With the bankruptcy announcement of the once-highflying genetic testing company, 23andme, its customers are scrambling to delete their DNA data (link).
These people have little understanding of how the Internet, and especially modern cloud-based services, work.
In most, perhaps all, cases, a user who deletes data has merely severed themselves from the data. The data persist at the company, in the cloud, at the company's various business partners, and so on.
It is very hard to delete anything in the digital age.
***
Even before the arrival of computers with effectively infinite storage, deleting a file from a PC only severed the "pointer" to the locations on the hard drive where the file was stored: the filesystem drops the directory entry and marks the file's blocks as free, but the bytes in those blocks stay on the disk until something else happens to be written over them. Recovery software exists that retrieves such "deleted" files by scanning the raw disk for them. The existence of such software proves that the file wasn't truly deleted.
Secure-deletion tools exist that overwrite a file's contents before releasing the space. They would not be necessary if files were truly deleted when users run the "delete" function. Even these tools have blind spots: filesystem journals, snapshots and backups may hold older copies, and on SSDs the controller's wear levelling can place the "overwrite" in a different physical location while the original cells keep their contents. That's why some experts recommend physically destroying drives before disposal.
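The following is an added illustration of the two paragraphs above, not code from the original post. It models a tiny disk as a byte array split into fixed blocks with a simple allocator and directory, then compares an ordinary delete (pointer dropped, bytes untouched), a recovery-style signature scan that ignores the directory, a later write that happens to reuse some of the blocks, and a secure delete that overwrites first. The block size, file names, the `DNA-RECORD:` record format and the allocator's reuse policy are all constructed for the demo and do not model any particular real filesystem.

```python
"""Toy disk showing why "delete" usually only severs the pointer.

Added illustration for this post, not code from it. Block size, names, record
format and allocator policy are constructed assumptions for the demo.
"""
import re

BLOCK_SIZE = 16
NUM_BLOCKS = 8
# Constructed "signature" that a carving tool would scan raw blocks for.
RECORD_RE = rb"DNA-RECORD:[A-Za-z0-9:]+"


class ToyDisk:
    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.free = list(range(NUM_BLOCKS))   # block indexes not owned by any file
        self.directory = {}                    # file name -> ordered list of block indexes

    @staticmethod
    def _slot(blk):
        return slice(blk * BLOCK_SIZE, (blk + 1) * BLOCK_SIZE)

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)   # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        chain = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(chain):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[self._slot(blk)] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = chain

    def read_file(self, name):
        chain = self.directory[name]
        return b"".join(self.blocks[self._slot(b)] for b in chain).rstrip(b"\x00")

    def delete(self, name):
        """Ordinary delete: drop the directory entry and return the blocks to the
        free list. The bytes inside those blocks are not touched."""
        chain = self.directory.pop(name)
        self.free = chain + self.free          # freed blocks are reused first (constructed policy)

    def secure_delete(self, name):
        """Overwrite every block of the file before releasing it."""
        for blk in self.directory[name]:
            self.blocks[self._slot(blk)] = b"\x00" * BLOCK_SIZE
        self.delete(name)


def carve(disk, pattern=RECORD_RE):
    """What a recovery tool does: ignore the directory, scan raw blocks for a signature."""
    return [m.group(0) for m in re.finditer(pattern, bytes(disk.blocks))]


def demo():
    # Constructed sample record: 45 bytes, so it spans three 16-byte blocks.
    record = b"DNA-RECORD:user42:ACGTTGCAGGCTAACCGGTTACGATCG"
    out = {}

    disk = ToyDisk()
    disk.write_file("user42.txt", record)
    disk.delete("user42.txt")
    out["listed_after_delete"] = "user42.txt" in disk.directory   # False: the pointer is gone ...
    out["carved_after_delete"] = carve(disk)                       # ... but the whole record is recoverable

    # The data survive only until a later write lands on the same blocks.
    disk.write_file("notes.txt", b"unrelated 20 bytes..")          # reuses the first two blocks
    out["carved_after_reuse"] = carve(disk)                        # header overwritten, signature scan fails ...
    out["tail_still_on_disk"] = b"GGTTACGATCG" in bytes(disk.blocks)   # ... yet the third block still holds genome data

    disk2 = ToyDisk()
    disk2.write_file("user42.txt", record)
    disk2.secure_delete("user42.txt")
    out["carved_after_secure_delete"] = carve(disk2)               # nothing left to carve
    out["tail_after_secure_delete"] = b"GGTTACGATCG" in bytes(disk2.blocks)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The partial-reuse case is the one to notice: a signature-based scan can fail while a fragment of the sensitive data still sits in an unreused block, so "my recovery tool found nothing" is not proof of erasure. The overwrite in `secure_delete` is also only as good as the storage underneath: on a drive whose controller remaps writes, or under a filesystem with journals and snapshots, the zeroed blocks in this model may not be the only place the bytes ever lived.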
The cloud is a network of computers outside the user's control. This network provides resiliency and efficiency by making copies of the data (replicas, backups, caches) and strategically scattering them around the network. Thus, if someone wants to delete a file, they would have to find every copy of the file and then thoroughly erase each one on each computer using the same secure-deletion tools.
A business might use a cloud that is managed by some other entity (e.g. Amazon Web Services). Then the business may not even know how many copies of a file have been created or where they are stored. It pays someone else to manage all of that, and the whole point is to wash its hands of those details.
A business like 23andme makes money by selling users' data. Once the data change hands, they are replicated on computers that 23andme does not control. Those other businesses may also store their data in the cloud, which means the files are duplicated and distributed across yet another network of computers. 23andme has no ability to verify that the buyers have thoroughly removed the data from all of their computers using secure-deletion tools. It probably doesn't want to either.
Even if a business doesn't base its business model on selling customer data, it may still share customer data with business "partners." For example, if a hospital hires a third party to analyze CT scans, its patients' CT scans will find their way to that third party's computers. That third party may in turn send the images to its own business partners, for exactly the same reason. If a patient asks the hospital to delete a file, the hospital would have to remove all of its copies, then ask the third party to delete all of its copies, and so on down the tree of partnerships. The chance that all copies of that file are removed from all computers of all entities involved is exactly zero.
***
The above is not merely speculation. In your everyday use of the Internet, you may inadvertently discover that data uploaded to some app are permanent.
Many years ago, I used an online email provider to send a single email to a list of people. This requires uploading the names and emails of those people. After sending the email, I deleted the contact information and closed my account. I specifically did this in the hope of preventing the vendor from taking the private data and using it for other purposes without my knowledge. The people on the list consented to receiving an email from me, but not more than that.
After I closed my account, surprise surprise, I got lots of marketing emails imploring me to return to the service.
One such email said that if I reactivated my account that day, I'd be able to recover all the contacts in my previous account. I could see how this would be a great convenience if I indeed wanted to continue from where I stopped.
However, it also shows that when I pushed the button to "delete" the contact list, it wasn't deleted at all! Even after I closed my account, the "deleted" contact list was still there.
***
In other words, data are permanent. It's delusional to think that going to the 23andme website and clicking on the "delete" button will remove one's DNA data from prying eyes.
Sure, doing it is better than not doing it. But it's most likely a placebo: it makes one feel better but in reality does not make a difference.
Pressing the delete button certainly detaches you from your data but there is no way to verify that your files have been permanently and thoroughly removed from all of 23andme's computers (not forgetting all the computers of employees who downloaded your files as part of some larger analyses of their database.) The DNA file would already have been sold many times over during your time as a customer, and will live on forever in many computers not owned by or accessible to 23andme. It would also have been shared with business partners who provided relevant services to 23andme. The most valuable asset that 23andme could sell during its bankruptcy proceedings is the DNA database, so you can bet that the leadership team has made sure that the data are transferred to the eventual buyer.
And remember, DNA data are themselves immutable. They belong to the class of data (like date of birth or social security number) that only needs to be stolen once. (See this previous post.)
The only effective way to ensure your DNA data don't fall into the wrong hands is to not have them stored at 23andme in the first place, i.e. don't be their customer.