Gedmatch, the DNA analysis site that police used to catch the so-called Golden State Killer, was pulled briefly offline on Sunday while its parent company investigated how its users’ DNA profile data apparently became available to law enforcement searches.
The site, which lets users upload their DNA profile data to trace their family tree and ancestors, rose to overnight fame in 2018 after law enforcement used it to match the DNA from a serial murder suspect against the million-plus DNA profiles in the site’s database without first telling the company.
Gedmatch issued a privacy warning to its users and put in new controls to allow users to opt in for their DNA to be included in police searches.
But users reported Sunday that those settings had changed without their permission, and that their DNA profiles were made available to law enforcement searches.
Users called it a “privacy breach.” But when reached, the company’s owner declined to say if the issue was caused by an error or a security breach, citing an ongoing investigation.
“We are aware of the issue regarding Gedmatch, where user permissions were not set correctly,” said Brett Williams, chief executive of Verogen, which acquired Gedmatch in 2019. “We have resolved that issue; however, as a precaution, we have taken the site down while we are investigating the actual cause of the error. Once we understand the cause, we will be issuing a more formal statement,” he said.
DNA profiling and analysis companies are increasingly popular with users trying to understand their cultural and ethnic backgrounds by discovering new and ancestral family members. But law enforcement are increasingly pushing for access to genetic databases to try to solve crimes from DNA left at crime scenes.
Williams would not say, when asked, if Verogen or Gedmatch have received any law enforcement requests for user data in the past day, or if either company has responded.
Gedmatch does not publish how frequently law enforcement seeks access to the company’s data. Its rivals, like 23andMe and Ancestry.com, have already published these so-called transparency reports. Earlier this year Ancestry.com revealed that it rejected an out-of-state police warrant, indicating that police are still using DNA profiling and analysis sites for information.
“The acknowledgement of an issue is a start, but if a ‘resolution’ means simply correcting the error, there are many questions that remain,” Elizabeth Joh, a professor of law at University of California, Davis School of Law, told TechCrunch.
“For instance, does Gedmatch know whether any law enforcement agencies accessed these improperly tagged users? Will they disclose any further details of the breach? And of course, this isn’t simply Gedmatch’s problem: a privacy breach in a genetic genealogy database underscores the woefully inadequate regulatory safeguards for the most sensitive of information, in a novel arena for civil liberties,” she said. “It’s a mess.”