Engadget reports on 23andMe's decision to change its terms of service to prevent class action lawsuits days after a data breach affecting 7 million customers. The article frames this as an attempt to evade corporate accountability through procedural silencing. Coverage engages multiple human rights themes—particularly the right to remedy for violations (Article 8), fair and public hearings (Article 10), privacy protection (Article 12), and freedom of expression (Article 19)—while documenting corporate efforts to restrict legal remedies and shield proceedings from public scrutiny.
I'm not a lawyer, but I doubt that this will matter in court, because the timing of actions matters; in other words, at the time the user registered they agreed to TOS A, and later, when 23andMe changed TOS A to TOS B, they achieved nothing, because you can't unregister users and register them again and force them to agree to the new TOS B. I mean, they can ask you to agree to a new TOS, but you don't have to, because a TOS is not a law; it is a voluntary legal agreement between a company and a customer. Retroactively enforcing something is not possible, not even for governments, e.g. if I pay my corporate tax of, let's say, 20% in 2023 to the government, the government can't say 5 years later: you know what, corporate tax is now 30%, compensate for all the differences in the past.
To duck out of the new ToS, just write this email to [email protected]
To Whom It May Concern:
My name is [name], and my 23andMe account is under the email [email]. I am writing to declare that I do not agree to the new terms of service at https://www.23andme.com/legal/terms-of-service/.
Automatically opting-in customers to a more restrictive TOS is pretty suspect, especially given the timing. IANAL, but I'm pretty sure that a court would not allow that, given that the TOS was changed AFTER the breach and it's pretty clear that the company is trying to avoid legal issues after-the-fact.
I would expect the court would evaluate any breach under the TOS that was in effect at the time of the breach, rather than under a new (and arguably suspect one) that was put in place after it, arguably in an attempt to "rewrite history".
I would have presumed that security-minded people, which includes those who work in tech, would not so easily give away their genome, and that most of 23andMe's customers are a slice of the general population. But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled. Why would anyone willingly do that?
Forcing customers to use arbitration hasn't always been in the company's interest - if only a fraction of the 7M affected customers started the arbitration process it could cost a lot more than a class action suit.
Didn't Uber drivers get a large payment from them in this way?
An alternative take is that they changed their terms of service so that if/when this happens again they'd have more control over the fallout. I think they're totally expecting to get railed for the last one and are preparing for it, but this doesn't mean they can't prepare for the future as well. I imagine other providers will also revise their TOS.
Which companies offer similar services sans all the bullshit and privacy issues? I'm not interested in finding long lost relatives and even less interested in having my data sold or shared with LEO.
I have tried to quickly diff the previous TOS with the new one and I wasn't able to identify any big changes. I would like to know what the actual changes are. I see a lot of articles criticizing the new TOS, but no one is showing the actual wording differences.
I interviewed for a security position there a few years ago, but they cut the role before the interview process was over. Kind of feels like they didn't prioritize security - you reap what you sow.
I'm glad I never used any of these services: not just because knowing my ancestors' origins will add zero value to my life, but also because I don't trust any cloud service to store my passwords or notes, let alone a biometric I will never be able to change, alive or not.
In case anyone is interested I've been compiling as much factual information on arbitration here. Not yet complete but reasonably useful and well sourced
I honestly don't understand how "If you don't opt out within 30 days you'll be bound to the new TOS" works.
I have heard of two big "trends" of how people think about legal contracts:
[1] What is written there and what both parties agreed to is the truth.
[2] A contract is supposed to be a "meeting of the minds". If it's proven that one party was being deceitful, then the contract (or that part) doesn't hold.
If we go by [1], then the company can change the TOS by sending me a notice with "if you don't opt out, then you're bound by these terms"... but so should I. I should be able to send a letter to 23&me saying "if you don't disagree these are the new terms: if my information is ever hacked, you owe me 10M dollars in damages"
If we go by [2], then sending a notice like that is absolutely invalid. They have no way of proving that I read that notice within 30 days, so there was never a "meeting of the minds".
Exactly. This behavior is why I'm never gonna send my DNA to any of these services. Certainly not US ones. I hope that the EU will have some regulations for this soon.
"reports revealing that attackers accessed personal information of nearly 7 million people — half of the company’s user base — in an October hack."
Breaking into a system should never provide access to 7 million people. The database should be divided up into multiple "cells" each with its own separate access restrictions.
It's the same idea that spy networks use to prevent one compromised spy from bringing down the whole system. Or you can think of it like watertight compartments in a battleship.
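As an added illustration of the compartmentalisation idea in the comment above (this is not code from the thread or from 23andMe; the number of cells, the per-cell credential scheme and the sample records are all assumptions), here is a small Python model in which records are partitioned into cells that each require their own credential, so that one stolen credential exposes only its own cell rather than the whole customer base:

```python
"""Compartmentalised ("cell") data store: each cell holds a slice of the
records and has its own credential, so a single compromised credential
exposes roughly 1/NUM_CELLS of the data instead of all of it."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NUM_CELLS = 8  # assumed number of cells; the real layout is not on the page


def cell_for(customer_id: str) -> int:
    """Map a customer to a cell by hashing the id (not by a guessable range)."""
    digest = hashlib.sha256(customer_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_CELLS


class AccessDenied(Exception):
    pass


@dataclass
class CellStore:
    # cell -> {customer_id: record}; records are constructed sample data
    cells: dict = field(
        default_factory=lambda: {i: {} for i in range(NUM_CELLS)})
    # cell -> credential; one credential per cell, never a global one
    creds: dict = field(
        default_factory=lambda: {i: secrets.token_hex(16) for i in range(NUM_CELLS)})

    def put(self, customer_id: str, record: dict) -> None:
        self.cells[cell_for(customer_id)][customer_id] = record

    def credential(self, cell: int) -> str:
        """Credential issued to the service instance that serves this cell."""
        return self.creds[cell]

    def read(self, customer_id: str, credential: str) -> dict:
        """Reads succeed only with the credential of the customer's own cell."""
        cell = cell_for(customer_id)
        if not hmac.compare_digest(credential, self.creds[cell]):
            raise AccessDenied(f"credential not valid for cell {cell}")
        return self.cells[cell][customer_id]


def exposure_with_credential(store: CellStore, credential: str) -> int:
    """Blast radius: how many records one leaked credential can read."""
    readable = 0
    for recs in store.cells.values():
        for customer_id in recs:
            try:
                store.read(customer_id, credential)
                readable += 1
            except AccessDenied:
                pass
    return readable


def build_sample_store(n_customers: int = 1000) -> CellStore:
    """Constructed sample data: n_customers records with placeholder fields."""
    store = CellStore()
    for i in range(n_customers):
        store.put(f"cust-{i:05d}",
                  {"name": f"Sample {i}", "ancestry": "constructed"})
    return store


if __name__ == "__main__":
    store = build_sample_store()
    leaked = store.credential(0)  # pretend the cell-0 credential was stolen
    print("records readable with one leaked credential:",
          exposure_with_credential(store, leaked), "of",
          sum(len(r) for r in store.cells.values()))
```

The point of the model is the shape of the authorisation check, not the toy storage: a service that needs to read one customer's data only ever holds the credential of that customer's cell, so a credential leak or a compromised service instance cannot be turned into a full-table dump. Cross-cell features (for example matching relatives across the whole base) would need their own narrowly scoped path rather than a global credential, which is exactly the design question a cell layout forces you to answer explicitly.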
"In October, the San Francisco-based genetic testing company headed by Anne Wojcicki announced that hackers had accessed sensitive user information including photos, full names, geographical location, information related to ancestry trees, and even names of related family members."
For those who do not know, her sister is a longtime Google marketing person since 1999, who worked on AdWords, AdSense, DoubleClick, GoogleAnalytics and the money-losing data collection and advertising subsidiary YouTube.
It seems personal data collection for profit runs in the family.
I am a security engineer. When I signed up for 23andme, I assumed with certainty that it would be hacked and all data leaked at some point. I balanced that with the value of knowing potentially important health/genetic bio markers.
In the end, I valued knowing these bio markers above the privacy of my genome. The former is actionable and I can use it to optimize my health and longevity; the latter is of vague value and not terribly exploitable outside of edge-case threat models.
They probably know that it doesn't hold water legally. The hope is to victim blame as much as possible so that fewer people sue them in the first place. The next step will be to "remind" people about the TOS that they totally agreed to.
Trying or arbitrating a large number of cases individually is far more expensive than litigating a class action suit. But only if the people pushing the arbitration hold firm, rather than agreeing to the initial settlement offering.
The same people believed crypto-currency, infinite growth, social media and many other things. At least 23andMe provided actual value, to some at least.
What I find strange is that 23andMe did not automatically delete data after 30 days, or at the very least take it offline, only to be available on request. Notify people that their results are available and inform them that the data will be available for 30 days after the first download. This is potentially really sensitive data and, based on 23andMe's response, they seem to be aware of that fact. So why would they keep the data around? That seems fairly irresponsible and potentially dangerous to the company.
They ought to be evaluated as if no TOS exists. Given the clear intent to defraud customers by misrepresenting the contract they were bound by, the claims should be evaluated under the TOS most favorable to the plaintiffs. The most favorable TOS is the one that's invalid because 23andMe didn't get anyone to actually agree, ergo the claims are evaluated as if no TOS exists.
This is an attempt to undermine consumer protection laws, and the government should treat it as a direct attack. Other companies are watching. The government needs to send a clear message that this won't be tolerated before it spreads, becomes the status quo, and leaves many consumers believing that they don't have any rights or protections.
The head of legal should also be disbarred under American Bar Association rule 1.2(d):
> (d) A lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent, but a lawyer may discuss the legal consequences of any proposed course of conduct with a client and may counsel or assist a client to make a good faith effort to determine the validity, scope, meaning or application of the law.
This reads as clear contract fraud in the factum [1]. Customers are told that they're bound by new contract terms, despite that 23andMe never got agreement, nor tried to get agreement, nor even know whether customers have read the new contract. I can't fathom any other reasonable interpretation of the situation. They created a fraudulent contract hoping to confuse other entrants to prior versions of the contract, and intend to benefit from that confusion. It seems clear to me. They are attempting to undermine the legal system, and the ABA needs to deal out swift punishment as one of the protectors of that system.
The slightly annoying thing with this data, though, is that even if you don't provide your data your privacy can be violated via any relatives' data that did decide to use the service.
You got it wrong. They can throw a big TOS in front of you next time you login. Most users will just accept.
Additionally they sent an email out saying that you have 30 days to tell them you want to "opt out"; otherwise, by default, they assume you accept the new TOS agreement.
I was 24 in 2015 and not in tech or as security minded as I am now when I received the test as a Christmas present. Obviously now I wouldn’t have dared do it, but it’s too late. Lacked the foresight at the time.
I'm familiar with security (I keep a copy of Applied Cryptography on my shelf for "fun reading") and tech, here's a copy of my whole genome:
https://my.pgp-hms.org/profile/hu80855C
Note it's a full human genome, far more data than a 23&Me report. You can download the data yourself and try to find risk factors (at the time, the genetic counsellors were surprised to find that I had no credible genetic risk factors).
Please let me know in technical terms, combined with rational argument, why what I did was unwise. Presume I already know all the common arguments and have evaluated them using my background knowledge (which includes a PhD in biology, extensive experience in human genome analysis, and years of launching products in tech).
I've been asking people to come up with coherent arguments for genome secrecy (given the technical knowledge we have of privacy, both in tech and medicine) and nobody has managed to come up with anything that I hadn't heard before, typically variations on "well, gattaca, and maybe something else we can't predict, or insurance, or something something".
I don't know where you have been the last few years, but I am pretty sure things like that happen all the time, based on the emails I have received regarding ToS updates. And I have never heard of any company getting into trouble in court over it. Maybe in public opinion, but that's it.
>But then I read about things like WorldCoin and that people who go to startup parties jump at the chance to give away scans of their retinas and I'm befuddled.
I'm befuddled that anyone thinks Sam Altman is the least bit trustworthy after WorldCoin.
Insertion into the middle of Limitation of Liability: "WITHIN THE LIMITS ALLOWED BY APPLICABLE LAWS, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT 23ANDME SHALL NOT BE LIABLE FOR ANY DAMAGES"
Lots of changes to the Dispute Resolution, and new content re: Mass Arbitration.
However, the previous ToS still had binding arbitration clauses, and stuff about class actions.
What if you want to run a query to compare your DNA to everyone else’s to see if you have any relatives that are registered already? Wouldn’t that need access to the entire database and essentially be a point of weakness?
Central topic: article advocates for customer right to remedies by reporting 23andMe's deliberate blocking of class action lawsuits post-breach; frames remedy denial as fundamental violation
FW Ratio: 50%
Observable Facts
Article headline: '23andMe frantically changed its terms of service to prevent hacked customers from suing'
Updated terms explicitly state 'To the fullest extent allowed by applicable law, you and we agree that each party may bring disputes against the other party only in an individual capacity and not as a class action or collective action'
Article notes 'multiple class action claims' have already been filed in California federal/state courts, Illinois, and Canadian courts
Inferences
Positioning class action as a remedy mechanism and reporting its deliberate restriction frames remedy access as core right violation
The article's critical tone toward timing (changing ToS days after announcing breach) advocates for maintenance of remedy pathways
Including expert skepticism about legal validity of the change affirms the right to pursue remedies
Advocates for public, fair hearings by reporting arbitration's private nature; quotes expert on how arbitration 'hides information about proceedings from the public'; frames transparency as remedy component
FW Ratio: 50%
Observable Facts
Article states arbitration 'hides information about the proceedings from the public since affected parties typically attempt to resolve disputes with arbitrators in private'
Expert Nancy Kim quoted discussing how arbitration differs from public court proceedings
Article explicitly contrasts class action (public) with private arbitration, noting Axios reporting on this distinction
Inferences
Centering arbitration's private nature as a problem frames public accessibility to proceedings as a human right
Expert commentary lending credibility to transparency concerns amplifies advocacy for fair and public hearings
The article positions corporate ability to move disputes into private arbitration as undermining justice transparency
Article exercises freedom of expression through investigative reporting on corporate conduct; frames free press as accountability mechanism; reports on attempts to silence customer voice
FW Ratio: 50%
Observable Facts
Article byline: Pranav Dixit, Senior Editor, published at Engadget
Reporting exposes 23andMe's ToS change post-breach and documents customer outrage via social media
Multiple source types: company email, SEC filing, expert quote, social media reactions
Inferences
Publication of investigative reporting on corporate wrongdoing directly exercises freedom of expression
Article uses journalism to hold corporations accountable, demonstrating free press as democratic check on power
Reporting on corporate attempts to restrict customer legal voice protects the right to free expression itself
23andMe's ToS uses contract authority to restrict rights (remedy, fair hearing); article opposes this action, advocating against use of authority to destroy other rights
FW Ratio: 50%
Observable Facts
23andMe explicitly uses contractual terms to eliminate customer legal rights (class action, jury trial)
Article frames this action as wrongful corporate overreach requiring customer opt-out within 30 days
Inferences
Article advocates against misuse of contractual authority to eliminate substantive legal rights
Critical framing affirms principle that corporate powers cannot be used to destroy customer rights protected by law
Article frames corporate breach and remedy denial against backdrop of universal human rights; advocates for protection of customer legal remedies and transparency
FW Ratio: 50%
Observable Facts
Article reports 23andMe changed terms of service days after announcing 7 million customers' personal data was hacked in October
Company announced new terms 'to prevent customers from filing class action lawsuits' and participating in jury trials
Inferences
By reporting on rights violations (breach, remedy denial), the article implicitly affirms the dignity and equal rights premise of the Preamble
The article frames corporate accountability as prerequisite to respecting human dignity after harm
Page contains TCF consent framework and GUC consent tracking with multiple data collection categories (precise geolocation, cross-device mapping, account matching, search history). Cookies and tracking are extensive but disclosed in consent mechanism.
Terms of Service (not scored): No ToS visible on-domain in provided content.
Identity & Mission
Mission (+0.10; Articles 19, 27): Mission statement indicates commitment to technology news and expert reviews ('Find the latest technology news and expert tech product reviews'). Aligns with free expression and access to information.
Editorial Code (not scored): No editorial standards document visible on-domain in provided content.
Ownership (+0.05; Articles 19, 20): Engadget owned by Yahoo/Oath (NewsMediaOrganization). Large corporate ownership may support editorial independence but not explicitly verified on-domain.
Access & Distribution
Access Model (+0.10; Articles 25, 26): No paywall or subscription requirement observed. Content appears freely accessible, supporting universal access to information.
Ad/Tracking (-0.20; Articles 12, 17): Multiple ad placements visible with responsive ad containers (#_R_ailfaiv5tilbH1_, #_R_iilfaiv5tilbH1_, #_R_qilfaiv5tilbH1_). Ad network tracking (xsmr, bid, rid parameters) indicates surveillance-based advertising model.
Accessibility (+0.05; Articles 25, 26): Responsive design visible (media queries for mobile, tablet, desktop viewports). No explicit accessibility features (alt text, ARIA) observed in provided content, but technical structure supports basic access.
DCP notes site uses TCF consent framework with extensive tracking for ad networks; structural privacy concerns create tension with editorial privacy advocacy
Headline 'frantically changed' implies haste/desperation without verification; user quotes include 'screw' and 'shady' (emotionally charged evaluative language)
Appeal to fear: Framing of cover-up ('prevent hacked customers from suing') and detailed emphasis on data sensitivity (genetic material, family names, location, ethnic targeting) implicitly appeals to security and vulnerability concerns
build 1ad9551+j7zs · deployed 2026-03-02 09:09 UTC · evaluated 2026-03-02 13:57:54 UTC