As soon as 23andMe filed for bankruptcy, concerns about its vast genetic and personal data exploded. Shortly after, a US judge ruled the company could sell its consumer data as part of the bankruptcy, triggering alarms about the potential misuse of sensitive information.

While most focused on the genetic data, the real privacy risk lies in the personal survey information the company has collected. From health details to lifestyle habits, these seemingly harmless answers now pose a far bigger threat – especially when combined with genetic data that customers thought was anonymous.

Genetic Data: Not Just a Sample, but a Security Risk

When customers sent their DNA to 23andMe, they handed over more than just a biological sample. They gave up a detailed profile of their genetic traits, health risks, and family history. While this data could benefit researchers, it also creates a security risk if misused.

But the threat goes beyond genetics. 23andMe also collected vast amounts of personal survey data. Over 85% of users consented to share sensitive information about their health, habits, and even personal vulnerabilities like drinking habits and risk tolerance. Combined with genetic data, this creates a highly detailed user profile.

This dual-threat – genetic data plus personal survey responses – makes 23andMe’s database a target for corporate espionage, identity theft, and geopolitical manipulation.

The Privacy Problem of Personal Survey Data

While much of the public's concern centers around the sale of genetic data, the more pressing issue lies in the wealth of personal survey data 23andMe has collected. This information – about things like health conditions, mental health, and even lifestyle preferences – is much more personal than many realize. It's information that, if mishandled or sold to the wrong entity, could be used for targeted advertising, manipulation, or even discrimination.

For example, if the data were to be accessed by life insurance companies, it could lead to discriminatory practices based on genetic predispositions or health risks. Personal insights gleaned from survey answers could be used by marketers or even government agencies to build detailed profiles for manipulation or surveillance.

One need only look at the case of GEDmatch, where law enforcement used genetic data to apprehend the Golden State Killer, to understand the potential dangers of unrestricted access to this kind of information. In 2018, police uploaded an old crime scene blood sample to GEDmatch, which matched with a distant relative in the database. This violated the platform’s privacy policies but led to a successful arrest.

The situation raises an uncomfortable question: could 23andMe’s data one day be used similarly, for criminal investigations or, worse, for government surveillance?

Survey Data: The More Dangerous Asset

While the sale of genetic data poses obvious risks, the survey data that 23andMe holds is arguably just as, if not more, dangerous. This is the information that reveals a person’s lifestyle choices, mental health, vulnerabilities, and social behaviors.

As pointed out by prof. Kayte Spector-Bagdady, personal insights about a person’s fears, hopes, and limitations are not just valuable to the company that collects them – they’re valuable to anyone willing to exploit them.

Take, for instance, data related to a person’s mental health or social habits. This can be used to target them with manipulative advertisements, exploit their emotional vulnerabilities, or even sell them products they don’t need. As we’ve seen with social media platforms like Facebook, where user data is harvested to influence consumer behavior, the stakes for privacy are high.

The risks of data abuse are not just hypothetical. Cybernews research shows that healthcare data breaches are very common, with 65% of the 100 largest US hospitals and health systems experiencing a recent breach. The fact that 79% of these institutions scored poorly on cybersecurity underlines just how vulnerable sensitive information can be.

If health systems, managing far less detailed data, are prone to breaches, the risks with 23andMe’s wealth of personal and genetic information are similarly significant.

When combined with other data points available on the internet, such as a dating profile, social media activity, or even a medical record, the survey data from 23andMe creates an incredibly detailed picture of an individual. This could lead to personalized attacks, cyberbullying, or financial fraud, as well as more insidious forms of manipulation by those with access to such data.

AI, Data Cross-Referencing, and the End of Anonymity

The risks are compounded by advances in AI and data analytics, which can cross-reference genetic and survey data with public records, social media, and other databases. This combination of machine learning and vast datasets makes it possible to identify individuals with high precision, even when their data is supposed to be anonymized.

For instance, while 23andMe assures consumers that their data is protected, the reality is that AI can reverse-engineer identities from anonymized data.

Aras Nazarovas is an Information Security Researcher at Cybernews, a research-driven online publication.