Michael Calore: So the data was posted for sale at a site called BreachForums. What can you tell us about this corner of the internet?
Lily Hay Newman: BreachForums is a popular and well-known kind of clearinghouse for people to post all sorts of data and tools, other information, and it fits into a broader ecosystem of hacker forums for advertising and posting data. Sometimes, these forums can be used in positive ways to just share information about potential concerns. But they can also be used at times to distribute stolen data or at least advertise its existence and then actually distribute it elsewhere.
Michael Calore: Right.
Lauren Goode: Mike’s been hanging out there a lot. Yeah, he doesn’t know. I can see his computer here at the office and I’m like, “What is Mike doing at breachforums.com?”
Michael Calore: Yeah, I lost the keys to my car and I’m trying to figure out how to get into it. It’s totally white hat, totally up and up. I swear.
Lauren Goode: You don’t have a car.
Lily Hay Newman: When Calore and I see each other, he says, “See you on BreachForums.” And I say, “Not if I see you first.”
Michael Calore: All right, well on that note, let’s take a break and we’ll come right back.
[Break]
Michael Calore: All right, welcome back. For years, companies like 23andMe and Ancestry have been collecting genetic information from millions of people. They’ve used it to generate massive pools of data about some of the most important things you can know about a person. Where you come from, who you’re related to, what genetic conditions might run in your family. It’s intimate, personal information gleaned from just a little bit of spit. Lily, I’m sorry for asking such a leading question, but should people be willingly sending their genes to these companies? Are all of our family trees already up for grabs now somewhere?
Lily Hay Newman: So it’s a really good question. It’s the type of thing that you want to think about in terms of genetic testing, but that also applies conceptually to a lot of things. Ultimately, I think there isn’t a clear-cut answer because it’s more of a cost-benefit assessment of what you’re getting out of it. First of all, in other contexts, people do genetic testing for medical reasons, to find out things about their health status and that might be urgent or very important. But even for the consumer facing more home tests, which also potentially have a medical purpose but aren’t necessarily being prescribed or recommended by a doctor or something like 23andMe, there still could be a massive personal and emotional and psychological value to someone knowing more about the ancestry component or the finding relatives, finding biological connections. So I don’t want to minimize or downplay and say, “Well, these are just curiosities and it’s become way too mainstream and people shouldn’t be using it”, because I don’t think that’s the case. But if there isn’t a specific and compelling reason to do it or if there aren’t these pressing personal questions that people are wanting to get some insight on, I do think it’s really worth taking a pause, especially for services that have this social component. I think that’s really the tie into this breach. And like I said, this can apply to a lot of things. If there’s a social component to a service, where to really be able to use it and get the full feature set out of it, you’re going to need to opt into sharing data, not just with the company, but with other users and a broad network of users, you start to encounter these issues. The same ones that the traditional social networks have grappled with about social graph and what else can be gleaned about you and a cohort of people that you then can be grouped into from that data that you’re sharing semi publicly with other users. So I think that’s what this incident with 23andMe really underscores.
