This Engadget article reports on 23andMe's strategic modification of its terms of service designed to prevent data breach victims from pursuing class action lawsuits. The content advocates strongly for victims' rights to effective legal remedy (Article 8), fair and public hearings (Article 10), privacy protection (Article 12), and recognition before law, while exposing corporate attempts to shield itself from accountability through mandatory arbitration and automatic opt-in mechanisms.
I'm not a lawyer but I doubt that this will matter in court because the timing of actions matters; or in other words, at the time when the user registered they agreed to TOS A, and later when 23andMe changed their TOS A to TOS B they achieved nothing because you can't unregister users and register them again and force them to agree to the new TOS B. I mean they can ask you to agree to a new TOS but you don't have to because a TOS is not a law, it is a voluntary legal agreement between a company and a customer. Retroactively enforcing something is not possible, not even for governments, e.g. if I pay my corporate tax of, let's say, 20% in 2023 to the government, the government can't say 5 years later: you know what, corporate tax is now 30%, compensate for all the differences in the past.
To duck out of the new ToS, just write this email to legal@23andme.com--
To Whom It May Concern:
My name is [name], and my 23andMe account is under the email [email]. I am writing to declare that I do not agree to the new terms of service at https://www.23andme.com/legal/terms-of-service/.
Automatically opting-in customers to a more restrictive TOS is pretty suspect, especially given the timing. IANAL, but I'm pretty sure that a court would not allow that, given that the TOS was changed AFTER the breach and it's pretty clear that the company is trying to avoid legal issues after-the-fact.
I would expect the court would evaluate any breach under the TOS that was in effect at the time of the breach, rather than under a new (and arguably suspect) one that was put in place after it, arguably in an attempt to "rewrite history".
I would have presumed that security-minded people, which includes those who work in tech, would not so easily give away their genome, and that most of 23andMe's customers are a slice of the general population. But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled. Why would anyone willingly do that?
Forcing customers to use arbitration hasn't always been in the company's interest - if only a fraction of the 7M affected customers started the arbitration process it could cost a lot more than a class action suit.
Didn't Uber drivers get a large payment from them in this way?
An alternative take is that they changed their terms of service so that if/when this happens again they'd have more control over the fallout. I think they're totally expecting to get railed for the last one and are preparing for it, but this doesn't mean they can't prepare for the future as well. I imagine other providers will also revise their TOS.
Which companies offer similar services sans all the bullshit and privacy issues? I'm not interested in finding long lost relatives and even less interested in having my data sold or shared with LEO.
I have tried to quickly diff the previous TOS with the new one and I wasn't able to identify any big changes. I would like to know what the actual changes are. I see a lot of articles criticizing the new TOS, but no one is showing the actual wording differences.
I interviewed for a security position there a few years ago, but they cut the role before the interview process was over. Kind of feels like they didn't prioritize security - you reap what you sow.
Gladly I never used any of these services; not only would knowing my ancestors' origins add zero value to my life, but also I don't trust any cloud services to store my passwords or notes, let alone a biometric I will never be able to change, alive or not.
In case anyone is interested I've been compiling as much factual information on arbitration here. Not yet complete but reasonably useful and well sourced
I honestly don't understand how "If you don't opt out within 30 days you'll be bound to the new TOS" works.
I have heard of two big "trends" of how people think about legal contracts:
[1] What is written there and what both parties agreed to is the truth.
[2] A contract is supposed to be a "meeting of the minds". If it's proven that one party was being deceitful, then the contract (or that part) doesn't hold.
If we go by [1], then the company can change the TOS by sending me a notice with "if you don't opt out, then you're bound by these terms"... but so should I. I should be able to send a letter to 23&me saying "if you don't disagree these are the new terms: if my information is ever hacked, you owe me 10M dollars in damages"
If we go by [2], then sending a notice like that is absolutely invalid. They have no way of proving that I read that notice within 30 days, so there was never a "meeting of the minds".
Exactly. This behavior is why I'm never gonna send my DNA to any of these services. Certainly not US ones. I hope that the EU will have some regulations for this soon.
"reports revealing that attackers accessed personal information of nearly 7 million people — half of the company’s user base — in an October hack."
Breaking into a system should never provide access to 7 million people. The database should be divided up into multiple "cells" each with its own separate access restrictions.
It's the same idea that spy networks use to prevent one compromised spy from bringing down the whole system. Or you can think of it like watertight compartments in a battleship.
"In October, the San Francisco-based genetic testing company headed by Anne Wojcicki announced that hackers had accessed sensitive user information including photos, full names, geographical location, information related to ancestry trees, and even names of related family members."
For those who do not know, her sister is a longtime Google marketing person since 1999, who worked on AdWords, AdSense, DoubleClick, Google Analytics and the money-losing data collection and advertising subsidiary YouTube.
It seems personal data collection for profit runs in the family.
I am a security engineer. When I signed up for 23andme, I assumed with certainty that it would be hacked and all data leaked at some point. I balanced that with the value of knowing potentially important health/genetic bio markers.
In the end, I valued knowing these bio markers above the privacy of my genome. The former is actionable and I can use it to optimize my health and longevity; the latter is of vague value and not terribly exploitable outside of edge-case threat models.
They probably know that it doesn't hold water legally. The hope is to victim blame as much as possible so that fewer people sue them in the first place. The next step will be to "remind" people about the TOS that they totally agreed to.
Trying or arbitrating a large number of cases individually is far more expensive than litigating a class action suit. But only if the people pushing the arbitration hold firm, rather than agreeing to the initial settlement offering.
The same people believed crypto-currency, infinite growth, social media and many other things. At least 23andMe provided actual value, to some at least.
What I find strange is that 23andMe did not automatically delete data after 30 days, or at the very least take it offline, only to be available on request. Notify people that their results are available and inform them that the data will be available for 30 days after the first download. This is potentially really sensitive data and, based on 23andMe's response, they seem to be aware of that fact. So why would they keep the data around? That seems fairly irresponsible and potentially dangerous to the company.
They ought to be evaluated as if no TOS exists. Given the clear intent to defraud customers by misrepresenting the contract they were bound by, the claims should be evaluated under the TOS most favorable to the plaintiffs. The most favorable TOS is the one that's invalid because 23andMe didn't get anyone to actually agree, ergo the claims are evaluated as if no TOS exists.
This is an attempt to undermine consumer protection laws, and the government should treat it as a direct attack. Other companies are watching. The government needs to send a clear message that this won't be tolerated before it spreads, becomes the status quo, and leaves many consumers believing that they don't have any rights or protections.
The head of legal should also be disbarred under American Bar Association rule 1.2(d):
> (d) A lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent, but a lawyer may discuss the legal consequences of any proposed course of conduct with a client and may counsel or assist a client to make a good faith effort to determine the validity, scope, meaning or application of the law.
This reads as clear contract fraud in the factum [1]. Customers are told that they're bound by new contract terms, despite that 23andMe never got agreement, nor tried to get agreement, nor even knows whether customers have read the new contract. I can't fathom any other reasonable interpretation of the situation. They created a fraudulent contract hoping to confuse other entrants to prior versions of the contract, and intend to benefit from that confusion. It seems clear to me. They are attempting to undermine the legal system, and the ABA needs to deal out swift punishment as one of the protectors of that system.
The slightly annoying thing with this data, though, is that even if you don't provide your data your privacy can be violated via any relatives' data that did decide to use the service.
You got it wrong. They can throw a big TOS in front of you next time you login. Most users will just accept.
Additionally they sent an email out saying that you have 30 days to tell them you want to "opt out", otherwise by default they assume you accept the new TOS agreement.
I was 24 in 2015 and not in tech or as security minded as I am now when I received the test as a Christmas present. Obviously now I wouldn’t have dared do it, but it’s too late. Lacked the foresight at the time.
I'm familiar with security (I keep a copy of Applied Cryptography on my shelf for "fun reading") and tech, here's a copy of my whole genome:
https://my.pgp-hms.org/profile/hu80855C
Note it's a full human genome, far more data than a 23&Me report. You can download the data yourself and try to find risk factors (at the time, the genetic counsellors were surprised to find that I had no credible genetic risk factors).
Please let me know in technical terms, combined with rational argument, why what I did was unwise. Presume I already know all the common arguments, evaluated them using my background knowledge (which includes a PhD in biology, extensive experience in human genome analysis, and years of launching products in tech).
I've been asking people to come up with coherent arguments for genome secrecy (given the technical knowledge we have of privacy, both in tech and medicine) and nobody has managed to come up with anything that I hadn't heard before, typically variations on "well, gattaca, and maybe something else we can't predict, or insurance, or something something".
I don't know where you have been the last few years, but I am pretty sure things like that happen all the time, based on the emails I received regarding ToS updates. And I have never heard any company got into trouble in court. Maybe public opinion, but that's it.
>But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled.
I'm befuddled that anyone thinks Sam Altman is the least bit trustworthy after WorldCoin.
Insertion into the middle of Limitation of Liability: "WITHIN THE LIMITS ALLOWED BY APPLICABLE LAWS, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT 23ANDME SHALL NOT BE LIABLE FOR ANY DAMAGES"
Lots of changes to the Dispute Resolution, and new content re: Mass Arbitration.
However, the previous ToS still had binding arbitration clauses, and stuff about class actions.
What if you want to run a query to compare your DNA to everyone else’s to see if you have any relatives that are registered already? Wouldn’t that need access to the entire database and essentially be a point of weakness?
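As an added illustration (not code from this thread, from Engadget, or from 23andMe) of the "cells" design proposed earlier and of the cross-database matching question just raised: a toy record store split into cells, each guarded by its own key. A single stolen key enumerates one cell, not every record, while the relative-matching query needs a credential for every cell, which is exactly why that one service becomes the component to isolate, rate-limit and monitor. All user ids, records, "marker" values and key handling are constructed for the demo; in a real system the per-cell keys would come from a secrets manager rather than being generated in process.

```python
"""Cell-partitioned record store (constructed demo): one key per cell,
so the blast radius of a stolen key is one cell, and a cross-cell query
must hold every cell's credential."""
import hashlib
import hmac
import secrets

CELL_COUNT = 8


def cell_for(user_id: str, cell_count: int = CELL_COUNT) -> int:
    """Deterministically map a user id to a cell index (hash, then modulo)."""
    digest = hashlib.sha256(user_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % cell_count


class CellStore:
    """Records split across cells; every cell has an independent access key."""

    def __init__(self, cell_count: int = CELL_COUNT):
        self.cells = {i: {} for i in range(cell_count)}
        # Assumed: issued per cell by a secrets manager; generated locally here.
        self.keys = {i: secrets.token_bytes(32) for i in range(cell_count)}

    def put(self, user_id: str, record: dict) -> None:
        self.cells[cell_for(user_id, len(self.cells))][user_id] = record

    def credential(self, cell: int) -> tuple:
        """A credential is (cell index, that cell's key)."""
        return (cell, self.keys[cell])

    def _check(self, credential: tuple) -> int:
        cell, key = credential
        if cell not in self.keys or not hmac.compare_digest(key, self.keys[cell]):
            raise PermissionError("invalid credential for cell %r" % (cell,))
        return cell

    def read(self, credential: tuple, user_id: str) -> dict:
        """A cell credential may only read users that live in that cell."""
        cell = self._check(credential)
        if cell_for(user_id, len(self.cells)) != cell:
            raise PermissionError("credential is not scoped to this user's cell")
        return self.cells[cell][user_id]

    def enumerate(self, credential: tuple) -> dict:
        """Everything one credential can reach: the view a holder of that key gets."""
        cell = self._check(credential)
        return dict(self.cells[cell])


def can_read(store: CellStore, credential: tuple, user_id: str) -> bool:
    try:
        store.read(credential, user_id)
        return True
    except PermissionError:
        return False


def match_relatives(store, credentials, probe_markers, threshold=3):
    """Cross-cell query: runs only with a valid credential for every cell.
    Returns ids whose marker overlap with the probe meets the threshold."""
    if {c for c, _ in credentials} != set(store.cells):
        raise PermissionError("cross-cell query needs a credential for every cell")
    hits = []
    for cred in credentials:
        for uid, rec in store.enumerate(cred).items():
            if len(set(rec["markers"]) & set(probe_markers)) >= threshold:
                hits.append(uid)
    return sorted(hits)


def build_demo(total_users: int = 1000) -> tuple:
    """Populate a cell store and a monolithic dict with the same constructed users."""
    store, monolithic = CellStore(), {}
    for i in range(total_users):
        uid = "user-%04d" % i
        # Constructed markers: disjoint value ranges so overlaps are unambiguous.
        rec = {"name": "User %d" % i, "markers": [i % 7, 7 + i % 11, 18 + i % 13, 31]}
        store.put(uid, rec)
        monolithic[uid] = rec
    return store, monolithic


def blast_radius(total_users: int = 1000) -> dict:
    """Records exposed by one compromised credential in each design."""
    store, monolithic = build_demo(total_users)
    stolen = store.credential(0)  # a single cell's key is compromised
    return {
        "total": total_users,
        "monolithic": len(monolithic),             # one DB credential reads all
        "one_cell": len(store.enumerate(stolen)),  # roughly total / CELL_COUNT
    }


if __name__ == "__main__":
    print(blast_radius())
    store, mono = build_demo()
    all_creds = [store.credential(c) for c in store.cells]
    print(match_relatives(store, all_creds, mono["user-0000"]["markers"]))
```

The point of the comparison is the ratio in `blast_radius()`: the monolithic dict gives up every record to one credential, the cell store gives up about one eighth. The matching service is the honest answer to the question above: it does need to reach every cell, so it should hold its credentials separately from the web tier, only ever receive the probe markers rather than a user's full record, and have its cross-cell reads logged so that an unusual volume of enumeration is visible.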
Could have been that they found someone internally.
Editorial Channel: What the content says

Article 8: Right to Remedy (High Advocacy; Editorial +0.70; SETL +0.59)
CORE PROVISION: Article 8 (right to effective remedy) is the article's central focus. It strongly advocates for this right by exposing 23andMe's explicit prevention of remedy through class action bans, mandatory arbitration, and automatic opt-in.
Observable Facts:
- Headline explicitly names the issue: 'prevent hacked customers from suing'
- Article documents the company's stated motive to 'streamline arbitration proceedings' rather than enable collective remedy
- Article reports customers must affirmatively opt out within 30 days or lose choice
Inferences:
- The article strongly advocates for Article 8 by documenting systematic denial of remedy mechanisms
- By publicizing the company's strategy, the article creates a path to remedy through public pressure and informed legal action

Article 10: Fair Hearing (High Advocacy; Editorial +0.60; SETL +0.49)
Article advocates for Article 10 (fair and public hearing by independent tribunal) by criticizing 23andMe's shift to private arbitration that 'hides information about the proceedings from the public.'
Observable Facts:
- Article states arbitration 'hides information about the proceedings from the public'
- Article cites legal expert Nancy Kim providing independent judgment on enforceability
- Article includes quoted customer reactions from social media (Daniel Arroyo, Paul Duke)
Inferences:
- The article advocates for public proceedings and judicial transparency as essential to fairness
- By exposing private arbitration mechanisms, the article supports the principle of open justice

Preamble (High Advocacy; Editorial +0.50; SETL +0.45)
Article advocates for the preamble's principles of 'equal rights' and 'dignity' by exposing how 23andMe denies customers equal access to justice and remedy following a massive privacy breach.
Observable Facts:
- Headline frames 23andMe's action as 'frantically changed its terms of service to prevent hacked customers from suing'
- Article reports 'attackers accessed personal information of nearly 7 million people — half of the company's user base'
- Article documents that customers are 'automatically opted in' to new terms unless they email within 30 days
Inferences:
- The article advocates for equal treatment by documenting how the company is denying equal legal standing to harmed customers
- By exposing the automatic opt-in mechanism, the article supports the principle that persons retain equal dignity and choice

Article 19: Freedom of Expression (High Advocacy; Editorial +0.50; SETL +0.32)
The article itself is an exercise of Article 19 (free expression). It freely reports facts, expresses critique, and publishes customer and expert commentary without editorial restriction.
Observable Facts:
- Article includes identified byline (Pranav Dixit, Senior Editor) with publication date and update
- Article quotes customer criticism directly: 'they first screw up and then they try to screw their users by being shady'
- Article includes expert legal analysis from Nancy Kim challenging the company's position
Inferences:
- The article exercises free expression to criticize corporate misconduct and challenge power
- The platform's publication of diverse viewpoints (customers, experts, company silence) supports the free expression principle

Article 6: Legal Personhood (High Advocacy; Editorial +0.45; SETL +0.40)
Article advocates for Article 6 (recognition as a person before the law) by exposing how 23andMe's ToS denies customers equal legal standing and agency to pursue collective claims.
Observable Facts:
- Article quotes new terms forbidding 'class action or collective action or class arbitration'
- Automatic opt-in structure removes customer choice to consent
Inferences:
- Forced individual arbitration treats customers as unequal before the law, denying their collective legal personhood
- The automatic opt-in further undermines customers' agency and recognition as volitional legal subjects

Article 12: Privacy (High Advocacy; Editorial +0.45; SETL +0.45)
Article documents violation of Article 12 (privacy from arbitrary interference) through the breach affecting millions, and advocates for remedy by exposing the harm and the company's evasion tactics.
Observable Facts:
- Article lists compromised data in detail: 'photos, full names, geographical location, information related to ancestry trees, and even names of related family members'
- Article reports 'hackers put up profiles of hundreds of thousands of Ashkenazi Jews and Chinese people for sale'
- Article quantifies harm: 'nearly 7 million people — half of the company's user base'
Inferences:
- The article documents massive arbitrary interference with personal privacy through unauthorized data access
- Advocacy for remedy is implicit in exposing both the breach and the company's evasion of accountability

Article 1: Freedom, Equality, Brotherhood (High Advocacy; Editorial +0.40; SETL +0.35)
Article supports Article 1 (equal and inalienable rights) by criticizing 23andMe's attempt to selectively deny some customers their right to collective legal action.
Observable Facts:
- New terms state 'each party may bring disputes against the other party only in an individual capacity and not as a class action'
- Article notes this change occurred 'days after reports revealing' the breach
Inferences:
- Timing and motive (prevent lawsuits) suggest deliberate denial of equal rights

Article 29: Duties to Community (High Advocacy; Editorial +0.40; SETL +0.35)
Article advocates for Article 29 (duties to community) by exposing 23andMe's dual failure: first to protect user data, then to accept responsibility and remedy.
Observable Facts:
- Article states the breach affected 'nearly 7 million people — half of the company's user base'
- Article reports '23andMe did not respond to a request for comment from Engadget'
- Article documents the company's attempt to legally shield itself from liability
Inferences:
- The article documents a company's failure in its duties to protect and support its user community
- By exposing both the breach and the liability evasion, the article advocates for corporate accountability to the community

Article 3: Life, Liberty, Security (High Advocacy; Editorial +0.35; SETL +0.35)
Article documents violation of Article 3 (right to life, liberty, security of person) through the data breach, and advocates for remedy by exposing how 23andMe's ToS compounds the injury.
Observable Facts:
- Breach compromised 'photos, full names, geographical location, information related to ancestry trees, and even names of related family members'
- Article reports 'hackers put up profiles of hundreds of thousands of Ashkenazi Jews and Chinese people for sale on the internet'
Inferences:
- The article documents severe violation of persons' security and bodily/informational integrity
- The coverage implicitly advocates for victims' right to remedy by exposing corporate attempts to evade accountability

Article 28: Social & International Order (Medium Advocacy; Editorial +0.35; SETL +0.30)
Article relates to Article 28 (social and international order based on rights) by exposing institutional failure—corporate exploitation of legal gaps—and implicitly advocating for stronger protections.
Observable Facts:
- Article documents that 'multiple class action claims have already been against the company'
- Expert legal analysis challenges the validity of the company's terms
Inferences:
- The article documents how corporate power can exploit institutional gaps, undermining social order
- By publicizing this evasion attempt, the article advocates for stronger institutional accountability

Article 7: Equality Before Law (Medium Advocacy; Editorial +0.30; SETL +0.24)
Article relates to Article 7 (equal protection under law) by exposing 23andMe's attempt to provide unequal legal protection through private arbitration versus public legal remedies.
Observable Facts:
- Article states arbitration 'hides information about the proceedings from the public'
- Expert Nancy Kim is quoted questioning the enforceability of the new terms
Inferences:
- Private arbitration denies equal protection by removing public scrutiny and accountability
- The article's documentation supports the principle of equal protection through transparency

Article 17: Property (Medium Advocacy; Editorial +0.25; SETL +0.25)
Article relates to Article 17 (property rights) insofar as genetic data and family genealogy constitute personal property; the article documents unauthorized access and commercial sale of this information.
Observable Facts:
- Article reports hackers 'put up profiles of hundreds of thousands of Ashkenazi Jews and Chinese people for sale on the internet'
- Compromised data includes 'information related to ancestry trees, and even names of related family members'
Inferences:
- The article documents appropriation of property-like personal and genealogical information without consent
- The commercial sale of this data violates property rights as well as privacy

Article 26: Education (Low Advocacy; Editorial +0.20; SETL +0.14)
Article tangentially relates to Article 26 (education) by educating readers about legal rights, corporate accountability mechanisms, and arbitration versus public litigation.