DNA Company Accidentally Exposes Opted Out Users' Data To Law Enforcement
from the apparently-the-software-does-not-approve-of-your-decision dept
A couple of years ago, investigators in California used a DNA matching service to track down the so-called “Golden State Killer.” Uploading a sample of the suspected serial murder’s DNA, they were able to identify distant relatives of the suspect. Using these sentient clues, investigators eventually worked their way back to the suspected killer, who had eluded authorities for years.
Shortly after this made news, GEDmatch informed users that law enforcement had never approached the company directly to acquire this information. Instead, investigators created an account and uploaded samples, bypassing anything GEDmatch might have had in place to limit use by government agencies. GEDmatch said the only way customers could ensure their DNA info wouldn’t be obtained by law enforcement was to not use the service at all.
A month later, it went a step further. It opted all users out of allowing law enforcement to access their DNA data. Users were allowed to opt in if they were comfortable with the government digging through their information. This somewhat solved the problem. But law enforcement has been known to create faux profiles to search DNA data, so opting out isn’t guaranteed to stop cops from accessing this info.
Unfortunately, something recently went very wrong with GEDmatch’s database.
[U]sers reported Sunday that those settings had changed without their permission, and that their DNA profiles were made available to law enforcement searches.
Users called it a “privacy breach.” But when reached, the company’s owner declined to say if the issue was caused by an error or a security breach, citing an ongoing investigation.
This incident/error opted everyone in to law enforcement access. The company still isn’t sure what happened. The statement issued by the CEO says the problem is “resolved” but the company has taken the site offline until it can determine what actually happened.
The site is still down as of the time of writing (July 20th). GEDmatch hasn’t offered any further statement on the matter, either. It also has refused to say whether any law enforcement requests to the service were received or responded to while everyone was temporarily opted in.
The larger problem remains, however. GEDmatch’s default is opt out, which is best for its users. But it’s unclear whether GEDmatch polices its service for bogus accounts possibly be used by… well, police. GEDmatch only requires an email address for registration. It says you must link a “real name” to uploaded DNA data but nothing in its terms of service indicates this name must be verified before the site can be searched for matches. This means opting out is only as good as the law enforcement agencies using the service. If they can’t be trusted then GEDmatch probably can’t be trusted either.
Filed Under: data, data breach, dna, law enforcement, privacy, surveillance
Companies: gedmatch
Comments on “DNA Company Accidentally Exposes Opted Out Users' Data To Law Enforcement”
Wrong conjunction
I think you mixed up "If" and "Since".
What is the state of DNA these days?
This article highlights a point regarding DNA. DNA records are valuable, clearly to law enforcement by the lengths they will go to get it.
Who else might be interested broad DNA record trolling?
Bluntly, has DNA technology and records proceeded sufficiently far that one could perform either a preliminary screening or an actual match for a needed organ donor, using DNA records? Are the global well to do & VIP crowd scraping DNA sites and records in order to provide a list of potential organ donors for their own use?
With enough money and power and a list of potential matches, any global VIP could have several people "acquired", forcibly tested (if needed) and then the best match killed for their organs. Lesser matches could be perpetually retained (imprisoned) until the next time the organ(s) need replaced. (Donated organs do not survive as long as natural organs).
Has DNA technology reached this point?
You know, I thought I heard a warrant canary dying a little while back…
Apology
GEDmatch would like to apologize to anyone who has learned of our hurtful, spiteful and malicious actions. GEDmatch takes full responsibility for not having stronger measures in place to prevent this public disclosure that GEDmatch gave DNA records to law enforcement. To all employees, managers, directors and investors at GEDmatch who may have suffered personal embarrassment from this disclosure, GEDmatch would like to extend our sincerest apology. To all other members of the public, and especially persons who have given us their DNA record for safekeeping, we would like to extend our sincerest indifference.
Sincerely
GEDmatch
Opted in just long enough to run those critical searches
Color me skeptical, but I think GEDmatch’s entire database of users was accidentally opted in to law enforcement searches, just long enough for some law enforcement agency to run some critical searches. Isn’t this the company that was recently bought out by Verogen a company with ties to the FBI and law enforcement? Anyone that still has any of their data in that companies hands is just asking for trouble.
Genetic matching was a nice idea in the field of genealogy. Unfortunately the lack of privacy protections in this country coupled with the overzealous (and unjustified) belief in the efficacy of DNA evidence I fear has drowned that baby in the bathtub.
Did anyone really think their data would be secure?
Well, I know of this bridge that is for sale ….
Re: Re:
Yes they did.
My wife is a genealogist and of course I read here, so when people asked her about these services she would tell them no and explain that doing so was providing their DNA information (that may not be super accurate in the first place) to anyone that gained access. Law enforcement or hackers or anyone.
The responses?
I’m not worried they will protect it.
If it is breached I have nothing to hide.
She wold tell them not to do it, and they would go ahead anyway.
I Was Hacked
They were probably hacked by some sort of LE agency. It’s happened before.
They just need to put a checkbox on the profile creation page that says "I swear I am not a member of law enforcement." so when the cops do create a phony account, they can be viciously prosecuted under the CFAA. That’s how it works, right? Violate the terms of use, get your life ruined in court. Right?
Whatever word you were aiming for, I think you missed.
Re: Re:
It may have been salient. Previously i thought it might have been stretching license as human DNA comes from sentient critters.
Why not just make it "anonymous" ?
A sequencing company could simply keep someone’s DNA together with some “username/password” info in its database. So, the company doesn’t *really* know who is actually who, but users know who they are and so can login and still access their data all they want. However, such an “anonymous” database would not be of any use to any law enforcement as well, and this would work in the interests of privacy.
Yes sometimes users may have to “mail samples” from their address (or a PO box), but that’s fine since the company does not have to actually store those addresses anywhere after the return mail/sequenced-dna-data is sent back to them.
Why not just make it "anonymous" ?
A sequencing company could simply keep someone’s DNA together with some “username/password” info in its database. So, the company doesn’t *really* know who is actually who, but users know who they are and so can login and still access their data all they want. However, such an “anonymous” database would not be of any use to any law enforcement as well, and this would work in the interests of privacy.
Yes sometimes users may have to “mail samples” from their address (or a PO box), but that’s fine since the company does not have to actually store those addresses anywhere after the return mail/sequenced-dna-data is sent back to them.