CHRISTINE: I’m Christine Cyr Clisset.
CAIRA: I’m Caira Blackwell.
ROSIE: I’m Rosie Guerin and you’re listening to The Wirecutter Show.
Caira, Christine, we are popping in for a quick bonus episode this week to talk about some news that broke about the DNA genetic testing company, 23andMe, it filed for bankruptcy.
CAIRA: So bad.
CHRISTINE: Yeah. It has a lot of knockdown effects for people who’ve taken these tests.
ROSIE: It’s scary and it’s a lot of information, arguably the most vital, private, important information any person has access to, your genetic makeup.
CHRISTINE: Have you guys taken a DNA test?
ROSIE: I just, funnily enough, got my results back from 23andMe last week.
CAIRA: Oh my God.
CHRISTINE: What timing? Wow.
ROSIE: Bizarre timing. We knew when we opted into doing it that there was a chance that bankruptcy could happen because it’s been in the news for months, but it was still important for a variety of reasons to do it. But we went back and forth for a long time questioning the safety versus the benefits of getting some information. I was adopted, it was a closed adoption. I don’t have family history and I don’t have health history, which I’m sorry to have to tell you this, I’m not actually getting any younger.
CHRISTINE: No way.
ROSIE: I know. I know. I’m shocked too. So the older I get, the more important it becomes to get some access to my health history.
CAIRA: And that puts you in such a vulnerable position because you have to trust this company to handle your very precious information.
ROSIE: It was a choice, for sure.
CAIRA: I remember my parents did a 23andMe, both of them about two years ago, and all of us kids rioted because many black people have trust issues with stuff like that. Genetic history is really important and it’s been used against us for law enforcement.
CHRISTINE: It’s been misused left and right.
CAIRA: Yeah. It’s so scary.
ROSIE: Also, if your parents did it. That necessarily means your genetic information to a certain extent is also-
CAIRA: We’re all implicated.
ROSIE: …implicated. Yeah.
CHRISTINE: Well we have covered these DNA test kits for years at Wirecutter and it’s been kind of controversial even internally for us. I mean we obviously, we reviewed them, we did a very, very rigorous job, but we’ve always had data privacy, security questions about DNA kits, right? Once you send off that information, it’s out there, a company owns it, and you kind of don’t know what’s going to happen afterwards. And this is what we’re going to talk about today because there’s been some news this week about 23andMe. There are reasons why if you have used the service or anyone in your family has used the service, you probably want to think about deleting your information. So we got in touch with Max Eddy, who’s a writer for Wirecutter covering privacy, security and software. He knows a lot about data privacy. And Rosie, I think you’re going to take it away and find out what people need to know.
ROSIE: Yeah, I want to talk to Max about what happened, what’s at stake, what are the risks, and how to go about deleting the data. So we’re going to take a quick break and Max will be with me on the other side.
ROSIE: Max, thanks for joining us. Thanks for jumping on.
MAX: Glad to be here.
ROSIE: So 23andMe was in the news this week as we know. What happened?
MAX: So this week, 23andMe filed for chapter 11 bankruptcy and they’re currently looking for a buyer to take over the company. This was not a surprise. The company had been in decline for quite some time. There was a data breach in 2023, which exposed the information of 7 million customers and it has just been down since then. In fact, talk of a sale started last year. So again, this is not really a surprise.
ROSIE: So 23andMe filed for bankruptcy. We knew that was a possibility. It’s happened. What are the tangible risks for customers who’ve used the product?
MAX: So the concern here is that there’s not a lot of regulations around the kind of data that 23andMe and other companies like it are holding. This information is not covered by HIPAA, which is legislation that limits how far medical information could be spread. And that’s not the case here. So all those customers who signed up with this service thinking one thing might find out that their information is being used for another thing if it’s purchased by another company. And we have to assume that the data that is held by 23andMe is a primary asset of the company. People are not going to be buying this for the brand. They’re probably going to be buying it, at least in part for access to that information. And the information that 23andMe holds is deeply, deeply personal. There’s perhaps nothing more personal than your genetic information.
ROSIE: It’s personal as it gets.
MAX: Yeah, it’s immutable. You can’t change it, and it links back to one specific person, you, and that is a big concern. And it’s also a concern because even if you haven’t submitted your genetic information to 23andMe or a company like it, if someone in your extended family has, you can still be linked to them. So there’s an enormous network effect here of not just the individuals who could be affected, but everyone that they’re related to. And I believe that 23andMe has something like 15 million customers. That’s a lot of people.
ROSIE: Yeah, it’s definitely scary. Your piece that you reported, and is up on the Wirecutter site right now, is called 23andMe Just Filed for Bankruptcy. You Should Delete Your Data Now. With a period at the end. That’s pretty strong. Why delete data?
MAX: Well, I should say that this is not just me and the people at Wirecutter who believe this, many others have come forward. Most notably, the California Attorney General actually put out a consumer warning a few days before bankruptcy was declared just because it was possible that this would happen. And I think that that really underlines like the concern that is felt across the board about this information suddenly being up for grabs. We should say that to the company’s credit, they have said that they intend to be transparent about the process and to follow the existing rules and regulations, but it’s still going to be a new company that takes it over. And what happens next is unclear.
ROSIE: Max, I know this is a little bit of a theoretical question, but I am curious, what is the worst that could happen if you don’t delete your data?
