GEDmatch has quietly introduced a "partnership" with Verogen, a company that has created technology specifically for use in the US National DNA Index System (NDIS), opening the door for a fresh wave of privacy concerns.
GEDmatch allows users to upload their DNA profiles -- obtained through third-party sequencers, as the organization does not perform testing itself -- to compare their results with other profiles and potentially find familial relationships.
This week, GEDmatch said the deal, inked with the San Diego, Calif.-based forensic genomics firm, will "ensure ongoing privacy protections and enhance the customer experience for users of its website."
According to Verogen CEO Brett Williams, the operational change will result in a better website and improved functionality for a service that currently holds over 1.3 million customer profiles and receives as many as 1,000 new additions every day.
"GEDmatch's terms of service will not change with respect to the use, purposes of processing, and disclosures of user data. The website gives users a choice to opt-in to allow law enforcement to search uploaded files as a tool to solve violent crimes," the companies say.
However, as noted by the Electronic Frontier Foundation (EFF), earlier this year the FBI approved Verogen's technology for use in forensic laboratories dedicated to generating DNA profiles for the National DNA Index System (NDIS).
NDIS is the national level of the Combined DNA Index System (CODIS), a program managed by the FBI and its criminal division. DNA profiles are contributed by federal, state, and local forensic laboratories.
Verogen's approved MiSeq FGx Forensic Genomics System uses "Next Generation Sequencing" (NGS) technology to "dramatically increase profiling efficiency and data recovery from biological evidence," according to the company.
The use of NDIS by law enforcement-backed criminal forensic projects, when combined with the takeover of the management of a massive DNA profiling service, should be of concern.
While Verogen says everything will be "business as usual," you cannot help but remember a recent case in which a US judge approved a warrant to a detective, granting them the power to search the full GEDmatch database during an investigation. GEDmatch complied within 24 hours.
Warrants of this nature, so-called dragnet searches, render GEDmatch's "opt-in" consent mechanism for permitting law enforcement access to profiles useless.
GEDmatch's terms of service have not changed yet, but these factors, together with management by a company with close ties to the FBI, could turn the website from a service into a treasure trove of DNA usable by the police in the future.
Our DNA is not like a payment card number or IP address. It cannot be changed but should never be considered immutable evidence in criminal cases -- as noted by the EFF in a criminal case in 2012, where DNA evidence was used to jail an innocent man.
It is not just those who have uploaded their profiles who could be impacted, either -- according to recent research, 60 percent of white US citizens share DNA with GEDmatch's users.
What the change in management means for users and family connections alike remains to be seen. However, one thing is certain: handing over your DNA to private organizations, and therefore a slice of your family's, too, should not come with an expectation of privacy. There is a lack of oversight and control, and with acquisitions such as these and a small tweak to terms of service, a warrant, or a change in local law, your DNA profile could end up in a police database permanently -- innocent of a crime or otherwise.