World

Eight years ago, my brother gave his DNA to 23andMe. We can’t take it back — and it may soon get sold


When I learnt this week the company 23andMe was facing bankruptcy and may sell its customers’ genetic data to the highest bidder, I had three thoughts:

  1. they have my brother’s genetic data
  2. can he delete it?
  3. why didn’t we see this coming?

The rise and fall of 23andMe is a story for our age — a time of the tech backlash, when many are reassessing their formerly relaxed and trusting relationship with big tech.

It’s the story of a Silicon Valley fairytale that’s crashed down to Earth.

From celebrity ‘spit parties’ to the verge of bankruptcy

Eight years ago, in what now seems like an act of reckless naivety, I bought my brother a 23andMe at-home DNA test for his birthday, partly as a joke.

The $US99 ($150) test would give clues to our suspected Neanderthal ancestry and potentially prove itself useful by flagging any genetic health problems.

What could go wrong?

Eight years ago, my brother gave his DNA to 23andMe. We can’t take it back — and it may soon get sold

A 2008 New York “spit party” to promote 23andMe’s saliva-based tests was attended by (left to right) Rupert Murdoch, Barry Diller, Anne Wojcicki, Diane von Furstenberg, Sergey Brin, Wendi Deng, Linda Avey and Harvey Weinstein. (Getty Images: Donald Bowers)

Looking back, July 2016 was the height of widespread techno-optimism, before many of us properly understood the risks embedded in the new digital technology. 

We hadn’t yet clocked how social media algorithms could radicalise users, or that targeted advertising was remaking the internet into a data-collection racket.

This was before scammers colonised social media and broke into our phone network, before Cambridge Analytica and Theranos became household names, and before ransomware and deepfakes made the news.

A man and woman standing on a stage.

23andMe’s co-founder, Anne Wojcicki, was married to Google co-founder Sergey Brin (right) from 2007 to 2015. (Getty Images: Stephen Jennings)

That summer of 2016, a 23andMe kit arrived in the mail at my brother’s San Francisco address. He spat in a tube and sent it back to the company, which was then valued at $US1 billion and one of Silicon Valley’s hottest startups.

23andMe’s co-founder Anne Wojcicki had recently divorced Google co-founder Sergey Brin.

The company extracted my brother’s DNA from the sample and, through a process known as genotyping, identified his unique genetic sequence. He shared the results with us, which contained few surprises, and then we mostly forgot about 23andMe.

But over the years, news articles about 23andMe gave me pause.

Around 2018, I read that insurers in the US could ask for genetic testing results, such as the kind from 23andMe, to determine coverage.

Then, in 2020, there was a story about US police tracking down a murderer through members of his family who had done at-home genetic testing.

This effectively meant I had dobbed in our entire extended family for past and future crimes.

In late 2023, hackers stole the profile and ethnicity information from millions of 23andMe users.

And now comes the big one.

Having been valued at $US6 billion in 2021, 23andMe is on the verge of bankruptcy.

Its CEO, Ms Wojcicki, is considering selling the company, which means the DNA of its 15 million customers would be up for sale, too.

‘Not the first company to do this’

Andelka Phillips, a technology law expert and research affiliate with Oxford University, winces when I tell her via Zoom about my brother’s genetic test.

For over a decade, Dr Phillips has warned sharing your genetic code with a private company through at-home DNA testing was very risky.

News of 23andMe potentially selling genetic data came as no surprise to her.

“It’s not the first company to do this,” she says.

Navigenics, another personal genomics company, was acquired by the biotech company Life Technologies in 2012, which was acquired by a larger biotech company, Thermo Fisher Scientific, two years later.

Customers’ genetic data was just another asset in those sales.

23andMe and its competitors sold at-home DNA tests to accumulate genetic data, which big pharma companies paid to access.

“They were never making a profit from the sales of the tests themselves,” Dr Phillips says.

A white and rainbow coloured product box for a 23andMe saliva-based DNA test kit.

23andMe’s saliva-based DNA test kit contained a plastic test tube and step-by-step instructions. (Supplied: 23andMe)

In 2018, pharmaceutical company GlaxoSmithKline paid $US300 million to access the test results of 5 million 23andMe customers, to design new drugs. All up, 23andMe entered into 15 partnerships with different drug companies.

“I think there’s always been the potential for slightly broader sharing [of genetic data] than consumers might necessarily anticipate,” Dr Phillips says.

“Most people are not reading the contracts and privacy policies.”

My brother’s 23andMe profile, linked to an abandoned Hotmail address and not accessed for 8 years, confirmed that long ago he consented to sharing his genetic data for research.

Reading the fine print

It turns out the terms and conditions my brother signed gave 23andMe remarkable powers.

One clause of the privacy policies allows the company to share his de-identified genetic data with third parties, “regardless of your consent status”.

Jan Charbonneau, a researcher with the centre for law and genetics at the University of Tasmania, says it is very likely the data had been sold to big pharmaceutical companies.

“The data is now integrated into the research of the big pharma company.

“And this is the problem — where is the data? Even if 23andMe says ‘We’ll take you out of our database,’ it’s been onsold to other companies.”

And there’s another problem. There’s a good chance that genetic data stripped of personal information such as name, address and date of birth can be linked back to the individual by combining it with other datasets.

