Monday 21 May 2018

Updates to the Terms of Service and Privacy Policy at GEDmatch

In the light of the revelations that the citizen science website GEDmatch was being used by law enforcement to identify victims of crime and suspects in murder investigations, the site owners have now updated the Terms of Service and Privacy Policy. When you log into your GEDmatch account you will now receive the following message:
The new Terms of Service and Privacy Policy can be seen here. (You do not need to be a GEDmatch user to access the link.)

It is of note that GEDmatch have now clarified that "DNA obtained and authorized by law enforcement" can be uploaded for two very specific uses to: "(1) identify a perpetrator of a violent crime against another individual; or (2) identify remains of a deceased individual".

There is also a new section which explicitly spells out the potential uses of your DNA results including the fact that your DNA could be used for "Familial searching by third parties such as law enforcement agencies to identify the perpetrator of a crime, or to identify remains."

The user is presented with three options: (1) to accept the new terms and conditions; (2) to reject the new policy and delete their account; (3) to decide later.

Preliminary thoughts
When the news first broke that GEDmatch had been used to identify a murder victim known as the Buckskin Girl, I expressed concerns about the use of GEDmatch for this purpose without the explicit informed consent of the users. The use of GEDmatch in the identification of a suspect in the Golden State Killer case exacerbated those concerns. I am therefore very pleased that GEDmatch have taken prompt action to update their site policy. The revised policy is also a commendable example of transparency, and a welcome use of plain, simple and direct language.

If you'd asked me two months ago what would happen if it was revealed that GEDmatch had been used by the police in a murder investigation I would have predicted that large numbers of people would have withdrawn their data and that GEDmatch would have been pressurised to restrict access to law enforcement. I couldn't have been more wrong. While views have been mixed there has been a positive reaction from many members of the genetic genealogy community who are happy that their DNA has potentially been used to catch a killer.

GEDmatch have made a bold and brave move in legitimising the use of their site for law enforcement searches in specific circumstances. I think they are being genuinely altruistic and want to have GEDmatch used to bring closure to the affected families. They are to be commended for this decision.

However, we now have a very interesting situation. GEDmatch is a citizen science website that was initially set up to provide DNA and genealogy tools to help adoptees who were searching for their biological parents. At present all the police DNA databases use autosomal STR (short tandem repeat) markers, and up to 24 such markers are currently used. Although the number of markers used is very small, they are specially chosen for their variability, and there are very low odds that two people would have an identical DNA fingerprint. Autosomal STRs can be used for familial searches but are only effective for identifying very close relationships. The standard tests used for genetic genealogy use a different type of marker known as a SNP (single nucleotide polymorphism). Upwards of 600,000 autosomal SNPs are tested on a microarray chip. Results can be compared in a database using the amount of DNA shared and the length of the shared segments to make predictions about relationships. Predictions can be made with reasonable confidence in combination with genealogical records for relationships up to about the second cousin level. Predictions are more difficult for more distant relationships because of the random nature of DNA inheritance and the limitations of family tree research. As far as I'm aware, there is no police force in the world which has its own autosomal SNP database for familial searches. Bizarrely, as Sarah Zhang has pointed out, GEDmatch has become "the de facto DNA and genealogy database for all of law enforcement". Given that probably around 80% of GEDmatch users are in the US, it is likely that, in the short term at least, it will only be the American police using GEDmatch in this way, though that situation could change as the consumer genetic testing market continues to grow internationally.

There are still many issues to be addressed going forwards. I have many questions but no answers:
  • Can privacy policies on websites be legally enforced?
  • What oversight will there be of these searches to ensure that the police use these powers responsibly?
  • Will there be an ethics committee or some other supervisory body which will scrutinise applications for such searches? In the UK oversight is provided by the Biometrics Commissioner and Forensic Science Regulator. Do similar bodies exist in America and in other countries?
  • What measures will be taken to ensure that searches are proportionate and that large numbers of innocent third and fourth cousins identified from a crime scene sample are not brought into the police dragnet? In America this could mean that your cousin will be stalked by armed police in an attempt to get a discarded item to obtain a DNA sample.
  • Which genealogists are qualified to perform such searches and how can the police verify whether a genealogist has the necessary skills and will behave in an ethical way?
  • How will people feel if their DNA is used to falsely incriminate an innocent person? There have already been recorded cases of well-meaning volunteer search angels misidentifying the biological parents of adoptees. The stakes are much higher in criminal investigations, and especially in US states which still have the death penalty.
  • Is there a case for the police to upgrade their own databases so that they use autosomal SNPs instead of STRs?
All these issues will be discussed in the months and years to come, and it will be interesting to see what happens. For now I think it's important that everyone gets their voice heard. What do you think?

