… but no consequences
The hits keep coming for that part of the genealogical community called investigative genetic genealogy — IGG for short — the use of DNA to identify human remains and solve crimes.
A statement posted this past week, on the website of Verogen.com, the forensic firm that now owns the GEDmatch website and subsidiary of the Dutch company QIAGEN, confirms the breaches that have been reported in recent weeks.[1]
The statement posted Thursday reads:
GEDmatch’s commitment to user data privacy and security is a top priority. We recently learned that a small number of forensic genetic genealogy practitioners had circumvented GEDmatch settings in violation of our Terms of Use, enabling them to access the profiles of GEDmatch users who had not opted in to law enforcement searches for violent crime and homicides. Further, the practitioners had advocated not to disclose this misuse to GEDmatch, trained others to use it, and doctored reports to prevent it from becoming known. The information accessed includes relationships that were otherwise not available for the law-enforcement cases in question.
GEDmatch takes the privacy and trust of our users very seriously, and we were concerned to learn about this misuse. To address this issue, the following steps have been taken:
• We have fixed the loopholes that were raised in the report.
• We have undertaken system-wide assessments to mitigate the possibility of other vulnerabilities that may be exploited. These assessments have been incorporated into our ongoing software development life cycle.
• We will be requiring practitioners to reaffirm through an additional binding contract that they will not circumvent any GEDmatch settings or otherwise use GEDmatch in violation of the Terms of Use. GEDmatch can and will suspend accounts and take legal action in the event of any violation.
• We have notified the relevant regulatory bodies about the unauthorized access of data.
• We will continue to work with the forensic community and data security and privacy experts to support the adoption of best practices for this emerging field.[2]
In The Legal Genealogist’s view, there are three things about this statement that are remarkable:
1. As far as I can tell, it’s not on the GEDmatch site itself. I am a registered user,[3] and I think I looked pretty thoroughly, including in the official GEDmatch forums. If it’s there, I couldn’t find it — which at least means GEDmatch users aren’t being notified easily by GEDmatch itself.
2. The language of the statement makes it crystal clear that this happened. There is absolutely none of the wiggle language that corporations (and their lawyers) typically use, like “it has been reported that…” or “we have learned of allegations that…” Clearly, Verogen knows that this happened: members of the investigative genetic genealogy community deliberately and willfully exploited security loopholes to see matching data on DNA kits whose owners had opted out of any law enforcement use of their kits.[4]
3. There’s not one word about consequences to those who did this. Nothing that says their accounts have been suspended. Nothing that says they’re barred from being in a position to do something like this again. Nothing that says they’ve been required to come clean — even with GEDmatch if not in public.[5] Nothing that even says that those responsible for the data breaches won’t be allowed to be in a position to be “foxes in the hen house” when those best practices are being developed for genetic genealogists who work with law enforcement.
In short, we have truth here.
But with no consequences.
This does little to repair the damaged trust the larger genealogical community has in GEDmatch. It calls into question the commitment of Verogen and the investigative genetic genealogy community to truly police this field. And it leaves those investigative genetic genealogists who have been ethical to be tarred with the same brush as those who have not.
It’s hard to imagine that that’s enough.
But it’s all that GEDmatch is offering.
And why all we can do, in response, is decline to use or recommend GEDmatch as a research tool.
Cite/link to this post: Judy G. Russell, “Truth,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 17 Sep 2023).
SOURCES
1. For background, see Judy G. Russell, “Not whether, but how,” The Legal Genealogist, posted 13 Aug 2023 (https://www.legalgenealogist.com/blog : accessed 17 Sep 2023). And see ibid., “A time for reflection,” posted 20 Aug 2023.
2. “Notice regarding investigations into FIGG practitioners circumventing GEDmatch settings and violating Terms of Service, and actions taken,” posted 14 Sep 2023, Verogen.com (https://verogen.com/ : accessed 17 Sep 2023).
