23andme compromises information of customers

The 23andme privacy policy reads: 

“We may share anonymized and aggregate information with third-parties; anonymized and aggregate information is any information that has been stripped of your name and contact information and aggregated with information of others or anonymized so that you cannot reasonably be identified as an individual.”


Spit in a cup, ship it off to a laboratory and learn all about one’s ancestral history and genetic makeup six to eight weeks later, all for $99. Sounds simple, right?

Not so fast: despite over 12 years of existence and a quarter of a billion dollars in investment from venture capitalists, 23andme and similar genetic testing services neglect to inform customers about what their genetic material is actually used for.

For those who may not know, Deoxyribonucleic acid–DNA for short–is what makes life happen. Its 3.2 billion base pairs are copied, translated and replicated hundreds of thousands of times per second in order to generate proteins for basic life function. It also holds hereditary information, and 23andme focuses on small sections of one’s DNA strand to find sequences that are common to particular cultures and locations. For example, a specific variant in a gene on the far end of chromosome 2 could mean that someone is Finnish, and someone of Ashkenazi Jewish descent probably has a certain base pair difference in the SMPD1 gene. Instead of discarding the DNA sequence with the saliva, the company stores it on small electronic chips and sells large batches of customers’ sequences to government agencies, research programs and biotech companies for thousands of dollars.

In a sense, by spitting in that cup, the customer becomes not the consumer, but the product. According to sciencemag.org,  genetic information sold by 23andme could be used by other businesses to create new pharmaceuticals, study the sources of particular diseases or find genetic markers for cancer in cultural groups, but it could also have more sinister uses. Life insurance companies can use certain predispositions for diseases like Alzheimer’s and Parkinson’s to decide whether to insure someone or not. Police agencies can use DNA samples to track a suspect’s relatives. Hackers who find that a well-known politician has an 80 percent chance of developing Age-Related Macular Degeneration could easily sell the information to a competing candidate or nation. Imagine what a racist, homicidal government could do with the knowledge of the heredity of its citizens down to the tenth of a percent. 23andme may say that one’s sample “is stripped of personally identifying information” and is “assigned a randomized research identification number,” but even this is shoddy protection: a 2013 study was able to find the surname, age and state of a man just by matching sections of his Y chromosome with public genetic databases. Legislation is slow to pass and hard to implement, so this quasi-lawless frontier is ripe for rogues to abuse and for companies to make money off of.

This is nothing new, however. The same lawlessness that once haunted the Internet is now the center of attention for genetic privacy issues, only now the players are smarter and their loopholes and workarounds more sophisticated. The use of customer data as a moneymaker is far from a novel invention as well. Google uses search history and web analytics to create specific target audiences for ad placement. Facebook can monitor what its over 2 billion users look at–and even for how long–in order to gauge the success of political campaigns’ newest slogans or influence purchase decisions. The list goes on. Selling this data is a lucrative business, and companies know it.

And as the amount of human beings capable of accessing the world wide web increases, so too does the amount of raw, unfiltered data available for enterprising businesses to exploit and sell. This is why 23andme is such a success, and why its public relations representatives are paid so well. If potential customers were shown advertisements about how the company profits off of selling genetic information to third-party companies rather than those about a happy man in a kilt learning that his happy family is not German but Scottish, then 41-year-old CEO Anne Wojcicki would have to find another job.

Maybe this is wrong. Maybe security is such a priority to Wojcicki that she keeps her virtual gold mine of information under a stagnant pool of goodwill. Maybe she just really does not like making millions of dollars for her company. If not her, then her investors do; if not her investors, then other firms that are not quite so dollar-phobic may be tempted to tap into such a large profit opportunity. After all, Wojcicki is the ex-wife of Google cofounder Sergey Brin and the sister of the CEO of Youtube, and her hereditary information shows a predisposition to selling personal information to third-party companies.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s