23andMe changes arbitration terms after hack impacting millions

Lord Evermore

Ars Tribunus Militum
2,567
Subscriptor++
I can't be arsed to try to find and compare myself, but I'd be interested in what the terms from say, 6 months ago looked like in this section compared to October 4. The filing with the SEC was made on October 10, and 23andMe knew about the breach on October 1. A few days is enough time to make a rushed cover-our-asses change to the terms with little-to-no notification to the users (using existing terms that give the company the "right" to make "minor" changes or some such wording and that users automatically accept them if they don't browse to that web page regularly to check for changes and send written objections within 3 days), and now they're just making the full changes that solidly and specifically protect themselves and sending out notification to make it look like they're being transparent about it.

It hardly even needs to be said that this is unethical behavior and ought to be illegal.
 
Upvote
3 (3 / 0)

unequivocal

Ars Praefectus
4,800
Subscriptor++
Fucking binding arbitration. This scourge needs to be addressed immediately, because it is a blatant means of dicking over the consumer and protecting corporations from the consequences of their own mistakes. Binding arbitration should be illegal to force on anyone--maybe only legal for corporation vs. corporation contracts and agreements.
Binding arbitration isn't always anti-consumer. It's often a much cheaper way to get redress for a complaint - say if you were screwed over by a medium-sized business - suing them is really not feasible but entering arbitration can be.

What needs to change imo is making it illegal to carve out class actions. There's nothing incompatible with a consumer going into arbitration in a one-on-one situation, or choosing to join a class where the issue involves many consumers. It's eliminating the possibility of the latter process in binding arbitration agreements where most of the harm is created (for society) - and so we should outlaw the practice.
 
Upvote
8 (9 / -1)

Faustius23

Ars Scholae Palatinae
1,201
Beyond opting out of the updated ToC, it's not clear what remedies a compromised customer should seek, because they're not being forthright with what information has been compromised.

I have an affected family member. I'd love to see us get as close as possible to hitting 6.9 million arbitration claims 23andMe needs to defend against. But how do you even get an idea of what damage they've done to you?
 
Upvote
0 (0 / 0)

KingKrayola

Ars Tribunus Militum
1,619
Subscriptor
How do you know if the customer "goes along" with the new agreement if there is no proof they knew about the change? Surely sending an email doesn't count as informed consent? Sometimes emails fail to go through. I don't think you can bind someone to an agreement unless you have some evidence that they actually went along with it. Even if it's just a click-through agreement that no one reads.
I don't disagree, but slimeballs gotta attempt to slimeball.

There's also a question of whether it was a one-off transaction where 23andmeandpossiblyNorthKorea happened to keep your info (which would be my interpretation) or an ongoing service provision where terms can change subject to agreement.

Normally you'd expect a take it or leave it clause where if you don't agree you take your data and go somewhere else.

The fact that it appears you can write in and have the better old terms and stay a customer suggests that they are trying it on, or wriggling out of a class action.

IANAL, just a pundit in the peanut gallery etc etc.
 
Upvote
0 (0 / 0)

GMBigKev

Ars Praefectus
5,671
Subscriptor
That's why I really don't like these services. I'm not sending my DNA in, but I have family who have (not to this company specifically, small victories I suppose). Now most of my DNA is in a database somewhere all so my family could learn our lily-white asses came from a mix of a bunch of European countries. Cool? I could have told you that for free.

My wife and I did this when we were younger and dumber. It shook out some very interesting things about us.

For me: It revealed that I'm almost certainly the descendant of a slave through my mother's side. It makes sense cause she's part Pamunkey, and they were known for buying African slaves off the English colonists.

For her: She found out her biological father was not the man on her birth certificate and that her mother's family probably were victims of the Japanese War Crimes in Korea.
 
Upvote
5 (5 / 0)

Plenipotentate

Smack-Fu Master, in training
84
Subscriptor++
What about the class of people (me included) who did not use 23&me but have close relatives who did? It makes me readily identifiable from their DNA. Long-running fugitives from the law have been caught via this vector.

Members of that class have been harmed and signed no ToS. Could be fun!
 
Upvote
4 (4 / 0)
Unclear if changing the terms now will insulate them from obligations and liabilities incurred when the old terms were in effect? Any lawyers here want to give their views?

I would certainly make the argument that the controlling language was the TOS in effect at the time of the breach.
 
Upvote
1 (1 / 0)

SuaveCriminal

Wise, Aged Ars Veteran
145
Subscriptor++
Is it illegal for insurance (health/life) companies to access this data if it ends up on the dark web/torrents?
Access it? Probably. At that point it's basically public record. Can they store and act on it? Depending on your state, probably not. California for example has a couple of laws on the books against genetic discrimination. (They have a long history of that kind of garbage informing those laws.)
 
Upvote
1 (1 / 0)


SuaveCriminal

Wise, Aged Ars Veteran
145
Subscriptor++
Your DNA is going to be a standard part of medical treatment in the future. It will be out there anyway eventually. If not you, then your kids. That still doesn't excuse a data breach and dodgy handling.

But all of these folks thinking they'll never put it out there aren't realistic.
There's a difference between your DNA being used for health care, and your DNA being in public record for all to see. It's the latter people care about.
 
Upvote
2 (2 / 0)

ardent

Ars Legatus Legionis
12,466
The sheer gall is infuriating. What a transparently (and yet conversely opaque) way to try and wriggle out of consequences for their dangerous incompetency.
To be clear, 23andme exists so Mormons can baptize random people who are distantly related to them into the Church without their knowledge or consent.

I really wish that was hyperbole.
 
Upvote
4 (4 / 0)
To be clear, 23andme exists so Mormons can baptize random people who are distantly related to them into the Church without their knowledge or consent.

I really wish that was hyperbole.
Distantly related? Well, at least that's some improvement! /S

Mormons used to posthumously baptise even Jews who have been – including their whole families – murdered by Nazis in the Holocaust, and I am pretty sure Anne Frank didn't have any living relatives in Utah...

She was posthumously proxy baptised at least nine fucking times, even after the LDS leaders pledged to stop the practice of baptising dead Jews.

I really wish that was hyperbole as well. The fucking cheek of that 😡

LDS, AKA a child‑molesting, tax‑evading, forced prostitution ring. One now worth billions. Oh, and incidentally also a church, apparently.
 
Upvote
6 (6 / 0)

snetphilie

Smack-Fu Master, in training
2
The sheer gall is infuriating. What a transparently (and yet conversely opaque) way to try and wriggle out of consequences for their dangerous incompetency.
What dangerous incompetency? The TOS update is certainly self-serving, but everyone keeps talking about this as if 23&Me was hacked. People reused passwords from other sites and hackers got those passwords and logged in to 23&Me with these ill-gotten but legitimate credentials. I don't reuse passwords and my account was not accessed. It would be like suing your landlord because you lent your key to someone else and they made a copy and gave the copy to a thief. Could your landlord have hired security guards to stand at your door? Sure, but how are you going to sue when you are the one giving out your key? As horrible a decision as this was for 23&Me, I understand not wanting to deal with completely unfounded lawsuits. How much money would they have to spend just to prove their innocence, with no ability to turn around and sue for false claims and recoup that money?
 
Upvote
-4 (0 / -4)
What dangerous incompetency? The TOS update is certainly self-serving, but everyone keeps talking about this as if 23&Me was hacked. People reused passwords from other sites and hackers got those passwords and logged in to 23&Me with these ill-gotten but legitimate credentials. I don't reuse passwords and my account was not accessed. It would be like suing your landlord because you lent your key to someone else and they made a copy and gave the copy to a thief. Could your landlord have hired security guards to stand at your door? Sure, but how are you going to sue when you are the one giving out your key? As horrible a decision as this was for 23&Me, I understand not wanting to deal with completely unfounded lawsuits. How much money would they have to spend just to prove their innocence, with no ability to turn around and sue for false claims and recoup that money?
Are you just dumb, an idiot, a troll or a paid dumb idiot troll? Please check any and all that apply.

Read the fucking article again and read the actual one about the hack before that, it's all linked in TFA.
 
Upvote
1 (1 / 0)


redraider0807

Wise, Aged Ars Veteran
114
I really wish some group of users would work together to show them why class actions even exist as this catastrophically backfires. Each and every individual user should start a claim against them, and bury them in duplicated legal work that only would have needed to be handled once if it were in the form of a class action.

Sadly, the recoverable damages probably aren't worth the cost of a lawyer, so that's not likely to happen...but I can wish.
Everyone affected needs to file an arbitration claim on them. It's $2-5k per claim and even if they win all of them it's far more expensive than litigation, and in the T&C it usually says the company will pay. Get 100,000 people to do it and that's $200 million at minimum, plus their costs for actually fighting each claim and any damages on top. They'll be begging for a class action.
 
Upvote
1 (1 / 0)

jesup

Seniorius Lurkius
9
Subscriptor
It's funny you say this. My little sister did one of these services (thanks sis! you just gave away everything for the entire family bloodline). My other brothers and sisters were so excited about the results that they submitted their DNA too. In the back of my mind I was wondering, 'do you expect it to be anything different??? we have the same mom and dad' :)
Each of them inherited a random 50% of each parent's DNA (plus any unique mutations, perhaps). One child might get a bad gene from the parent, and the other not.
 