3. I keep an account there even though I don’t use it and don’t recommend it. See “Withdrawing a recommendation,” The Legal Genealogist, posted 15 May 2019.
4. Update: I am informed that some users do see a message on the GEDmatch home page. It is not visible to all users.
5. I note for the record that one person involved has come clean, in public. See “From Our Founder, Margaret Press,” DNA Doe Project (https://dnadoeproject.org/ : accessed 17 Sep 2023).
These recent incidents have just reinforced my choice to not use GEDmatch – and to continue to advise others not to do so either. The fact that there have been no consequences clearly shows the company does not really care about user privacy. It’s all just so many words.
Teresa and others who feel this way have every right to be offended and to disconnect from GEDmatch. My life is most likely to be affected by their disengagement rather than a knock on the door from LE. And it is firstly LE I blame for this, then the press for encouraging illegal actions like this and only then Verogen and their owners for allowing it. The actions being complained of exploit vulnerabilities that were both fairly evident and had been mentioned – in some cases for nearly a decade – in the social media of users and more recently in places more likely to have been seen by the general public.
For the loss of possible matches. For the subsequent loss of finding MY family connections, I feel aggrieved.
I have already lost some valuable connections who used to be there. Now more will go.
I pulled my records out of GedMatch years ago because I didn’t trust that information would be protected. This just reaffirms that decision.
How are they being held accountable?
How does the genealogy ecosystem hold people like those named in the Intercept article to account?
I totally get trying to solve these cold cases (and support it 100%), but these folks *knowingly* crossed what was obviously a professional and ethical red line.
And the platform referenced needs to get its house in order and fix that website. Seriously.
Some of these folks are interconnected to some of the highest levels of genealogy and are frequently on television and stages.
Who’s holding them accountable?
Are they invited back on the stage at RootsTech?
Are we going to see them on the stage at genetic genealogy events?
Will we continue to see them on television shows hosted by Henry Louis Gates?
Where is the accountability?
Good questions.
@Robert Plummer,
The first step would be to confirm who, exactly, crossed the line rather than assume particular high-profile individuals within the genealogical and IGG community are guilty.
As Judy wisely pointed out in the post, “… it leaves those investigative genetic genealogists who have been ethical to be tarred with the same brush as those who have not.” Without first-hand knowledge or proof that a specific researcher was involved in unethical practices, it’s speculative–and, one might argue, unethical–to insinuate that individual’s guilt in a public forum.
Thank you! Where is the proof? All of this speculation and all of these accusations, yet so many genealogy professionals who are supposed to be evidence-based have not been presented with proof as to who exactly did *what* exactly. We also need to properly evaluate the sources of these allegations; it is very easy to make accusations, but those accusations should not automatically become conclusions. The Intercept article had an obvious bias, and that bias should be taken into account by those reading. Verogen needs to be held accountable for their role in all of this, as it is their sole responsibility to ensure that their software functions properly and does not reveal private data.
It is not at all speculative when a corporation says “this happened” or when one of those involved says “we did it.”
The first step ought to be individuals practicing IGG to make clear where they stand and what their actions have been regarding the GEDmatch cases. It is unfortunate that actions by some tarnish all, but they have. There are no circumstances where I would trust the word of anyone practicing IGG without that clarity, much less attend a lecture or conference with speakers who have not taken a stand.
The Intercept article named three FGG practitioners by name. One has confessed and apologized. We could start by holding the other two accountable.
Kimberly, if an objective observer is going to question the motives of the Intercept reporter, they have to question the motives of the accused, as well. What does the reporter stand to gain by lying? What do the accused stand to gain?
I wonder! Is it possible for anything, anywhere in the world to be private if it is hooked, tied or wirelessly connected to the internet? I will answer my own question. NO! It does not matter what kind of agreements are put forth, expect no kind of privacy ever, it will never happen. In all languages, Nix, Nein, Nyet, Never Hachie, expect no privacy, it does not exist on the INTERNET. Nothing is safe… HIPAA… HA, even your medical records are not safe. The most secret of Big Brother’s secrets are not safe. So, surf on, but expect nothing.
