Genealogy DNA websites are getting breached

In painfully predictable privacy news, genealogy website GEDmatch got hacked. Not only that, but the DNA data of over a million people was “accidentally” made available to law enforcement.

The surprised Pikachu meme is the only way I’m able to express how I feel about this. Did people not see this coming when they were enthusiastically sending their DNA to some random company just so they can make a social media post about how black they are? I digress.

Apparently, researchers became aware of the breach when they suddenly got far more matches on a DNA sample as usual – signifying that related DNA data was found. Except, a lot of that new data seemed spammy in nature, or belonged to suspected murderers and rapists.

Suspects’ DNA samples that are used by law enforcement should not normally appear in civilian search results. This is to prevent accidentally letting a suspect’s family finding out.

Whoever conducted this hack either intentionally wanted to cause chaos and anxiety around people’s DNA privacy, or simply wanted law enforcement to access all the available DNA data with complete disregard to people’s privacy. Personally, I think it was the latter.

Back in December 2019, Jennifer Lynch of the privacy advocacy group Electronic Frontier Foundation published a blog post about GEDmatch getting acquired by its current owner – Verogen Inc.

The article’s title included the words “Why You Should Be Worried“.

The answer: Verogen Inc was formed in 2017 for the sole purpose of bringing genomics to the “forensic market”.

Even before the acquisition, GEDmatch was already no stranger to sharing the same bed with law enforcement. All of their DNA data prior to May 2019 was available to law enforcement without even needing a warrant. The only reason that changed was due to public outcry.

Since May 2019, law enforcement has only been able to warrantlessly access the DNA records of users who have opted in to assist authorities. Of course, only a small percentage of users did, but the larger pool of DNA data was still available to them with a warrant.

The problem here is that law enforcement isn’t only interested in the DNA records of suspects. After all, what are the odds that their suspect would have willingly submitted their DNA to a silly website? No. Law enforcement is interested in finding family members of a suspect. That’s a close enough match to them.

Aside from the chilling implication that you don’t even need to have done anything wrong to be implicated in something a distant relative is suspected to be involved in, the more Orwellian undertone here is perhaps even more important: you, as a potential suspect’s distant relative, don’t need to consent before giving them your DNA.

We’ve all learned about the six degrees of separation growing up. Doesn’t that mean that everyone is potentially related to at least one suspect? Does that mean law enforcement should have access to all our DNA data on file without our consent?

And it’s not like they know, at the time of running their samples, who their suspect will be or who their relatives will be. There isn’t anything resembling reasonable doubt. They’re fishing for leads and arguing we shouldn’t have a reasonable expectation of privacy since we willingly submitted our DNA to companies whose terms of service we never read.

I’ve spoken repeatedly about how unreasonable it is that terms of service are legally binding when we all know, as a society, that nobody ever reads them. More importantly, when you’re unable to use a service without agreeing to the terms, most people will probably agree just so they can get GPS directions home or connect with an old friend. Does that mean they agreed to be spied on for the rest of their lives? Of course not. Similarly, sharing DNA with a company that will provide you more insight into your DNA and potentially your health is not the same as sharing that DNA with law enforcement.

It’s the same exact flaw with terms of service that is being exploited here. It’s only more obvious because the consequences are much larger.

The EFF article argues that “We need to think long and hard as a society about whether law enforcement should be allowed to access genetic genealogy databases at all – even with a warrant.”

60% of white Americans can reportedly be identified using GEDmatch’s very small sample size of only 1.3 million. Currently, that accounts for 0.5% of the U.S. adult population. Once that figure reaches 2%, 90% of white Americans will be identifiable.

Interest is slowly dying down in such websites, but not enough to stop the growth of their user base completely.

On the flip side, this exponential ability to identify people so many degrees apart also comes with false positives. Contrary to popular belief, DNA tests aren’t always exact and fool-proof. It’s completely possible to send an innocent person to jail if the court decides that DNA data is paramount and refuses to run additional tests.

The lack of regulation surrounding the use of DNA data by law enforcement essentially makes it the wild west.

My favorite part of the entire story is that this all came down to a single switch. A switch that allowed users to opt-in to allowing law enforcement to use their data, or not.

Let’s say I’m wrong and that Verogen didn’t do this themselves. The fact that it’s so easy for an attacker to flip that switch – which takes your DNA data from being an innocent, fun, potentially informative tool and turns it into a criminal record that could be used against you in the future regardless of whether or not you do anything wrong – that’s what I have the most trouble processing.

It should not be this easy for something to change so drastically from what you signed up for. It’s like having a bowl of fruit punch at a party and a bowl of poison right next to it, each labeled by a card in front of it. Right now, changing service agreements is as simple as swapping those cards to give companies complete legal immunity to do whatever they want.

It should not be this easy for someone to turn something as innocent as fruit punch into a death sentence.