Millions of people have used its simple genetic testing service, which involves ordering a saliva test, spitting into a tube, and sending it back to the company for a detailed DNA analysis.

But now the company is on the brink of bankruptcy. This has raised concerns about what will happen to the troves of genetic data it has in its possession.

The company's chief executive, Anne Wojcicki, has said she is committed to customer privacy and will "maintain our current privacy policy".

But what can customers of 23andMe themselves do to make sure their highly personal genetic data is protected? And should we be concerned about other companies that also collect our DNA

What is 23andMe?

23andMe is one of the largest companies in the crowded marketplace for direct-to-consumer genetic testing. It was founded in 2006 in California, launching its spit test and Personal Genome Service the following year, at an initial cost of US$999. This test won Time magazine's Invention of the Year in 2008.

Customers eagerly took up the opportunity to order a saliva collection kit online, spit in the tube and mail it back. In a few weeks when the results were ready they could find out about their health, ancestry, and other things like food preferences, fear of public speaking and cheek dimples.

The price of testing kits dropped rapidly (it's now US$79). The company expanded globally and by 2015 had 1 million customers. The firm went public in 2021 and initially the stock price soared.

As of 2024, the company claims 14 million people have taken a 23andMe DNA test.]

23andMe rode the wave of popular excitement and investor interest in genetics. It wasn't alone. By 2022 the direct-to-consumer genetic testing market was valued at US$3 billion. The three largest players - 23andMe, AncestryDNA and MyHeritage - together hold the genetic data of almost 50 million people globally.

There are dozens of smaller players too, with some focusing on emerging markets such as MapMyGenome in India and 23mofang and WeGene in China.

What happened to 23andMe?

23andMe has had a rapid downfall after the 2021 high of its public listing.

Its value has dropped more than 97%. In 2023 it suffered a major data breach affecting almost seven million users, and settled a class action lawsuit for US$30 million.

Last month its seven independent directors resigned amid news the original founder is planning to take the company private once more. The company has never made a profit and is reportedly on the verge of bankruptcy.

What this might mean for its vast stores of genetic data is unclear.

When people sign up for a 23andMe test the company assures them: "your privacy comes first". It promises it will never share people's DNA data with employers, insurance companies or public databases without consent.

It puts choice in the hands of consumers about whether their spit sample is kept by the company, and whether their de-identified genetic and other data is used in research. Four in five people who bought a 23andMe test have agreed to their data being used in research.

However, if you dig a bit deeper, it's clear that 23andMe uses people's data in many different ways, such as sharing it with service providers. Perhaps most importantly, if the company goes bankrupt or is sold, people's information might be "accessed, sold or transferred" as well.

In a statement to The Conversation, a 23andMe spokesperson said Wojcicki is "not open to considering third-party takeover proposals".

She also said that in the event of any future ownership change, the company's existing data privacy agreements with customers "would remain in place unless and until customers are presented with, and agree to, new terms and statements - and only after receiving appropriate notice of any new terms, under applicable data protection laws".

Tips for people to protect their genetic data

With 23andMe in the spotlight, people might want to take steps to protect their genetic data (although experts say there's not really any more risk now than there has always been).

The simplest thing is to delete your account, which opts you out of any future research and discards your saliva sample. But if your data has already been de-identified and used in research, it can't be retrieved.

And even if you delete your account, 23andMe says it will keep hold of information including your genetic data, date of birth and sex, to comply with its own legal obligations.

Buying a DNA test online might feel fun and rewarding and it's certainly been marketed that way. There are plenty of good news stories about how getting those test results has helped people to connect with lost family or understand more about their health risks.

People just need to buy tests with their eyes open about what this might mean.

First, the results might not be all positive. Finding out about health risks without guidance from a health professional can be scary. Learning that the person you thought was your mum or dad actually isn't, is an outcome for as many as 1 in 20 people who've bought a DNA test online.

Second, every company selling DNA tests does so with lots of legal conditions attached. People click through these without a second thought but researchers have shown it is worth taking a closer look.

Consider what the company says about what it will do with your data and your sample, how long they will keep it, who else can access it, and how easy it will be to delete later.

There are guidelines from organisations like Australian Genomics that can help. And bear in mind that if a company holding your DNA profile is sold, it might be hard to make sure that data is protected.

So maybe reconsider giving a DNA test as a Christmas gift.

• First published in The Conversation
• Finlay Macdonald is the New Zealand editor of The Conversation

In July 2021, Monsignor Jeffrey Burrill resigned from his post as the general secretary of the USCCB ahead of a report by The Pillar alleging that he had engaged in inappropriate behaviour and frequent use of Grindr.

The app advertises itself as "the largest social networking app for gay, bi, trans, and queer people." Its geolocation feature is popularly known to facilitate sex hookups between gay men.

Read More

That's especially true for "AI girlfriends" or "AI boyfriends," according to new research.

An analysis into 11 so-called romance and companion chatbots, published on Wednesday by the Mozilla Foundation, has found a litany of security and privacy concerns with the bots.

Collectively, the apps, which have been downloaded more than 100 million times on Android devices, gather huge amounts of people's data.

