GEDmatch opt out is an illusion

Dealing with privacy issues when it comes to DNA databases created for genealogical purposes is like trying to nail jello to a tree.

Sometimes, just when The Legal Genealogist thinks one thing has been nailed down, something we hadn’t thought of pops up to pose more issues.

Sometimes, what’s being said doesn’t match what’s being done.

And sometimes what’s being done turns out to be much different than what anyone might have thought.

Which means that sometimes it’s just a matter of smoke and mirrors.


In this case, the issue is GEDmatch and its newly-announced system for allowing its users to choose between having their matching data accessible to police for criminal and unidentified remains cases and not allowing that result.1

Earlier this week it looked very much as though GEDmatch had switched to a system where an individual user could control the use of his or her uploaded kit for matching purposes when it came to the police. Public kits were divided into two categories: Public + opt in (“available for comparison to any Raw Data in the GEDmatch database”) and Public + opt out (“available for comparison to any Raw Data in the GEDmatch database, except DNA kits identified as being uploaded for Law Enforcement purposes”).2

And GEDmatch explained that: “Comparison results, including your kit number, name (or alias), and email will be displayed for ‘Public’ kits that share DNA with the kit being used to make the comparison, except that kits identified as being uploaded for Law Enforcement purposes will only be matched with kits that have ‘opted-in’.”3

Sounds good, doesn’t it? If you want to allow your DNA to be used for investigations, you opt in. If you don’t, you opt out. Simple, and on the surface looking like it allows all of us real choice — to exercise our own judgment and make our own choices.

Here’s the problem.

It’s smoke and mirrors.

The opt out doesn’t provide any meaningful privacy for uploaded data at all.

That’s because it’s ridiculously easy for the investigator handling a police kit to get access to any matching data of any opted-out kit that the investigator might want. That “kit number, name (or alias), and email” plus DNA segment data and more is going to be fully exposed in about 30 seconds, maybe twice that if the investigator is slow.

Here’s how it’s done, and why the opt out status is really just an illusion.

Let’s say person A has uploaded to GEDmatch and is kit ABC123. Person A chooses public + opt in, meaning he chooses to allow police access to his matching information. Person B, who is person A’s third cousin, has also uploaded and is kit DEF456. Person B has chosen public + opt out, meaning he’s chosen not to allow police access to his information.

In comes Investigator Jones with crime-scene kit GHI789 and runs a one-to-many search on that kit. Assume that the bad guy in this case is a third cousin to person A and a first cousin to person B. The one-to-many search on kit GHI789 will show person A’s kit but not person B’s.

And you know what Investigator Jones is going to do, right?

He’s going to take the kit numbers of as many matches to his bad guy’s kit as he can and he’s going to run those kit numbers through that same one-to-many search.

And because Investigator Jones is now running a search on kit ABC123, rather than kit GHI789, all the opt outs vanish.

The minute the kit number being used is not explicitly identified as a police kit, anyone who chose public + opt out and who matches the kit the investigator is now using for his search is as exposed to police use of his data as if he had opted in. And with person B’s info and kit number exposed, it’s child’s play to continue spider-webbing out to matches of matches, then matches of matches of matches.

Person B’s choice — and the choice of all users who opt out — is no choice at all.
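
The filtering rule described above can be modelled in a few lines. This is an added example, not GEDmatch’s code or anything from the original post: the kit data is constructed from the post’s scenario, and the function names, the `requester_is_le` flag and the requester-scoped alternative are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Kit:
    kit_id: str
    status: str         # "opt_in", "opt_out" or "law_enforcement"
    matches: frozenset  # ids of kits that share DNA with this one

# Constructed data for the post's scenario: all three kits match each other.
KITS = {k.kit_id: k for k in (
    Kit("ABC123", "opt_in", frozenset({"DEF456", "GHI789"})),
    Kit("DEF456", "opt_out", frozenset({"ABC123", "GHI789"})),
    Kit("GHI789", "law_enforcement", frozenset({"ABC123", "DEF456"})),
)}

def _results(query_id, hide_opt_outs):
    # Assumption: law-enforcement kits are never listed as matches themselves.
    shown = {"opt_in"} if hide_opt_outs else {"opt_in", "opt_out"}
    return sorted(m for m in KITS[query_id].matches if KITS[m].status in shown)

def search_kit_scoped(query_id, requester_is_le=False):
    """Rule as the post describes it: only the query kit's label matters."""
    return _results(query_id, KITS[query_id].status == "law_enforcement")

def search_requester_scoped(query_id, requester_is_le=False):
    """Hypothetical alternative: the restriction follows the requesting account."""
    le_kit = KITS[query_id].status == "law_enforcement"
    return _results(query_id, requester_is_le or le_kit)

def exposed_opt_outs(search, start_id):
    """Opted-out kits that one investigator session ends up seeing."""
    seen, queue, exposed = {start_id}, [start_id], set()
    while queue:
        for m in search(queue.pop(0), requester_is_le=True):
            if KITS[m].status == "opt_out":
                exposed.add(m)
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return sorted(exposed)

if __name__ == "__main__":
    print(search_kit_scoped("GHI789"))                          # first search
    print(exposed_opt_outs(search_kit_scoped, "GHI789"))        # kit-scoped rule
    print(exposed_opt_outs(search_requester_scoped, "GHI789"))  # requester-scoped
```

Under the kit-scoped rule the investigator’s session ends up seeing DEF456; under the requester-scoped rule it sees no opted-out kit, while an ordinary user’s search on ABC123 still lists DEF456.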

I wasn’t 100% sure that GEDmatch didn’t have a plan to prevent that ridiculously simple workaround that utterly destroys the opt-out status of person B’s kit. Perhaps law enforcement users wouldn’t be given access to kit numbers. Or perhaps they’d only have access to the opted-in subset of users. There had to be something, surely, since the GEDmatch Terms of Service and Privacy Policy don’t even suggest that law enforcement shouldn’t use any kit but its own to do searches.

So I asked.

And the official word: GEDmatch has confirmed that there is no legal or technical restriction on law enforcement representatives in using any non-case related kit number to perform other searches that may disclose opted-out users. And — not that it’d be effective anyway — nothing, nothing at all, in GEDmatch’s own rules. And there is no intention of changing that: those who run the GEDmatch site are strongly committed to helping law enforcement use the data there.

No doubt about it.

The public + opt out status is smoke and mirrors.

So… here’s the bottom line.

If you are comfortable with police use of your data for law enforcement investigations, you can choose public + opt in.

If you aren’t comfortable with it or manage a kit for a relative who isn’t comfortable with it or hasn’t consented or can’t consent, then you must choose research kit status to be able to get any use out of GEDmatch for matching purposes.

And if that still leaves you concerned, deleting your data from GEDmatch altogether is another option.

But choosing public + opt out at GEDmatch is … well … not an option.

It’s nothing but smoke and mirrors.


Cite/link to this post: Judy G. Russell, “The choice that really isn’t,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 22 May 2019).

SOURCES

  1. See Judy G. Russell, “GEDmatch reverses course,” The Legal Genealogist, posted 19 May 2019 (https://www.legalgenealogist.com/blog : accessed 22 May 2019).
  2. “GEDmatch.Com Terms of Service and Privacy Policy,” updated 18 May 2019, GEDmatch.com (https://genesis.gedmatch.com/ : accessed 22 May 2019).
  3. Ibid.