Wednesday, 6 November 2019

Search warrant granted for access to GEDmatch database

A troubling story has been published in the New York Times about a security breach at GEDmatch. Detective Michael Fields from the Orlando Police Department was able to obtain a search warrant which allowed him to over-ride the privacy settings of individual customers at GEDmatch and search for matches in the entire database rather than in the subset of the database which had opted in to law enforcement matching. Fields had previously been able to use GEDmatch in collaboration with Parabon Nanolabs to identify a suspect in the 2001 murder of Christine Franke. He was disappointed when GEDmatch changed their terms of service in May this year which resulted in all users being required to actively opt in to law enforcement matching. This change effectively reset the number of profiles available for law enforcement matching to zero, including many people who had transferred their results to GEDmatch specifically to help with law enforcement cases. Since then a steady trickle of people have opted back in to law enforcement matching but, according to the New York Times article, just 185,000 of GEDmatch's 1.3 million users have done so at the present time. The cold case which resulted in the search warrant relates to a serial rapist who assaulted a number of women several decades ago, though the full details have not been made public. The New York Times reports as follows:
In July, he [Fields] asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded. 
Detective Fields described his methods at the International Association of Chiefs of Police conference in Chicago last week. Logan Koepke, a policy analyst at Upturn, a nonprofit in Washington that studies how technology affects social issues, was in the audience. After the talk, “multiple other detectives and officers approached him asking for a copy of the warrant,” Mr. Koepke said.
It is difficult to comment on this case without having the full facts available. As this is an active investigation it is not possible to get a copy of the search warrant to find out why the police thought it necessary to over-ride the consents and we don't know the grounds on which the judge granted the warrant. GEDmatch could potentially have resisted the warrant but they are unlikely to have the resources to fight a lengthy legal battle. They are also likely to be sworn to confidentiality so they would not be able to discuss the case and would not have been in a position to warn their users. But if GEDmatch were sworn to confidentiality I wonder why Detective Fields was boasting about his actions at a police conference.

However, the use of a search warrant in this case does provide cause for concern as it potentially sets a precedent. What is to stop the police issuing search warrants to search for matches at the other testing companies? Would these companies be able to defy the warrant and refuse access? It is also troubling from an international perspective. An American judge has made a unilateral decision which affects the privacy and rights of all of GEDmatch's many international users who do not have any legal or governmental representation in the US. Granting access to the opted out profiles of international customers is not only a disproportionate measure, as their family trees are much less likely to be used to solve the crime, but it is also a gross over-reach by the judge who has passed a judgement which affects individuals who live in countries which are outside her jurisdiction.

If you think you might have been affected I suggest that you write to the Orlando Police Department to find out if your name is included in the match lists they are using. If you are an EU citizen you should be protected by the General Data Protection Regulation (GDPR) and you will have the right to have your information removed. If the police refuse to do so you should complain to your data protection regulator in the EU. If you are in the UK you should write to the Information Commissioner's Office. If you are in Ireland you should write to the Data Protection Commission. The ICO have a handy template on their website which you can use if you wish to submit a complaint. I have now written to the Orlando Police Department and I await their response with interest.

If you feel strongly about this judgement you might also like to write to Judge Patricia Strowbridge. She can be contacted via her judicial assistant. I have sent her an e-mail because I think it's important that she understands the international implications of her decision though I am not expecting a response.

Update 7th  November 2019
I have received the following response from Judge Strowbridge's office:

"Judge Strowbridge’s office is in receipt of the email you sent yesterday, November 6, 2019. Unfortunately, the Florida Code of Judicial Conduct strictly prohibits judges from commenting on any pending cases. As such, Judge Strowbridge is unable to respond to your email."

Update 13th November 2019
Someone was able to get a redacted version of the GEDmatch search warrant and they've shared it on Twitter. You can access it here:

I will comment on this in due course.

Further reading
Related blog posts

Sunday, 3 November 2019

Genotype extraction and false relative attacks: potential security risks at third-party genetic genealogy sites

Hot on the heels of a paper published the other week by Michael "Doc" Edge and Graham Coop on the possibility of attacks on genetic privacy via uploads to genealogy databases comes another paper by an independent team of researchers warning of another potential security risk.

The latest paper is written by Peter Ney, Luis Ceze and Tadayoshi Kohno, three researchers at the Paul G. Allen School of Computer Science & Engineering at the University of Washington. They caution about the risks of genotype theft and falsified genetic relations in the GEDmatch database.

I do not feel qualified to comment on the security risks they have identified so I will provide some links and let you make your own judgement.

The authors have provided some FAQs which provide a good starting point:

If you want read the full paper you can find it here:

The possible implications are also discussed in this article by Antonio Regalado in MIT Technology Review:

See also this report in the University of Washington News:

GEDmatch were given advance notice of the publication of the paper to allow them time to implement any necessary fixes. I understand that GEDmatch currently have measures in place that would thwart the method described in this paper but, understandably, they are not sharing the specifics. Further measures are also being investigated.