They use trackers that send information to Google, Facebook, and companies in Russia and China; allow users to use weak passwords; and lack transparency about their ownership and the AI models that power them.

Since OpenAI unleashed ChatGPT on the world in November 2022, developers have raced to deploy large language models and create chatbots that people can interact with and pay to subscribe to.

Mozilla research

The Mozilla research provides a glimpse into how this gold rush may have neglected people's privacy, and into tensions between emerging technologies and how they gather and use data.

It also indicates how people's chat messages could be abused by hackers.

Many "AI girlfriend" or romantic chatbot services look similar. They often feature AI-generated images of women which can be sexualized or sit alongside provocative messages.

Mozilla's researchers looked at a variety of chatbots including large and small apps, some of which purport to be "girlfriends." Others offer people support through friendship or intimacy, or allow role-playing and other fantasies.

"These apps are designed to collect a ton of personal information," says Jen Caltrider, the project lead for Mozilla's Privacy Not Included team, which conducted the analysis.

"They push you toward role-playing, a lot of sex, a lot of intimacy, a lot of sharing."AI chatbot

For instance, screenshots from the EVA AI chatbot show text saying "I love it when you send me your photos and voice," and asking whether someone is "ready to share all your secrets and desires."

Concerns mount up

Caltrider says there are multiple issues with these apps and websites.

Many of the apps may not be clear about what data they are sharing with third parties, where they are based, or who creates them, Caltrider says.

She adds that some allow people to create weak passwords, while others provide little information about the AI they use. The apps analyzed all had different use cases and weaknesses.

Take Romantic AI, a service that allows you to "create your own AI girlfriend." Promotional images on its homepage depict a chatbot sending a message saying,"Just bought new lingerie. Wanna see it?"

The app's privacy documents, according to the Mozilla analysis, say it won't sell people's data.

However, when the researchers tested the app, they found it "sent out 24,354 ad trackers within one minute of use."

Romantic AI, like most of the companies highlighted in Mozilla's research, did not respond to WIRED's request for comment. Other apps monitored had hundreds of trackers.

Lack of clarity

In general, Caltrider says, the apps are not clear about what data they may share or sell, or exactly how they use some of that information.

"The legal documentation was vague, hard to understand, not very specific—kind of boilerplate stuff," Caltrider says, adding that this may reduce the trust people should have in the companies.

It is unclear who owns or runs some of the companies behind the chatbots.

The website for one app, called Mimico—Your AI Friends, includes only the word "Hi."

Others do not list their owners or where they are located, or just include generic help or support contact email addresses.

"These were very small app developers that were nameless, faceless, placeless," Caltrider adds. Read more

• Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe.

But some experts say the level of detail included in the story suggests that whoever provided the information has access to large datasets and methods of analysis that could have cost hundreds of thousands of dollars—or more.

"When I first heard that this was happening, my mouth hit the floor," Zach Edwards, the founder of the boutique analytics firm Victory Medium, told America.

A data expert, Mr Edwards previously helped a Norwegian consumer rights group bring a complaint against Grindr in 2020 that alleged that the gay hookup app violated European privacy laws by leaking users' personal data.

The company was eventually fined more than $11 millionearlier this year by the Norwegian Data Protection Authority.

Mr Edwards described the level of detail revealed in the data points included in The Pillar article as "alarming."

Zach Edwards the founder of the boutique analytics firm Victory Medium, described the level of detail revealed in the data points included in The Pillar article as "alarming."

The Pillar has not said where it obtained the data about Msgr Jeffrey Burrill, who resigned shortly before the story about his use of the app was published.

The editors of The Pillar, J. D Flynn and Ed Condon, did not reply to an email from America asking who provided the data.

Mr Edwards said that acquiring data that appears to have been collected over at least three years could be costly and may have required a team of researchers to sort through it to identify specific individuals tied to the data.

He estimated that the "database and deanonymization efforts" used to obtain details about Monsignor Burrill could have "run into the hundreds of thousands if not millions of dollars."

The article in The Pillar contained allegations that a phone associated with Monsignor Burrill regularly logged onto Grindr, a dating app used by gay men, during periods of several months in 2018, 2019 and 2020 from his home and office in Washington, D.C., as well as from a family lake house in Wisconsin and from other cities, including Las Vegas.

"The inclusion of [Monsignor Burrill's vacation destinations] speaks to a level of tracking obsession," Mr Edwards said.

"Every Catholic should hope that's the case because that is the only scenario that's not a dystopian nightmare."

It is possible, he said, that a person or organization held a grudge against Monsignor Burrill and tracked only his data.

But he worries that the data appears to have been shopped around since 2018 and that whoever has access to it now probably has more information to release.

Mr Edwards estimated that the "database and deanonymization efforts" used to obtain details about Monsignor Burrill could have "run into the hundreds of thousands if not millions of dollars."

"It either is a larger organization tracking multiple priests and we have more shoes that are going to be dropping" or it was focused only on Monsignor Burrill, he said. He can imagine a situation in which the data could be used to blackmail or extort church leaders.

