Thomas 🔭✨

⚠️ 23andMe just sent out an email trying to trick customers into accepting a TOS change that will prevent you from suing them after they literally lost your genome to thieves.

Do what it says in the email and email arbitrationoptout@23andme.com that you do not agree with the new terms of service and opt out of arbitration.

If you have an account with them, do this right now.

Here’s an email template for what to write: patreon.com/posts/94164861

132 comments
Thomas 🔭✨

Needless to say, them wanting to pre-empt a class action suit means that most likely there’s way worse revelations yet to come.

Thom
@thomasfuchs Holy shit, in a world that seems to be providing new and interesting (read: shitty) business practices on a daily basis, this...this stands out. What a bunch of assholes.
Darren

@thomasfuchs they were hacked? I read that it was customers reusing passwords that were stolen on other sites. (disclosure: worked there eons ago, but they took security incredibly seriously).

Darren

@thomasfuchs @pjohanneson Maybe fine point none of their security was compromised. 14,000 users with same password and email reused on multiple sites were accessed. If you use the same password in 12 places and one of the sites gets compromised, I don’t consider the other 11 sites to be “hacked”. What amplified the damage was people sharing their DNA with others so more genomes were exposed, but again the users all agreed to share.

Darren

@pjohanneson @thomasfuchs and ps you have copies of your DNA lying around everywhere all the time. I can’t get too outraged. The quiet TOS update seems like maybe their lawyers giving them bad advice though.

Dan

@dplattsf @pjohanneson @thomasfuchs credential stuffing is a standard attack. not protecting against it, then lying about how many people were affected, then back-door changing their TOS to disallow compensation, those are reasons they should be pilloried and compensate people affected.

Peter

@dko @dplattsf @pjohanneson @thomasfuchs

yeah the "crime" here is the legal coverup. this is some serious dark pattern stuff here.

Dan

@pjm @dplattsf @pjohanneson @thomasfuchs Ya know, one specific person's prior couple of posts have rustled my jimmies.

There are a couple of things to unpack and de-shit here.

1) "you leave your DNA everywhere you go":

Sure, yes. HOWEVER! It's not sequenced and ready to be used by whomever for absolutely any purpose. I have basically zero concern about this being an issue with offshore ransomware syndicates.

I have A LOT OF CONCERN about this being harvested by any of the major databrokers and used to deny people healthcare because of their genome, which those folks never consented to share with the people who make decisions about whether they live or die

2) 23andme said fewer than 1% of users were affected. it turns out, 50% are affected because of sharing settings.

why the fuck is my data subject to exfiltration because of another user? I can't imagine that it was exfiltrated by forging browser or API sessions and requesting the data. it smells a lot like shitty database structure.

I guess unless they release a very detailed IR report we'll never know.

3) blaming users for "doing the bad thing" is an abdication of responsibility as an admin.

there are simple ways to guard against these sorts of attacks. i don't know 23andme's stack or how difficult it would be to implement, but at a very basic level, here's a good start:

- robust password policy - minimum 8 char password, disallow at least the top 100 from HIBP and/or rockyou, if not the top 1000
- require 2fa
- disallow anything that looks like probing activity. any accounts that are logged in within 60 mins from the same IP, any IPs that show logins to multiple accounts with incorrect passwords, etc, etc
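
The three controls in the post above, as an added example that is not from the original thread or from 23andMe: a password blocklist check and the two probing heuristics (one IP failing against many distinct accounts, one IP logging into many accounts within 60 minutes) run over auth log lines. The log format, IP addresses, account names and blocklist are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the "top N from HIBP / rockyou" list the post refers to;
# a real deployment would load the actual list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "iloveyou"}


def password_allowed(password, blocklist=COMMON_PASSWORDS, min_length=8):
    """Minimum length plus a case-insensitive blocklist lookup."""
    return len(password) >= min_length and password.lower() not in blocklist


# Constructed auth log (not real data): "<ISO timestamp> <client IP> <account> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:00 198.51.100.7 alice@example.com FAIL
2023-10-01T10:00:02 198.51.100.7 bob@example.com FAIL
2023-10-01T10:00:04 198.51.100.7 carol@example.com OK
2023-10-01T10:00:05 198.51.100.7 dave@example.com FAIL
2023-10-01T10:30:00 198.51.100.7 erin@example.com OK
2023-10-01T10:45:00 198.51.100.7 frank@example.com OK
2023-10-01T11:00:00 203.0.113.9 alice@example.com FAIL
2023-10-01T11:00:30 203.0.113.9 alice@example.com FAIL
2023-10-01T11:01:00 203.0.113.9 alice@example.com OK
2023-10-01T12:00:00 192.0.2.44 bob@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events


def ips_with_multi_account_failures(events, min_accounts=3):
    """Heuristic 1: an IP failing logins against several *distinct* accounts.

    A user who forgot their password fails repeatedly against one account;
    a stuffing run walks a leaked list and fails against many.
    """
    failed = defaultdict(set)
    for _, ip, account, outcome in events:
        if outcome == "FAIL":
            failed[ip].add(account)
    return {ip for ip, accounts in failed.items() if len(accounts) >= min_accounts}


def ips_with_many_logins_in_window(events, window=timedelta(minutes=60), min_accounts=3):
    """Heuristic 2: an IP successfully logging into several distinct accounts
    within one sliding window (60 minutes, as in the post)."""
    successes = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "OK":
            successes[ip].append((ts, account))
    flagged = set()
    for ip, items in successes.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            accounts = {acct for ts, acct in items[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def flag_credential_stuffing(text):
    """Union of both heuristics over a raw log, as a sorted list of IPs."""
    events = parse_log(text)
    return sorted(ips_with_multi_account_failures(events) | ips_with_many_logins_in_window(events))


if __name__ == "__main__":
    print(flag_credential_stuffing(SAMPLE_LOG))
```

In the sample, 198.51.100.7 trips both rules while 203.0.113.9 (one user retrying their own account) trips neither, which is the distinction that keeps the second heuristic from punishing ordinary forgotten-password traffic.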

pa27

@dko @pjm @dplattsf @pjohanneson @thomasfuchs

The healthcare point is interesting. I would like to think that any healthcare organisation using unverified, stolen data to make decisions about a client would themselves be subject to massive class actions...

Darren

@pjohanneson @dko @thomasfuchs have you been to haveibeenpwned lately? The only thing that distinguishes this from a typical day on the internet is that it has the word dna in it and they didn’t even get hacked. Going to save up my outrage ..

Dan

@dplattsf @pjohanneson @thomasfuchs "People get breached" is not a good argument against getting breached.

And speaking of Troy's site, why didn't 23andme disallow the top 1000 passwords from HIBP or at least rockyou?

why didn't they disallow tons of requests probing passwords?

why didn't they require 2fa?

any of these would likely have prevented this. all of them together would almost certainly have.

who are you helping here? a company that just made millions of people's genomes public with their indefensible policies?

Darren

@dko @thomasfuchs @pjohanneson same reason your bank is still using sms for 2fa. people get upset if you force them to do it the right way. and they get outraged if you don’t. This would be the perfect setup for #GWAS on #password and #2fa hygiene

Dan

@dplattsf @thomasfuchs @pjohanneson again, who are you arguing for here? companies with shitty policies? companies that leak DNA data?

why are you just naming bad practices as if they justify more bad practices?

"bad things have happened and unconcerned people are responsible" is not a defense for bad engineering that endangers your users.

Darren

@dko @thomasfuchs @pjohanneson just trying to understand the outrage and indignation here - again they’re well within the norm for orgs and they also didn’t get any of their systems breached so saying they were hacked is misinformation. They have normal users doing normal bad things. but it’s dna so .. .. .. must be so much worse ? People need recalibration.

Dan replied to Darren

@dplattsf @thomasfuchs @pjohanneson "well within the norm" is not a security standard. that's not what users signed up for and if it were plainly stated no one would ever reveal identifying data to these people, let alone their genome.

How are you not getting why this is a significant breach?

Data brokers have no "do not buy list". They will get any info from any source that's available.

"didn't get their systems breached" is not a statement i would make if 14,000 user accounts were compromised, which later led to disclosing the data of 50% of your users.

you know the first thing the attackers did was release a million lines of user data, right? for free, right away, and all of those users were jewish

can you see how this data could be misused now?

nbcnews.com/news/us-news/23and

chriszanf

@dko @dplattsf @pjohanneson @thomasfuchs
If they cared about security, they would have scanned their userbase cross-referencing the emails on HIBP & forced an email change on them.

If they cared about their users' data, they would have implemented MFA to minimise the 'weakest link' vector.

Alexander The 1st

@dplattsf @pjohanneson @thomasfuchs You don't have sequenced DNA lying around all the time.

And MFA is such a standard guard against credential stuffing that it's a pretty terrifying idea that instead of attempting to use that... they're trying to TOS their way out of liability.

Alexander The 1st

@dplattsf @pjohanneson @thomasfuchs Also, while 14K accounts were accessed by credential stuffing...that led to them leaking 5.5 million users information via linked data.

Which meant for every credential stuffed, they made a system that allowed that user to steal ~392 users' information.
Whose accounts did they steal to be able to get that much information from the accounts? Continental Administrator Privileges? Prince Charming? Or some guy who was donating to the sperm bank as a full time job?

Darren

@AT1ST @thomasfuchs @pjohanneson users share pretty widely and that doesn’t feel like something sinister they did. People enjoy interacting and learning about relatedness. Feels healthy to me.

Jason Hunter

@AT1ST @dplattsf @pjohanneson @thomasfuchs It’s overblown. On the site I can see lots of DNA relatives and a very tiny bit about them, for those relatives who opted in to letting strangers like me see them appear in that list. If one of my unknown relatives reused passwords, then someone who I don’t know could use the credentials of the relative I don’t know to see a little bit about me.

Don’t reuse passwords.

Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs Here's the thing - the information a relative can learn about another relative, to a stranger, is pretty powerful stuff.

Could I, hypothetically, learn your mother's maiden name by logging in as one of your DNA relatives, or a stranger's account that was credential stuffed and could see that relative?

Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs (Because I'll note, while I'm pretty sure this is no longer a valid security question in most contexts, that would be information enough to go from "I know this unrelated person's password and username" to "I don't need to know this other person's password, because I know their username, and I can try to reset it instead of breaking it.".

Or they can do that with your birthday, etc.)

Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs Which is a long way of saying:

TL;DR: don't over share your information with strangers, and enable MFA already on anything you can't afford to lose.

Jason Hunter replied to Alexander The 1st

@AT1ST @dplattsf @pjohanneson @thomasfuchs Good points. The fact a mother’s maiden name is considered a security secret is crazy. Birthdays too. (But to be safe, I get my Facebook birthday greetings on the wrong day. Everyone should have a real birthday and a social media public birthday.) 🎂

Alexander The 1st replied to Jason

@hunterhacker @dplattsf @pjohanneson @thomasfuchs I mean, part of what likely made one's mother's maiden name a go-to security question is that historically, at least among British/American/Canadian/German culture that I'm aware of, it's effectively destructing information; like DRM, it became harder and harder to find documentation on what it was, especially if you weren't part of the family in question...which still has the name.

What's made it less secure is making it more easily traceable -

Alexander The 1st replied to Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs - not that that's a bad thing, it just...removes the "Something only you or people who have authorization to use your bank account information would likely know." property.

Alexander The 1st replied to Alexander The 1st

@hunterhacker @dplattsf @pjohanneson @thomasfuchs (Though that reminds me of how SINs are social insurance numbers...used to identify you. It wasn't intended to be used that way, but...people did, because it effectively had that same property. "Who else but yourself and people who are authorized to act on your behalf are going to actually memorize that string of numbers?", effectively.)

Alexander The 1st replied to Jason

@hunterhacker @dplattsf @pjohanneson @thomasfuchs (On that note, I once put a joke answer as an answer to a security question...and then regretted it when I needed to return the joke answer to the question to the one party that I needed to give it to, because I instead kept giving them the non-joke answer...before realizing "Oh right; you're the people I gave an incorrect answer to that question, my bad, it's this other thing because of this other thing.".

I may have repeated that since then.)

Jeff Barbose 🏳️‍🌈 🇺🇦 ❤️ 🇱🇺

@dplattsf @thomasfuchs @pjohanneson The company hid the extent of the breach. There was also some early implication it was some kind of anti-semitic attack, a rumor which flourished because of the small apparent size of the attack.

Jeff Barbose 🏳️‍🌈 🇺🇦 ❤️ 🇱🇺

@dplattsf @thomasfuchs @pjohanneson It wasn't DNA that was shared, it was "DNA relatives”, higher-level relatedness and genetic background, like “28.8% Western European”, etc.

Zimmie

@thomasfuchs Gets even more interesting. In the terms of service, they say you must opt out by emailing arbitrationoptout@23andme.com, and if you don’t, you agree to arbitration. They could argue writing only to legal@ (which is what the “notify us” link does) is not enough.

Graham Sutherland / Polynomial

@thomasfuchs @bob_zim might wanna edit that detail into your post, so folks can see the discrepancy without clicking through to replies.

sollat

@thomasfuchs
You can always email them both. Heck, I'm tempted to go through the terms and email all the referenced addresses. But it's past my bedtime.

Peace Out Art :noverify:

@bob_zim @thomasfuchs
They can put anything they want in their contract or terms of service. That doesn’t automatically make it legal and binding.

Zimmie

@Peace_out_art @thomasfuchs Sure, but that’s a whole separate issue. I’m only pointing out the email’s description of how to opt out is inconsistent with the terms of service’s description of how to opt out. This could be accidental, or it could be deceptive.

It’s also possible they expect you to email arbitrationoptout@ just for arbitration and legal@ to opt out of any other updates to the ToS.

Adam Shostack :donor: :rebelverified:

@bob_zim @thomasfuchs That seems like the sort of deceptive trade practice that someone should mention to the FTC.

Zimmie

@adamshostack @thomasfuchs It’s entirely possible it was accidental. Maybe the person drafting the email didn’t know that the other person setting up the new ToS had set up a new email alias specifically for the arbitration opt-out.

If they try to argue later that writing to legal@ isn’t enough when the email said it was the way to notify them you opt out, *that* would cross the line into definite deception. Still, would be a long process to prove, especially with Republicans trying to gut the FTC. It’s easy enough today to send an email to both addresses and skip the challenge.

LN

@bob_zim @thomasfuchs I'm always surprised by the customer hostility of US laws but that can't possibly be legal. Normally the process is that you have to accept new terms of service explicitly, not that you have to jump through hoops to keep the old ones.

sxpert
@thomasfuchs @HoustonDog oh wow what an evil slimy move…
Ps: this doesn’t matter in the EU, GDPR trumps that in particular with what is considered health-related data
ShredderFeeder

@thomasfuchs Only an idiot voluntarily gives their DNA to a private corporation.

ferricoxide

@thomasfuchs@hachyderm.io

Best part is, if you're related to a 23andMe subscriber, you're at least partially compromised, too.

Mark R Nay

@thomasfuchs they are literally google. That tells you to not trust them for ANYTHING

Mark R Nay

@thomasfuchs they are effectively owned by google, founder of 23 and me is married to a google founder. I am pretty sure google now owns them or at least controlling interest

Thomas 🔭✨

@MarkRNay they’re divorced, and it’s a public company, major shareholders are various funds finance.yahoo.com/quote/ME/hol

mei
@thomasfuchs it is fucked up that an implicit acceptance like this is even valid. this wouldn't stand in court if someone like you or i did it.
DELETED

@thomasfuchs Thank you for this, I deleted the email before reading it closely!

Lando

@thomasfuchs Heads up, they have extra hoops set up in the TOS to opt out.

A.B.

@thomasfuchs Thanks for the alert. I wonder if one does not agree and sends a notice to them, what happens next. I have a hunch they'll drop you as a customer rather than track who is managed by what ToC version.

~n

@andbenn @thomasfuchs This is very likely as there is nothing more for them to gain from that „customer relationship“. They already got the DNA sample.

deilann

@thomasfuchs thank you - my partner in crime didn't see the email because it was deemed "unimportant"

We Built This City

@thomasfuchs Also, save a copy of the sent email in case you need to prove you sent it

Joshua O’Brien

@webuiltthiscity @thomasfuchs may as well e-mail them your own terms of service which they automatically accept after 30 days

VWestlife

@thomasfuchs I'm triggered by the backslash in the zero. That's just wrong!

Dr. Mastodonocologist

@thomasfuchs
What about previous customers who have passed away and can't respond?

StarkRG

@thomasfuchs Is it even legal to just assume agreement to new contract terms? Seems like they should need explicit agreement.

veetee

@StarkRG process for revision of terms is probably in the prior contract?
@thomasfuchs

StarkRG

@vt52 @thomasfuchs Maybe. I think it's probably a good idea to reject any such contract.

mrtnvh

@thomasfuchs @jbaert spicy detail for the Silly Valley section?

crazyeddie

@thomasfuchs It'll probably end up being class action so...more for those that don't fall for it?

Bjornsdottirs

@kegill @thomasfuchs It sounds like a sovereign citizen gambit (foisted contract) on page 101 (pdf page 106) of 2012 abqb 571 canlii.org/en/ab/abqb/doc/2012

Jason Anthony Guy

@thomasfuchs @dangillmor

Worth noting: An arbitration clause was in effect at least as early as September 30, 2019.

It’s changed meaningfully since, but isn’t itself new.

Opting out now may still be advisable (since it seems to add significantly different mass arbitration and collective/class action waivers), but would likely only be useful for the specific new terms, not arbitration generally.

(IANAL….)

23andme.com/legal/terms-of-ser

Alex Ivanovs

@thomasfuchs Can you share the links please Thomas, to the new terms, and was there more to this email also?

ytscorp

@stacksize @thomasfuchs

Here is the link to 23andMe's new terms. I received the email on Dec. 4th, 2023:

23andme.com/legal/terms-of-ser

Here is what my email content included in its entirety:

ytscorp

@thomasfuchs Would we need to join a class action lawsuit in order to receive proceeds? If so, how do we know when a class has been initiated so that we can join?

The Turtle

@thomasfuchs those of us whose moron relatives do business with them, even if we don't, well, I guess we're fuk't.

THANKS, MISSY, YOU FUCKING MORON WHO MARRIED MY STUPID NEPHEW!!!

interru

@thomasfuchs@hachyderm.io Nice try, but such changes need explicit consent (BGH XI ZR 26/20) in the EU and you can't put terms in your contract that are unfair, unbalanced or not in good faith (https://europa.eu/youreurope/citizens/consumers/unfair-treatment/unfair-contract-terms/index_en.htm)

The Turtle

@thomasfuchs and Patreon wants me to download their goddamn app?? Use your fucking head.

Jonathan D. Cope, Esq.

@thomasfuchs

They aren't getting good legal advice. That's like saying, "I'm going to send you notice that, in 30 days, I'm going to take your property unless you send us notice during the 30-day period that you disagree." There's no acceptance.

It's not binding on you.

Juno

@thomasfuchs TOS changes that remove rights from customers should be opt-in, not opt-out. How is that even a legally binding TOS at that point?

Syfer 🔒⚡ Shock

@thomasfuchs I suspect the "data breach by thieves" narrative is a cover story and that the data was probably long ago handed over to the spooks and cops.

I don't buy many of the big data breach news stories. They smell like cover stories for government exfiltration of data.

The Animal and the Machine

@thomasfuchs @Daojoan
I’m no legal expert but I believe that inaction cannot be construed as tacit acceptance unless you’re in the court of King Henry VIII.

I haven’t read your thing but I would add a note that says:
“Every time I click a button that says Accept, I am referring to my terms and conditions as outlined here and disregarding yours.”

This is just a bit of fun.

LyleDAL

@thomasfuchs The "notify us" link in my email went to legal@23andMe.com. I find that interesting. I have to admit I'm feeling a bit paranoid about this though. :)

Dj :v_agender: :programmer:

@thomasfuchs just some information I found since I had heard of stuff like this before. This article by one Robert Bateman, details what invalidates the legality of T&C (and also clarifies that T&C and TOS are interchangeable).

"Yes, Terms and Conditions are legally binding. Or at least, they can be legally binding if:

You have obtained acceptance in the proper way. This means that your customer has actively agreed to your Terms and Conditions."

The article goes on to explain other invalidations, but by not responding to an email, you are not actively agreeing to the terms. However if you were to log on to the site and click "I accept" that is likely a different case

Edit to add: I still think people should comply because corporate lawyers gonna do their jobs, but I'm just stating for everyone's sake, as far as I can tell, this is not legal

kasperd
I wonder if that last sentence is going to hold up in court.
Juha Autero

@thomasfuchs Best way to avoid losing your genome to thieves is not giving it to 23andMe. Fundamentally it's just a scam to collect genetic data to sell to pharmaceutical companies.

Ni-toot

@thomasfuchs Always wonder if those american conditions of "you can't sue us because we said so" would hold up in international courts?

mark

@thomasfuchs I just told them that I decline and I change the terms now too. I told them to forfeit in perpetuity any access to my data, and they remain responsible for not protecting it.

It won't work, but it made me laugh.

I also included that I shouldn't need a lawyer on retainer to keep up with their random changes because of one decision I made many years ago. I wish this part would be true. 30 days for new contracts is bullshit

boojit

@thomasfuchs Strange, the email I received from them matches the text in your screenshot, but it asks me to email legal@23andme.com and not the email address you list here.

Edgar M. Toro :mstdnca:

@thomasfuchs

Ironically today, I just listened to a Radio Station in Ottawa (CFRA 580) doing an Infomercial on how interesting it was to ask for a kit, send it and have it analyzed, "to connect with people similar to you".

lupus_blackfur

@thomasfuchs
@campuscodi

Wow...

Getting hacked is one thing.

Failing to properly secure customer DNA data is next level. It's DNA. Should have had superhero level security.

Following breach, trying to trick those same customers out of their legal rights and remedies rises to an unfathomable level of evil.

Fuck 23andme forever.

So glad I'm able to bask in the satisfaction that I never did business with them nor sent my "data". Considered it a time or two...

JC Palmer

@thomasfuchs@hachyderm.io I just need to remember to delete my account this weekend in addition to opting out. I keep forgetting to do the former.

Alex Swan

@thomasfuchs You can infer acceptance through lack of response? I've got to add that clause to my job applications.

Rey, relocated 💜

@thomasfuchs is there a version of the letter template that isn't behind a paywall?

Rachel Rawlings

@thomasfuchs My brother signed us up for that thing years ago over my protest. The email I received had a mailto link for legal@23andme.com instead of the arbitrationoptout@23andme.com in your post and the Patreon page, which notes

> A reader points out that while the email directs recipients to "notify us" at "legal@23andme.com" the text of new the TOS says you must email "arbitrationoptout@23andme.com"

I'm sending to both on the same message just in case.
