
How to use 23andMe without giving up your genetic privacy


You’ve probably caught at least some of the NSA news this summer. One big takeaway from the surveillance revelations is that private companies have to turn over customer information when the government asks. Customer information is whatever the company collects about you: emails, phone calls, and, yes, even your genetic code.


That’s why today’s prevailing big data business model (“let’s collect every byte of consumer data we can and figure out how to sell it later”) is fundamentally incompatible with privacy. And let’s not forget that Google, one of the biggest suppliers of data to the NSA and a PRISM company, is a lead investor in 23andMe. Note that some companies, like Wickr, DuckDuckGo, and Abine (where I work), minimize that problem by either not collecting data at all, or encrypting data so it looks like nonsense to anyone looking at it without the password.

23andMe collects a whole lot of deeply personal information, the kind of stuff that not just marketers, but also insurers, doctors, potential dates, employers, and arch-nemeses would love to get their hands on. They have your entire genome (the sequence of nucleotides that make up your DNA), your browsing activity on their site, the information you provide when registering (like email and name), sex, date of birth, credit card number, the results of any health or behavior-related quizzes on their site (which can include disease conditions, ethnicity, and other health info), and more.

Not only do they collect a lot of personal information, but they share it in five broad situations, including with law enforcement (“Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities.”)

That’s right: if the NSA comes knocking at 23andMe and wants your genetic code, they’re getting it. There’s a privacy exception–an NIH Confidentiality Certificate–if you’ve opted to participate in 23andMe’s IRB-approved research, but it’s sort of a catch-22: either share your info with the private sector (23andMe and their affiliates) and get more privacy protection from the government, or don’t share your info with the private sector but get less protection from the government.


Even though they offer you the chance during the signup process to let them destroy your saliva sample, the company still has the digital record of your genome.

Likewise, the company isn’t clear about whether you can ever delete your data from their servers. They say you can delete your account by emailing customer support, but also say that they’ll “preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary.”

They also say they’ll tell you if law enforcement asked for your sample — that is, unless they’re under a gag order, which we now know is pretty common for the NSA.

Let’s summarize: 23andMe has a ton of data about you and they share it in various cases.

Read the whole post here:

The end result of my experiment? I got to find out a lot of interesting things about myself in exchange for giving 23andMe my genome. Because they don’t know it belongs to me personally, it’s of little use to them or any secret agents who come looking for it — although nothing is guaranteed, of course.

Privacy has become something we have to work for rather than something we expect by default, but I’m willing to put in the effort like I did with 23andMe for the peace of mind.