Shouldn’t the defense in any case that is brought based on such actions, be able to get them thrown out? They are obtained by breach of Terms of Service on the part of the researchers; isn’t it actually through fraud, as they agreed to the terms with no intent to actually abide by them, and then obtained something of value – aren’t any matches and anything flowing from them “fruits of the poison tree”?
Not unless it becomes part of a chain the law regards as “the fruit of the poisonous tree.” The general problem is, the defendant has no standing to raise the privacy rights of those third parties whose kits were accessed, and the third parties have no standing to intervene in the criminal case. It’s this sort of thing that makes IGG so immune from scrutiny.
Thanks for the explanation.
And I suppose the third parties whose privacy rights were breached are also helpless, first in difficulty showing that it was *their* private info that was misused, and second in being unable to show how they were harmed? So, not really able to sue the IGG consultants?
Individuals might have the right to sue, but GEDmatch limits its own damages under the TOS to what folks paid in the prior 12 months (which is a pittance even for serious users) and proofs against IGG practitioners would be really hard to come by.
I find it hard to worry about this. You freely chose to publicize your DNA (and of course that of your associated relatives) in return for access to the DNA of the thousands of others who may (hopefully) match you a little. They of course can see yours. I hope they’re all good guys because it’s tough to open the door halfway. But then, does your twin brother or second cousin have a legal case against you for giving away their DNA without their permission?
The people who were used by these bad actors *did not* freely choose to make their DNA available for forensic cases. That’s the point.
This was my fear all along, I may have limited my research but I sleep at night knowing that I am not aiding and abetting bad actors. My son won’t even take a DNA test for fear of repercussions.
Regarding point #1, the announcement is at the top of the home page. I noticed it right away when I logged in on September 15th.
I just noticed the statement on the home page may not be visible to everyone. It states “As a GEDmatch user with kits not opted in, you may have been affected. Please read our full statement here.” I have both types of kits. My husband and I are both opted in, but my son is not (because he would be redundant).
Thanks, Ann — that’s clearly how I missed it.
So, Verogen owns up to the exploitation of loopholes by certain members of the IGG community, and because the company doesn’t specify any consequences, it is suggested that genealogists decline to use GEDmatch tools? Who should Verogen apply consequences to? Only the few who have been honest enough to have admitted the breach? The company has already forwarded this information on to the regulatory authorities (per the Verogen statement).
And, what about other sites that have been used by IGG contrary to their terms of service? MyHeritage is one such site. There are at least two examples that have been cited of breaches involving this company. Clearly, there are “loopholes” that would permit this misuse. Should we also recommend that genealogists decline to use MyHeritage services? That company has not put out a statement nor responded to requests for comment on the breaches.
It’s the pattern that makes me distrust GEDmatch. The adage is, when someone shows you who they are, believe it. GEDmatch has repeatedly broken trust with its users.
Judy, this is a statement I can agree with wholeheartedly!
I am glad to see that mistakes and errors were acknowledged by several parties. How those errors will be resolved is still an unanswered question, granted.
I spent my career in the computer business. If I refused to use or boycotted every website or system that found an error over the past many years, I would not be able to use any today. Mistakes happen. That is a simple fact of life. A friend of mine says, “Humans are mistake-making machines.”
GEDmatch was started by a couple of hobbyists and when DNA became overwhelmingly popular, they tried their best to keep up with the demands. They did the very best they could under very challenging circumstances and finally had to retire and sold it to a professional company, hoping it would be well taken care of. Since then, it has changed hands again.
Errors were made, eventually discovered, and have been acknowledged. Turning that situation into a campaign to malign a good resource goes way too far, in my opinion. How many people can say they have never made a mistake in their life? I’ve never met one yet.
