… but no consequences
The hits keep coming for that part of the genealogical community called investigative genetic genealogy — IGG for short — the use of DNA to identify human remains and solve crimes.
A statement posted this past week, on the website of Verogen.com, the forensic firm that now owns the GEDmatch website and subsidiary of the Dutch company QIAGEN, confirms the breaches that have been reported in recent weeks.1
The statement posted Thursday reads:
GEDmatch takes the privacy and trust of our users very seriously, and we were concerned to learn about this misuse. To address this issue, the following steps have been taken:
• We have fixed the loopholes that were raised in the report.
• We have undertaken system-wide assessments to mitigate the possibility of other vulnerabilities that may be exploited. These assessments have been incorporated into our ongoing software development life cycle.
• We have notified the relevant regulatory bodies about the unauthorized access of data.
• We will continue to work with the forensic community and data security and privacy experts to support the adoption of best practices for this emerging field.2
In The Legal Genealogist‘s view, there are three things about this statement that are remarkable:
1. As far as I can tell, it’s not on the GEDmatch site itself. I am a registered user,3 and I think I looked pretty thoroughly, including in the official GEDmatch forums. If it’s there, I couldn’t find it — which at least means GEDmatch users aren’t being notified easily by GEDmatch itself.
2. The language of the statement makes it crystal clear that this happened. There is absolutely none of the wiggle language that corporations (and their lawyers) typically use, like “it has been reported that..”. or “we have learned of allegations that…” Clearly, Verogen knows that this happened: members of the investigative genetic genealogy community deliberately and willfully exploited security loopholes to see matching data on DNA kits whose owners had opted out of any law enforcement use of their kits.4
3. There’s not one word about consequences to those who did this. Nothing that says their accounts have been suspended. Nothing that says they’re barred from being in a position to do something like this again. Nothing that says they’ve been required to come clean — even with GEDmatch if not in public.5 Nothing that even says that those responsible for the data breaches won’t be allowed to be in a position to be “foxes in the hen house” when those best practices are being developed for genetic genealogists who work with law enforcement.
In short, we have truth here.
But with no consequences.
This does little to repair the damaged trust the larger genealogical community has in GEDmatch. It calls into question the commitment of Verogen and the investigative genetic genealogy community to truly police this field. And it leaves those investigative genetic genealogists who have been ethical to be tarred with the same brush as those who have not.
It’s hard to imagine that that’s enough.
But it’s all that GEDmatch is offering.
And why all we can do, in response, is decline to use or recommend GEDmatch as a research tool.
Cite/link to this post: Judy G. Russell, “Truth,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 17 Sep 2023).
- For background, see Judy G. Russell, “Not whether, but how,” The Legal Genealogist, posted 13 Aug 2023 (https://www.legalgenealogist.com/blog : accessed 17 Sep 2023). And see ibid., “A time for reflection,” posted 20 Aug 2023. ↩
- “Notice regarding investigations into FIGG practitioners circumventing GEDmatch settings and violating Terms of Service, and actions taken,” posted 14 Sep 2023, Verogen.com (https://verogen.com/ : accessed 17 Sep 2023). ↩
- I keep an account there even though I don’t use it and don’t recommend it. See “Withdrawing a recommendation,” The Legal Genealogist, posted 15 May 2019. ↩
- Update: I am informed that some users do see a message on the GEDmatch home page. It is not visible to all users. ↩
- I note for the record that one person involved has come clean, in public. See “From Our Founder, Margaret Press,” DNA Doe Project (https://dnadoeproject.org/ : accessed 17 Sep 2023). ↩