Wednesday 6 November 2019

Search warrant granted for access to GEDmatch database

A troubling story has been published in the New York Times about a security breach at GEDmatch. Detective Michael Fields from the Orlando Police Department was able to obtain a search warrant which allowed him to over-ride the privacy settings of individual customers at GEDmatch and search for matches in the entire database rather than in the subset of the database which had opted in to law enforcement matching. Fields had previously been able to use GEDmatch in collaboration with Parabon Nanolabs to identify a suspect in the 2001 murder of Christine Franke. He was disappointed when GEDmatch changed their terms of service in May this year which resulted in all users being required to actively opt in to law enforcement matching. This change effectively reset the number of profiles available for law enforcement matching to zero, including many people who had transferred their results to GEDmatch specifically to help with law enforcement cases. Since then a steady trickle of people have opted back in to law enforcement matching but, according to the New York Times article, just 185,000 of GEDmatch's 1.3 million users have done so at the present time. The cold case which resulted in the search warrant relates to a serial rapist who assaulted a number of women several decades ago, though the full details have not been made public. The New York Times reports as follows:
In July, he [Fields] asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded. 
Detective Fields described his methods at the International Association of Chiefs of Police conference in Chicago last week. Logan Koepke, a policy analyst at Upturn, a nonprofit in Washington that studies how technology affects social issues, was in the audience. After the talk, “multiple other detectives and officers approached him asking for a copy of the warrant,” Mr. Koepke said.
It is difficult to comment on this case without having the full facts available. As this is an active investigation it is not possible to get a copy of the search warrant to find out why the police thought it necessary to over-ride the consents and we don't know the grounds on which the judge granted the warrant. GEDmatch could potentially have resisted the warrant but they are unlikely to have the resources to fight a lengthy legal battle. They are also likely to be sworn to confidentiality so they would not be able to discuss the case and would not have been in a position to warn their users. But if GEDmatch were sworn to confidentiality I wonder why Detective Fields was boasting about his actions at a police conference.

However, the use of a search warrant in this case does provide cause for concern as it potentially sets a precedent. What is to stop the police issuing search warrants to search for matches at the other testing companies? Would these companies be able to defy the warrant and refuse access? It is also troubling from an international perspective. An American judge has made a unilateral decision which affects the privacy and rights of all of GEDmatch's many international users who do not have any legal or governmental representation in the US. Granting access to the opted out profiles of international customers is not only a disproportionate measure, as their family trees are much less likely to be used to solve the crime, but it is also a gross over-reach by the judge who has passed a judgement which affects individuals who live in countries which are outside her jurisdiction.

If you think you might have been affected I suggest that you write to the Orlando Police Department to find out if your name is included in the match lists they are using. If you are an EU citizen you should be protected by the General Data Protection Regulation (GDPR) and you will have the right to have your information removed. If the police refuse to do so you should complain to your data protection regulator in the EU. If you are in the UK you should write to the Information Commissioner's Office. If you are in Ireland you should write to the Data Protection Commission. The ICO have a handy template on their website which you can use if you wish to submit a complaint. I have now written to the Orlando Police Department and I await their response with interest.

If you feel strongly about this judgement you might also like to write to Judge Patricia Strowbridge. She can be contacted via her judicial assistant. I have sent her an e-mail because I think it's important that she understands the international implications of her decision though I am not expecting a response.

Update 7th  November 2019
I have received the following response from Judge Strowbridge's office:

"Judge Strowbridge’s office is in receipt of the email you sent yesterday, November 6, 2019. Unfortunately, the Florida Code of Judicial Conduct strictly prohibits judges from commenting on any pending cases. As such, Judge Strowbridge is unable to respond to your email."

Update 13th November 2019
Someone was able to get a redacted version of the GEDmatch search warrant and they've shared it on Twitter. You can access it here:

I will comment on this in due course.

Update 18th November 2019
Leah Larkin published an analysis of the GEDmatch search warrant.

Further reading
Related blog posts

Sunday 3 November 2019

Genotype extraction and false relative attacks: potential security risks at third-party genetic genealogy sites

Hot on the heels of a paper published the other week by Michael "Doc" Edge and Graham Coop on the possibility of attacks on genetic privacy via uploads to genealogy databases comes another paper by an independent team of researchers warning of another potential security risk.

The latest paper is written by Peter Ney, Luis Ceze and Tadayoshi Kohno, three researchers at the Paul G. Allen School of Computer Science & Engineering at the University of Washington. They caution about the risks of genotype theft and falsified genetic relations in the GEDmatch database.

I do not feel qualified to comment on the security risks they have identified so I will provide some links and let you make your own judgement.

The authors have provided some FAQs which provide a good starting point:

If you want read the full paper you can find it here:

The possible implications are also discussed in this article by Antonio Regalado in MIT Technology Review:

See also this report in the University of Washington News:

GEDmatch were given advance notice of the publication of the paper to allow them time to implement any necessary fixes. I understand that GEDmatch currently have measures in place that would thwart the method described in this paper but, understandably, they are not sharing the specifics. Further measures are also being investigated.

Note that this loophole affects GEDmatch only. The method won't work at AncestryDNA, 23andMe, FamilyTreeDNA, MyHeritage and Living DNA.

Update 4th November 2019
This research was also covered in New Scientist. You need a subscription to access the full article but here are some quotes from the end of the article:
"The study identifies a “clear risk” to the GEDmatch database, according to Graham Coop at the University of California, Davis, who wasn’t involved in the work. “I do worry that [GEDmatch are] not taking these concerns seriously enough. They have over a million people’s genetic data and they have placed these data at risk, which is incredibly concerning.” 
The risks could be easily solved by limiting genetic data uploads to DNA test results that are authenticated or digitally signed, says Ney. Better checks on uploads to detect anomalies, and restrictions on one-to-one comparison searches would help too, he says. His team alerted GEDmatch to the vulnerabilities before publishing and took measures to avoid exposing anyone’s identity. 
Curtis Rogers at GEDmatch says: “We are concerned about security and appreciate they have pointed out vulnerabilities.” He says the site has made several changes to address the vulnerability and is working on others, but didn’t specify what measures.
The article can be found here: