
GEDmatch loophole allows the police to access user DNA without their consent


On August 14th, DNA biometrics testing identified a body that was found on pilings in a Washington river a year ago, according to a release from the Cowlitz County Sheriff’s Office. The body was too decomposed to conduct facial recognition or take fingerprints, the Tri-City Herald reports.

Investigators partnered with Othram, a forensic genetic genealogy lab in Texas, which was able to identify the brother of the unidentified body. The brother confirmed the deceased man was 55-year-old Bryan M. Heinrich Sr. based on a tattoo. While there was no foul play in this instance, the case raises privacy questions about the use of DNA databases in criminal investigations.

By using a privacy loophole in GEDmatch’s services, Cece Moore, an actress and director-turned-genetic genealogist, worked with law enforcement agencies to use privately held DNA databases to help identify unknown human remains or perpetrators who left DNA at a crime scene, according to The Intercept. A representative of Moore told Biometric Update in an email that the Intercept article contains “inaccurate information and misrepresentations.”

Police and the genealogists working with them can access the loophole by manipulating search fields within a DNA comparison tool to show profiles of individuals who explicitly opted out of sharing their information with police.

Records of communications reveal that Moore, along with two other forensic genealogists, discussed how to trigger the loophole. In a separate communication, one of the other genealogists mentioned hiding that her organization made an identification using an opted-out profile.

Back in 2018, Joseph James DeAngelo, the Golden State Killer, was arrested after a broad, invasive search conducted without a warrant and in such a manner that it appeared to violate the privacy policy of at least one DNA company, according to the LA Times.

Prosecutors claim to have used family tree searches to find relatives of the killer to initially identify DeAngelo. Afterwards, a detective confirmed investigators used semen from a rape kit to develop a DNA profile that was then uploaded to GEDmatch, an open-source platform.

Prosecutors did not share that the genetic material was first sent to FamilyTreeDNA, which allowed law enforcement to create a fake account and search for matching customers. After finding only distant leads, they uploaded the profile to MyHeritage where they identified a close relative who helped break the case.

Prior to The Intercept’s reporting on GEDmatch, Margaret Press, founder of the DNA Doe Project, published a statement on the organization’s website.

“In hindsight, it’s clear we failed to consider the critically important need for the public to be able to trust that their DNA data will only be shared and used with their permission and under the restrictions they choose,” she says.

“We should have reported these bugs to GEDmatch and stopped using the affected reports until the bugs were fixed,” continues Press. “Instead, on that first day when we found that all of the profiles were set to opt-out, I discouraged our team from reporting them at all. I now know I was wrong and I regret my words and actions.”

This post was updated at 7:10pm Eastern on August 23, 2023 to clarify that Margaret Press’ statement was published prior to The Intercept’s article, and at 10:53am Eastern on August 25, 2023 to clarify that one of Moore’s correspondents referred to hiding the opted-out matches, to clarify the description of the databases involved, and to include a denial of the veracity of the Intercept article.
