Is GEDmatch safe? Genetic privacy under scrutiny

In 2019 law enforcement agencies in Florida gained warrant to access GEDmatch – genetic database of 1.2 million people. That came just after a five-month attempt (pictured above) to protect privacy of GEDmatch Inc. customers by handing over data to the police forces only when genotyped/sequenced individual issued an informed, additional consent.

Law professor, Erin Murphy, was astonished:

The company made a decision to keep law enforcement out, and that’s been overridden by a court. It’s a signal that no genetic information can be safe. I have no question in my mind that if the public isn’t outraged by this, they will go to the mother lode: the 15-million-person Ancestry database.

Erin Murphy for New York Times

Detective Michael Fields, who applied for a warrant and received it, said that he would welcome access to Ancestry database (15 million people) and 23andMe database (10 million people).

Is GEDmatch safe to use?

Leader of DNA testing market, 23andMe, issued a statement in which they accused GEDmatch of failing to protect genetic privacy, essentially stating that GEDmatch is unsafe. After court’s decision, GEDmatch opened the access in 24 hours and reportedly did not challenge the warrant. That ruling could be extrapolated as a precedent in eventual cases involving other databases. 23andMe promised resistance to possible requests from law enforcement agencies:

In contrast, if we had received a warrant, we would use every legal remedy possible.

It’s worth noting that the warrant already affected part of 23andMe customers – those who uploaded their data to GEDmatch on their own.

GEDmatch privacy

The ruling was more of an ad hoc case – GEDmatch was already used by the US agencies and its new, more strict policy was simply reverted in few months to allow the usage again. In the context of privacy and safety, GEDmatch is clearly as unsafe to anyone who may be of interest to law enforcement agencies. Police warrants can also affect relatives, since they have highly similar genomes.

The difference between GEDmatch and Ancestry/23andMe leaves possibility that the warrant is only an exception. In the end, more warrants will probably spark negative reaction of the public, scare off customers from GEDmatch and other genetic analysis platforms, and in a consequence limit capabilities of the law enforcement.

Update #1: Change of GEDmatch owner

In December 2020, forensic science company named Verogen bought the platform. The company, among their specializations, lists: criminal cases, missing persons, disaster victim identification.

Update #2: Further breaches in GEDmatch

In July 2020, GEDmatch suffered from security breach (more about other platforms here). Organization’s spokesperson commented:

This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were also available for law enforcement matching, and conversely, all law enforcement profiles were made visible to Gedmatch users.

Leave a Reply