DNA Company Accidentally Exposes Opted Out Users' Data To Law Enforcement
from the apparently-the-software-does-not-approve-of-your-decision dept
A couple of years ago, investigators in California used a DNA matching service to track down the so-called "Golden State Killer." Uploading a sample of the suspected serial murder's DNA, they were able to identify distant relatives of the suspect. Using these sentient clues, investigators eventually worked their way back to the suspected killer, who had eluded authorities for years.
Shortly after this made news, GEDmatch informed users that law enforcement had never approached the company directly to acquire this information. Instead, investigators created an account and uploaded samples, bypassing anything GEDmatch might have had in place to limit use by government agencies. GEDmatch said the only way customers could ensure their DNA info wouldn't be obtained by law enforcement was to not use the service at all.
A month later, it went a step further. It opted all users out of allowing law enforcement to access their DNA data. Users were allowed to opt in if they were comfortable with the government digging through their information. This somewhat solved the problem. But law enforcement has been known to create faux profiles to search DNA data, so opting out isn't guaranteed to stop cops from accessing this info.
Unfortunately, something recently went very wrong with GEDmatch's database.
[U]sers reported Sunday that those settings had changed without their permission, and that their DNA profiles were made available to law enforcement searches.
Users called it a “privacy breach.” But when reached, the company’s owner declined to say if the issue was caused by an error or a security breach, citing an ongoing investigation.
This incident/error opted everyone in to law enforcement access. The company still isn't sure what happened. The statement issued by the CEO says the problem is "resolved" but the company has taken the site offline until it can determine what actually happened.
The site is still down as of the time of writing (July 20th). GEDmatch hasn't offered any further statement on the matter, either. It also has refused to say whether any law enforcement requests to the service were received or responded to while everyone was temporarily opted in.
The larger problem remains, however. GEDmatch's default is opt out, which is best for its users. But it's unclear whether GEDmatch polices its service for bogus accounts possibly be used by… well, police. GEDmatch only requires an email address for registration. It says you must link a "real name" to uploaded DNA data but nothing in its terms of service indicates this name must be verified before the site can be searched for matches. This means opting out is only as good as the law enforcement agencies using the service. If they can't be trusted then GEDmatch probably can't be trusted either.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data, data breach, dna, law enforcement, privacy, surveillance
Companies: gedmatch
Reader Comments
Subscribe: RSS
View by: Time | Thread
Wrong conjunction
I think you mixed up "If" and "Since".
[ link to this | view in thread ]
What is the state of DNA these days?
This article highlights a point regarding DNA. DNA records are valuable, clearly to law enforcement by the lengths they will go to get it.
Who else might be interested broad DNA record trolling?
Bluntly, has DNA technology and records proceeded sufficiently far that one could perform either a preliminary screening or an actual match for a needed organ donor, using DNA records? Are the global well to do & VIP crowd scraping DNA sites and records in order to provide a list of potential organ donors for their own use?
With enough money and power and a list of potential matches, any global VIP could have several people "acquired", forcibly tested (if needed) and then the best match killed for their organs. Lesser matches could be perpetually retained (imprisoned) until the next time the organ(s) need replaced. (Donated organs do not survive as long as natural organs).
Has DNA technology reached this point?
[ link to this | view in thread ]
You know, I thought I heard a warrant canary dying a little while back...
[ link to this | view in thread ]
Apology
GEDmatch would like to apologize to anyone who has learned of our hurtful, spiteful and malicious actions. GEDmatch takes full responsibility for not having stronger measures in place to prevent this public disclosure that GEDmatch gave DNA records to law enforcement. To all employees, managers, directors and investors at GEDmatch who may have suffered personal embarrassment from this disclosure, GEDmatch would like to extend our sincerest apology. To all other members of the public, and especially persons who have given us their DNA record for safekeeping, we would like to extend our sincerest indifference.
Sincerely
GEDmatch
[ link to this | view in thread ]
Opted in just long enough to run those critical searches
Color me skeptical, but I think GEDmatch's entire database of users was accidentally opted in to law enforcement searches, just long enough for some law enforcement agency to run some critical searches. Isn't this the company that was recently bought out by Verogen a company with ties to the FBI and law enforcement? Anyone that still has any of their data in that companies hands is just asking for trouble.
Genetic matching was a nice idea in the field of genealogy. Unfortunately the lack of privacy protections in this country coupled with the overzealous (and unjustified) belief in the efficacy of DNA evidence I fear has drowned that baby in the bathtub.
[ link to this | view in thread ]
Did anyone really think their data would be secure?
Well, I know of this bridge that is for sale ....
[ link to this | view in thread ]
I Was Hacked
They were probably hacked by some sort of LE agency. It's happened before.
[ link to this | view in thread ]
They just need to put a checkbox on the profile creation page that says "I swear I am not a member of law enforcement." so when the cops do create a phony account, they can be viciously prosecuted under the CFAA. That's how it works, right? Violate the terms of use, get your life ruined in court. Right?
[ link to this | view in thread ]
Re:
Yes they did.
My wife is a genealogist and of course I read here, so when people asked her about these services she would tell them no and explain that doing so was providing their DNA information (that may not be super accurate in the first place) to anyone that gained access. Law enforcement or hackers or anyone.
The responses?
I'm not worried they will protect it.
If it is breached I have nothing to hide.
She wold tell them not to do it, and they would go ahead anyway.
[ link to this | view in thread ]
Whatever word you were aiming for, I think you missed.
[ link to this | view in thread ]
Re:
It may have been salient. Previously i thought it might have been stretching license as human DNA comes from sentient critters.
[ link to this | view in thread ]
Why not just make it "anonymous" ?
[ link to this | view in thread ]