You raise some very good points. The various tools were written by different people over many years, and it’s not a trivial task to discover how changes to one part impact other parts. I almost feel that GEDmatch would have been better off if they just continued with the TOS in effect before the Golden State Killer case. “While the results presented on this site are intended solely for genealogical research, we are unable to guarantee that users will not find other uses. If you find the possibility unacceptable, please remove your data from this site.”
If GEDmatch couldn’t protect the genetic data of 1.8 million people, it should never have had the genetic data of 1.8 million people. That said, GEDmatch made a mistake (poor security). The genealogists who exploited the bugs at GEDmatch knew exactly what they were doing.
My first thought about Verogen’s statement was that, yes, they did come clean about the violations; however, they certainly did try to wiggle around it. 1. They downplayed the incidents by using words like “circumvented” and “vulnerabilities that may be exploited.” This was a breach of customer data, plain and simple, not a circumvention or exploitation. 2. Verogen diverted the blame onto their users. Regardless of whether IGG practitioners acted ethically or not, the breach originated with Verogen. Yet they placed responsibility on the practitioners. Not only were there no consequences, they don’t even take responsibility. 3. I find it interesting that the violators are described as “forensic genetic genealogy practitioners,” leaving out law enforcement practitioners’ culpability.
The company that cannot protect their customers’ data is at fault!
I remember my grandma telling me to pay attention when people show you who they are, Judy. It’s wise advice. I removed my DNA from GedMatch after the violation in their TOS. I had a very cordial email discussion with Mr. Rodgers at the time about it. He seemed like a very nice man, but I disagreed with his choice, and had no faith that if faced with another difficult choice, he would choose better the next time. Consequences for poor choices are important.
I continue to strive to be objective as more information is provided. There is clearly bias in much of what has been discussed.
Those who opt out and want the security of their data are screaming the loudest. I understand. But, these same individuals do not have a problem with all genealogical databases being used for adoption, donor conceived, and unknown parentage cases. This is hypocritical. If anyone has the right to scream the loudest about what genetic genealogy has revealed it’s those who had legally binding confidentiality agreements that are now bypassed by genetic genealogy practitioners. All these situations deserve to be opt in/opt out.
As far as GEDmatch, Lorraine Blanton made some very good observations. Also, the second point made by this company should have been in place long ago: “We have undertaken system-wide assessments to mitigate the possibility of other vulnerabilities that may be exploited. These assessments have been incorporated into our ongoing software development life cycle.“
You are calling Verogen’s statement truth. As you mentioned, GEDmatch has a reputation. This should have been enough for those who opted out. The reason those who opted out remained is for the benefits, and with benefits comes risk. What happened is the consequence.
I instruct my clients about the benefits and risks of GEDmatch. If they do not want to opt in to LE searches their data is not uploaded unless they realize and agree that it might happen anyway. This is the truth.
Also, Blaine placed his entire genome online and to this day I have never heard of a negative consequence. I find this interesting.
Is there bias in trying to defend unethical behavior?
Is there bias in suggesting that if I consent to A that I am a hypocrite for not consenting to B?
Is there bias in analogizing the behavior of people who conspired to break a contract they freely entered with that of people who are not bound by someone else’s confidentiality agreement?
Is there bias in implying that we should be as free with our own genetic privacy as the next guy?
If it is culturally acceptable to use genetic genealogy to identify biological parents of adoptees, then it seems to me it should be culturally acceptable to use the same methods to identify likely perpetrators of violent crimes. I support the civic goal of removing criminals from society for the benefit of public safety. That said, absent government oversight with enforceable regulations, the reasoning of “the ends justify the means” tends to invite violations of existing policies currently governing genetic genealogy methods, by law enforcement or their contractors.
I am also in a quandary over the ethical ramifications of uploading my DNA and GEDCOM file to a public database considering perhaps hundreds of my relatives who can be identified as matching my DNA have not been provided an opportunity to give an informed consent of me sharing our DNA.
There is a fundamental difference, legally and ethically, between identifying an individual for family purposes and identifying one for purposes of law enforcement. We don’t have a Fourth Amendment for the first scenario; we do for the second.