Controversial DNA analytics company 23andMe, which gets its name from the fact that most people have 23 pairs of DNA-carrying chromosomes in their cells, is going bust.
At its peak valuation just over four years ago, the company’s shares traded at about $320, but it’s been largely downhill from there, with shares listed today for less than a dollar each.
Some analysts note, with 20-20 hindsight, that it’s difficult to see how a consumer-focused company that pitched itself as a way to find out about your ancestry, or to learn if you had any genetic predisposition to certain health problems, could win repeat business.
After all, once you’ve uncovered your ancestry, and perhaps received a health scare that prompted you to consult trained medics at a real hospital…
…what more would you need to know?
The thing about your ancestry, as the word makes clear, is that it’s quite literally set in the past.
Once you’ve found out that you could be 25% Mexican or 12% Welsh, which you might very well already have known or guessed (and for all that it matters anyway), that’s not going to change.
23andMe’s real value proposition was to sell on the data it collected to researchers and engineers who might be willing to pay to access it for analytical purposes.
Obvious people you might expect to be interested include medical and pharmaceutical researchers, but that market apparently did not materialize.
But what about targeted marketers looking to profile their sales pitches in some way?
As convenient and as pertinent as it might seem at first glance, you’d rightly feel discomfited if you found out that the hair coloring promotions you just saw, or the skin-care creams that were promoted in your online feeds, were decided by racial or ethnic assumptions derived from your own genetic samples.
What about law enforcement looking for leads in cold cases and hoping for at least a partial match, given that close family members have more similarities in their DNA than strangers?
You could end up under wrongful suspicion yourself, just because someone you are related to, but do not know and have never met (someone just as innocent as you), once sent their DNA to a testing company like 23andMe.
What about undemocratic governments looking to zoom in on people with the “wrong” ethnicity to act against them in some way?
What about cybercriminals looking to acquire yet more deeply personal information about you in the hope of using it for social engineering purposes, or for cyberblackmail, or for other identity-related scams?
As David Emerson, CTO and Head of Operations at SolCyber, pointed out in a recent TALES FROM THE SOC podcast about the unavoidable long-term risks of collecting ever more personal data in the hope of commercializing it in the future:
DAVID. [Companies tend to] worry about how [data] will be used, or whether it ought to be collected at all, [too late] in the product lifecycle.
DUCK. When it can be quite hard to remember where it went.
And also, you have that problem of what if the company that collected it in good faith gets bought up by a company that’s maybe in a different jurisdiction, and has different regulations.
DAVID. That [is] the concern around 23andMe!
DUCK. Absolutely, yes, that’s a good example.
DAVID. We all gave our DNA to 23andMe.
That wasn’t the thing you were thinking of when you were swabbing your cheek.
It probably wasn’t the thing they were thinking of when they were collecting your entire genome and sequencing it.
The dilemma we were concerned about in that podcast has now arrived, with 23andMe officially filing for Chapter 11 bankruptcy protection in the US.
Long-term CEO Anne Wojcicki is stepping down, to be replaced as interim CEO by Joe Selsavage, previously CFO.
The company’s own press release says:
If approved by the Court, the Company, with the assistance of an independent investment banker, would actively solicit qualified bids over a 45-day process.
If multiple qualified bids are submitted during the Court-supervised sale process, the Company plans to conduct an auction to maximize the value of its assets.
Any buyer will be required to comply with applicable law with respect to the treatment of customer data and any transaction will be subject to customary regulatory approvals, including, as applicable, approvals under the Hart-Scott-Rodino Act and the Committee on Foreign Investment in the United States.
For UK and Commonwealth readers, Chapter 11 is similar to administration, where a company is reorganized with the hope of reinventing it in some other form so it can continue trading. A more dramatic bankruptcy exit is Chapter 7, which is similar to liquidation, where the company is largely considered a lost cause, and thus gets shut down and sold off in job lots.
Firstly, because 23andMe is a California company, California’s Attorney General has understandably advised users to delete their data explicitly from the service as soon as they can, given that the data may soon change hands:
Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.
That’s sound advice, given that the deeply personal data customers shared with the company now seems almost certain to be sold off, and therefore to come under new owners with new ideas on what to do with it.
The uses to which that data will be put in the future are likely to be very different from what 23andMe originally had in mind, given that the company wasn’t able to commercialize it in accordance with the use cases it originally pitched.
Secondly, bear in mind the simple advice about sharing personal data of any sort, whether it’s as intimate as your DNA or as basic as your date of birth or your employment history: If in doubt, don’t give it out.
And thirdly, if you’re a CTO, or a CMO, or a CRO looking for data to collect just in case you might be able to commercialize it in the future, bear in mind the hidden costs of filling up your data lakes with information that you don’t have a clear and present need for.
Listen to our excellent podcast The Illness of Excess (S1 Ep008), featuring Paul Ducklin and David Emerson:
LISTEN IN YOUR FAVORITE APP
Find Tales from the SOC on Apple Podcasts, Audible, Spotify, Podbean, or via our RSS feed if you use your own audio app.
Or download this episode as an MP3 file and listen offline in any audio or video player.