When the American genetic testing company 23andMe filed for bankruptcy in the United States last month, it might not have registered on the local news agenda, but for some people it could spark serious concerns around their data security.

The company provides genetic analysis services, meaning customers would send in a sample of their DNA to find out personal details such as where they come from, their genetic makeup, and what health complications they may have later in life. The site could link customers up with other family members across the world too.

However, with the company now facing bankruptcy, its assets could be sold off to pay creditors.

Brent Homan, the Commissioner of Guernsey’s Office of the Data Protection Authority, warns genetic data is an asset itself.

“It’s immutable. So what does that mean? It means that it’s as unique to you as your fingerprint. It is you,” he said.

“It’s absolutely useful as a tool, in terms of, ‘I want to get a sense of my history’ or ‘I want to get a sense of whether or not there are certain medical ailments or conditions that I might be more susceptible to’. (These are) excellent, excellent uses, but at the same time, there’s opportunities for misuse when it comes to genetic information, if it’s accidentally disclosed,” he warned.

Pictured: 23andMe filed for bankruptcy in early 2025, just a year and a half after a hack damaged the company’s reputation, triggering a slump in the company’s finances.

Mr Homan explained what we can do if we’re concerned about privacy and data relating to 23andMe specifically.

He also said we need to understand the potential risks and complications around disclosure, and the current landscape of wider genetic DNA testing.

“Genetic information can be used in nefarious cases such as discrimination, theoretically, in terms of using for evidence, or to plant evidence I guess, and it can be used to make determinations about somebody, if it’s actually used by a third party.

“It’s not necessarily harmonious. It’s not everyone that uses these types of services. So if you look at it together, it might not be representative of the population.”

Ways to use and misuse a newfound technology can be uneven but well-trodden ground.

With more than 20 years’ experience tackling conundrums of data and its obvious sensitivities, Mr Homan was able to provide Express with some examples, including a company called Clearview.

“This is an investigation that when I was in Canada as Deputy Privacy Commissioner of Canada, overseeing enforcement that carried out, and it related to this company called Clearview that scraped billions of images from different platforms around the world, and then what they do is they take these images and use facial recognition technology to identify individuals, and then they looked at using this database and making it available, either for enforcement agencies or potentially as well, for commercial enterprises.

“Well, we found that that fell foul of the law, and many privacy authorities around the world found the same thing, because you haven’t consented for this company to scrape information to use and put you in essentially a 24-hour police line-up 365-days a week. There was no consent there!”

The Clearview case would likely have impacted you, if you or your family members have a social media presence. A Facebook account with family photos, a Twitter feed with your political opinions, or your LinkedIn account with your employment history, were all at risk of data scraping. 

“If you’re on social media, there’s a good chance that you’re in that database. So our investigation basically said this was not collected with consent, and so it was unlawful at the time.

“Basically we said, ‘hey, you know, in order to enforce the law, you can’t break the law by using facial recognition technology’.

“The thing about facial recognition technology is it’s not always completely accurate. In fact, there’s biases at the time, and as technology evolves it gets better, but at the time it did lead to kind of bias and discrimination in that it may be better at identifying certain individuals rather than others. For example, it was not very good or accurate at identifying and biased against females of colour.”

Pictured: 23andMe says that its privacy policy will still be enforced by any potential buyer following the bankruptcy filing.

The obvious flaws, and breaches in people’s personal rights and freedoms, were rightly dealt with by Canadian data protection officers; however, it’s not an example of data analysis being used in nefarious ways.

It was used by a border force to deal with someone at Canadian immigration, prompting an investigation which found issues with consent, and the use of a commercial testing company as a state tool.

“Another genetic testing company, it’s called Family Tree DNA, Canadian Border Services were engaging with an individual that they had to decide whether or not to deport or not,” said Mr Homan. “And so what they did is, they used Family Tree DNA in order to try to determine where the individual came from.

“This individual complained and said, ‘my consent for them, their use, was either under duress and wasn’t informed’, and then complained about them using this information. So we investigated it, and we came to a few conclusions.

“We found that there were contraventions of the law, and that the Border Services should have gotten effective consent, that they should have been able to communicate to the individual that by checking with this Family Tree DNA, this site, that others may know about this individual’s information, and then, thirdly, that it wasn’t really described as something that they would use as a tool.

“So that’s just to show you another way that this type of information and these sites, which are very powerful because it’s genetic information of ourselves, but can be used and potentially misused.”

23andMe

Returning to 23andMe, although it filed for bankruptcy this year, its problems actually date back 15 months to a hack, said Mr Homan.

“Back in, I believe it was around October of 2023, there was a hack, and a hacker got into the personal information of seven million individuals on the platform. From what I understand from the investigation is that there was a joint investigation, that’s still ongoing, between the privacy Commission of Canada and the UK Information Office.

“In that hack, there was no actual genetic information compromised, but what was compromised was usernames, passwords and some genetic results, like inputs.

“So what happens then they have this information the hacker in terms of usernames, passwords, the genetic output results, not the genetic information itself, and what they can do is then carry out what’s called a credential stuffing attack. That’s where you take the information you have and you attack and look at other platforms to see if you can hack into other platforms as well.”

That technique effectively produces a similar end result to that of phishing, a common hacking practice which seeks exactly this kind of information. 

Passwords, usernames, and personal information are what these people are after. Now the damage to the reputation of 23andMe is clear just by looking at how its financials seemed to slump following the hack. 

According to its own public financial reports, it had a “solid balance sheet with cash of $387 million at year end” for the financial year 2023. It ended December 31, 2024 with cash and cash equivalents of $79.4 million. That’s a drop of $307,600,000.

The administrators had already been selling off assets and equipment to try and steady the boat too. 

If you’re impacted by 23andMe entering bankruptcy, there is some good news, with legislation giving you the right to have your information deleted and wiped from the company database.

“That option exists, individuals that use it can still, from what I understand, go into their login page, and then it’s a pretty simple process to go in and decide,” explained Mr Homan.

“It is absolutely an option and a right for those people that think, ‘Okay, do you know what, this doesn’t feel right, time for me to get out’.”

This means that you can, at any time, just opt out.

If you’re concerned with how your data is being used and utilised, or concerned that in this specific case, the financial value of your genetic data may be used as an asset in bankruptcy bargaining, there are steps to follow.

“Most of the organisations under law need to have an erasure and a deletion kind of aspect to them. There are generally options with social network sites to go in and delete your account and delete the data that’s on it.

“I think even on, you know, the more professional the professional sites like LinkedIn accounts and stuff like that, there’s also the ability to kind of control how much information you share or not. What we like to advise individuals is to familiarise yourself with the aspects of the website that allow you to control your information.

“Think about what you’re going to put on a site because, notwithstanding the fact that you might be able to delete your account, delete your information, that doesn’t stop people now, or before, from taking screenshots. You can delete your information, but always think about it as being out there somewhere for good. That’s a good practice. So that you think about ensuring that you protect your reputation, not only now but in the future.”

Mr Homan added that anyone can reach out to the ODPA at any time if you’re concerned about something like this. He said this is part of their mission.

“Through this bankruptcy process, data protection laws still exist, and anybody that’s a potential purchaser of this data must comply with those and comply with the privacy policies that are in place.

“We understand that with a changed situation, individuals may want to remove themselves, that is their option, that is their right in terms of erasure and deletion. And to do that, go on your site, if you use 23andMe, log in and you’re able to delete that data.”

If you’ve been impacted by the 23andMe bankruptcy, or the 2023 hack, and would like to speak to Express, email editor@bailiwickexpress.com.

You can reach out to the ODPA online through their website.