The more TOS I read through, the more it seems we need a "common law" solution.
(I use the term "common law" loosely here)
Something like a couple of pre-defined categories for software services (e.g. info provider, social network, real-world interface) with pre-set rules (e.g. the client cannot attempt to break the social network; the owner of the social network cannot re-sell data to a third party).
We have something like this for brick'n'mortar retail already -- each store can't just make up their own rules but rather has to operate within a societal framework.
The system we have right now leads to every corporation being incentivized to claim as much legal ground as possible in the TOS, leading to a de-facto corpo-state. It also undermines the rule of law in a cultural sense since many things in the TOS may be deemed unenforceable when actually challenged in court. The users will always be in a severely disadvantageous bargaining position.
Until your country actually implements laws like these and Hacker News starts complaining that it is "business hostile" and "stifling innovation".
There are plenty of European countries which already have some laws like these. When I buy something on the internet, I have 14 days to return it if I don't like it. I am guaranteed to have a reasonable warranty. Companies cannot abuse my personal data without explicit consent. And indeed, forced binding arbitrage is also not allowed.
There is no need to mandate a template ToS, you just need basic consumer protection laws.
Having grown up in the US, my absolute favorite law in Czechia is the one that says the advertised price has to equal the price on the bill. In the US, you get a $20 cell phone plan and the bill is for $60 after fees. In Czechia the price is always exactly as advertised.
Another great one is that text size has legal meaning here. The larger/darker the text the greater the legal weight. So if the contract says two contradictory things, the larger text wins out...
Is that actually the law? Can I get a link to that? In Slovenia we have a "suggest-to-government" website, and I'll put the working example there and hopefully at least gain some traction somewhere.
Yes and no. The Czech law is very vague saying that contracts must be written in good will and be understandable by the signatories. It is the Czech supreme court which wrote up a legal test for understandability which you can find here https://www.epravo.cz/top/clanky/absolutni-zakaz-smluvnich-p...
I've translated the test using deepl:
"In practice, the principle of fairness is manifested, inter alia, by the fact that the text of a consumer contract, especially if it is a form contract, should be sufficiently legible, clear and logically organised for the average consumer. For example, contractual terms must be of sufficient font size, not be significantly smaller than the surrounding text, and not be set out in sections which give the impression of being irrelevant. This principle of fairness also applies to the application of general terms and conditions. As stated in paragraph 9, general terms and conditions may also be applied in consumer contracts, but such application is subject not only to the formal limitations mentioned but also to restrictions as to content."
> When I buy something on the internet, I have 14 days to return it if I don't like it
One (unintended?) consequence of this is that as a consumer, you cannot buy an annual digital motorway toll pass in Austria with immediate validity. The earliest your pass can start from is 18 days from the date of purchase.
"Customers can withdraw from the online purchase of a digital vignette within 14 days. Taking into account a further three-day period for mail, your digital 2-months and annual vignette is only valid from the 18th day after purchase."
How glorious that it's necessary to include 3 extra days to cover the potential delivery time of postal mail in the event of a return for an entirely digital product :/
The workaround for this - which I discovered last time I drove a rental car in Austria - is to tick the box that says "I'm a business, not a consumer". You don't need to prove you're a business, just to tick the box. Consumer protection nullified, can purchase product valid immediately.... <sigh>
Interesting though, that's not what the regulations say - DIRECTIVE 97/7/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 1997 on the protection of consumers in respect of distance contracts
3. Unless the parties have agreed otherwise, the consumer may not exercise the right of withdrawal provided for in paragraph 1 in respect of contracts:
- for the provision of services if performance has begun, with the consumer's agreement, before the end of the seven working day period referred to in paragraph 1,
You can buy digital goods for immediate use in other EU countries as a consumer - this sounds like something more specific (is it actually even the same in Austria for things like an e-book?).
Some online services simply ask you to waive your 14-day return right if you want to start using the service immediately. Not sure why they won't do this in this case.
In NL you don't get your 14 days on remote purchases when it doesn't make sense. You can't purchase a game, play it and return it. You can't eat the food. You can't wear the dress, etc.
If the 14 days do apply you have to inform the customer about it or it turns into 12 months.
Strange, I would have thought a pro rata refund would be allowable in these cases. I'm pretty sure that's how it works with insurance so I'm unsure why a toll pass would be any different.
Because they only sell them for durations of 10 days, 2 months and 1 year. So if you only need to cross the country for 5 hours, they would lose a lot of money.
> This is no longer true, I believe (starting Dec 1 2023). You can buy the vignette online starting immediately
If that's true then it's possible that Asfinag (the toll agency) haven't updated their website. On trying a test purchase just now to buy a two-month or annual pass it still states:
"I'm a consumer
Digital 2-month vignettes and digital annual vignettes purchased today are valid from 25.12.2023 at the earliest due to the right of withdrawal when purchasing online. All other toll products can be used immediately. (More info in the FAQ)
I represent a company
The right of withdrawal does not apply to commercial customers; purchased digital toll products are therefore valid immediately. (More info in the FAQ)"
I was only partially correct. Looked again at asfinag and the grace period does not apply to 1 and 10-day vignettes. From their website:
"18-days-period
Consumer protection is very important to us – especially as far as our digital products are concerned.
Customers can withdraw from the online purchase of a digital vignette within 14 days. Taking into account a further three-day period for mail, your digital 2-months and annual vignette is only valid from the 18th day after purchase.
This deadline does not apply if you purchase a 1-day or 10-day vignette!"
> "18-days-period Consumer protection is very important to us"
Which is of course how you immediately know that it is not just unimportant to them but they will try to do anything to not have to abide by the rules and maliciously comply with anything they can't disregard completely.
Really the 14 days should start when you actually receive the item in a usable state and if the law actually allows these kind of workarounds around that then it should be changed.
If you collect a vehicle in Austria it's almost certainly already got a vignette (pretty tricky for the rental company to operate an Austria-registered vehicle without one).
If you collect your car in Germany, as I did, and drive it over the border yourself then you almost certainly won't get one (although I've ever been lucky!) so you need to purchase one (physical or digital) before (or as) you cross the border.
> There are plenty of European countries which already have some laws like these. When I buy something on the internet, I have 14 days to return it if I don't like it. I am guaranteed to have a reasonable warranty. Companies cannot abuse my personal data without explicit consent. And indeed, forced binding arbitrage is also not allowed.
This is because of EU laws. A lot of the best laws we have in European countries are because of EU laws.
