Biotech company 23andMe first disclosed a data breach affecting a portion of its customers back in October. The information was obtained in a credential stuffing attack. An SEC filing now reveals roughly 14,000 accounts were accessed, along with information on millions of users participating in the DNA Relatives feature.
They sent out an email Sunday at 5 PM, dinner time, deep weekend, who’s checking their emails? The email notified its users that they updated their terms of service, specifically the Dispute Resolution and Arbitration section. And ended with a note that if you don’t “notify us within 30 days” that you disagree with these updates then you will be “deemed to have agreed to the new terms.”
I don’t have to read the terms of service to know they’re trying to hobble class actions with this, and trying to sneak the consent-by-omission workaround while we are less likely to check our email is really fucked up.
One of the things I’ve been doing lately is snail mailing these companies their exact terms of service with the forced arbitration and class action waivers completely removed to their registered addresses with the same language that says “unless notified by mail, the continuation of service assumes that you agree to these terms.”
As of yet, no company has ever mailed me back and my service hasn’t been disabled.
Not sure how enforceable it is but I figure I can’t lose.
Fantastic work! Adding this to my tackle box of fuck-the-man-ery.