No federal privacy law? After the 23andMe hack, it's time to take action

120 points by carride, over 1 year ago

13 comments

bee_rider, over 1 year ago
I get the need to tie in to a recent big news story for exposure reasons, but I think it would be good to be more explicit about the different problems.

We have businesses that are explicitly built on violating privacy.

We have businesses that provide services that require them to collect some private info. I’d put 23andme in this bucket.

We have businesses that have lax security, and actually get their systems broken into.

We have businesses that have fine security, but don’t force users to have good, unique passwords and 2FA. 23andme is in this bucket, right?

The first, we should be happy to run them out of business, like we should actively write laws that try to destroy them.

The third, we should fine them to the point where skimping on security is never a rational decision (and if that runs companies out of business, fine).

The second seems not too bad, every medical-field-related service is going to have some private info necessarily (for example), as long as they don’t exploit it that seems fine.

The fourth seems not so bad, there are all sorts of services that are not so important. I don’t have 2FA on, like, random forums and video games, who cares?

Combining two and four is pretty bad though.
mnd999, over 1 year ago
Just be sure to change your DNA if you were impacted by the hack.
AlbertCory, over 1 year ago
"taking action" is personal: just don't give personal information, like your DNA (!) to anyone.

You can't control what your relatives do, unfortunately.
michaelbuckbee, over 1 year ago
I'm aware HN has a dim view of the GDPR, but I previously worked in compliance and it was a sea change in how big corporations and organizations viewed data collection.

User PII and especially sensitive data suddenly was viewed as "toxic" and that having it around was something that could only bring them hassle.

California's data privacy acts are similar (but much more narrowly focused).

Also, I always like to sum up what the intent of these acts typically is and what compliance means:

- Tell people what data you're going to collect, what you do with it, and who you share it with

- Keep their data reasonably secure

- Delete it if they ask
Ajay-p, over 1 year ago
The United States is unlikely to have a national privacy law in the foreseeable future due to the extensive lobbying by companies that depend on violating the privacy of its citizens. For the same reasons we are unlikely to have true Net Neutrality, there is too much money opposed to it.
swarnie, over 1 year ago
Wasn't it time to take action after the Equifax leak, or the Facebook-Cambridge leak? Yahoo? Marriott International? Yahoo again somehow?

Nothing will change.

It's time for people to stop expecting things from their corpo-overlords or the governments they've purchased.
andrewstuart, over 1 year ago
No one will take action.

Outside Europe privacy isn’t a priority for politicians.
syndicatedjelly, over 1 year ago
Why doesn't this breach constitute some sort of HIPAA violation? I.e. exposure of personally identifiable information
TurkishPoptart, over 1 year ago
If a cousin, aunt, or uncle used this service, does that automatically mean my DNA is visible/accessible?
robbywashere_, over 1 year ago
Good luck out-lobbying Google and Meta for privacy
dvngnt_, over 1 year ago
Using unique passwords would have prevented this from happening on the user side.

But I agree, with sensitive data 2FA should be mandatory.
ilamont, over 1 year ago
Thank you for calling this what it is - a hack - despite 23andme's strenuous efforts to paint this as the fault of millions of users (see https://blog.23andme.com/articles/addressing-data-security-concerns) rather than owning the vast technical or management failure that allowed this to continue undetected for months.

*Without the risk of a giant fine or, say, jail time, many tech giants can and do get away with managing their data security badly.*

That's right. It's happened before, and will continue to happen as long as there are no consequences.

Note that 23andMe is not the first online genealogy service to get hacked:

- In 2017, MyHeritage had 92 million accounts hacked. https://www.hackread.com/dna-testing-website-myheritage-hacked-user-accounts-stolen/

- In 2020, MyHeritage users were targeted in a separate phishing scheme. https://blog.myheritage.com/2020/07/security-alert-malicious-phishing-attempt-detected-possibly-connected-to-gedmatch-breach/

- GEDmatch admitted “all user permissions were reset” in a 2020 attack. https://www.buzzfeednews.com/article/peteraldhous/hackers-gedmatch-dna-privacy

- Ancestry and Ancestry affiliated companies have had multiple security breaches over the past 10 years (https://www.hackread.com/software-firm-leaks-ancestry-com-user-data/)

- Ancestry has also destroyed people's archives when it decided it was no longer profitable or important enough to keep them. https://slate.com/technology/2015/04/myfamily-shuttered-ancestry-com-deleted-10-years-of-my-family-history.html

- Last year, FamilySearch belatedly admitted a breach had exposed “users’ full names, genders, email addresses, birth dates, mailing addresses, phone numbers.” https://grahamcluley.com/seven-months-after-it-found-out-familysearch-tells-users-their-personal-data-has-been-breached/

These are incidents that have been made public as required by law. There are surely thousands of other smaller incidents that are not reported, as well as major breaches that the companies themselves don’t even know about yet. And it will continue for years to come until lawsuits or *brutal* regulations with teeth are enacted.
krunck, over 1 year ago
For the short term if you don't want your data leaked, don't give it away to others. For the long term support research into homomorphic encryption.