I also suspect that this clause isn't valid in most of Europe.
You are correct, I cannot find where arbitration is forbidden in the directive; also, it is quite the opposite.
I think in this particular case we are talking about Directive 2011/83/EU of the European Parliament and of the Council on consumer rights.
Article 6(1)
(t) where applicable, the possibility of having recourse to an out-of-court complaint and redress mechanism, to which the trader is subject, and the methods for having access to it.
ADR is not forbidden. But it is regulated by 2013/11/EU [1]. In particular:
"(43) An agreement between a consumer and a trader to submit complaints to an ADR entity should not be binding on the consumer if it was concluded before the dispute has materialised and if it has the effect of depriving the consumer of his right to bring an action before the courts for the settlement of the dispute. Furthermore, in ADR procedures which aim at resolving the dispute by imposing a solution, the solution imposed should be binding on the parties only if they were informed of its binding nature in advance and specifically accepted this. Specific acceptance by the trader should not be required if national rules provide that such solutions are binding on traders."
Australia also has very strong consumer protection laws. I'm not an Aussie, but many come here and tell us about it. It doesn't seem to scare companies away from doing B2C business in Australia.
As an Aussie, I can say that our consumer protection laws are awesome. Some multinational / international companies have been bitten by them, but only because they didn't do their due diligence before launching in Australia.
They're really an example of laws designed to protect people. I've universally found that people who complain about them either don't understand them, or they're trying to take advantage of people.
I don't understand how other countries operate without similar laws!
IIRC, Steam famously had to implement their refund system after the Aus government threatened legal action against them. They ended up making the refund system global rather than Aus-specific, so cheers for that one mates!
The problem as I see it is that the internet gives businesses the ability to operate globally, but having to be in specific compliance with different laws from every single country (or group like EU) is really challenging and in some cases the regulations are misguided (I think the rise of cookie consent banners is one of the crappiest things to happen to the internet as a user)
And that does make it hard, especially if you want to start an internet based business without a ton of money. It adds a huge barrier to entry. Whereas existing players can take on the burden of complying etc... further solidifying the position of very large tech companies.
I do agree that basic consumer protection laws are needed, but one overzealous piece of regulation really can cause a lot of problems.
> and Hacker News starts complaining that it is "business hostile" and "stifling innovation".
Thinking in such simple terms is going to draw you to wrong conclusions. Hacker News doesn't complain. People discuss things. Different people have different opinions. And if they did - so what? You're phrasing this as though people talking on Hacker News would somehow overturn common law.
I think GP was a valid comment about how people propping up business hostility is one of the main reasons consumer law is very weak in the US. Of course, people are allowed to have opinions. GP is arguing what the results of one of these opinions are.
I’d also use the comparison between what was claimed about EU regulations in the UK during the years leading up to Brexit, and subsequent developments. The money spent promoting those false claims was effective.
14 days is the minimum legal requirement for returns without having to state a reason. And they have to give you back real money, not some funny store currency. There are also minimum warranty periods.
> Until your country actually implements laws like these and Hacker News starts complaining that it is "business hostile" and "stifling innovation".
Literally, so what? I don't understand your point. You can't be under the impression that all laws must be popular with all people, so what does it matter if some ancrap libertarians complain about it? This shouldn't stop the implementation of such laws.
It’s more than “so what” because those people aren’t coming from nowhere. American businesses spend a lot of money promoting libertarianism to this end, and it’s been effective enough that any reforms will face unified opposition from every Republican in Congress and likely some Democrats. Most of these are minority positions in the public but not in terms of legislative votes.
> American businesses spend a lot of money promoting libertarianism to this end
American businesses would be the first one crying if they had to operate in a libertarian environment. In reality, they spend a lot of money to ensure heavy regulation that allows them to build moats.
They’re pretty fond of disclaiming obligations and not being sued in real courts, though. The key thing is recognizing that most of the libertarian media exists to serve the funders’ interests, not to promote a coherent ideology.
What media is seen as holding a libertarian ideology? That is not a common bias. I do see the "consumers should have more choice" bent that you seem to be talking about more prevalently, but that's something quite different.
There’s a pipeline you can see when they’re workshopping ideas where things start at some think tank or other very openly ideological organization and move through Reason, TNR, Fox, on to the WSJ and NYT where at each level the issue is pitched as more of a “lots of people are talking” kind of phenomenon detached from the source.
A really good example of this happened a decade ago when you started seeing these public reconsiderations where an NYT oped or someone on a Sunday news show was asking whether Rachel Carson was responsible for increased numbers of Africans dying from malaria. If you didn’t follow it before then, it looked like an organic discussion reconsidering whether an environmental success has unintended consequences.
If you had followed it, however, it was actually funded by the tobacco companies as part of an attack against public health agencies. They started with places like their lobbyist’s blog, got traction in the libertarian / right-wing blogosphere, then Reason, then the unabashed right-wing media, etc. until the more mainstream media felt the need to cover this story “everyone” was talking about:
It’s not uncommon to find that cycle behind “runaway government” news stories where the mainstream coverage doesn’t mention that someone’s full-time job was pitching that story to reporters.
While I understand that looseness of your "common law" phrase, it's precisely the newness of the field that leads us to the lack of historical precedence (ie "common law").
So I would argue that we don't need "common law", we need "actual law".
The problem is that "law" is a subject that is very, very specific. Don't want them to sell "your data" - well then first you need to define what data is "yours" and what is "theirs". That might be harder than you think. (Do you own your social security number? Or did the govt lend it to you? Are public records considered to be public data?)
Privacy is just one corner. What about finances - can a service cut you off? What if you never paid for it? Can you delete posts? Can quotes from deleted posts still exist? Can advertisers target specific demographics?
The problem being that writing actual law for this stuff is hard. Writing law that will satisfy even a majority of people is near impossible.
So I hear your call, but I suspect you won't be happy with the law when they make it.
I'm not sure, IANAL but I would say that much of what a EULA or ToS covers is not that novel, companies skate by on technicalities, and a nontrivial portion of a typical agreement may even already be invalid but lacks case law. If companies weren't worried this might be true they wouldn't need the severability clauses. For example, disassembling or repairing items you paid for or duplicating legally owned copyrighted works for personal use (not distribution) were rights that were well established, but sprinkle in the right technology (even if it has no purpose other than to interfere with these rights) and suddenly it gets a pass. It's not a novel situation, it's a loophole to opt out of established law.
You are right that we won't be happy with the new laws, as so far and with the examples I gave new laws have mostly removed consumer rights, not asserted them.
> duplicating legally owned copyrighted works for personal use (not distribution) were rights that were well established, but sprinkle in the right technology and suddenly it gets a pass
True in more than one way; owning copyright to your works and being able to refuse/get paid for commercial distribution was a right well established, but a sprinkle of right technology and suddenly they can charge people to copy your work on demand with minor modifications for your own commercial use (while you get nothing).
The newness of the field has nothing to do with it. The internet and tech in general has benefitted from being outside the law and doing all the old illegal sales and marketing techniques, online.
We can get into the weeds on the detail of the law, and we'll find in the end it looks something like where we started with 'common' law.
Law doesn't need to satisfy the majority of people, most don't want or care about what the law says or does. The law needs to secure some core concepts of liberty, freedom and move on.
There's nothing new under the sun, it's a lot of work. Making small changes works better than thinking about an entirely new system.
The easy answer should be TOS that are not non lawyer readable or not under N paragraphs are not binding. When you buy a house you don’t give 1 signature. You literally sign every friggen page including multiple places on the same page, TOS shouldn’t be different
Require companies to make a reasonable effort to ensure users have read the license.
Want to order some food from some new delivery website? Hold on, I just have to sit on this screen for 30 minutes pretending to read the EULA -- oh nevermind, I'll just go pick it up.
> Want to order some food from some new delivery website? Hold on, I just have to sit on this screen for 30 minutes pretending to read the EULA -- oh nevermind, I'll just go pick it up.
Well, that would be ideal, because in order to actually get users, the company would have to have very simple and reasonable terms. After all, that's the case for the vast majority of in-person businesses.
Youtube has a relatively short UK ToS [1] that doesn't require a lawyer to understand. This is impressive given the variety of copyright, monetisation, and content moderation rules it touches.
Yet almost nobody reads it, despite it being promoted on visitation to one of the world's most popular sites.
How about a "continental law" solution? Usually you can't give up rights you do not have yet, so you can't sign a binding arbitrage clause if you haven't been wronged yet. This is in addition to TOS'es being restricted heavily by laws that define the limits of general terms and conditions (generally contracts that are offered to a large amount of people) and the existence of consumer arbitration committees that make it really simple for consumers to go after firms.
> so you can't sign a binding arbitrage clause if you haven't been wronged yet.
This doesn't make sense to me.
Firstly, I take it that by "arbitrage" you mean "arbitration"; arbitrage is a kind of market trading, and "binding arbitrage clause" isn't a thing.
If we're talking about arbitration, many contracts contain binding arbitration clauses which are enforcible by either party from the outset; neither party has been wronged yet.
It's not like we don't have cultural admonishments against this type of behavior - take Rapunzel for example.
* Walled garden of the sorceress equivalent to corporate walled garden.
* Rapunzel (the leafy green) representing either a life-saving service or unquenchable greed of the consumer. By holding the genetic health of future children hostage, The 23andMe connection is particularly apropos - the sorceress holds Rapunzel hostage.
* The husband agrees to a ToS in exchange for rapunzel (the leafy green).
As the story unfolds the consequences reveal themselves...
It's difficult because digital ToS are so tightly tailored to your business, and digital businesses are so malleable and formless.
If you went through the effort to standardize your ToS, it would only be "useful" to a tiny handful of businesses at specific points in their growth trajectory.
Regulations like GDPR are a top-down approach to the privacy component of a Terms of Service (i.e. there are only so many variations to the privacy sections within a ToS that comply with GDPR), but there are so many more components than just customer data locality.
That being said, as a privacy-respecting entrepreneur, coming up with a "user-respecting" (i.e. win/win, legible, minimally-demanding/withholding) ToS is a sizable challenge. It'd be nice to have templates. I basically resort to reading the ToS of companies I respect in similar verticals.
Imagine there were a set of a few common terms that businesses could select, each with an icon, a high-level explanation, and the detailed legal copy.
I think there is a common set of those that would probably cover 80% of needs.
The remaining 20% could be "extended", custom terms for this company.
Such a system seems like it would make things much easier for consumers to understand, and also save legal fees for most companies. Maybe a good standard for a TOS-generator company to design and promote?
In general the problem is not that the documents are not readable or comprehensible - I understand perfectly well that in legalese it says that the situation will favor the business in every possible legal fashion and if some of those are not legal the remaining document will favor the business in every remaining possible fashion.
The problem is they are contracts of adhesion that consumers don’t have a real interest or consideration in, other than the performance being conditioned upon your agreement, and which they do not have any ability to debate or modify or generally any recourse except to go to another business with an equally odious contract as a condition of performance.
They’re not incomprehensible, they’re unconscionable, and solutions tackling the former are missing the point.
The problem is that the same “lobbying” that produced the regulatory environment permitting such contracts to be forced upon consumers also precludes any real attempt to tackle the latter. Businesses would scream here if you forced them to follow standard consumer protections, and our system is oriented to favor their interests over consumers in nearly every possible scenario as well.
Another “continental” solution to this would simply be to outlaw contracts of adhesion or contracts in which the consumer does not receive a consideration (other than performance of the contract). If you don’t have a consideration it’s simply not a valid or conscionable contract, people don’t agree to give up money or rights voluntarily in return for nothing, therefore these contracts must facially be coercive.
> If you went through the effort to standardize your ToS, it would only be "useful" to a tiny handful of businesses at specific points in their growth trajectory.
Sounds like the kind of language used by people who consider consumer protection to be something to work around to maximise profit. Yeah, those businesses can get fucked.
> That being said, as a privacy-respecting entrepreneur, coming up with a "user-respecting" (i.e. win/win, legible, minimally-demanding/withholding) ToS is a sizable challenge. It'd be nice to have templates. I basically resort to reading the ToS of companies I respect in similar verticals.
It's only a sizable challenge if you want to seize more rights for yourself than is already guaranteed by existing laws.
Part of the ToS is explaining exactly what you do as a business with users' data and IP that they submit to your service. If you're maximally ethical, you still have to outline everything, and yes doing this concisely + precisely is a challenge.
Pulling an example out of a hat, see Mullvad's ToS[1] and Privacy Policy[2], and "No Logging" Policy [3].
I wouldn't say (at all) that Mullvad is trying to seize more rights than those guaranteed by existing laws, and yet maintaining their ToS almost certainly costs tens of thousands of dollars per year.
