
Navigating the Wreckage of the 23andMe Data Leak


The Background
On October 6, the world witnessed a major data disaster. 23andMe is a popular consumer genetics and biotechnology company that offers genetic testing and analysis services to individuals, covering genetic ancestry, health predispositions and various genetic traits, and it has now suffered a massive data breach. As a result, the hackers are offering compiled genetic data for sale, in extensive lists covering thousands of individuals. Amid the evidence and arguments over who was behind the hack and whose data is at stake, it is highly probable that the prevailing motive is to make us believe that this leak is just another data breach, thereby distracting us from examining the vulnerabilities of interrelated data and the liability of such corporations. As a consequence of this breach, those included in the lists, including Ashkenazi Jews, now face an elevated vulnerability to potential discrimination or harassment, as the exposed data contains their names and locations. Simply put, this worrisome scenario could extend to individuals with genetic predispositions for conditions like type 2 diabetes, Parkinson’s disease or dementia, all of which 23andMe assesses. This undoubtedly places them at risk of negative consequences ranging from increased insurance premiums to potential discrimination in employment. Therefore, however conveniently the company tries to present and tackle this leak, the incident surely prompts us to re-evaluate our perspectives on privacy, data protection and the responsibility of corporations in the information-driven economy.
Huge cost to find relatives
Among other things, the company provides a “DNA Relatives” service, which has been a principal element of this hue and cry. This service allows users to discover and connect with other individuals who share segments of their DNA. Although that description fits in a single sentence, the service is not as simple as it seems. Here is how it works. When a consumer opts in to DNA Relatives, 23andMe compares that consumer’s DNA with the DNA of every other user in its database who has also opted in, in order to identify segments of shared genetic material. When there is significant overlap between the consumer’s DNA and another user’s, the company classifies that individual as a “DNA Relative”. Once matches are identified, 23andMe provides the user with a list of DNA Relatives ranked by degree of genetic relatedness; the platform typically shows an approximate relationship, such as “second cousin” or “third cousin”. The user can then choose to connect and share genetic information with these DNA Relatives, provided both parties consent to the sharing. Interestingly, some users are interested in connecting with long-lost relatives, exploring their family history or confirming their genealogy. Up to this point there were no apprehensions, and surprisingly the company itself did not realise that access to one user’s data would open a Pandora’s box. As the company itself has confirmed, it was not its servers that were hacked; the hackers targeted hundreds of individual user accounts, allegedly those with weak or reused passwords. In a nutshell, once a hacker gains access to one individual’s account, that access automatically extends to another user’s data provided both have opted in to DNA Relatives, and it is immaterial whether either of them ever actually made use of the service.
Thus, access to hundreds of users’ accounts progresses geometrically and eventually yields access to the data of thousands of individuals, simply because they opted in to DNA Relatives. This intertwining of data can cause indirect harm to third parties, which underscores the collective impact of individual data decisions. Hence one user’s failure to choose a strong password can breach the data of another, and that is plainly not a reasonable cost for any third party to pay in order to find their DNA relatives.
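As an added illustration of the mechanism just described (example code, not from the post or from 23andMe), the following Python model treats compromised accounts and the DNA Relatives opt-in as a graph and measures the blast radius: how many profiles become readable from a set of weakly protected accounts, how many of those belonged to users whose own passwords were fine, and how exposure shrinks when fewer users are enrolled. The population, match graph and rates are constructed assumptions, not real figures.

```python
import random
from dataclasses import dataclass, field

@dataclass
class User:
    uid: int
    opted_in: bool        # enrolled in relative matching
    weak_password: bool   # account can be taken over via weak or reused credentials
    relatives: set = field(default_factory=set)   # constructed genetic-match graph

def exposed_profiles(users, compromised):
    """Profiles readable from compromised accounts: each compromised, opted-in account
    reveals all of its opted-in relatives (access does not chain beyond one hop)."""
    exposed = set()
    for uid in compromised:
        owner = users[uid]
        if owner.opted_in:
            exposed |= {r for r in owner.relatives if users[r].opted_in}
    return exposed - set(compromised)

def collateral(users, compromised):
    """Exposed users whose own password hygiene was fine: the third-party cost."""
    return {u for u in exposed_profiles(users, compromised) if not users[u].weak_password}

def tiny_population():
    """Hand-built six-user example (constructed data, not real users)."""
    spec = {0: (True, True, {1, 2, 3}), 1: (True, False, {0, 2}), 2: (True, False, {0, 1, 4}),
            3: (False, False, {0}), 4: (True, True, {2, 5}), 5: (True, False, {4})}
    return {uid: User(uid, o, w, set(rel)) for uid, (o, w, rel) in spec.items()}

def random_population(n, opt_in_rate, weak_rate, avg_relatives, seed=1):
    """Synthetic population with a random symmetric match graph (constructed data)."""
    rng = random.Random(seed)
    users = {i: User(i, rng.random() < opt_in_rate, rng.random() < weak_rate) for i in range(n)}
    for u in users.values():
        for r in rng.sample(range(n), avg_relatives):
            if r != u.uid:
                u.relatives.add(r)
                users[r].relatives.add(u.uid)
    return users

def exposure_by_opt_in_rate(rates, n=5000, weak_rate=0.02, avg_relatives=20, seed=1):
    """Exposed-profile count versus opt-in share (same seed, so only the opt-in set changes)."""
    result = {}
    for rate in rates:
        users = random_population(n, rate, weak_rate, avg_relatives, seed)
        compromised = {u.uid for u in users.values() if u.weak_password}
        result[rate] = len(exposed_profiles(users, compromised))
    return result
```

In the hand-built population only two accounts have weak passwords, yet three further users with sound passwords are exposed purely through the opt-in graph, and opting one of them out removes them from the exposed set.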
Crosshairs of Liability and Legality
According to the company’s claim, it was not the servers that were hacked; the hackers targeted individual accounts, especially those with comparatively weak or reused passwords. To counteract this breach and prevent future ones, the company has asked users to enable multi-factor authentication and to opt out of DNA Relatives if they do not intend to use the service. There is no doubt that 23andMe is one of the better actors in this sphere, but placing the burden on users and alleging that it was users’ failure to use strong passwords, their reuse of passwords and their not opting in to multi-factor authentication that led to this breach is a very unfortunate and casual remark from a company that handles highly sensitive data. Therefore, instead of blaming it all on its customers, 23andMe should make its default protections stronger, and it is high time it adopted frequent privacy check-up reminders.
Collective Risks and the Call for Stronger Privacy Laws
Along the same lines, we cannot ignore the interrelated nature of this data breach, because in circumstances like these we often fail to acknowledge data’s collective risks. This incident is therefore a crucial opportunity to underscore that anomaly and to see how the information economy operates. Situations like these allow companies to use one person’s consent to justify data practices that affect others. Legal requirements that companies secure individual agreement for data collection often overlook the broader interests that extend beyond the consenting individual. Granting consent on behalf of others, as 23andMe users did when they clicked “I agree”, would be considered illegitimate under any substantive understanding of consent, and this eventually becomes a major equity issue. Therefore, to combat this illegitimate function of the information economy and to contain the kind of group data harm this breach has produced, we need robust privacy laws attuned to the regulation of the information economy, with substantive rules that lay down specifically what companies can and cannot do; corporations cannot have the best of both worlds, reaping the benefits of their services while evading liability when breaches occur.
