Why Privacy matters
The right to privacy is a human right endorsed by the United Nations.
Sloppy business practices originating from the Silicon Valley mindset have ignored this right for many years. These companies choose to maximize profits at the cost of your safety. In their mind, issuing a privacy statement on their homepage that claims they intend to respect this right is enough to calm any criticism of this practice. Seeing such a statement, you may conclude that their claims are sincere.
In the best of worlds this may be true.
But, when companies merge or fail, where do your personal data end up?
Let’s begin with the definition of personally identifiable information at Wikipedia. From this we can deduce:
Data that can identify who you are online includes:
* Privately issued ID credentials:
Employee benefits participation number,
Private health care authorization,
access, and identification number
* Transactional financial account numbers:
Bank account number, Credit or debit card, account number,
Personal identification number (PIN), and taxpayer identification number
* Biometric identifiers:
Fingerprint or voiceprint, Iris or retina scans, and DNA
* Health or medical information:
National Health certificate number
* Electronic identification credentials:
Digital certificates and Passwords
* Full Date of Birth:
Birthdate - Month, day and year
* European-defined sensitive data:
Treated as PID globally, not just for citizens of the EU:
Ethnic origin, Political opinion, Religious belief or
philosophical beliefs, Trade-union membership, Health or Sex life,
Offenses, Criminal convictions or Security measures and Proceedings
from crimes or offenses
Recently, the commercial DNA hoarding company 23andMe filed for bankruptcy. This highlights once again the importance of holding on to your personally identifiable information.
23andMe was popular some years ago, when friends and family bought DNA sample kits from them. The kit made it possible to find out if you have any Viking blood in you, or if your great-grandfather was a Mongolian emperor. It also made headlines when it was used to track down some really bad criminals.
According to 23andMe’s privacy statement, this is the information they collect:
* Registration Information:
information you provide during account registration or when purchasing
the Services, such as a name, user ID, password, date of birth, billing
address, shipping address, payment information (e.g., credit card),
account authentication information, or contact information (e.g., email,
phone number).
* Genetic Information:
information regarding your genotype (e.g., the As, Ts, Cs, and Gs at
particular locations in your DNA). Genetic Information includes the
23andMe genetic data and reports provided to you as part of our Services.
* Sample Information:
information regarding any sample, such as a saliva sample, that you
submit for processing to be analyzed to provide you with Genetic
Information, laboratory values or other data provided through our Services.
* Self-Reported Information:
information you provide to 23andMe including your gender, disease
conditions, health-related information, traits, ethnicity, family history,
or anything else you provide to us within our Service(s).
* Biometric information:
certain Self-Reported Information you provide to us or our service
providers to verify your identity using biological characteristics.
* User Content:
information, data, text, software, music, audio, photographs, graphics,
video, messages, or other materials, other than Genetic Information and
Self-Reported Information, generated by users of 23andMe Services and
transmitted, whether publicly or privately, to or through 23andMe.
For example, User Content includes comments posted on our Blog or
messages you send through our Services.
* Web-Behavior Information:
information on how you use our Services or about the way your devices use
our Services is collected through log files, cookies, web beacons, and
similar technologies (e.g., device information, device identifiers, IP
address, browser type, location, domains, page views).
In a blog post, 404media states that data for 15 million people is now for sale. This follows the loss of 7 million records in a data breach in 2023.
This is a reminder that sharing personally identifiable information must be kept to a minimum. There is no way of knowing whether this information will end up being used by bad actors to gain leverage over their victims while committing fraud.
By contacting the company it may be possible to ask them to remove data about you. But there are no guarantees that the deletion will be carried out.
When you sign up for a service, question every data point they want to collect from you. Leave out as much information as possible. Only supply relevant data. If you doubt the relevance of a data point and it is mandatory, reach out to the company and question this practice.
If they fail to help you, you can enter false information that you store in your password manager, provided you don’t break any laws by doing this. If you feel bad about giving false information, reduce the information you give. For instance, only enter the initials of your first and last name if this is allowed.
Look for alternative services that have less stringent data collection. Finally, ask yourself if you really need the service at all.
Remember, data shared can never be un-shared.
Data not shared does not exist.
Update: If you have used the service, here are instructions on how to remove your data from 23andMe: How to delete account
Insight to personal data exposure: The Silent Cybersecurity Threat That You Need to Address
Related article: Open Source Genetic Database Shuts Down to Protect Users From ‘Authoritarian Governments’