For another example, see Bandcamp's Terms of Use [1]. They straddle the line of social media (where you need the platform to be an effective moderator, which requires extensive ToU) and the music industry (which involves much liability around various IP rights).
Bandcamp isn't really screwing anybody. IMO the most objectionable thing they do is provide Google Analytics as a service to paid musicians. But the lines around that are <5% of their overall set of policies, precious few lines of which are objectionable.
Personally, I'd like for it to be illegal to force people into TOSes which add binding arbitration to access their accounts and data once they've already put time and money into the system otherwise. I shouldn't be negatively impacted regarding my rights to data or damages just because you were careless with my data. Likewise, any explicit agreement to legal remedy should really be in its own independent section for users to approve.
Personally I'd like for binding arbitration to be unenforceable period. It's a hack to work around the laws of the country by preventing people from availing themselves of this and should be treated as such.
"... the owner of the social network cannot resell data to a third party)."
Not sure I understand. Social media operators do not sell data. They provide access to computer users, acting like a Trojan Horse. ("Our app is installed on millions of phones. Millions of people use some individual's website to communicate with each other." Zuckerberg, Musk, etc.)
Perhaps "resell" refers to when social media companies buy data. What prohibits them from (re)selling it. Maybe the seller's terms would prohibit transfer to any third party.
Using the term "sell" to describe these data transfers to other parties is ineffective. Prohibiting the "sale" of data will not stop social media companies from transferring data to others.
I like this idea, but I think it's not flexible enough. Instead my over complicated dream is to allow companies to propose new TOS in a similar way to new top level domains. They can put in a lot of money and add TOS language to the approved list, but then anyone can use that language. Ideally the pricing would be such that only 10 to 50 unique TOS would exist at any point in time
So instead of the richest companies setting the standard for what a TOS contains.... The richest companies would formally set the standard for what a TOS contains.
I think the problem I was most interested in solving is maybe only somewhat related to this. I was frustrated that no one actually ever looks at TOS and so there is very little real informed choice happening. With a small fixed number it would be easier for audits and understanding to happen
Individual states don’t have the power to restrict arbitration agreements in this way. California has tried repeatedly, but the laws keep getting invalidated because they’re preempted by the Federal Arbitration Act, which requires that contracts containing binding arbitration clauses be enforced and treated the same as all other contracts. State laws that selectively disfavor or restrict arbitration agreements will violate this.
If this regrettable state of affairs is to be improved, it will require an act of Congress, unfortunately.
If you don't want a company to have your DNA, don't give it to them.
It seems like a business was built around people wanting to be told they had 20% more fun in their bloodline, for a fee. Those people didn't consider the implications of giving this kind of data to a private company.
Now the company is saying, "we got the DNA you gave us, for a fee and we don't want to go to court to fight you about how we use it".
Just don't give them your DNA. It's not that hard.
To: arbitrationoptout@23andme.com
Subject: Request to Opt-Out of Updated TOS
23andMe Team,
I am contacting you regarding the recent changes to the 23andMe Terms of Service, dated November 30, 2023. My name is [your name as registered with 23andMe], and the email associated with my 23andMe account is [your 23andMe account email].
I hereby formally request to opt out of the newly updated Terms of Service. I do not consent to the terms as outlined in the recent update.
The article points out that the mass-sent email used a different email address than that of the ToS. arbitrationoptout@23andme is the email in the ToS.
Jury is out whether this hyperlink mix-up was intentional...
I was confused exactly because arbitration was in the previous ToS, so disagreeing with the new T&S doesn't give you new benefits (other than the full refund in case sampling doesn't work). See Bard [1] / ChatGPT's [2] assessment here.
It seems the 30d opt out was intentionally buried, so folks thought opting out of T&S would get you out of the forced arbitration.
23andMe is only giving users 30 days from when they receive the email to opt out of the new policy, which you can do by contacting arbitrationoptout@23andme.com.
I am a young person who has never sent a fax so please forgive my ignorance, but how does a fax allow you to prove you sent it?
edit: nvm I looked it up myself and learned about fax receipts. Sucks that the equivalent feature in email (read receipts) is usually not enabled due to abuse by spammers.
The Polish Competition and Consumer Protection Office looked at the terms and conditions for subscriptions to various Amazon services available in Poland, and in a message published in the press yesterday the office chairman says:
> "(...) companies Amazon EU and Amazon Digital UK had procedures in place that allowed unilateral price changes from the new subscription period onward. This type of condition is particularly detrimental to customers in situations where a payment card (debit or credit card) has been assigned to the account, and the operator grants itself the right to automatically charge the new amount for the next subscription period."
> "We have been advocating for years that contractual terms should fairly regulate the obligations of the contracting parties. In the case of subscription services, which are gaining popularity, consumers trust the service provider and entrust their payment card data to access and pay their obligations on a regular basis. >>This does not mean that from that point on, operators can, without their consent, charge more than what consumers had previously agreed to<<."
> "It is unacceptable to automatically charge according to the amended price list in the form of blocking the funds from the connected payment card or unilaterally introducing significant changes in the contractual terms,"
It's about Amazon here but the office investigates subscription services offered by other companies as well. Amazon EU and Amazon Digital UK cooperated with the office and now will notify their customers about the upcoming changes allowing them to refuse these and break contracts without any penalties. This works for ISP providers already - they can't change contracts at their own whims; tho, they can pester you with phone calls with "totally new tied for your needs plans".
It's possible to push companies to change their behavior but I doubt this could apply to a specific service that 23andMe is. Although, this data breach might force data protection offices from various countries to look closer at what they're doing here.
Part of the initial terms of service that you agree to is that the terms can be changed by the company at any time as long as they give you X days of notice.
In the UK an unfair contract term or notice is not binding. It is defined as "contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations under the contract to the detriment of the consumer."
The absolute limits of terms of service aren't clear, but there have been tons of cases about website/software terms of service. A quick search of Westlaw finds hundreds of reported cases in my state alone. There are certain things like binding arbitration that courts have found unconscionable to be in a clickwrap agreement[0], but generally terms of service have been found fully enforceable. There's definitely been a lot of court testing.[1]
I assume you mean US courts? In other countries there have been lots of cases about TOS, in one way or another. Strange that there isn't such a thing in the US.
