DNA Company Accidentally Exposes Opted Out Users' Data To Law Enforcement

from the apparently-the-software-does-not-approve-of-your-decision dept

A couple of years ago, investigators in California used a DNA matching service to track down the so-called “Golden State Killer.” Uploading a sample of the suspected serial murder’s DNA, they were able to identify distant relatives of the suspect. Using these sentient clues, investigators eventually worked their way back to the suspected killer, who had eluded authorities for years.

Shortly after this made news, GEDmatch informed users that law enforcement had never approached the company directly to acquire this information. Instead, investigators created an account and uploaded samples, bypassing anything GEDmatch might have had in place to limit use by government agencies. GEDmatch said the only way customers could ensure their DNA info wouldn’t be obtained by law enforcement was to not use the service at all.

A month later, it went a step further. It opted all users out of allowing law enforcement to access their DNA data. Users were allowed to opt in if they were comfortable with the government digging through their information. This somewhat solved the problem. But law enforcement has been known to create faux profiles to search DNA data, so opting out isn’t guaranteed to stop cops from accessing this info.

Unfortunately, something recently went very wrong with GEDmatch’s database.

[U]sers reported Sunday that those settings had changed without their permission, and that their DNA profiles were made available to law enforcement searches.

Users called it a “privacy breach.” But when reached, the company’s owner declined to say if the issue was caused by an error or a security breach, citing an ongoing investigation.

This incident/error opted everyone in to law enforcement access. The company still isn’t sure what happened. The statement issued by the CEO says the problem is “resolved” but the company has taken the site offline until it can determine what actually happened.

The site is still down as of the time of writing (July 20th). GEDmatch hasn’t offered any further statement on the matter, either. It also has refused to say whether any law enforcement requests to the service were received or responded to while everyone was temporarily opted in.

The larger problem remains, however. GEDmatch’s default is opt out, which is best for its users. But it’s unclear whether GEDmatch polices its service for bogus accounts possibly be used by… well, police. GEDmatch only requires an email address for registration. It says you must link a “real name” to uploaded DNA data but nothing in its terms of service indicates this name must be verified before the site can be searched for matches. This means opting out is only as good as the law enforcement agencies using the service. If they can’t be trusted then GEDmatch probably can’t be trusted either.

Filed Under: , , , , ,
Companies: gedmatch

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DNA Company Accidentally Exposes Opted Out Users' Data To Law Enforcement”

Subscribe: RSS Leave a comment
13 Comments
Anonymous Coward says:

What is the state of DNA these days?

This article highlights a point regarding DNA. DNA records are valuable, clearly to law enforcement by the lengths they will go to get it.

Who else might be interested broad DNA record trolling?

Bluntly, has DNA technology and records proceeded sufficiently far that one could perform either a preliminary screening or an actual match for a needed organ donor, using DNA records? Are the global well to do & VIP crowd scraping DNA sites and records in order to provide a list of potential organ donors for their own use?

With enough money and power and a list of potential matches, any global VIP could have several people "acquired", forcibly tested (if needed) and then the best match killed for their organs. Lesser matches could be perpetually retained (imprisoned) until the next time the organ(s) need replaced. (Donated organs do not survive as long as natural organs).

Has DNA technology reached this point?

DannyB (profile) says:

Apology

GEDmatch would like to apologize to anyone who has learned of our hurtful, spiteful and malicious actions. GEDmatch takes full responsibility for not having stronger measures in place to prevent this public disclosure that GEDmatch gave DNA records to law enforcement. To all employees, managers, directors and investors at GEDmatch who may have suffered personal embarrassment from this disclosure, GEDmatch would like to extend our sincerest apology. To all other members of the public, and especially persons who have given us their DNA record for safekeeping, we would like to extend our sincerest indifference.

Sincerely

GEDmatch

jilocasin (profile) says:

Opted in just long enough to run those critical searches

Color me skeptical, but I think GEDmatch’s entire database of users was accidentally opted in to law enforcement searches, just long enough for some law enforcement agency to run some critical searches. Isn’t this the company that was recently bought out by Verogen a company with ties to the FBI and law enforcement? Anyone that still has any of their data in that companies hands is just asking for trouble.

Genetic matching was a nice idea in the field of genealogy. Unfortunately the lack of privacy protections in this country coupled with the overzealous (and unjustified) belief in the efficacy of DNA evidence I fear has drowned that baby in the bathtub.

Atkray (profile) says:

Re: Re:

Yes they did.

My wife is a genealogist and of course I read here, so when people asked her about these services she would tell them no and explain that doing so was providing their DNA information (that may not be super accurate in the first place) to anyone that gained access. Law enforcement or hackers or anyone.

The responses?

I’m not worried they will protect it.
If it is breached I have nothing to hide.

She wold tell them not to do it, and they would go ahead anyway.

mksmith (profile) says:

Why not just make it "anonymous" ?

A sequencing company could simply keep someone’s DNA together with some “username/password” info in its database. So, the company doesn’t *really* know who is actually who, but users know who they are and so can login and still access their data all they want. However, such an “anonymous” database would not be of any use to any law enforcement as well, and this would work in the interests of privacy.

Yes sometimes users may have to “mail samples” from their address (or a PO box), but that’s fine since the company does not have to actually store those addresses anywhere after the return mail/sequenced-dna-data is sent back to them.

mksmith (profile) says:

Why not just make it "anonymous" ?

A sequencing company could simply keep someone’s DNA together with some “username/password” info in its database. So, the company doesn’t *really* know who is actually who, but users know who they are and so can login and still access their data all they want. However, such an “anonymous” database would not be of any use to any law enforcement as well, and this would work in the interests of privacy.

Yes sometimes users may have to “mail samples” from their address (or a PO box), but that’s fine since the company does not have to actually store those addresses anywhere after the return mail/sequenced-dna-data is sent back to them.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...