Upvote
2 (2 / 0)
What dangerous incompetency? The TOS update is certainly self-serving, but everyone keeps talking about this as if 23&Me was hacked. People reused passwords from other sites and hackers got those passwords and logged in to 23&Me with these ill-gotten but legitimate credentials. I don't reuse passwords and my account was not accessed. It would be like suing your landlord because you lent your key to someone else and they made a copy and gave the copy to a thief. Could your landlord have hired security guards to stand at your door? Sure, but how are you going to sue when you are the one giving out your key? As horrible a decision as this was for 23&Me, I understand not wanting to deal with completely unfounded lawsuits. How much money would they have to spend just to prove their innocence, with no ability to turn around and sue for false claims and recoup that money?
BTW, you have zero idea whether your account information has been accessed. From TFA, reportedly using just 1,400 stolen credentials, the hackers accessed plenty of PII of at least 6.9 million (!) other users whose accounts weren't ever compromised in the way you surmise.

Including, per TFA, "name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location".

Snug you may be, but are you really sure your PII wasn't part of that leak? Because statistically, it most likely was, as it's over half of 23me users' data at the time...

Your really dumb landlord example would be better if you just said that you gave AirBnB your holiday cottage keys and agreed to let only vetted renters in, only to find out all of them were hacked, their keys stolen, all your PII kept in the bedroom now being on the open market and your rented out cottage full of some shady drug characters dealing drugs out of it...
 
Upvote
0 (0 / 0)

graylshaped

Ars Legatus Legionis
67,692
Subscriptor++
Unclear if changing the terms now will insulate them from obligations and liabilities incurred when the old terms were in effect? An lawyers here want to give their views?
My late dad asked me to do a genetic check on my son. I chose the anonymous option, and the results for him from our mixed marriage were mostly what we expected.

The idea that 23andMe, which holds intensely personal data, would not anonymize and protect it should be a company killer.
 
Upvote
3 (3 / 0)

InIgnem

Wise, Aged Ars Veteran
141
Subscriptor++
If any of you need an email template, here's what I wrote:

Pursuant to Section 5, Paragraph i, I, <name>, of the account for ***************@gmail.com, hereby opt-out of your arbitrary and stupid "arbitration and class action waiver provisions" as set forth in your TOS update dated November 30, 2023.

Do better by your customers and secure your data please.

<me>

(Source: I am a lawyer and I hate this stupid crap done by these companies)
 
Upvote
2 (2 / 0)

enduro

Smack-Fu Master, in training
82
I don't want your smelly check for $0.35. The point was for the company to feel our rage in the wallet. If companies are going to cut off legal repercussions for sleazy actions, we are just going to take those issues to Congress.

Instead of a slap on the wrist fee, they can defend the legality of the entire business models.
 
Upvote
0 (0 / 0)

Dzov

Ars Legatus Legionis
16,028
Subscriptor++
I don't want your smelly check for $0.35. The point was for the company to feel our rage in the wallet. If companies are going to cut off legal repercussions for sleazy actions, we are just going to take those issues to Congress.

Instead of a slap on the wrist fee, they can defend the legality of the entire business models.
The company can't really feel anything. How about we penalize the executives that made the decisions that led to this point? Although I'm sure some guy in IT would ultimately get stuck with the blame.
 
Upvote
0 (0 / 0)

snetphilie

Smack-Fu Master, in training
2
BTW, you have zero idea whether your account information has been accessed. From TFA, reportedly using just 1,400 stolen credentials, the hackers accessed plenty of PII of at least 6.9 million (!) other users whose accounts weren't ever compromised in the way you surmise.

Including, per TFA, "name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location".

Snug you may be, but are you really sure your PII wasn't part of that leak? Because statistically, it most likely was, as it's over half of 23me users' data at the time...

Your really dumb landlord example would be better if you just said that you gave AirBnB your holiday cottage keys and agreed to let only vetted renters in, only to find out all of them were hacked, their keys stolen, all your PII kept in the bedroom now being on the open market and your rented out cottage full of some shady drug characters dealing drugs out of it...
Oh, they definitely got my information, at least the information that I also publicly share on a half dozen various genealogical sites. So going back to your "dumb Airbnb" example, it's more like the neighbor's Airbnb was hacked and the drug dealers came into my yard and looked through my windows. They could have learned more about me by looking at my LinkedIn profile. Already this year, an escheatment services provider for one of my financial institutions (escheatment reporting is required by law) was hacked. Well guess what information of mine was stolen... my full name, date of birth, list of prior and current addresses, phone number, social security number, and mother's maiden name. It only took a week and someone was already trying to commit Medicaid fraud with my information. Comparing that to losing already public information or to people hacked because they reused passwords is an apples-to-oranges comparison.
 
Upvote
0 (0 / 0)
Deleted member 1061767

Guest
It's funny you say this. My little sister did one of these services (thanks sis! you just gave away everything for the entire family bloodline). My other brothers and sisters were so excited about the results that they submitted their DNA too. In the back of my mind I was wondering, 'do you expect it to be anything different??? we have the same mom and dad' :)
A lot of people end up getting the shock of their lives with these tests NOT being consistent with the familial structure they expected. There's a reason little Susie bears a resemblance to the mailman.
 
Upvote
0 (0 / 0)