
Breach exposed more than one million DNA profiles on a major genealogy database - pseudolus
https://www.buzzfeednews.com/article/peteraldhous/hackers-gedmatch-dna-privacy
======
jacquesm
And half the DNA of all of the siblings and parents of the people that
submitted their DNA, a quarter of their grandparents and grandchildren and so
on. That's what I really hate about these companies, they get people to submit
their DNA and the customers do not realize it isn't a decision that affects
just them.

~~~
dcgudeman
So I should get the consent of my entire extended family before I ever submit
my DNA to a service for analysis?

~~~
sbassi
Your data, your rules. I put my 23andme raw data in github
([https://github.com/sbassi/MiGenomaSbassi](https://github.com/sbassi/MiGenomaSbassi))
for the world to see and use without asking anybody in my family.

~~~
berkes
I strongly disagree. I consider it comparable to something like financial
administration. In which an "expense" or "exchange" has two sides. Me, paying
you, you receiving the money.

It is not up to me to decide to just release such data. Because it encodes
other people's data too. If I were to release my financial records because
"it's my data", I'd be exposing a lot of people, organisations and companies
who I had interaction with.

~~~
yreg
But it _is_ up to me to decide to release my financial records. All the
parties I've dealt with have to expect the possibility (unless there is some
signed agreement that prevents disclosing them).

With DNA I'm not so sure.

~~~
berkes
I'm pretty sure that if <insert ecommerce platform here> were to leak all
their financial transactions, that is considered a large data-breach and would
be considered a privacy infringement.

I am aware that "an ecommerce platform" is something else than "your personal
finance", but the principle is the same: X shouldn't release other people's
financial transactions just because those were done with X.

------
site-packages1
For those who are annoyed about the name of the site not being in the title:
GEDMatch was phished a few days ago, then yesterday phishing led to the data
exfiltration from the Israeli DNA site MyHeritage.

[https://www.myheritage.com/](https://www.myheritage.com/)

~~~
markdown
I thought myheritage was owned by the Mormons.

~~~
hangonhn
Just out of curiosity, is there a reason for Mormons to especially care about
their genealogy?

~~~
js2
> One of the core tenets of Mormon faith is that the dead can be baptized into
> the faith after their passing. Baptism of the dead evolved from the beliefs
> that baptism is necessary for salvation and that the family unit can
> continue to exist together beyond mortal life if all members are baptized.

> Mormons trace their family trees to find the names of ancestors who died
> without learning about the restored Mormon Gospel so that these relatives
> from past generations can be baptized by proxy in the temple. For Latter-day
> Saints, genealogy is a way to save more souls and strengthen the eternal
> family unit.

[http://www.pbs.org/mormons/etc/genealogy.html](http://www.pbs.org/mormons/etc/genealogy.html)

~~~
tzs
That leads to my afterlife nightmare scenario.

I die bravely in glorious battle and am chosen by the Valkyries for Valhalla.
One evening as we feast after that day's fighting, quaffing giant tankards of
mead and boasting of our deeds, there comes a knock at the door.

Two young men in suits enter, and go to speak to Odin.

Odin then calls for me to come over. He tells me that the young men are
Mormons, and that some distant relative born long after I died (great-grandkid
of a second cousin or something like that) has joined the Mormon church and
has been busy baptizing the whole damn family tree.

Odin tells me I'm Mormon now, and cannot stay in Valhalla. I must move to the
Mormon afterlife.

(Actually, the Mormon afterlife doesn't seem all that bad compared to that of
most Christian or Christian-adjacent religions, in the sense that if you
reject their teachings but still live a decent life you get a decent
afterlife).

~~~
riffraff
I believe the "if you live a good life you go to heaven" is a common tenet of
many Christian denominations since the Vatican Council.

At least, I recall my religion teacher (a Catholic priest, we have such a
class in public schools in Italy tho they vary in content and quality) telling
us that some decades ago.

You do not go to heaven if you're an atheist tho, as _denying_ there is
something divine puts you in the bad list, sorry.

~~~
kmonsen
I mean does it really matter what the church says? The important part is what
God actually thinks here and that seems to be very different depending on who
you ask.

~~~
dvfjsdhgfv
To be more precise, what matters is not so much what God/gods "think", but
what they want us to do. In this case, the textual foundation for Extra
Ecclesiam nulla salus is Mark 16:16: "Whoever believes and is baptized will be
saved; whoever does not believe will be condemned." Assuming these really are
the words of Jesus, they leave very little for interpretation, no matter what
Vaticanum II says.

~~~
sorokod
These can not be the words of Jesus since the language of these words did not
exist at the time (assuming a deity that doesn't express itself in yet
unformed languages).

~~~
vabadus
Is this better?

"ὁ πιστεύσας καὶ βαπτισθεὶς σωθήσεται, ὁ δὲ ἀπιστήσας κατακριθήσεται."

That's the closest we can get, although Jesus would have assumedly spoken
these words in Aramaic, not Greek.

Source:
[http://bibletranslation.ws/trans/markwgrk.pdf](http://bibletranslation.ws/trans/markwgrk.pdf)

------
varenc
“ _As a result of this breach, all user permissions were reset, making all
profiles visible to all users_ ”

This seems like the opposite of how a sensible permissioning data model should
work.

~~~
0x00000000
“But A/B testing showed more ‘user engagement’ when you default to public”

~~~
W-_-D
Who are you quoting there?

~~~
woolinsilver
wooosh

------
slg
Can someone explain the potential short to medium term fears of one's DNA
leaking? My initial assumption is that it would be less of a problem compared
to nearly any other personal data leaking. Like it certainly sounds creepy,
but credit card or other financial data being stolen presents a huge headache
and creates a lot of work.

I understand that in specific instances, for example when paternity is in
question or if a person is hiding from someone this information getting out
could be catastrophic, but that applies to such a tiny portion of the
population. So for most people, what is the downside to some random individual
knowing the country of origin one's ancestors are from or that they might have
a genetic predisposition to heart disease? It isn't like any reputable company
is going to be able to use this information against us.

Plus in the long term there are likely going to be ways to get this
information directly and almost instantaneously from any personal interaction
you make since we can't really stop ourselves from shedding our DNA wherever
we go.

~~~
kilo_bravo_3
Nothing.

Absolutely nothing.

The DNA records aren't the type that can be used to clone you, or frame you
with some kind of non-existent DNA copying machine.

They are autosomal records. (or similar genealogical, or non-medical, types)

The people spinning fantastic fairytales about how the jackbooted thug of big
brother is going to crush your throat probably don't even know what autosomal
means and no amount of education will convince them.

I encourage everyone to submit their Autosomal DNA to public databases. You
may bring closure to someone who has been or known a victim of a horrific
crime and there is no risk to you.

You have at least one reply about insurance companies using this information
to screw you.

1\. This type of information is practically useless, actuarially, and

2\. It has been illegal for them to do so for many years.

~~~
thephyber
> there is no risk to you.

There is _always_ risk. You probably don't see it yet just like only privacy-
forward folks thought Facebook's encouragement to "share everything" publicly
(circa 2007) foresaw the problems that would commit 10+ years later.

The small benefit of closure to a stranger who has already dealt with the
grief of loss is not worth it for me. It depends on your personal value
system.

> It has been illegal for them to do so for many years.

Laws can change. Just like I always assume a company can screw me after I
agree to a ToS (eg. through a pivot, an M&A, or a bankruptcy), I assume any
law can change with enough societal acclimation.

Also, laws are relative to where you are. If you try to visit another country,
expect that they might have access to your leaked data. Hopefully you never
want to work as a spy in the future.

~~~
risyachka
Exactly because there is always risk, when it is small - people say there is
no risk.

Lots of things can happen and could have happened but never did.

~~~
thephyber
> Exactly because there is always risk, when it is small - people say there is
> no risk.

This is analogous to the definition of "literally". It was misused so much
that a new second definition for the word is close to the opposite of the
original definition.

It's still worth mentioning the nuance at least occasionally.

------
thephyber
As someone who works in cybersecurity, it's always hard for me to interpret PR
language like "orchestrated through a sophisticated attack". This could be
aimed towards non-savvy readers meaning basically anything or it could be
accurate and describe a nation-state (although I don't get the feeling of a
sophisticated nation-state actor here).

The DoJ used similar wording when prosecuting Aaron Swartz for using Python
scripts to glue together "curl" calls.

~~~
Balgair
To be fair, curl _is_ a nightmare of pedantry without something like postman
to deal with it all for you. BTW, when did postman come out anyway?

~~~
thephyber
Postman is nice and ergonomic!

curl is great if you already have the command crafted. My suspicion is that
the Python script was scraping a web page for URLs/IDs and then ran a curl
shell command which saved the resulting document to the file system.

------
pickledcods
This is the same level as having a breach of biometric data.

With password/payment/location breaches you have the ability to change what
you entered as to invalidate/outdate the data which was stored.

Having your biometric/genome authentication data stolen or made public will be
a nightmare.

~~~
mirimir
No, not really.

There's no practical way to protect our genomes in meatspace. We're constantly
shedding DNA into the environment. Hair, skin, saliva, etc. For example, an
adversary can just tail us to a coffee shop or restaurant, and take a utensil
or straw or napkin that we've used. And then submit the sample using a fake
name, as investigators often do.

Edit: Those are excellent comments about scale. But generally, if you don't
want to publicize your genomic data, just don't send in a sample.

~~~
clusterfish
But you can't do that to a million people, only to individual targets.
Economic scale matters in a lot of evil plots.

~~~
ComodoHacker
Just wait until these fancy "smart" coffee cups with built-in nano-labs become
ubiquitous.

~~~
mirimir
Before that happens, I'm guessing that full DNA sequencing at birth will be a
legal requirement. Like footprints are now.

~~~
alcover
Holy... You're right. This will happen. To an over-arching state this is the
ultimate modus.

    
    
      INSERT INTO Citizen (dob, ssn)
      VALUES ('2030-10-28', sha('atgcaatgcatcgc..'));

~~~
kzrdude
hashing (sha) is not very appropriate since you're not likely to ever
reproduce exactly the same base pair sequence for the same person.

------
zeepzeep
I waited for this. Sorry to all that are affected, but maybe this is a sign
for others, not to give their DNA to a random company.

~~~
raxxorrax
Yeah, just like people stopped using their real identities on the net where
there is absolutely nobody with an axe to grind for trivial issues.

Sorry for the cynicism. What is even worse, people actually using these
services create expectations towards everyone smart enough not to do that. Of
course, that would mean your near relatives have to be smart enough not to use
these services either...

Now any health insurer could use this data to identify high risk genetic
defects...

~~~
immawizard
Isn’t it illegal to use DNA data for purposes of health insurance? How would
an insurance company be able to use it? Companies like Kaiser run both
hospitals and insurance, yet they can’t use your full medical history when
determining your insurance risk.

The bigger issue imho is companies using biometrics as a secure
authentication, but at least in the USA that’s going to be no worse than the
SSN mess.

~~~
raxxorrax
Legislation is sensible and in larger insurers this promise will probably be
kept. But if the info is available, people will look it up. Long time disease
risk is interesting to many people.

If you leave your door open, people are still not allowed to steal your things.
Do you leave your door open?

------
baby
One thing I’m thinking about: this is probably an inevitable future. That we
like it or not technology is going to be more and more intrusive. If not our
generation, the next one, or the one after.

We’ve seen that short-sighted laws have caused more harm than good on the
long-term. Like the war on drugs.

Knowing this, is there a future where we can lose privacy but still live a
good life? And what can we do to get there?

~~~
xiler
[https://en.wikipedia.org/wiki/Homomorphic_encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption)

~~~
alecco
The cost of that is prohibitive except for very particular cases. On the other
hand, even tiny devices have powerful computers nowadays. We don't need 3rd
party cloud.

------
auganov
The way GEDmatch works you can enter any "kit number" and get a long list of
matching people which has their kit number, name, email and some other basic
information.

It sounds to me like hackers just managed to traverse the entire database to
hunt for emails. Which is not exactly hard given how the site works.

Most kit numbers seem to be a letter and 6 numbers so not exactly hard to
brute force either. You don't even have to get that many right as for any hit
you might get a list of 1000+ people and use their kit numbers to get even
more.

You might say that's a terrible design security-wise but that's what makes
GEDmatch great for researching who you're related to. They'll either have to
degrade the experience or be really stringent about rate limits and so forth.
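
The rate limits mentioned in the comment above depend on recognising the lookup patterns it describes. The following added example (not part of the thread and not GEDmatch code) scans a constructed lookup log and flags clients that either accumulate misses or touch many distinct kit numbers inside a short window. The log format, client names, kit numbers and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "A letter and 6 numbers", as the comment describes most kit numbers.
KIT_RE = re.compile(r"^[A-Z]\d{6}$")

# Assumed thresholds; a real service would tune these against normal usage.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_KITS = 5   # distinct kit numbers one client may look up per window
MAX_MISSES = 3          # failed or malformed lookups tolerated per window

# Constructed sample log (hypothetical format): timestamp client kit result
SAMPLE_LOG = """\
2020-07-20T09:00:00 user-17 A123456 hit
2020-07-20T09:00:05 client-99 B000001 miss
2020-07-20T09:00:06 client-99 B000002 miss
2020-07-20T09:00:07 client-99 B000003 miss
2020-07-20T09:00:08 client-99 B000004 hit
2020-07-20T09:00:09 client-99 B000005 miss
2020-07-20T09:30:00 user-17 T654321 hit
2020-07-20T10:15:00 user-17 M111222 hit
2020-07-20T11:00:00 client-42 A123456 hit
2020-07-20T11:00:10 client-42 T654321 hit
2020-07-20T11:00:20 client-42 M111222 hit
2020-07-20T11:00:30 client-42 B000004 hit
2020-07-20T11:00:40 client-42 H777001 hit
2020-07-20T11:00:50 client-42 H777002 hit
2020-07-20T11:45:00 user-17 H777001 hit
2020-07-20T13:00:00 user-17 H777002 hit
2020-07-20T14:00:00 user-17 B000004 hit
2020-07-20T15:00:00 user-17 A123456 hit
"""


def parse_line(line):
    """Split one log line into (timestamp, client, kit, result)."""
    ts, client, kit, result = line.split()
    return datetime.fromisoformat(ts), client, kit, result


def detect_enumeration(log_text):
    """Return {client: [reasons]} for clients whose lookups look like enumeration.

    The log must be in chronological order. Two signals are checked per client
    over a sliding window:
      * "guessing":      too many misses or malformed kit numbers
      * "distinct-kits": too many different kit numbers, even if every one hits
                         (walking from one match list to the next)
    """
    windows = defaultdict(deque)   # client -> recent (ts, kit, result)
    alerts = defaultdict(set)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, kit, result = parse_line(line)
        recent = windows[client]
        recent.append((ts, kit, result))

        # Drop lookups that have aged out of the window.
        while ts - recent[0][0] > WINDOW:
            recent.popleft()

        distinct = {k for _, k, _ in recent}
        misses = sum(
            1 for _, k, r in recent if r == "miss" or not KIT_RE.match(k)
        )

        if misses > MAX_MISSES:
            alerts[client].add("guessing")
        if len(distinct) > MAX_DISTINCT_KITS:
            alerts[client].add("distinct-kits")

    return {client: sorted(reasons) for client, reasons in alerts.items()}


if __name__ == "__main__":
    for client, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(client, reasons)
```

In the sample, `user-17` looks up six different kits over several hours and is not flagged, because no ten-minute window holds more than one of them.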

~~~
tschwimmer
I can’t believe this is a website. It’s essentially a rolling data breach.

------
aahhahahaaa
So they sent an email to their users that states:

> We can assure you that your DNA information was not compromised, as GEDmatch
> does not store raw DNA files on the site. When you upload your data, the
> information is encoded, and the raw file deleted. This is one of the ways we
> protect our users’ most sensitive information.

This is kind of BS right? It's encoded... not encrypted.

~~~
Shared404
Presumably. However, if it was a PR drone who wrote that, it may or may not be
accurate as to whether or not it was encoded/encrypted.

I would just assume that it has in fact been compromised though.

~~~
neltnerb
Or at least a summary version of it with all the data _they_ felt was relevant
to keep... so everything we currently know to be important.

------
loughnane
This is why I’ve been putting off getting my genome sequenced. One breach and
it’s out there forever.

I’ve heard good things about nebula[0] as a way to get an anonymous genome but
have yet to be motivated enough to take the plunge

[0] [https://nebula.org/whole-genome-sequencing/](https://nebula.org/whole-genome-sequencing/)

~~~
all_blue_chucks
What is the impact of having your DNA known? As far as I can tell the worst
case scenarios are finding out you have to pay child support or getting placed
at the scene of a crime.

If those risks don't apply to you, who cares?

~~~
dfee
If you’ve got nothing to hide... then make it all public. Let’s start with
your finances.

~~~
all_blue_chucks
I openly talk about my finances with anyone who wants to talk personal
finance. What threat are you imagining this could pose?

~~~
daveevad
let's start with your bank account and routing numbers.

~~~
all_blue_chucks
I share that information when it benefits me. That's the basis of ACH. Next?

~~~
kazagistar
Specific pornographic preferences and fetishes? Nothing illegal there, no
reason to hide.

~~~
all_blue_chucks
What is the advantage of sharing that information?

------
subhro
This was bound to happen at some point of time. I have been having repeated
"conversations" with my dad about why he and I should NOT send a cheek swab to
23andme (or any similar services). Today I think I will be able to drive the
final nail in that coffin.

------
jdright
Did not take long:
[https://mittr-frontend-prod.herokuapp.com/s/614642/dna-datab...](https://mittr-frontend-prod.herokuapp.com/s/614642/dna-database-gedmatch-golden-state-killer-security-risk-hack/)

~~~
game_the0ry
That url is atrocious. It looks like the MIT tech review doesn't pay for its
Heroku account.

~~~
bacondude3
This is the correct URL:
[https://www.technologyreview.com/2019/10/30/132142/dna-datab...](https://www.technologyreview.com/2019/10/30/132142/dna-database-gedmatch-golden-state-killer-security-risk-hack/)

------
novok
This is why I want a genetic sequencing lab that will sequence your genome,
send it to you encrypted by your own public key and once you confirm receipt
and verify it is valid, DELETE IT COMPLETELY. Along with the record you were
their customer after the 6 months or whatever required for waiting out
chargebacks.

Then you can analyze your DNA with a desktop app that doesn't send out any
data.

The deleting part is hard to find.

~~~
daave
Seems unlikely to be a sustainable business.

For GEDMatch, Ancestry.com, 23andMe, etc, most of the value comes from being
able to aggregate many people's data. If they had to delete it after
collecting, they'd have to charge a lot more, and there's just no market for
that.

Perhaps they could anonymize the data (at least, purge foreign key references
to account/billing info) after 6 months, but not delete it.

~~~
0xy
Much like you can't anonymize browsing history data, email metadata or
financial transactions -- I suspect DNA information also cannot be
satisfactorily anonymized.

"Anonymized data" is a marketing term.

~~~
HeWhoLurksLate
Was going to say this as well- I _highly_ doubt it's possible to anonymize DNA
and still have useful data.

'Anonymized Data' is a misnomer.

------
coronadisaster
Probably the worst breach in history (so far), because unlike anything else,
this information can't be changed

------
tafurnace
I understand the desire to trace one's family history, find/treat diseases,
discover murderers, etc. However, any time I read about these types of
personal information breach events (DNA and genealogy could arguably be the
most personal info of all) I so badly wish we didn't have this tech to begin
with and how much present day sucks compared to the past as a direct result of
these personal data mining tech companies (thinking social media, surveillance
as well). I also wish the general population thought more clearly about the
long term consequences of their information being in the hands of others
before they so naively and/or willingly divulge it. Worse yet, we often don't
have the choice. Nightmare scenarios where some could wield such information
to do harm are not too difficult to think up, and if we are really being
honest with ourselves, are occurring present day. Personal information data
playgrounds like Facebook become precision tools for deception and oppression
at best, genocide at the worst (thinking Myanmar). Not to single out Facebook,
imagine what a psychopathic genocidal leader could do with 23andme data. With
the rampant data collection, the human population has never faced this scale
and breadth of societal threat before and we are indirectly feeling the
consequences of it in our lives daily. I wish we could go back.

------
dontcare1
This quote by John Young of Cryptome sums up the dark truth of the state of
cybersecurity:

" Wonder how long it will take to reveal cybersecurity is a Ponzi racket.

Profits from commercial harvesting data of online users now exceeds the total
funding of all the global spy agencies, with a healthy chunk of the steal
bought by official spies and law enforcement which ignore the violation. Edu,
orgs and NGOs part of the rotten racket."

Essentially, every major data breach is planned by the "good guys" having a
stake in criminal ops.

------
tossmeout
There should be fines big enough to bankrupt the companies who fail to secure
this kind of data. Is there some other way to convince them to take the
issue more seriously?

~~~
MattGaiser
That just pushes them offshore.

I would rather that there be greater security training in software development
programs/bootcamps.

I’m a software engineer. I know a lot of software engineers. None of us have
ever been trained in security.

Any “best practices” are usually picked up in Stack Overflow conversations.

~~~
harimau777
It seems to me that the way to deal with offshoring would be to bring back a
modern version of outlawry. The US could basically declare: "Until this
corporation pays their fines the US will not prosecute or extradite any
individual or corporation who hacks them, steals their physical or
intellectual property, declares debts to them canceled, or violates contracts
with them."

------
sneak
This is why I did my DNA sequencing several years ago with a fake name, a
sparkling brand new email address, at a unique domain registered for the
purpose, with a fake name as the registrant, paid for with a prepaid card, via
a VPN. I downloaded the results and let all of it lapse; other than the DNA
itself, it is utterly disconnected from the rest of my digital records.

It's a shame that one has to go to such lengths to safely use health-related
electronic services.

------
acwan93
I’ve always wondered if this were a worthy business proposition, cause I would
definitely buy a product like this:

Basically all of the features of 23AndMe/Ancestry/etc, but done offline.
You’re given an app to download online, provided all of the hardware needed to
spit in a tube, and get the same results.

No data stored on a cloud server, and no centralized database of everyone’s
DNA. That’s probably where the real business model is though.

~~~
eloff
I think you're missing the part where you have to send the tube to a lab to do
the actual sequencing. At that point they have your data, and even if there
were to be a provider that says they don't keep it, that's about as credible
as all the VPNs which "don't keep logs" where we later discover, whoops, they
lied...

~~~
acwan93
Right, maybe this is where I’m being ignorant, but would there be a way to do
the actual sequencing down to a consumer device?

I presume the machines used are pretty complex.

~~~
throwawayDNA
DNA sequencers are not that expensive [1]. And I’m told the actual lab work is
not that hard or dangerous (high school level?).

In fact, the database correlating millions of people’s DNA with their medical
history and migration history is probably the hardest part.

But the potential market is there. I’d gladly pay $1000 to have my sequence,
even unanalyzed, with the knowledge no one else does.

1 cursory look at eBay. I don’t know if those sequencing machines are good for
human DNA - I hate bio.

~~~
hobofan
I'm assuming that you meant to link a MinION (as it's the only device I know
of at that price point). They would be fit for human DNA, though a single flow
cell (consumable part that will degrade after X amount of DNA read) might not
be quite enough to read a whole human genome with the desired accuracy.

So if you purchase all the consumables (flow cells + chemicals) in low
quantities, a single human genome will probably run you around $2000 in
materials. With the bulk orders from their website you could get it down to
half of that (so probably even more if you were doing really big bulk orders).

~~~
acwan93
$1000-2000 seems like the price point I was expecting for a full offline
solution. It does seem too high for the mainstream market when 23AndMe kits
are going for $99 despite all the privacy concerns.

------
thelittleone
I consider myself a fairly optimistic person. Yet here we are deeply immersed
in a world of technology that trades privacy for conveniences (that we did
fine without before) and week after week these mega data stores are
compromised and we just move on. The optimist in me hopes it's merely
incompetence and greed, but then it seems almost programmatic.

------
parishill
Yikes... Now I'm glad I have been telling all my friends who are considering
using genealogy database services to use fake names.

------
oliv__
Like this wasn't just waiting to happen.

You voluntarily hand over your DNA to a private company. What could possibly
go wrong?

~~~
wiz21c
Well, I'd add : You voluntarily hand over your DNA to a private or public
company. Makes no difference. The bigger the trove, the finer the hackers.

------
moltar
That’s why I bought the tests on Amazon on Father’s Day sale. Then used
completely fake info and fake email to register on the testing company site.
Totally anonymous as there’s no way to link the purchase to results.

~~~
crumpled
Eventually that data will become associated with your real identities. How
could it not? You're obviously so-and-so's grandfather/first-cousin/whatever,
and they gave their names.

------
qserasera
I wonder if we're getting close to being able to synthesize a DNA profile and
fool most of the labwork being done.

Most DNA profiles are SNPs and they won't be enough to 'clone' a DNA sample.

------
cinquemb
I'd be only interested in this stuff when we can do our own dna readouts at
home and compare it against population level statistics that have been
published publicly by researchers

------
drusepth
Is there a list somewhere of who exactly was exposed? It's difficult to
remember which sites I've given DNA to and which I haven't.

------
GnarfGnarf
The human genome is about 3.4B base pairs (G-C, A-T). The specific DNA used
for genealogical matching is 700K base pairs. So the testing companies are
only using 0.02% of your DNA, hardly enough to compromise you.

Furthermore, the matching process is based on SNPs (Single Nucleotide
Polymorphism) and STRs (Short Tandem Repeat) in the "junk" DNA section, which
constitute 92% of your DNA, and is distinct from the coding DNA that contains
health traits, among others.

So, not much to worry about.

------
maltelandwehr
Is there any way to get my DNA analysed anonymously? Like, with just a
throwaway email and payment via some service that anonymises?

~~~
eitland
At least it was possible for one person to send two identical samples under
two different names a few years ago to one company, but if everyone has closed
that loophole yet - I don't know.

Alternatively (a business idea for someone here who has already registered?)
you could send in other people's samples in your name and then request deletion
via GDPR or something. Do things that do not scale and all that ;-)

------
kzrdude
Is there a download available? It could be an exciting time to do some bootleg
research

------
Neph
Let the Clone Wars begin!

On a more serious note, is there any way to have your DNA analyzed
confidentially?

------
causality0
Amazing we don't have a law granting each individual copyright of their own
genome.

~~~
smolder
Why? Who is going to grease politicians to write that law?

------
troynabed
Aliens absconded with the DNA records obviously. Connect the dots people!

------
Sudophysics
Perfect, so I, a hypothetical nation state can build targeted and tuned viral
RNA for phenotypes and people I know will definitely cause me the most trouble
on the battlefield, diplomats, engineering floors, and economy? Oh, corona has
among the largest kilobase count? Hmmmmmm. What a fucking coincidence!

------
musicale
Well that's completely unsurprising.

------
qertoip
Self-hosted genome sequencing when?

------
StreamBright
Where do I reset my DNA?

------
systematical
1 million and me.

------
est31
Not saying that building databases of DNA is a good idea, but DNA is basically
public information. Everyone whose hands you shake (nowadays quite rare) gets
copies of it. The Amazon package you get has genes of every human who touched
it. If you send it back, you are sending Amazon your genes. The only issue is
the sequencing and the consent to use it for purposes like "improving our
services" aka improving the ads targeting or insurances (once the DNA company
is bought by an insurance). Consent is arguably less of an issue for hackers.

~~~
ivalm
It is a bit like face recognition databases. In principle, the data is already
public-enough. In practice, building these databases enables qualitatively
higher levels of surveillance.

~~~
jeffbee
How, exactly? It's not like I can use wide-area instrumentation to locate you
via your genome. You can imagine how to do it with cameras and faces, but I
just don't see the method for DNA.

~~~
throwawayDNA
Imagine the BLM protests (since that will probably be popular with the HN
crowd).

There’s video footage of a guy in a mask spitting on the ground after throwing
a rock. He’s wearing a mask.

His second cousin did 23 and me.

Actually, statistically many of his second cousins did 23 and me.

Therefore we know who he is.

If only one second cousin did 23 and me, we’ve narrowed the suspects to,
perhaps, a few hundred. Filter by apparent height, gender and you have a very
narrow set of suspects.

~~~
jeffbee
Didn't understand your point. Identifying specific individuals is not the same
thing as mass surveillance.

~~~
ivalm
But it IS a qualitatively new mode of surveillance that can’t exist without
large databases.