Saturday 19 May 2018

Genealogy and DNA casualties of GDPR – farewell to World Families Network, Ysearch and Mitosearch

On 25th May GDPR (the General Data Protection Regulation) will come into force in the European Union. Although the UK is leaving the European Union in 2019, the legislation will also apply to the UK and will be enshrined in UK law through the new Data Protection Bill, which is currently going through Parliament. Although this is an EU regulation, it applies to companies and organisations worldwide which have customers or members in the EU, though it is not at all clear how the EU will be able to enforce the regulation in practice in countries over which it has no jurisdiction. Nevertheless, most big companies outside the EU are taking the legislation seriously and it has already had the benefit of encouraging large American companies like Facebook and Google to improve their previously lax attitudes to privacy.

However, while the aims of GDPR are sound, the legislation is hitting small companies and volunteer organisations particularly hard. Valuable volunteer time is being taken up in interpreting and enacting the requirements. GDPR sets a high bar for consent, and all consents have to be GDPR compliant. Although fresh consent is not always necessary, some organisations have decided to take no chances and have sought renewed consent regardless. Like everyone else, I have been bombarded with e-mails from companies and organisations asking me to give consent to receive e-mails and newsletters that I've already asked to receive. There have been endless other e-mails informing me of updated privacy policies. With the best will in the world I simply do not have the time or inclination to read all the fine details of these thousands of new policies, which rather defeats the object of the requirement for informed consent.

Some people have decided that GDPR is not worth the effort:
There have been two big casualties in the world of genetic genealogy.

World Families Network
World Families Network, a website run by Terry Barton, will be shutting down on 23rd May. Terry decided that the "ambiguity and uncertainty of the bureaucratic requirements" of GDPR "are just more than we care to deal with". See here for the full text of Terry's statement. Terry was acting as administrator for 750 Family Tree DNA projects. These will now all be hosted directly on the FTDNA website, but the pedigree information accumulated over many years will be lost unless new admins can be found to take over.

Wayne Kaufman has kindly compiled a spreadsheet with a list of all the projects available for adoption. You can access the spreadsheet from this link:

If you are interested in taking over one of these projects send an e-mail to Terry at World Families or write to FTDNA.

Ysearch and Mitosearch
Ysearch and Mitosearch were set up by Family Tree DNA as public databases where DNA results could be uploaded from any testing company for comparison purposes. Neither site has been maintained for several years now and it is perhaps no surprise that GDPR has prompted FTDNA to shut both sites. Ysearch was also controversially used to identify suspects in criminal investigations, which on three occasions led to the false incrimination of an innocent person. Here is the text of the e-mail that was sent out to Ysearch and Mitosearch customers:
Dear Valued Ysearch & Mitosearch Members, 
On May 24th, 2018, our free, public genetic-genealogy databases, and, will no longer be accessible as a result of the EU General Data Protection Regulation (GDPR) going into effect on May 25th. 
As the founders of the direct-to-consumer genetic genealogy industry, we did not make this decision lightly. We believe it is necessary given the resources it would take to make both sites GDPR compliant. The current environment regarding DNA privacy as well as recent events in the news, particularly DNA databases being utilized to solve cold cases, were also considerations, but the rigorous requirements of GDPR would have prompted this action irrespective of current events. 
User privacy policies across all of the major consumer genetic-genealogy service providers have become a topic of national conversation, and it is our goal to ensure that our privacy policies continue to meet or exceed industry norms. 
We encourage you to continue your journey of discovery with us on FamilyTreeDNA, and we thank you for your participation in “citizen science” over the years. 
The vast majority of DNA results on Ysearch and Mitosearch were contributed by Family Tree DNA customers. FTDNA now monopolise the Y-DNA and mtDNA testing market and are the only company that provides a matching database for Y-DNA and mtDNA. However, Ysearch and Mitosearch also hosted Y-DNA and mtDNA results from customers of other testing companies that have since ceased operations. Relative Genetics, DNA Heritage and GeneTree closed down many years ago. Ancestry stopped offering Y-DNA and mtDNA tests in 2014. Oxford Ancestors has announced that it will be shutting down this summer. Although Oxford Ancestors have not mentioned GDPR, it is likely to have been a precipitating factor in their decision.

With the closure of Ysearch and Mitosearch the DNA results from these other testing companies will no longer be accessible anywhere for comparison purposes. DNA Heritage was acquired by Family Tree DNA and customers were given the option of transferring the results to FTDNA free of charge. People who tested with a Sorenson Lab (AncestryDNA, GeneTree and the Sorenson Molecular Genealogy Foundation) can take advantage of FTDNA's Y-DNA transfer programme. Customers of other testing companies will need to get re-tested at Family Tree DNA if they wish to receive matches. Unfortunately, many of the results uploaded to Ysearch and Mitosearch will be lost forever because the participant has either passed away or is no longer active.

Preservation of DNA records
We as a genealogy community need to do a better job of preserving our DNA records. If you are interested in helping to find a solution please join the new Facebook group Committee for the Preservation of DNA Records.

Update 27th July 2019
There is now a new public Y-DNA and mtDNA database called MitoYDNA which will serve as a replacement for Ysearch and Mitosearch. For details see this blog post from Mags Gaulden, one of the founders of MitoYDNA.
