GEDmatch loophole allows the police to access user DNA without their consent
On August 14th, DNA biometrics testing identified a body that was found on pilings in a Washington river a year ago, according to a release from the Cowlitz County Sheriff’s Office. It was too decomposed to conduct facial recognition or take fingerprints, the Tri-City Herald reports.
Investigators partnered with Othram, a forensic genetic genealogy lab in Texas, which was able to identify the brother of the unidentified body. The brother confirmed the deceased man was 55-year old Bryan M. Heinrich Sr. based on a tattoo. While there was no foul play in this instance, the case raises questions about privacy concerns with the use of DNA databases in criminal investigations.
By using a privacy loophole in GEDmatch’s services, Cece Moore, an actress and director-turned-genetic genealogist, worked with law enforcement agencies to use privately-held DNA databases to help identify unknown human remains or perpetrators who left DNA at a crime scene, according to The Intercept. A representative of Moore told Biometric Update in an email that the Intercept article contains “inaccurate information and misrepresentations.”
Police and the genealogists working with them can access the loophole by manipulating search fields within a DNA comparison tool to show profiles of individuals who explicitly opted out of sharing their information with police.
Records of communications reveal that Moore, along with two other forensic genealogists discuss how to trigger the loophole. One of the other genealogists mentioned hiding that her organization made an identification using an opted-out profile in separate communication.
Back in 2018 Joseph James DeAngelo, the Golden State Killer, was arrested after a broad, invasive search conducted without a warrant and in such a manner that it appeared to violate the privacy policy of at least one DNA company, according to the LA times.
Prosecutors claim to have used family tree searchers to find relatives of the killer to initially identify DeAngelo. Afterwards, a detective confirmed investigators uploaded semen from a rape kit to develop a DNA profile that was then uploaded to GEDmatch, an open-source platform.
Prosecutors did not share that the genetic material was first sent to FamilyTreeDNA, which allowed law enforcement to create a fake account and search for matching customers. After finding only distant leads, they uploaded the profile to MyHeritage where they identified a close relative who helped break the case.
Prior to The Intercept’s reporting on GEDmatch, Margaret Press, founder of the DNA Doe Project, published a statement on the organization’s website.
“In hindsight, it’s clear we failed to consider the critically important need for the public to be able to trust that their DNA data will only be shared and used with their permission and under the restrictions they choose,” she says.
“We should have reported these bugs to GEDmatch and stopped using the affected reports until the bugs were fixed,” continues Press. “Instead, on that first day when we found that all of the profiles were set to opt-out, I discouraged our team from reporting them at all. I now know I was wrong and I regret my words and actions.”
This post was updated at 7:10pm Eastern on August 23, 2023 to clarify that Margaret Press’ statement was published prior to The Intercept’s article, and at 10:53am Eastern on August 25, 2023 to clarify that one of Moore’s correspondents referred to hiding the opted out matches, clarify the description of involved databases and include a denial of the veracity of the Intercept article.
Article Topics
biometric identifiers | biometrics | criminal ID | data sharing | dna | police
Comments