In a recent hearing with the company's leadership, Representative Paul Gosar (R-AZ) urged the destruction of data collected from customers of the ancestry research company 23andMe following the business's bankruptcy.
For additional context, 23andMe, which used customers' saliva samples to find ancestors and distant relatives, filed for Chapter 11 bankruptcy in March. Twenty-three states and the District of Columbia sued to prevent the sale of remaining genetic data without the customers' consent.
Rep. Gosar began his questioning of 23andMe founder Anne Wojcicki and interim CEO Joe Selsavage by noting that "When customers sign up for testing like 23andMe, they pay for the service, not the storage and continued research of their DNA."
"But at the minimum," Rep. Gosar continued, "American data should not leave American hands. China has already said it wants to create a database of genetic data to build bioweapons. If we are questioning whether our adversaries are going to use this genetic data to create a bioweapon against Americans, then frankly, this data collected from Americans should be destroyed, not stored."
The Arizona Congressman then asked Selsavage if 23andMe keeps physical and digital data, and what the company's erasure policy is.
Selsavage answered that digital data is stored in an encrypted format, which can be erased except for a customer's name, email, and purchase information. Physical data is either destroyed or preserved with the customer's consent. The interim CEO further noted that his own data is present in the system and at risk.
Gosar then turned to Wojcicki, asking if she had access to customer data and how accessible it is.
The founder replied that they "came up with very strict protocols" that kept genetic information separate from customers' identities, which only a select few were allowed to link together.
However, Gosar noted that last February, hackers were able to leak sensitive information of over 7 million customers in what 23andMe called "a very dumb move" on the customers' part.
Wojcicki explained that the hack was a "credential stuffing" attack, meaning the hackers found passwords, email addresses, and physical addresses and gained access to the accounts, not the actual genetic information of the customers.