تحديث: 2nd Aug 2020 قراءة: 6 دقائق

GEDmatch Hacked, Exposing Millions' DNA

In painfully predictable privacy news, genealogy website GEDmatch got hacked. Not only that, but the DNA data of over a million people was “accidentally” made available to law enforcement.

The surprised Pikatchu meme is the only way Im able to express how I feel about this. Did people not see this coming when they were enthusiastically sending their DNA to some random company just so they can make a social media post about how black they are? I digress.

Apparently, researchers became aware of the breach when they suddenly got far more matches on a DNA sample as usual signifying that related DNA data was found. Except, a lot of that new data seemed spammy in nature, or belonged to suspected murderers and rapists.

Suspects DNA samples that is used by law enforcement should not normally appear in civilian search results. This is to prevent accidentally letting a suspects family finding out.

Whoever conducted this hack either intentionally wanted to cause chaos and anxiety around peoples DNA privacy, or simply wanted law enforcement to access all the available DNA data with complete disregard to peoples privacy. Personally, I think it was the latter.

Back in December 2019, Jennifer Lynch of the privacy advocacy group Electronic Frontier Foundation published a blog post about GEDmatch getting acquired by its current owner Verogen Inc.

The articles title included the words “Why You Should Be Worried”.

The answer: Verogen Inc was formed in 2017 for the sole purpose of bringing genomics to the “forensic market”.

Even before the acquisition, GEDmatch was already no stranger to sharing the same bed with law enforcement. All of their DNA data prior to May 2019 was available to law enforcement without even needing a warrant. The only reason that changed was due to public outcry.

Since May 2019, law enforcement has only been able to warrantlessly access the DNA records of users who have opted in to assist authorities. Of course, only a small percentage of users did, but the larger pool of DNA data was still available to them with a warrant.

The problem here is that law enforcement isnt only interested in the DNA records of suspects. After all, what are the odds that their suspect would have willingly submitted their DNA to a silly website? No. Law enforcement is interested in finding family members of the suspect. Thats a close enough match to them.

Aside from the chilling implication that you dont even need to have done anything wrong to be implicated in something a distant relative is suspected to be involved in, the more Orwellian undertone here is perhaps even more important: you, as a potential suspects distant relative, dont need to consent before giving them your DNA.

Weve all learned about the six degrees of separation growing up. Doesnt that mean that everyone is potentially related to at least one suspect? Does that mean law enforcement should have access to all our DNA data on file without our consent?

And its not like they know, at the time of running their samples, who their suspect will be or who their relatives will be. There isnt anything resembling reasonable doubt. Theyre fishing for leads and arguing we shouldnt have a reasonable expectation of privacy since we willingly submitted our DNA to companies whose terms of service we never read.

Ive spoken repeatedly about how unreasonable it is that terms of service are legally binding when we all know, as a society, that nobody ever reads them. More importantly, when youre unable to use a service without agreeing to the terms, most people will probably agree just so they can get GPS directions home or connect with an old friend. Does that mean they agreed to be spied on for the rest of their lives? Of course not. Similarly, sharing DNA with a company that will provide you more insight into your DNA and potentially your health is not the same as sharing that DNA with law enforcement.

Its the same exact flaw with terms of service that is being exploited here. Its only more obvious because the consequences are much larger.

The EFF article argues that “We need to think long and hard as a society about whether law enforcement should be allowed to access genetic genealogy databases at all even with a warrant.”

60% of white Americans can reportedly be identified using GEDmatchs very small sample size of only 1.3 million. Currently, that accounts for 0.5% of the U.S. adult population. Once that figure reaches 2%, 90% of white Americans will be identifiable.

Interest is slowly dying down in such websites, but not enough to stop the growth of their user base completely.

On the flip side, this exponential ability to identify people so many degrees apart also comes with false positives. Contrary to popular belief, DNA tests arent always exact and fool-proof. Its completely possible to send an innocent person to jail if the court decides that DNA data is paramount and refuses to run additional tests.

The lack of regulation surrounding the use of DNA data by law enforcement essentially makes it the wild west.

My favorite part of the entire story is that this all came down to a single switch. A switch that allowed users to opt-in to allowing law enforcement to use their data, or not.

Lets say Im wrong and that Verogen didnt do this themselves. The fact that its so easy for an attacker to flip that switch which takes your DNA data from being an innocent, fun, potentially informative tool and turns it into a criminal record that could be used against you in the future regardless of whether or not you do anything wrong thats what I have the most trouble processing.

It should not be this easy for something to change so drastically from what you signed up for. Its like having a bowl of fruit punch at a party and a bowl of poison right next to it, each labeled by a card in front of it. Right now, changing service agreements is as simple as swapping those cards to give companies complete legal immunity to do whatever they want.

It should not be this easy for someone to turn something as innocent as fruit punch into a death sentence.

Link copied to clipboard

اتصل بي