
Notice regarding investigations into FIGG practitioners circumventing GEDmatch settings and violating Terms of Service, and actions taken


Update: November 13, 2023 PST

As our investigation continues, we will continue to update this post with relevant information. Please continue to follow this post for updates.


GEDmatch’s commitment to user data privacy and security is a top priority. We recently learned that a small number of forensic genetic genealogy practitioners had circumvented GEDmatch settings in violation of our Terms of Use, enabling them to access some profiles of GEDmatch users who had not opted in to law enforcement investigations for violent crime and homicides. Further, the practitioners had advocated not to disclose this misuse to GEDmatch, trained others to use it, and doctored reports to prevent it from becoming known. The information accessed includes relationships that were otherwise not available for the law-enforcement investigations in question.

What information was accessed?

Information potentially accessed, in violation of users’ privacy settings, includes information normally provided by the tools, including name/alias, email address, kit number, and the degree of relatedness to a law enforcement kit.

Impact

Data accessed has a low risk of being identifiable for UK or EU residents because databases used by law enforcement to resolve the identities do not commonly contain data of UK or EU residents. If some information were deemed relevant to an investigation, some users may hypothetically be contacted by investigators, though this is unlikely given that genetic relatives may be more easily identified in the US.

What actions has GEDmatch taken?

GEDmatch takes the privacy and trust of our users very seriously, and we were concerned to learn about this misuse. To address this issue, the following steps have been taken:

  • We have fixed the loopholes that were raised in the report.
  • We have undertaken system-wide assessments to mitigate the possibility of other vulnerabilities that may be exploited. These assessments have been incorporated into our ongoing software development life cycle.
  • We are now asking practitioners to reaffirm through an additional binding contract that they will not circumvent any GEDmatch settings or otherwise use GEDmatch in violation of the Terms of Use. Access to GEDmatch PRO is contingent on signing the contract. GEDmatch can and will suspend accounts and take legal action in the event of any violation. Note: Investigations and data retention policies in the U.S. are subject to the United States Department of Justice Interim Policy on Forensic Genetic Genealogical DNA Analysis.
  • We have notified the relevant global regulatory bodies about the unauthorized access of data.
  • We are masking email addresses in GEDmatch and will continue to roll this out to all tools, while balancing the need to communicate with new connections that GEDmatch enables.
  • We will continue to work with the forensic community, and data security and privacy experts to support the adoption of best practices for this emerging field.

What steps are we taking to keep you informed?

  • We will keep this post updated with the results of our investigations.
  • The GEDmatch dashboards of users who had not consented to their data being made available for law enforcement research have been updated with a notification regarding this data leak. Similarly, the dashboards of users who had consented to their data being available for law enforcement research have been updated with a notification that they are not impacted by this data leak.

GEDmatch is committed to providing you with a secure environment where you can learn about your history. If you have further questions, please email us at GEDmatch@qiagen.com.

Thank you,

Swathi A. Kumar, Ph.D
Sr. Director, Verogen, a QIAGEN company