Not the parent commenter nor a lawyer, but I believe it's something like a company can't put things that someone would never agree to in the TOS and have it be binding. But obviously that "would never agree to" part is fuzzy at best and possibly what they're referring to when saying it's not been tested. I might be mistaken about that but I have heard something to that effect from a prosecutor I know.
Even if, in general, a TOS could be changed without explicit consent, a judge may well decide that agreeing to arbitration requires a higher standard than just ignoring an email.
IANAL, but I believe it works the same way as, say, physical property. If you don't "defend" it by objecting to it or putting up fences, and let people move in or say they are changing things, it's effectively qui tacet consentire videtur (silence gives consent).
How is it, that after the fact (the hack), can the TOS be changed to mitigate damages from their lack of security? If this is the case, why worry about security then if all we need to do is change the TOS after the fact. No, I suspect a good lawyer or two can challenge this.
Regardless of TOS, relatives who never agreed to the TOS may still have standing.
Will some non-TOS-signing relative who was impacted by the data breach lead a trillion-dollar class action suit?
(Class action, with the goal of putting a healthy fear of the public into abuse-inclined industry. Not the class action goal of letting a misbehaving company pay off liability with a small percentage of their gains from misbehavior, in exchange for making a few lawyers wealthy.)
This 2021 New Yorker article: How Your Family Tree Could Catch a Killer (https://www.newyorker.com/magazine/2021/11/22/how-your-famil...) was incredibly illuminating and changed my perspective on our sense of privacy. With a surprisingly small fraction of the world's population sequenced, we can still match a sample to a person whose sequence we don't have. To quote the article: "Genetic genealogy, it turned out, could function as an all-purpose de-anonymizer".
So perhaps be less upset that Mom signed up; our DNA really isn't ours in the same way the documents on our hard drive are. You were never going to be able to opt-out.
> Before you submit your data for genetic testing please realize that you are giving away a portion of the ultimate family heirlooms, the genes that run in your family and that this decision could easily come back to bite others.
I wish my mom had read this. She would have understood the implications, and not done it.
It's very annoying how these companies sucker people in to do things they might come to regret later, there is absolutely zero transparency here. Besides the potential for massive privacy violation there is also always the specter of future uses against your interests.
> there is also always the specter of future uses against your interests.
This. The danger isn't even necessarily that we gain some crazy ability to predict things about a person from their DNA, but that people believe that it can be done accurately and that police, courts, government, marketers, etc believe it as well.
Police don't need much convincing if it gets them a conviction. Courts will already admit evidence from forensic labs which have been proven to fabricate evidence. Governments will let just about anything fly if someone donates enough, and if marketers are convinced that it might work, there will be no shortage of cash for campaign funds.
Currently, to my knowledge, you can take somebody's DNA and do just about anything with it without their knowledge or consent, and there seem to be a lot of well-monied interests with a stake in keeping things that way.
> Which undoubtedly well meaning civil servant long before World War II came up with the brilliant idea of registering religious affiliation during the census is lost in the mists of time.
I guess this happened because The Netherlands used to be a very religious nation?
I mean, in 1901 they got Abraham Kuyper[0] as a prime minister. Abraham Kuyper was a Christian minister, and is well-known among Reformed Christian circles as a very impactful theologian.
It is very understandable that a nation like that would want to list religion as part of their census data.
They used to be so religious that it incited a revolt in the southern parts of the country that were of a different religious branch. That's how Belgium came to be, with the only unifying trait for the new country being their shared religion, Catholics, regardless of the many other differences (French-speaking Walloons with many merchants and tradespeople, and Dutch-speaking Flemish that were mostly farmers, and mostly oppressed by the French-speaking ruling classes).
And now a nation state hacker can use the same database to identify U.S. citizen descendants (to what generation?). Good luck with "illegals" style espionage
This feels like a "think of the children" type of appeal.
I personally don't have any murderous history to hide. But there are unintended consequences with all of these losses of privacy. As a peer comment has rightly pointed out, nation state adversaries now have these same profiles.
Maybe they can find a common DNA profile for an efficient bio-weapon. Oops.
I escaped an authoritarian regime as a child, thanks to the same mother. I hold no ill will towards her, but I am deeply aware of the issues that bad actors can create by compiling huge databases of otherwise unnecessary information.
> I personally don't have any murderous history to hide
I've been meaning to ask, could you please remove the curtains to your bedroom so I can see in? I know you're not doing anything wrong so you've got nothing to hide.
I think his point was that using this qualifier gives more credence to the "nothing to hide" folks. The more people get used to saying it in defense, the easier it becomes to use as an attack.
No, you are misreading the GP. What they mean is a bioweapon specifically tailored to match a particular DNA profile. Think Germany, 1939, or South Africa, 1985, but with this capability to see what the possibilities are and how utterly unstoppable that would be. And probably there are contemporary examples as well, but I don't feel like starting a flame-fest.
That only seems useful if said bioweapon can’t be determined by anyone else to have been DNA-based. Otherwise, why not just use a conventional bioweapon (lol) and target it more precisely? Using this hypothetical DNA targeting technology doesn’t seem like it’s solving a real problem.
I guess if you could target one person specifically? But then again there are way easier ways to kill people.
It could be specific to a family, or with this broad a DNA + meta data dataset, it could be enough data to wipe out much of an entire group. Choose the common traits in people who self-identified as a group. English, Jews, Slavs, Native South Americans, non-Han, etc.
The problem with bio-weapons has always been "blow back." Narrowing the scope of the weapon would help a lot with that.
Yes, exactly. And that DNA profile could be more or less specific as well to the point where you can commit genocide. Think 'final solution', not 'James Bond'.
There will be several Nobel Prizes in creating the technology to get this bioweapon.
You need something which reproduces itself even in non-targets, which enters the cell's nucleus, which detects the correct DNA - which may be scattered across the genome! -, which has a mechanism that kills the target people, and where none of this will mutate so as to stop effectiveness, change/broaden the target population, etc.
Furthermore, just because people identify as a group does not mean they have a distinct genetic pattern. How would you target "Christians" or "Americans" or "Hispanics"?
This appears to be a harder task than curing cancer, in that many of the same techniques could be used to target cancerous cells but that does not require the ability to spread from person to person.
A bioweapon doesn't appear in a vacuum. The required technological advances will be widely known. In this fantastical cancer-free world, why wouldn't your local health care center have the ability to sequence unexpected genomes and prepare a vaccine or phage in the same day?
> How would you target "Christians" or "Americans" or "Hispanics"?
You don’t need to have a 1:1 mapping in order to be effective. Incapacitating a sufficient number of a group is enough.
Similarly, such a bioweapon in an assassination context doesn’t need to only kill the target or go unnoticed. It’s enough that it is a disease or irritant that a particular individual is susceptible to.
Assuming you have a communicable bioweapon which is somehow able to target based on genetics, and assuming the rest of the world isn't able to defend against it, that still leaves the very tricky question of finding a genetic basis which characterizes any of those three categories in a way which is sufficiently effective.
Do you really believe there is a way to identify "Christians" based on genetics?
"Incapacitating a sufficient number of a group" is NOT enough. You also need specificity.
What genetic markers indicate "American"? Sure, if you target something simple like "has a Y chromosome" you might take out about 50% of the US population, which is likely a sufficient number, but you'll do equal damage to your own population.
How would a bioweapon meaningfully target "Hispanics"? The term is definitely not based in genetics. If some villagers from a German town emigrated to Argentina and others from the same village emigrated to Canada, then according to the US the descendants of the first group are just as Hispanic as Black Spanish-speaking Cubans, while the descendants of the second group are "white".
But, okay, you've figured something out. Now how do you prevent your bioweapon from mutating the specificity away? You've added a lot of machinery to the organism which must be preserved perfectly even though that machinery isn't required in order to reproduce.
The more failsafes you put in, the bulkier the organism and/or the fewer genetic markers you can target.
Clearly you should be promoting DEI as a way to increase group robustness against future bioweapons. ;)
I'm really curious what, and how, these commenters think a genetic bioweapon would target. Cell-surface receptors seem the easy target, but as we've seen with COVID, and the more general swine and avian flus passing to humans, specificity changes. And cell surface receptors aren't that specific for any ethnicity, so expect a nuclear response from the survivors (both from your target and from the other states who had affected citizens).
If targeting proteins or regulatory regions of DNA, how? Are you going to try to CRISPR it? This may be effective in quiescent or senescent cells. But I think even quiescent cells have some DNA repair pathways. At best such targeting may speed up the aging process and cause some cancers.
Are you going to integrate a toxic gene at a specific chromosomal locus? Maybe that would work. You'd need a very efficient gene therapy approach to do it though.
That's ok, I get it: I have the exact same thing when I'm too focused on a problem. And then a week later or so it's like a light bulb going off and I feel very silly for having missed the obvious. But let's not give people ideas here, this is pretty dangerous territory and I don't think HN should turn into a cookbook for miscreants.
Just because you think you can create a bioweapon doesn't mean it causes trouble.
And as I wrote, this sort of bioweapon won't be possible until we've effectively cured cancer, and likely also developed methods which can easily identify and stop it.
A secret skunkworks approach could facilitate genetic inventions that don't get passed into the general knowledge base. It would be difficult making discoveries that all of the other biologists working in society miss, but is remotely plausible.
Again, the technology would be able to cure cancer. Do you really think all those employees - who know that their friends and family could be cured of their cancer - would be willing to keep mum of the cure?
It depends on how isolated they are kept from each other's work. It's not as if we don't already have decent cancer therapeutic technologies in the pipeline.
We do not have broad-spectrum anti-cancer therapeutics, much less ones which are based on self-reproducing communicable organisms that target the cancer's DNA.
Therapeutics which prompt the endogenous immune system to recognize the cancer cells as something to attack. I believe this is the basis of mRNA cancer therapeutics? I believe they are targeted for individual cancers and possibly individual people, but given the speed in which they can be made this doesn't seem like a major future hurdle.
Throw one into a gene therapy vector and it could conceivably reproduce itself (though that seems like a bad idea for a cancer therapeutic anyway).
"I believe" and "conceivably" do not make good evidence that something is in the pipeline.
mRNA cancer therapeutics do not target nuclear DNA. They do not enter the nucleus and they produce proteins to trigger an immune response against the targeted disease, not against the DNA of the targeted disease.
You're misinterpreting my initial objection. Skunkworkers would care less about the personal ramifications of keeping technology which could be used to cure cancer secret if there are already viable full-cure treatments for all of the cancers they or their family members may plausibly come down with.
Again, technology isn't in a vacuum. You really can't predict what medicine will be like in 100 years.
If there are already viable full-cure treatments for all those cancers then why aren't there viable full-cure treatments for this sort of bioweapon?
Feeling ill? Sequence all the organisms in your blood, spot the unexpected ones, develop a vaccine/phage against it, and poof - all better.
Sure, you can construct movie plot scenarios to do anything. In a movie, our hero can use a lighter to ignite the leaking fuel trail from a jet plane taking off and cause it to blow up. That doesn't mean it's likely or even feasible.
> If there are already viable full-cure treatments for all those cancers then why aren't there viable full-cure treatments for this sort of bioweapon?
Plenty of possibilities. A cancer is ultimately a mutated genome in a viable cell gone awry. Even with contagious cancers (like the one killing the Tasmanian Devils) you're still ultimately dealing with an infectious eukaryotic cell of basically the same species type as the organism, and our mammalian immune systems are already used to targeting our own cells gone awry. Viruses, satellite viruses, prokaryotes, other eukaryotes, edited out, and whatever I'm forgetting will require a diversity of approaches (unless someone invents pico-scale teleportation).
> Again, the technology would be able to cure cancer.
That's your strawman. But I can - easily, at that - imagine a POC that would be specific enough to kill a single human with a very high degree of success given some meta data about them and a sample of their DNA. I'm for obvious reasons not going to expand on that here because we have too many idiots in this world but the fact that you can't imagine such things doesn't mean that others can not.
So what? Movie plot scenarios do not need to reflect reality.
I can easily imagine hopping on the next Pan Am rocket service to Luna City.
I can easily imagine using a space laser to kill that same human.
I can easily imagine taking a bridge from Key West to Cuba.
I can easily imagine taking a pill to regrow an amputated leg.
Just because you can easily imagine a POC doesn't mean it's doable in our lifetimes.
What are you going to target in the DNA? Is it a single short sequence or multiple markers across the genome? How does the bioweapon sequence that DNA to find it? How does that then trigger the appropriate biological response? How do you prevent mutations? What infectious organism will you use? How do you know the target isn't already immune to that infection?
Even if you expand on one or two of these in convincing detail (congrats on your future Nobel Prize, by the way), that's still not enough for the idiots in the world to make a usable weapon.
> How would you target "Christians" or "Americans" or "Hispanics"?
You don't have to be able to target any group to be able to target some groups. Blacks, Jews and Uighurs might be sufficient. And those definitely have genetic markers.
"Blacks" is a term with very little basis in genetics. What do you think the bioweapon will target?
"Jews" is less diverse, but it's not like there's a single "I am Jewish" marker. Just look at https://en.wikipedia.org/wiki/Genetic_studies_on_Jews to see how difficult is it, with overlaps to other populations, and the need to correlate multiple haplogroups. How do you put all that detection machinery into a bioweapon?
https://en.wikipedia.org/wiki/Uyghurs suggest there are similar issues with Uyghurs - what will the bioweapon target if "the average genetic ancestry of Uyghurs is 63.7% East Asian-related and 36.3% European-related"?
And how do you prevent the bioweapon from mutating that specificity away?
Yes, such a weapon will never be very precise. But since no weapon ever is (collateral damage) that doesn't mean it won't be used.
> And how do you prevent the bioweapon from mutating that specificity away?
You don't. But even that won't stop such a weapon from being used. Every weapon that mankind has been able to envision and create has been used. Not a single exception.
You have presumed that this sort of DNA-targeting bioweapon could exist. We have lots of pie-in-the-sky weapon ideas that haven't been developed, like the Supersonic Low Altitude Missile. Why are you so sure that this bioweapon isn't yet another one of those?
Setting that aside, the hydrogen bomb has not been used as a weapon, only a deterrent.
Same for the neutron bomb (an "enhanced radiation weapon").
And nuclear depth bombs ("All nuclear anti-submarine weapons were withdrawn from service by China, France, Russia, the United Kingdom and the United States in or around 1990.[citation needed] They were replaced by conventional weapons such as the Mk 54 Torpedo that provided ever-increasing accuracy and range as anti-submarine warfare technology improved." says https://en.wikipedia.org/wiki/Nuclear_depth_bomb ).
"The United States Army Biological Warfare Laboratories weaponized anthrax, tularemia, brucellosis, Q-fever and others.[51] ... In 1969, US President Richard Nixon decided to unilaterally terminate the offensive biological weapons program of the US, allowing only scientific research for defensive measures." says https://en.wikipedia.org/wiki/Biological_warfare .
Have all those weaponized organisms really been used as a weapon? Not to my knowledge.
> Maybe they can find a common DNA profile for an efficient bio-weapon
For this it doesn't matter whether a "nation state" is making the weapon. An empire state, sub-nation state, or non-state entity would be fine. What matters for a common DNA profile weapon is that said entity targets a mostly ethnic state, or non-state nation such as the Kurds, preferably with an ethnicity genetically distinct enough from one's own people, and that said ethnicity is genetically specific enough, in exactly the right ways, to target. As eesmith writes, good luck with that.
Doesn’t that imply that we should object to all dna databases? If a database can be used to identify people not in the database, does the scale of the database matter? The consequence would be that law enforcement can no longer compile databases of dna materials (a curtailment which I wouldn’t mind, but many people see these databases as essential for modern law enforcement).
23andMe claims that no DNA information was revealed, and I'm having trouble finding a primary source that claims that the SNP info was taken. From a more detailed article:
> ... which exposed sensitive personal information that included things relevant to ancestry trees, birthdays and general geographic locations. In some cases, the company said that the hack could have exposed the pictures and display names of affiliated family members also using the company’s services through the accounts that were primarily breached. 23andMe insists that no actual genetic material or DNA records were exposed
> ... A 23andMe spokesperson told Engadget that hackers accessed the DNAR profiles of roughly 5.5 million customers this way, plus Family Tree profile information from 1.4 million DNA Relative participants.
> DNAR Profiles contain sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.”
Presumably the journalist at Stackdiary translated "DNAR profile" into "genetic profile," which is a term with no standard definition, but if it had one, I would have guessed it would mean at least some DNA info.
23andMe could be lying or ignorant of what happened, but that would also mean that there would also be another news cycle when further disclosure was mandated.
The worst is the classic social media tactic of using user-submitted data to attract others.
Imagine there came a responsible DNA service tomorrow, which used differential cryptography or something, so that you could share DNA and look for relatives with some semblance of privacy.
They wouldn't get off the ground, because your relatives? They're on this service, or Ancestry or MyHeritage or FamilyTreeDNA, which are every inch as sleazy, US or Israeli megacorporations which you can trust as far as you can throw them (which isn't an inch).
To make you feel better, it doesn't have to be your mother to identify you. If a cousin were to have done it, you would still be easily identifiable. Basically anyone in your blood line using any of the services would make you easily identifiable.
I fully agree with everything you say, but until legislation is enforced you can hardly blame a company for capitalizing on the lack of privacy laws (you can still hate them).
Point is, start demanding legislation around data privacy and security to anyone who will listen.
I feel like I can blame the humans involved with 23andMe specifically, as they are the specific humans who allowed unknown 3rd parties to have enough of my DNA to profile my family and myself.
However, I entirely agree with your last statement. I would like to call upon anyone who appreciates privacy to get behind a neural bill of rights. While it sounds a bit "tin foil hat" at the moment, non-invasive brain–computer interfaces are coming very soon. Especially using infrared techniques.
Today, TSA scans your face, soon enough it will be your brain. This is not a joke.
If the USA misses the boat on regulating neural interfaces, we will sail through the final frontier of personal privacy, and even agency.
I highly recommend that everyone listens to, or reads the transcript of Sean Carroll's podcast with Nita Farahany on the topic. It is dense with legal and technical information.
"Nita Farahany on Ethics, Law, and Neurotechnology"
By “unknown third parties” do you mean the hackers? The breach was bad but not that bad — it didn’t include your genetic material.
> The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
I meant 23andMe partners, and yes, also the hack, and future hacks.
This DB is a goldmine and I take an extremely pessimistic view on infosec.
Information wants to be "free" after all. Look at the KSA agents who were implanted at Twitter as an example. I would have to assume that nation state actors would also implant employees at 23andMe.
The publicized hack is the one we, and 23andMe, know about. It's just too juicy a target to keep safely guarded in perpetuity.
Simply by compiling this information, you are more or less guaranteeing it falling into the wrong hands eventually. This is an example of information which never should have been compiled.
There's no law against being a dirtbag but I am definitely still going to blame you for being a dirtbag. You could always choose... not to be a dirtbag.
I would rephrase your point, "don't be surprised when a company capitalizes on lack of laws" -- this I agree with. It's virtually a force of nature.
Meaning that she was over 70, and just wanted to learn some ambiguously defined information about her family history. There were some unknowns as far as where her great-grandparents came from. Maybe "naively" would be a better term.
We are all law abiding citizens, what do we have to hide, right?
Well, she did not read the T&C as far as how this information would be shared, and did not consider the implications of how she was making a choice for the people who she named on the family form, and did not consider the inevitable infosec implications which we are now all enjoying.
As it turns out, when binding arbitration is forced, those very same companies can't handle the caseloads that come with thousands of cases being filed individually so it can be a bit of a footgun.
Seems the law critters at 23andMe have thought of that. From the Ars Technica coverage[1]:
> The updated terms also explain a new process for mass arbitration. This requires that "if 25 or more demands for arbitration are filed relating to the same or similar subject matter and sharing common issues of law or fact, and counsel for the parties submitting the demands are the same or coordinated," this "will constitute a 'Mass Arbitration.'" Any mass arbitration dispute will be settled by the National Arbitration and Mediation, "a nationally recognized arbitration provider."
Can someone please confirm: Is forced binding arbitrage allowed in EU/EEA/EFTA?
If no, what happens if you are a customer from France or Germany? It seems like this contract is totally unenforceable!
A bit deeper, I really wish it was illegal to create intentionally unenforceable contracts. Too many companies create these incredibly scary contracts that no mortal human can understand, let alone know if unenforceable.
No, not if the customer is an individual ("consumer").
Directive 2013/11/EU, article 10 states "Member States shall ensure that an agreement between a consumer and a trader to submit complaints to an ADR entity is not binding on the consumer if it was concluded before the dispute has materialised and if it has the effect of depriving the consumer of his right to bring an action before the courts for the settlement of the dispute." https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:...
This does not preclude the customer signing away their rights after the dispute arose, as part of a settlement agreement for instance.
Not only if you're a consumer. There are multiple cases in Germany of Oberlandesgerichten (~= "Circuit courts") voiding arbitration clauses in B2B contracts as well.
Subway (the sandwich chain) is a good example of that. They were kinda screwing their franchisees and were forcing them to do arbitration in NYC, even for German franchisees. This was voided by the northern German "circuit court"[1]
I can’t count the times I have advised friends and family against using certain products and services, only to be ignored or be accused of being paranoid. In some cases the response is “well, you can already find anything about anyone on the internet” or “they already have everything”, etc. It’s incredibly frustrating to watch some of these highly consequential breaches happen. I have yet to have someone come back to me to say “You know, you were right.”
I am sure many/most HN readers have come across this to varying degrees.
Not sure there’s a fix. The only people who eventually get it are those who are unlucky enough to eventually suffer the consequences of their lack of interest in privacy and data safety.
Courts aren't dumb, though. It's a lot harder for an average person to fake something in their gmail outbox than it is for someone working for a corporation to delete emails from an inbox. Google could also possibly be sent a subpoena.
I asked because unlike paper mail where the deliverer is one trust-able government/commercial body, email by its distributed nature is delivered by hosts everywhere in the internet. How does a plaintiff generally gather evidence to prove the email was indeed delivered in these cases?
Have terms of service ever successfully been challenged for failing to meet the requirements of a contract? Like if I make an Uber account for my mom, and she uses it, at what point is she bound by the ToS?
Ordinarily, ToS do meet all the requirements of a contract. Both sides assent to certain promises. They make an offer of the terms and you accept it by checking the box or whatever like they ask. That's what a contract is: https://matthewminer.name/law/outlines/1L/1st+Semester/LAW+5...
Even where you don't make the account, a court would assumedly find she agreed to the contract by virtue of quantum meruit by consenting to have you make it and her continuing to use the account.
If you sign your mom up for a credit card in her name, what makes her have to repay the debt if she uses it?
Thanks for reminding me that I needed to cancel my account. I should have done it years ago when they announced they were being bought out by private equity, and before the inevitable security breaches. Oh well, better late than never, I guess.
And, before the "why did you ever do this?!" replies, my wife really wanted to do it, all the way back when they first started, and I relented. Our common 0.3% "sub-Saharan African" results is still a running joke.
How do unilateral TOS changes like this work in practice? If the previous TOS didn't force binding arbitration, can they unilaterally impose this change on existing users? Basically forcing existing users to "agree" to this? What recourse do existing users have?
I don't use / won't use 23andMe, because of issues like this (the nature of the relationship changing unilaterally). I don't like sharing private data, nothing is more private than my DNA.
In case anyone is interested I've been compiling as much factual information on arbitration here. Not yet complete but reasonably useful and well sourced
The ability to join a class action. You may get very little or nothing, but litigators will extract for 23andMe’s data security failures. Private actions fill a gap when regulators and statute are inadequate.
If there is no cost, business as usual continues.
(I have opted out and intend to join a class action; I also own customer IAM in my day job, and am aware of the effort that would’ve prevented the root cause)
People who are not 23andMe customers might nevertheless be harmed by these breaches due to the peculiar nature of DNA data, and they could conceivably sue without being bound by any TOS.
You have to go through all of this and give away your body's code to corps and governments just to learn maybe your grandparents were from some part of the world?
There is not any privacy-respectful business that won't eventually be acquired by private equity and squeezed for every just-this-side-of-legal dollar they can get.
Don't give away your genetic information if you can avoid it.
Your best bet is probably to go through a doctor and get testing from a medical genome sequencing service that is covered under HIPAA. I am not 100% sure if this is bulletproof, but it is probably better than going through a DTC company. Plus, most DTC companies like 23andMe use imprecise genome sequencing and not full genome sequencing like many medical providers do.
You are completely wrong. The courts encourage this. Specifically, Republican appointees to the Supreme Court favor arbitration, because it is better for corporations.
Just to share a positive from 23andMe, given all the bad press around here.
I got on this service a couple years ago. I am adopted and had spent a long time trying to track down one side of my biological family. I had very little to go on other than a first name and general whereabouts 40+ years ago.
As it became more popular, I had half siblings and, eventually, my biological father reach out to connect.
It's been great knowing I have that connection finally. We're planning to meet soon.
This is a huge benefit of this kind of "opt in" service, but I recognize how devastating it might be if someone was concealing my existence for, say, religious reasons and a data leak or loose privacy settings from a common relative revealed something.
It's a nuanced issue, but my experience has been immensely positive in that it gave me something I may never have had.