The specificity of geography included in The Pillar story suggests that whoever provided the information to the publication had access to an unusually comprehensive dataset that would have gone beyond what is normally available to advertising firms.

"That's a really expensive, dangerous data sale," he said.

Large, "deidentified" data sets like this—information that does not contain names or phone numbers—are often sold in aggregate for advertising purposes or even to track mass travel during epidemics.

The data used as the basis for The Pillar story appears to have tracked Monsignor Burill through a process known as re-identification, which some experts said may have violated contracts from third-party vendors, who routinely prohibit the practice.

Yves-Alexandre de Montjoye, an applied mathematics professor at Imperial College, London, who has studied the ease with which individuals can be identified through supposedly pseudonymized data, told America the report in The Pillar was "quite vague on the technical details."

But he said that, in general, a researcher or team of analysts can identify an individual with access to just a few data points.

He gave as an example a fictional person living in Boston: That person's mobile device may send a signal from an M.I.T. classroom in the morning, from a Harvard Square cafe in the afternoon, then in the evening from a bar in the Back Bay followed by a signal from a home in South Boston.

The specificity of geography included in The Pillar story suggests that whoever provided the information to the publication had access to an unusually comprehensive dataset that would have gone beyond what is normally available to advertising firms.

"A few of these places and times are going to be sufficient" to match other information a researcher might know about an individual that taken together makes it possible to identify the user of the mobile device, Mr Montjoye said.

That other information could include real estate records, social media posts or even published agendas.

Even in large cities with millions of people, it is not difficult to use just a few data points to identify an individual as "very few people will be at the same places at roughly the same time as you."

The co-founders of The Pillar defended their story against criticism that called the story journalistically unethical, saying in a statement that they "discovered an obvious correlation between hookup app usage and a high-ranking public figure who was responsible in a direct way for the development and oversight of policies addressing clerical accountability with regard to the Church's approach to sexual morality."

Daniella Zsupan-Jerome, the director of ministerial formation at St. John's University School of Theology and Seminary in Collegeville, Minn., said more and more surveillance and tracking technology will not produce righteous men fit for ministry.

Instead, she said, it will contribute to a culture of suspicion and perpetuate the lack of trust in the Catholic Church.

"Why not invest instead in formation processes that insist on a culture of honesty, transparency and integrity of character?" she said, adding that if and when religious leaders are found to have moral failings, there is a need to create space for conversation among the faithful.

"Sadly, many of us have had the experience of finding out scandalous information about a priest or pastoral leader. This is a shocking experience, often coupled with a sense of betrayal, sadness, grief, anger, disgust and even despair," she said.

"Communities experiencing this need spaces for turning together for conversation, honest sharing, and gathering to lament and grieve the loss of trust that occurred."

Hours before The Pillar published its report, the Catholic News Agency published a story stating that the organization had been approached by a person in 2018 who "claimed to have access to technology capable of identifying clergy and others who download popular ‘hook-up' apps, such as Grindr and Tinder, and to pinpoint their locations using the internet addresses of their computers or mobile devices."

The story said that C.N.A. declined to accept information from this person.

In a statement, Grindr called The Pillar's report an "unethical, homophobic witch hunt" and said it does "not believe" it was the source of the data used. The company said it has policies and systems in place to protect personal data, although it didn't say when those were implemented.

Mr Edwards, who has been critical of Grindr's privacy protections, said, "This is about the worst thing that could ever possibly happen to their business." Continue reading

The US Conference of Catholic Bishops said in a memo that Monsignor Jeffrey Burrill had resigned as its general secretary. This came after staff had learned on Monday of "impending media reports alleging possible improper behaviour."

The Pillar published an article on Wednesday that presented evidence the priest engaged in serial sexual misconduct.

The data captured by The Pillar highlights the invasive threat posed by mobile data.

Pillar said its analysis of the app data "correlated" to Burrill's cellphone. It shows he visited gay bars in several cities between 2018 and 2020 while using the app.

The article does not report that Burrill did anything illegal. However, homosexual acts are considered a sin according to Catholic teaching. Ordained priests are required to make a vow of celibacy.

It is not immediately clear how The Pillar obtained the data.

Brokered data is being used to identify the activities of cellphone users, confirming the long-voiced concerns of privacy experts.

A primary concern of privacy experts involves a concept known as "device fingerprinting". This is where a user can be identified, even when the data is supposed to be anonymous.

A tracker does this by looking for a unique and persistent way a person uses technology. The identity can be determined based on the location, time and activity, all of which can be collected through permission granted when the app is downloaded.

Security researchers have also found that apps are collecting more data than users are led to believe.

A report in 2019 found that more than 1,000 apps were taking data even after users denied them permissions, allowing them to gather precise geolocation data and phone identifiers.

In an article published Monday, the Catholic News Agency said it had received an offer in 2018 from individuals who claimed to have access to technology capable of tracking priests who download dating apps.

The news organization said it declined the proposal at the time. But it warned that "there are reports this week that information targeting allegedly active homosexual priests may become public."

Sources

• CNet
• Religion News
• The Pillar