23andMe Data Breach: UPDATE
This is an ongoing situation that is spiraling, on a course to disrupt several industries, including investigative genetic genealogy.
UPDATE: 23andMe, which was valued at $6 billion just a few years ago, is now facing both a possible delisting from Nasdaq and dozens of class-action lawsuits.
_____
In October of 2023, 23andMe confirmed that a subset of its users’ data had been compromised. While the company said its systems were not breached, attackers nevertheless stole the data by guessing the login credentials of a group of users, a method called “credential stuffing,” and then scraping more people’s information from a feature known as DNA Relatives (shared for others to see and do research with). The attackers claimed that the data contained 1 million data points exclusively about Ashkenazi Jews, hundreds of thousands of users of Chinese descent, and some tech celebrities, like Elon Musk and Mark Zuckerberg. Some of the data is already up for sale on the dark web.
In an SEC filing, 23andMe said the breach directly affected about 14,000 customers but then later confirmed to investigative reporters that the attackers actually collected data from about 5.5 million people who had opted into DNA Relatives, in addition to 1.4 million DNA Relatives users who had their profile information accessed.
The blame cherry on top of this breachy hot-fudge sundae is that 23andMe is basically blaming its customers, saying they should have had better security. In a letter the company sent to a law firm handling an attempted lawsuit against it, 23andMe said:
“...users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures...”
Ever hear of making your customers use two-factor authentication? That’s the response from the lawyers and some tech security specialists. The breach has political implications beyond the personal ones, with litigants saying the Jewish and Chinese customers were targeted. The company’s terms and conditions make it difficult to sue them, so the struggle continues.
What will this breach mean for a mainstay resource for investigative genetic genealogy?
FRE 702 Revision
In case you missed it, FRE 702 got a revision in 2022 (taking effect in December of 2023). The amendments were proposed by the Advisory Committee on Evidence Rules and subsequently approved by the US Judicial Conference and the Supreme Court. They arise from the committee’s concerns over courts’ permissiveness in vetting expert scientific evidence in criminal cases, most notably pattern evidence like firearms examination. For example, a 2019 case determined that firearms evidence did not meet the Daubert standards; there are others, like US v. Green. The amendments are arguably small but, as we know, small can matter. FRE 702 now reads (changes in bold italic):
Rule 702. Testimony by Expert Witnesses
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if the proponent demonstrates to the court that it is more likely than not that:
(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert’s opinion reflects a reliable application of the principles and methods to the facts of the case.
702 now defines a preponderance of evidence (“more likely than not”) standard for demonstrating that the four options (a-d) have been satisfied. This goes to methodological reliability.
702(d) clarifies that it is not the expert’s reliable application that matters, but rather that “the expert’s opinion reflects a reliable application.” A judge can bar opinions that exceed what can be reasonably concluded from the methods and principles that were used.
As legal scholars have suggested,
The committee’s amendments are likely to affect a wide range of types of expert evidence. By clarifying the burden on the party seeking to introduce an expert and highlighting the need to assure reliable use of methods to reach conclusions, the committee’s concerns are particularly important in the context of forensic methods, like firearms evidence, that have grown out of the experience of practitioners but have never been carefully scientifically validated or subject to robust empirical testing.
I’m no lawyer but I’ll keep an eye on this.
The limits of justice
If evidence is lost, it cannot be retested. If case files are lost, a record of what was (or wasn’t) done cannot be verified. If innocent persons’ DNA is retained…why? What is a government’s responsibility to its citizens for this most intimate of information? Discuss.