Note that this loophole affects GEDmatch only. The method won't work at AncestryDNA, 23andMe, FamilyTreeDNA, MyHeritage and Living DNA.

Update 4th November 2019
This research was also covered in New Scientist. You need a subscription to access the full article but here are some quotes from the end of the article:
"The study identifies a “clear risk” to the GEDmatch database, according to Graham Coop at the University of California, Davis, who wasn’t involved in the work. “I do worry that [GEDmatch are] not taking these concerns seriously enough. They have over a million people’s genetic data and they have placed these data at risk, which is incredibly concerning.” 
The risks could be easily solved by limiting genetic data uploads to DNA test results that are authenticated or digitally signed, says Ney. Better checks on uploads to detect anomalies, and restrictions on one-to-one comparison searches would help too, he says. His team alerted GEDmatch to the vulnerabilities before publishing and took measures to avoid exposing anyone’s identity. 
Curtis Rogers at GEDmatch says: “We are concerned about security and appreciate they have pointed out vulnerabilities.” He says the site has made several changes to address the vulnerability and is working on others, but didn’t specify what measures.
The article can be found here:

Tuesday, 22 October 2019

Attacks on genetic privacy via uploads to genealogical databases

A new preprint has just been published by Michael "Doc" Edge and Graham Coop from the University of California Davis about some potential security risks in genetic genealogy databases. The paper is concerned with genealogy databases which accept uploads (ie, GEDmatch, FamilyTreeDNA, Living DNA and MyHeritage DNA). AncestryDNA and 23andMe do not accept uploads so they are not affected. Not all of the techniques described in the paper would necessarily work at all the companies. The companies were all given early sight of the paper so they have had the opportunity to make any adjustments. I understand that GEDmatch have already taken some unspecified measures and are considering more. The authors have provided a few suggestions on possible solutions for dealing with the risks they have highlighted and improving security such as using cryptographic signatures on DNA data files.

The authors have written some FAQs about their paper and if you want to understand what it is all about I recommend reading these FAQs first.

If you want to read the full paper it can be found here.

UC Davis have issued a press release which can be found here.

Leah Larkin has written an excellent blog post about the paper explaining the concepts in easy-to-understand terms.

Blaine Bettinger has shared his thoughts in this blog post.

I will update this post with further links if I find any other useful commentaries on the subject.

Thursday, 17 October 2019

Big changes at Living DNA

There have been some major updates at Living DNA. Their long-awaited new website has just been launched, and they have expanded their product range. The website upgrade will allow Living DNA to speed up processing times. By January 2020 they hope to have a system in place to allow them to deliver regular matches and notifications. At the moment the matching database is only re-run every two weeks. Most importantly, the update will allow Living DNA to update the ancestry reports with new regions. Spain and Germany are apparently nearly ready to go, and there are other updates in the pipeline, though anyone waiting for Scotland and Ireland will have to wait a little longer. The ancestry maps page has also been re-designed.

The new website is designed to be more accessible to non-genealogists and will guide the user through all the steps to ensure that they are able to access all the features. There is a simplified activation process which will allow for easier kit management for elderly relatives who do not use a computer. The upgrade process has also been simplified and now includes the ability to upload zip files. You will be able to opt in to relative matching with a single click.

At the time of writing the new website is live but I don't yet have the new "onboarding" experience or the updated ancestry maps. I will update this post with screenshots as and when they are available.

In the meantime here are some screenshots provided by Living DNA showing the new portal experience. (The names are all from a dummy account.) The screenshot below shows the new dashboard.

This is the redesigned ancestry map.

New products
The product range has been revamped and Living DNA are now offering a low-priced taster kit for £49/$49. The starter test includes the following reports:
● Your global ancestry breakdown across continents
● The ability to find people around the world who you share DNA with
● A nutrition report determining if your genetics indicate that you are prone to Vitamin D deficiency
● The type of exercise your muscles respond to best

Starter kit customers can upgrade to the ancestry experience for £49/$49 and the wellbeing experience for £69/$69.

The full ancestry test remains the same as before and is priced at $99/£99.

There is now a new wellbeing test with a full range of fitness and nutrition reports. This kit costs £129/$129. It will include a selection of reports indicating:
● How your body responds to different vitamins
● How your body breaks down foods to which your body may be sensitive to such as gluten or lactose
● How your body responds to different types of fitness.
● How to understand what type of exercise best supports your body. For example, it is claimed that DNA can indicate if you are better suited to running and sprinting or weight and circuit training.

Customers who order at launch will also receive a complimentary 180-day updates package worth £39/$39 that provides new reports as they are released.

Here is a screenshot of a sample wellbeing report.

There is also a bundle priced at £179/$179 which combines the full collection of ancestry, nutrition and fitness reports.

Existing Living DNA customers will have the option to upgrade their accounts in mid-November 2019 to purchase the full wellbeing test for a reduced rate of £49/$49 (normally £69/$69) until 31st December 2019.

This blog post was updated on 17th October to include a photo of the new starter kit and screenshots of the new portal provided by Living DNA.