A DNA testing and analysis platform called “GEDmatch” has been linked to a security incident that may indicate the company’s data protection practices were inadequate all along.
More than 1.2 million people had their DNA profiles on the GEDmatch platform, having uploaded their autosomal test data to identify potential relatives in the same database, find common ancestors, calculate genetic distance, determine their ethnic background, and more. The company claimed that real names were hidden from user profiles and that it also offered strict privacy settings to help users stay anonymous or even deny law enforcement agencies access to their data.
Over the weekend, users’ settings governing whether the police were allowed to access their data were somehow changed, without users being asked or prompted to review them again.
As a result, all 1.2 million DNA profiles may have been accessed, or even downloaded, by the police. Naturally, the platform’s users were outraged by this “privacy breach,” and the platform’s failure to clarify what had happened infuriated them even more. GEDmatch said only that it would investigate, without citing a data breach or a misconfiguration in its systems.
There's been a major privacy breach at GEDmatch. It appears that all kits, regardless of user preferences, have been opted in to law enforcement matching. I've messaged Verogen on Facebook to alert them to the problem. The site now seems to be down completely. #geneticgenealogy pic.twitter.com/RZhEXEVa7s
— Debbie Kennett 🧬🌳 (@DebbieKennett) July 19, 2020
GEDmatch’s first response was to briefly take down the site, allegedly as a precaution to keep users’ data out of law enforcement’s reach. Still, some see this as a pretense intended to give the user base an illusion of data privacy and security.
Whether or not the police have already accessed or downloaded all of this data remains unknown, but the authorities would surely like to have it. Law enforcement is known to press these firms to share whatever they can, a trend also reflected in this year’s transparency reports from Ancestry.com and 23andMe.
In April 2018, GEDmatch helped the FBI identify Joseph James DeAngelo Jr., an American serial killer, rapist, and burglar. While this was a positive use of the technology and the genetic database, it raised data privacy concerns among the user base. To address them, GEDmatch introduced an opt-in policy in May 2019, with approximately 260,000 users choosing to allow the police to access their DNA profiles.
That said, the data of about a million people may now have been exposed without their consent. Many of them have since deleted their GEDmatch profiles, but the damage has already been done.