00:00Thank you, Mr. Chair. I think what we've seen in both last week's hearing on AI and today's is how unprepared this country is to protect people's private information.
00:12This bankruptcy in the cell 23 and me demonstrates just how little control people actually have over their sensitive information.
00:20The few federal privacy laws we do have on the books have just not kept up with the Internet age and the technological advancement.
00:30As a result, more and more of our data is just accessed by more and more interests and it's just out there.
00:36Companies are handing over private data to the government that would normally be protected by the Fourth Amendment, for instance, and you would need a warrant to get.
00:44That includes genetic data at 23 and me. Some states have, of course, pushed for stronger consumer protections around privacy, but the data threats are not stopped by state lines.
00:55So people need protections that cover the entire country.
00:58Professor Hu, just briefly, what is your biggest concern about the gaps in privacy law that Congress ought to address through legislation?
01:07My deep concern is the way in which AI is changing, I think, the nature of data.
01:13I think that, as it's been explained before, data is to AI the way that airspace is to aircraft.
01:19And without being able to have a way in which to really protect it and secure it, I think that we're going to increasingly see abuses, misuses, and discrimination flow from that lack of regulation.
01:34The patchwork of privacy protections in this country has created an ecosystem where data brokers and companies like 23andMe hold massive amounts of sensitive information for millions of Americans, and they can just really do what they want with it.
01:46Beyond just collection and storage of data, we should also be worried about how these companies use this data, including who has access to it.
01:54For one, law enforcement officers.
01:56There are few restrictions on law enforcement's access to DNA profiles stored in databases like 23andMe.
02:02The so-called forensic genealogy is often done without a court-approved warrant, and can mean that law enforcement has access to the genetic information of millions of Americans with little to no oversight.
02:12Even if you yourself did not give your DNA away, if you have a family member who did, you could be affected.
02:19What's even worse is that people usually aren't even aware that their profiles are being shared with police.
02:2523andMe's current privacy policy states that when faced with law enforcement requests, the company will, quote, only comply with court orders, subpoenas, search warrants, or other requests that we determine are legally valid, unquote.
02:39Mr. Self-Savage, that last part is a bit concerning.
02:41What exactly do you mean by other requests that are legally valid, and what other request is going to get 23andMe to give over information to police?
02:49Let me first say that 23andMe to date has not given any information over to law enforcement.
02:56We have a transparency page on our website, which shows the requests that we've received from law enforcement.
03:03It's a small number, and those that we've complied with, and you'll see that it is zero that we've complied with.
03:09The only way we will comply with a law enforcement request is with a legally valid process, such as a court order or subpoena.
03:17Yeah, I see that.
03:19Just really specifically, just really wondering about the other requests that we determined.
03:24I get that.
03:25I get the subpoenas and a search warrant, but there is a caveat for other requests that we determine are legally valid.
03:31Can you give an example of what that might be?
03:33That is, I cannot give an exact example of that other.
03:37I will say that basically the only way we would comply with a law enforcement request was with what we determined to be a legally valid process.
03:46I think that the fact that you can't define what that means is a massive loophole for 23andMe, to do what it wants with people's data.
03:53And that's, I think, a really big concern.
03:56Mr. Self-Savage, also, how does 23andMe notify a customer when it has provided their genetic data to law enforcement?
04:02I'm sorry if you already answered that.
04:04What information do you provide them about the requests?
04:07As I mentioned, to date, we have not provided any information to law enforcement.
04:11If you did, do you have an example of how, do you know what the policy would be about how you would notify them?
04:17I do not, but I can take that back to our team.
04:20I appreciate that.
04:21I think these policies have a lot of room for improvement and that your customers deserve better, but it's at least a baseline, hopefully, of protection.
04:28Can you commit that 23andMe will not get rid of this policy, regardless of who ends up owning it, once the bankruptcy sale goes through?
04:36I can say that the two bidders for the company have both agreed, both verbally and in writing in their contracts to purchase the company,
04:46that they will step into the shoes of the company and adopt the privacy policies and other consents on a go-forward basis.
04:54God willing, I guess.
04:55It's really scary that people have to rely on the whims of private company to protect their private information.
05:00The Fourth Amendment can only protect us so much as these loopholes and workarounds need to be fixed.
05:05So I thank you all so much for your testimony today, and I yield back.
