business, like unfortunately so many businesses these days, and you might as well acknowledge that up front.
Of course far fewer “customers” would pay you then, so pitching one thing and then doing another, while only pointing to the fine print once caught, is probably more profitable. In the short term. Because I doubt that your market grows to what it could grow to if you aren’t more honest in your dealings.
Somebody who could have been a repeat customer who actually considered buying lots of more kits for extended family members as presents.
Addition: Just read this phrase on your website today: “You are in control. You choose how your personal genetic information is used and shared.” In light of your answers to my questions, this statement seems to be 100% false.