23andMe’s privacy policy also allows the company to sell customers’ genetic data if the company goes bankrupt, is merged or acquired.

In fact, such an event has happened once already.

In 2021, 23andMe merged with a company owned by Richard Branson’s Virgin Group. For eight months, before the company was listed on the stock market, the English billionaire effectively owned much of 23andMe, including my brother’s genetic code.

Now, with 23andMe facing bankruptcy, the genetic data could be sold again. If this happened, it may be whisked from public view, buried deep in the vaults of a laboratory.

If that happened, the data’s odyssey through the corporate world could continue forever.

And unlike passwords, phone numbers, email addresses and many other kinds of personal data, raw DNA data can never be changed.

“Things like drivers licenses and passports, they can be replaced. It’s a time and money issue,” Dr Charbonneau says.

“The issue with genetic data is it can’t be replaced. It can’t be changed.

“Once it’s breached, it’s breached.”

How to delete your data

Deleting the data seemed simple, but we soon hit a snag.

The process is as follows:

  • go to your 23andMe online profile
  • click on the “settings” tab
  • find the button, right at the bottom, that reads “permanently delete data”.
Lots of words on a screen with a button named 'permanantely delete data'.

A screenshot from the 23andMe website, showing the button for deleting user data. (Supplied: 23andMe)

When clicked, you receive a confirmation email. This includes a worrying caveat:

23andMe and the contracted genotyping laboratory will retain your genetic Information, date of birth, and sex as required for compliance with legal obligations, pursuant to the federal Clinical Laboratory Improvement Amendments of 1988 and California laboratory regulations.

This effectively means you can delete your 23andMe account from the site, but the data will remain on the company’s records.

 23andMe says it holds onto the data for three years before deleting to comply with “legal obligations”. Until then, your genetic data remains its property.

Three years is a long time. The company could change its privacy policy (a clause gives the company the right do this at any time), which might affect how the data is used, or the data could be sold with the company.

Depending on the buyer, it may be hard to keep tabs on what data gets deleted.

Australians trying to delete their 23andMe data will run into the same issues, Dr Charbonneau says.

“We have legislation that looks specifically at genetic data privacy, but the legislation only has jurisdiction here in Australia.

“If 23andMe don’t delete the data, what would you be able to do about it? It would be quite a battle.”

And in any case, she says, it’s probably already been sold.

My brother takes the news well.

“I would be more worried about it, but I get emails all the time that someone has stolen my data,” he tells me.

“It seems like a pointless thing to worry about.”

Why ‘the future of medicine’ struggled to turn a profit

23andMe has dramatically failed to live up to the expectations of its launch in 2006.

Back then, in the heyday of Silicon Valley’s get-rich-quick entrepreneur scene, the biotech startup seemed another hot prospect.

It told big-name investors such as Google that direct-to-consumer genetic testing was “the future of medicine”.

“The marketing was hard to deny,” Dr Charbonneau recalls.

“Why shouldn’t you have your own genetic result? Who else should have them? Why can’t you be in control of you?”

But the rhetoric concealed a sleight of hand, she says. Users who did the saliva-based tests were really giving up control of their data.

“Once the DNA is extracted from the spit, it’s just data.”

Matthew Rimmer, a professor of intellectual property law at the Queensland University of Technology, has followed the fortunes of 23andMe since 2006.

He says the company had the “move fast and break things” philosophy of tech startups such as Facebook and Uber, prioritising speed and experimentation over regulation and safety.

But unlike most other tech companies, which faced little regulation, 23andMe worked in a highly regulated area: healthcare.

Genetic data is also fundamentally different to the demographic and consumer data companies such as Facebook collect.

“This added an extra layer of risk and vulnerability and danger,” Professor Rimmer says.

The company struggled to find ways to get customers to pay for services after they’d done their initial test and received the result.

In 2023, its data-sharing deal with GlaxoSmithKline was not renewed and, months later, it emerged hackers had stolen nearly 7 million people’s data.

The company’s share price plunged.

A large building with a logo for 23andme on the front.

23andme went through several rounds of redundancies in 2023.

 

  (Getty Images: Sundry Photography)

Last month, seven members of 23andMe’s board resigned, leaving the CEO and co-founder, Anne Wojcicki, the only remaining member.

Ms Wojcicki has been trying to take the company private by acquiring all outstanding shares not owned by her or her affiliates.

But the former board members said this buyout was “not in the best interests” of shareholders.

If the company can’t raise the necessary funds, it’ll be declared bankrupt and stripped of its assets including the “treasure trove” of genetic data, Professor Rimmer says.

“The company has reached a crossroads.”

Data never dies

23andMe’s decline marks the end of a long honeymoon period for the tech industry.

Since “googling” became a verb around the mid-noughties, tech companies have broadly enjoyed a trusting public and light regulation.

Now, that’s changing. The US and European Union in particular are cracking down on big tech monopolies in publishing, advertising and app sales, as well as tax avoidance and data collection practices.

The Australian government last month introduced new laws giving the media watchdog greater powers to pressure tech companies to address misinformation and disinformation on their platforms.

Many of us are now realising the value of the private data we freely gave to data-collecting tech companies.

And while companies can fail, the data they collect lives on long after they’re gone.

“23andMe came on with a big splash,” Dr Charbonneau says.

“We’ve been wondering how long it would last. And now we know.”


Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *