“Cops, AI, drug companies”: Who wants to buy your DNA from 23andMe?

The bankruptcy of personal genomics company 23andMe is a headline that has broken past the well-heeled haze of the business world — given, of course, its existential implications for millions of Americans’ genetic information. The company, founded in San Francisco in 2006 and having served 15 million individuals to date, is one of a handful of genetic testing businesses whose customers mail in a cotton swab of their saliva.

This tiny DNA sample can be used to generate a host of comprehensive reports on a person’s ancestry, genetic health risks, and even how they process certain medications. Earlier this week, 23andMe announced it would be filing for Chapter 11 bankruptcy proceedings, which would involve the sale of those consumers’ most sensitive biological data to the highest bidder.

This raises a monumental question: who wants to buy your DNA, and why?

If you were hoping that 23andMe would be ushering in a long line of buyers who would like to use the data to finally cure cancer, buckle up. The companies and agencies most likely to be interested in 23andMe’s data represent a laundry list of cops, AI startups and pharmaceutical companies. And because DNA collected by genetic testing companies isn’t protected under the Health Insurance Portability and Accountability Act (HIPAA) — the privacy law that sets robust standards for providers’ and insurers’ handling of medical data — users’ sensitive genetic information is at risk of being weaponized for any number of nefarious ends, too.

“The data could be conceivably used and repurposed for a number of consumer targeting efforts — from marketing and advertising to blackmail,” Rennie Westcott, senior intelligence analyst at Blackbird.AI, told Salon in an email.

Darren Williams, an expert in data privacy and the founder of the antivirus software BlackFog, told Salon in an email that 23andMe’s genetic data could potentially be used “for identity theft or other malicious purposes, potentially for years.”

As mentioned, 23andMe customers first pay for the service online, then send the company a swab of their saliva. In addition to customers’ genetic information, 23andMe is also in possession of other highly sensitive data, including “extensive questionnaires and additional metadata about individuals,” Erika Gray, co-founder and chief medical officer of Toolbox Genomics, told Salon.

“While common genetic industry practices, and 23andMe, do keep their raw data de-identified, there is a risk that de-identified data could be re-identified with the correct inputs, and especially with 23andMe’s extensive questionnaire and ‘find your relative’ feature,” Gray said.

Law enforcement agencies “all the way from local to state to federal government” could be “very interested” in 23andMe’s trove of genetic information, Adanté Pointer, a civil rights attorney in Oakland, told Salon. “Being able to get access to 23andMe gives them a bigger database of genetic information than they currently have in order to match a potential suspect, victim or even a witness to a particular incident they’re investigating,” Pointer explained.

Those who sent their genetic samples to 23andMe “may have waived the right to assert that constitutional interest in the database or the sample,” Pointer said, and the company’s lengthy, “often overlooked” private waivers may have also waived individuals’ rights. 

“I’d imagine that in the consent form, there is language allowing 23andMe, its subsidiaries, spin-off companies, or even a company that purchases 23andMe’s assets (including the DNA database), to use that data as they see fit,” Pointer added.

Pointer is no stranger to law enforcement’s use of genetic information from other sources. In 2022, he represented a woman whose DNA, which she had provided in a rape kit, was used six years later to arrest her for retail theft. The plaintiff, identified as Jane Doe, said that before she provided a DNA sample to the San Francisco Police Department, authorities assured her that her DNA would be used “only to investigate her sexual assault.” The case ultimately settled out of court, with Doe being paid around $200,000 by the city, Pointer told Salon.

Customers’ genetic data could also be attractive to the companies that serve law enforcement agencies — which have a “ready-built customer base” of agencies already equipped to process genetic information, Pointer said.

Law enforcement agencies have long shown interest in the company’s DNA stock. 23andMe received 15 requests from law enforcement between 2015 and 2024, denying all of them. That policy may change, depending on who buys that data from 23andMe’s going-out-of-business sale.

Outside of law enforcement, AI companies could use the genetic information to train their data sets. “Cybercriminals are already using generative AI to automate attacks, and large genetic datasets like this offer a new frontier,” Pete Nicoletti, a cybersecurity expert and member of the FBI and Secret Service Cybersecurity Task Force, told Salon in an email.

Pharmaceutical companies and precision medicine companies could also use the data to develop new drugs. It wouldn’t be the first time 23andMe user data had been used by drugmakers: in 2018, the pharma giant GlaxoSmithKline bought a $300 million stake in 23andMe, in exchange for the ability to “mine its genetic database for new therapies.”

Another genetic testing company could also be interested – though it’s unlikely, given that consumer demand has waned for DNA kits since around the height of the pandemic, in 2021. It makes some sense: those who have their data analyzed really only need the service once, meaning there is a finite number of people likely to become customers.

“This data is probably of most immediate value to drug developers and manufacturers, and therefore pharma is a likely landing spot,” Westcott said. It’s a nerve-wracking moment for 23andMe consumers. And in large part, such a data sale wouldn’t represent anything new for the private market or regulators.

“This is not new in practice — user data is bought and sold constantly without any notification to the user,” Westcott explained. In 2020, the private equity giant Blackstone paid $4 billion for Ancestry.com — just one high-profile, public example.

But given that 23andMe itself would be acquired in bankruptcy proceedings, “the sale of genetic data is somewhat untested and unaccounted for territory from a legal perspective, and the sale of consumer data in the U.S. has historically faced fewer regulatory roadblocks,” Westcott said.

In that sense, this moment also represents a chance to establish a precedent of strong consumer protections around packaged sales of sensitive biological data.

“Governments and regulators must step in now — with clear protocols, independent oversight, and enforceable safeguards — before any data changes hands,” Nicoletti said. “Once this kind of information is leaked, it’s out there forever.”

It’s not much comfort to ponder which of these buyers might eventually come into possession of approximately 4.4% of Americans’ genetic information — and, by proxy, their relatives’ genetic information too. Many guides exist informing customers how to delete their data from 23andMe before the company is sold (here’s the handiest guide I found on how to purge your genetic info from its database). But even customers who do everything they can to protect themselves are still vulnerable.

“While consumers may hope the genetic material is deleted and not retained by 23andMe, that would be naïve,” Pointer warned. “Once information enters a database and is shared across servers or affiliates, it may exist in multiple locations.”

In Utah, Gray and her mother were among the many users that opted into the data being used for “research purposes,” she said. “Unfortunately, for individuals such as myself and my family, the way the research contribution was portrayed is that it would benefit society as a whole,” she said. For users who chose to opt into research, the company was given permission to “analyze our de-identified data and possibly sell it to third parties,” Gray said.

In a message to customers, 23andMe said its leadership would approach the sale process and “look to secure a partner who shares in its commitment to customer data privacy and will further its mission of helping people access, understand and benefit from the human genome.”

That doesn’t mean much, Westcott said. “23andMe has publicly committed to finding a buyer that shares an interest in protecting customer data privacy, but this is just a statement and doesn’t bind the potential buyer in any way,” she said. A spokesperson for 23andMe wouldn’t comment to NPR on what the company might do with its data beyond “general pronouncements about its commitment to privacy.”

Stunningly, the company is still operating as normal — and still welcoming you to hand over your personal data. “23andMe is still open for business,” it said in an open letter to customers.