MAX: It’s really hard to look at theoreticals, right? Because anything could happen. Perhaps the most likely bad outcome would be that this data is purchased by a company that just has radically different views about how to handle it and what to do with it. Like a real out there possibility. I don’t know, maybe they’re going to make bioweapons with it or something. And you don’t want your data used for that. It could be used for tracking individuals, tying it to law enforcement databases. It’s so hard to say because we don’t know the terms of any potential sale. We don’t know what kind of safeguards are going to be put around the data and what safeguards currently exists around the data.
The main thing that people should consider is that they opted into this service under one set of expectations, that their data would be handled in a specific way, that they would be able to remove it, that they would be able to have it destroyed, and that they would be able to opt out of research, and that there would be certain considerations given to interacting with law enforcement, and that that may not be true in the future. And by deleting it now, you are doing the most that you can to keep control over how that information is used.
ROSIE: What exact steps do folks need to take to delete their data? If they’re concerned, what do you do?
MAX: First off, when you go to delete your data, you will have the opportunity to download it. So if this is something that’s deeply important to you and you’re interested in the science, perhaps you can get a copy of it. I have seen some people complaining that the size of the file may be significant, so it could take a while.
ROSIE: That was our experience. It took almost the entire evening
MAX: Goodness.
ROSIE: There were a lot of screenshots involved. Their website was really, really laggy, but it obviously was important that we did it and downloaded that information for future use.
MAX: Yeah, yeah, it’s great to get that, right? Like if you’ve already invested the time and effort to get yourself checked out like this, having that is valuable. So the instructions as we understand them, so you’re going to go and you’re going to log into the site, you’re going to navigate to settings. At the bottom of the page, you’re going to see an option that says 23andMe data and then view. You’re going to click view, that is your opportunity to download it and that might take a while. You’re then going to select delete data and then click permanently delete. At this point, the company is probably going to send you an email asking for additional authentication and confirmation from you. So you’re going to need your password, you’re going to need some more information about your account, and you’re going to need to follow the instructions that come in an email after the fact.
My understanding is that unless you complete the instructions in the email, your data may not be deleted. Once you’ve done that, take a look at the section called product consents and from there, you can revoke consent for future research using your genetic material. It’s important to understand that if you already opted in to have your genetic information used in research, it cannot be retroactively taken away. That research is done, it’s already been included in there. This is only going forward. Additionally, in the settings section of the site, you’ll be able to opt to have your sample destroyed.
ROSIE: Okay, so once your data is deleted, you get the confirmations, you’ve gone through all the steps, should you consider yourself in the clear and good to go now?
MAX: That’s a really good question. The thing that’s interesting about this privacy problem around not just 23andMe, but services like it is those knock-on effects, that your genetic information affects not just you, but everyone that you’re related to. And it can be used in a variety of different ways. Even when it’s been anonymized, obviously it still links back directly to you. So it’s more like a lot of opportunities for there to be privacy problems in the future with this. And I think it’s an opportunity to consider how much medical and personal information people are willing to share with companies. This is, as we said, deeply personal information. So I think this is a question that people should be asking, not just now, but going forward when they have the opportunity to do something similar in the future.
ROSIE: Yeah, it’s a personal choice that we sort of reminded for a very, very long time and happened to have this bizarro timing as the company is dissolving. But yeah, I mean part of the reason why it took so long was there are lots of considerations when you are giving such personal, the most personal, as you said, information to a company you don’t have control over. I’m wondering from you, is there anything else folks should know or consider or even keep an eye out for?
MAX: So two things actually. First off, I want to stress that while there’s a clutch of people out there who believe in privacy, maximalism and will look down on people that do anything that exposes any part of their privacy as that that’s a foolish thing. Or that people who use these services are following a fad and they’re just being very cavalier with their personal information. But I don’t think that’s true. Obviously, this provides value to people and it’s a personal decision. So I just want to underline that people who use this service are not foolish and they haven’t made a mistake. This is an unusual situation and everyone is trying to figure it out going forward.
These services offer not just information about your health potentially, but also people’s backgrounds. It can reconnect people with family that they might not have had access to, and it can complete their knowledge of their family history, which not everyone has. So I just want to underline that. The other thing is that we’ve seen examples of how genetic information uploaded to services like 23andMe can be used by law enforcement. There’s a very great example. In 2018, the so-called Golden State Killer was found after 40 years using a combination of genetic information and traditional genealogical research using open source information. So building family trees, linking that to publicly available genetic information in order to locate an individual. This is obviously like a good story, right? We want to see bad people brought to justice, but in privacy and security issues, we should always be thinking about the context.
When you change the context slightly, it might not seem so great know, would we be comfortable with the same technique used to track down people who have parking violations or were in a protest. So it’s important to understand how these connect with law enforcement. 23andMe, to its credit, was one of the few services that did not proactively cooperate with law enforcement. They required a warrant for any information. The people who wrote our guide at Wirecutter did an incredible job of breaking down the privacy and security considerations of these services. If you go there, you can see their rundown of the whole thing. So that’s the other aspect of this. It’s not just the sort of amorphous privacy discussions. There’s also some very real connections to very real consequences.
ROSIE: Max Eddy, staff writer at Wirecutter, really, really appreciate you joining us. Appreciate your reporting. Thank you. If you want to find out exactly how to delete your data, you can check out Max’s coverage on the Wirecutter website. Of course, you can check out Wirecutter’s Guide to Home DNA Kits. Lots of great information there and that’s on the site. We’ll link it in our show notes as well. Max, thank you so, so much.
MAX: Thanks for having me.
