DNA Company Accidentally Exposes Opted Out Users' Data To Law Enforcement

from the apparently-the-software-does-not-approve-of-your-decision dept

A couple of years ago, investigators in California used a DNA matching service to track down the so-called "Golden State Killer." Uploading a sample of the suspected serial murderer's DNA, they were able to identify distant relatives of the suspect. Using these sentient clues, investigators eventually worked their way back to the suspected killer, who had eluded authorities for years.

Shortly after this made news, GEDmatch informed users that law enforcement had never approached the company directly to acquire this information. Instead, investigators created an account and uploaded samples, bypassing anything GEDmatch might have had in place to limit use by government agencies. GEDmatch said the only way customers could ensure their DNA info wouldn't be obtained by law enforcement was to not use the service at all.

A month later, it went a step further. It opted all users out of allowing law enforcement to access their DNA data. Users were allowed to opt in if they were comfortable with the government digging through their information. This somewhat solved the problem. But law enforcement has been known to create faux profiles to search DNA data, so opting out isn't guaranteed to stop cops from accessing this info.

Unfortunately, something recently went very wrong with GEDmatch's database.

[U]sers reported Sunday that those settings had changed without their permission, and that their DNA profiles were made available to law enforcement searches.

Users called it a “privacy breach.” But when reached, the company’s owner declined to say if the issue was caused by an error or a security breach, citing an ongoing investigation.

This incident/error opted everyone in to law enforcement access. The company still isn't sure what happened. The statement issued by the CEO says the problem is "resolved" but the company has taken the site offline until it can determine what actually happened.

The site is still down as of the time of writing (July 20th). GEDmatch hasn't offered any further statement on the matter, either. It also has refused to say whether any law enforcement requests to the service were received or responded to while everyone was temporarily opted in.

The larger problem remains, however. GEDmatch's default is opt out, which is best for its users. But it's unclear whether GEDmatch polices its service for bogus accounts possibly being used by… well, police. GEDmatch only requires an email address for registration. It says you must link a "real name" to uploaded DNA data, but nothing in its terms of service indicates this name must be verified before the site can be searched for matches. This means opting out is only as good as the law enforcement agencies using the service. If they can't be trusted then GEDmatch probably can't be trusted either.


Filed Under: data, data breach, dna, law enforcement, privacy, surveillance
Companies: gedmatch


Reader Comments



  • David, 23 Jul 2020 @ 3:05am

    Wrong conjunction

    This means opting out is only as good as the law enforcement agencies using the service. If they can't be trusted then GEDmatch probably can't be trusted either.

    I think you mixed up "If" and "Since".

  • Anonymous Coward, 23 Jul 2020 @ 6:02am

    What is the state of DNA these days?

    This article highlights a point regarding DNA. DNA records are valuable, clearly to law enforcement by the lengths they will go to get it.

    Who else might be interested in broad DNA record trolling?

    Bluntly, has DNA technology and records proceeded sufficiently far that one could perform either a preliminary screening or an actual match for a needed organ donor, using DNA records? Are the global well to do & VIP crowd scraping DNA sites and records in order to provide a list of potential organ donors for their own use?

    With enough money and power and a list of potential matches, any global VIP could have several people "acquired", forcibly tested (if needed) and then the best match killed for their organs. Lesser matches could be perpetually retained (imprisoned) until the next time the organ(s) need replaced. (Donated organs do not survive as long as natural organs).

    Has DNA technology reached this point?

  • Anonymous Coward, 23 Jul 2020 @ 6:15am

    It also has refused to say whether any law enforcement requests to the service were received or responded to while everyone was temporarily opted in.

    You know, I thought I heard a warrant canary dying a little while back...

  • DannyB, 23 Jul 2020 @ 6:30am

    Apology

    GEDmatch would like to apologize to anyone who has learned of our hurtful, spiteful and malicious actions. GEDmatch takes full responsibility for not having stronger measures in place to prevent this public disclosure that GEDmatch gave DNA records to law enforcement. To all employees, managers, directors and investors at GEDmatch who may have suffered personal embarrassment from this disclosure, GEDmatch would like to extend our sincerest apology. To all other members of the public, and especially persons who have given us their DNA record for safekeeping, we would like to extend our sincerest indifference.

    Sincerely

    GEDmatch

  • jilocasin, 23 Jul 2020 @ 6:52am

    Opted in just long enough to run those critical searches

    Color me skeptical, but I think GEDmatch's entire database of users was accidentally opted in to law enforcement searches, just long enough for some law enforcement agency to run some critical searches. Isn't this the company that was recently bought out by Verogen, a company with ties to the FBI and law enforcement? Anyone that still has any of their data in that company's hands is just asking for trouble.

    Genetic matching was a nice idea in the field of genealogy. Unfortunately the lack of privacy protections in this country coupled with the overzealous (and unjustified) belief in the efficacy of DNA evidence I fear has drowned that baby in the bathtub.

  • Anonymous Coward, 23 Jul 2020 @ 8:39am

    Did anyone really think their data would be secure?
    Well, I know of this bridge that is for sale ....

    • Atkray, 23 Jul 2020 @ 1:28pm

      Re:

      Yes they did.

      My wife is a genealogist and of course I read here, so when people asked her about these services she would tell them no and explain that doing so was providing their DNA information (that may not be super accurate in the first place) to anyone that gained access. Law enforcement or hackers or anyone.

      The responses?

      I'm not worried they will protect it.
      If it is breached I have nothing to hide.

      She would tell them not to do it, and they would go ahead anyway.

  • Smartassicus the Roman, 23 Jul 2020 @ 11:16am

    I Was Hacked

    They were probably hacked by some sort of LE agency. It's happened before.

  • Rekrul, 23 Jul 2020 @ 11:19am

    They just need to put a checkbox on the profile creation page that says "I swear I am not a member of law enforcement." so when the cops do create a phony account, they can be viciously prosecuted under the CFAA. That's how it works, right? Violate the terms of use, get your life ruined in court. Right?

  • Anonymous Coward, 24 Jul 2020 @ 2:13am

    Using these sentient clues

    Whatever word you were aiming for, I think you missed.

    • Anonymous Coward, 24 Jul 2020 @ 3:51am

      Re:

      It may have been salient. Previously I thought it might have been stretching license as human DNA comes from sentient critters.

  • mksmith, 30 Jul 2020 @ 4:06am

    Why not just make it "anonymous" ?

    A sequencing company could simply keep someone's DNA together with some "username/password" info in its database. So, the company doesn't *really* know who is actually who, but users know who they are and so can login and still access their data all they want. However, such an "anonymous" database would not be of any use to any law enforcement as well, and this would work in the interests of privacy. Yes sometimes users may have to "mail samples" from their address (or a PO box), but that's fine since the company does not have to actually store those addresses anywhere after the return mail/sequenced-dna-data is sent back to them.
