On Dec. 9, Verogen, a California-based forensic genomics company, acquired GEDmatch, a user-sourced DNA genealogy site. The acquisition suggests that GEDmatch’s transformation from a popular genealogy site to a crime-fighting tool is almost complete. The privacy implications will be enormous, even for those who have never considered taking a consumer genetic test.

GEDmatch launched in 2010 as an open-source database where individuals who have tested their DNA with private companies, like 23andMe and AncestryDNA, could upload their results and find family members. More recently, GEDmatch has acquired a second use—solving crimes. Most Americans first learned about GEDmatch in 2018, after law enforcement announced that they had used it to identify the suspected Golden State Killer.

While not the first time the technique was used, the Golden State Killer investigation was certainly the highest-profile, and it opened the floodgates to solving crimes with genetic genealogy. Law enforcement simply input DNA from unsolved cases into GEDmatch (as well as some other databases, like FamilyTreeDNA and Othram). When crime scene DNA demonstrates even a partial match, forensic genealogists can use that information to construct a family tree and determine who a suspect might be. The final step is to acquire the suspect’s DNA (often through something discarded, like a tissue) and confirm the match. Genetic genealogy was used in an estimated 200 cases in 2018 alone.

To date, more than 1.3 million users have uploaded their DNA to GEDmatch. When they uploaded their information, they might reasonably have expected that it would be kept safe and secure, shared only with those users authorized and in ways they intended. Unfortunately, this has rarely been the case. Instead, the past few months have revealed that GEDmatch lacks security, has altered its terms of use without predictability, and has been used by law enforcement in unexpected ways.

Genetic genealogy has ushered in a new era devoid of rules and regulations concerning genetic privacy. And for a long time, GEDmatch co-founder Curtis Rogers tried his best to create order out of the chaos. Without guidance from the government on the matter, he navigated difficult decisions—such as which types of crimes law enforcement could use the site to try to solve and whether users should have to opt in to or opt out of sharing their data with the police.

Each decision created controversy. At first, Rogers’ policy was that GEDmatch would only be used to help solve the most egregious violent crimes—like murder and sexual assault. But he changed his mind after Utah law enforcement contacted Rogers for assistance in a 2018 assault case they were investigating. First, he made an exception. Then, a few months later, he codified the change and expanded the definition of “violent crime” to include “murder, nonnegligent manslaughter, aggravated rape, robbery, or aggravated assault.”

Another policy change occurred when GEDmatch was criticized for sharing information with law enforcement without users’ explicit consent. So in May 2019, GEDmatch changed its policy to an opt-in version, asking users when they logged in whether they wanted to share their profiles with law enforcement. Many thought this would be the end of GEDmatch as an effective mechanism for police to solve cold cases—though competitor site FamilyTreeDNA still made most of its more than 1 million profiles available through an opt-out approach. Still, by November 2019, 185,000 individuals on GEDmatch had opted into allowing law enforcement to access their profiles.

While reasonable parties may differ on where to draw the line regarding the use of genetic genealogy, the troubling reality here is that one individual—in this case, Rogers—had the power both to draw that line and to change it unilaterally. With no legal regulations providing clarity on how and when genetic genealogy should be used to fight crime, we have left private entities in charge of the decision-making. And with Verogen taking over GEDmatch, we have new reasons to be concerned.

GEDmatch was a nonprofit company free for users who hoped to explore their family histories. In contrast, Verogen is a next-generation sequencing business in the forensic genomics market. It has been working with the Federal Bureau of Investigation to create DNA profiles for the National DNA Index System, the database that combines contributions from federal, state, and local forensic laboratories. Verogen CEO Brett Williams has made clear he sees GEDmatch as a crime-fighting tool—a “molecular eyewitness” that will enable law enforcement to solve violent crimes.

There may be some benefits to Verogen taking over GEDmatch. For instance, Williams has promised he will improve the system’s security, which is important, given that in November, computer scientists revealed serious vulnerabilities. This is significant: If DNA gets into the wrong hands, experts say we can expect a parade of horribles, including having our genes held ransom, people pretending to be our relatives asking for our help, and our data being sold to insurance companies and drug manufacturers. Williams has also said that he will keep the same opt-in standard that GEDmatch adopted in June 2019.

But as Rogers’ tenure demonstrated, GEDmatch’s terms and conditions are subject to change—and that was before a profit motive was introduced. While time will tell exactly how Verogen’s takeover will affect users, the company’s business model explicitly includes selling its services to crime labs, suggesting that future partnerships with law enforcement agencies would not be a surprise.

After Verogen acquired GEDmatch, users were quietly informed when they logged in that the purchase had taken place, and those who were uncomfortable with the new for-profit management could delete their accounts. But many thousands of users uploaded their data to GEDmatch, forgot about it, and have never logged back in, leaving a treasure trove of genetic data for Verogen to potentially use at its discretion. While the current terms and conditions protect individuals who haven’t opted in from being subjected to law enforcement searches, Verogen could always change those policies.

With a for-profit entity that is interested in sharing genetic data at the helm, GEDmatch might well become more like Facebook, Twitter, and other for-profit social networking sites, but with access to much more vital data. We ask these sites to be responsible stewards of our information, but they are nevertheless subject to incentives to make millions by selling our data to others. Thus far, only our pictures, clicks, likes, and preferences have been monetized. Now, we’re talking about our DNA, and the potential buyer is the government.

With an ally like Verogen in control of GEDmatch, law enforcement will be able to more easily conduct dragnet searches—the genetic equivalent of stop-and-frisk. Police often do not have an individual suspect in mind when they start their search; user-sourced DNA sites give them thousands of genetic profiles to wade through to attempt to find a match.

And unfortunately, DNA searches are not foolproof. For example, police did not immediately conclude that Joseph DeAngelo was the Golden State Killer—initially, two other suspects were identified. Police issued a warrant for one man in an Oregon nursing home and had him supply his DNA. In another case, police identified the wrong individual in a DNA search of a cold case. It took several anxiety-filled days before the man was exonerated by a swab of his cheek. This is all to say that the government’s power to invade genetic privacy is immense, and mistakes made in the criminal justice system can be costly.

Genetic privacy is vital: Unlike an ATM or credit card number, DNA cannot be changed. It can reveal information about us that we don’t even know ourselves—about paternity and siblings, our ethnic ancestors, and our propensity to get certain diseases. What’s more, DNA can reveal information about individuals who have not shared anything at all: A study last year found that 60 percent of white Americans can be identified through GEDmatch searches, with that number expected to rise as more people share their DNA with the system.

Verogen’s acquisition of GEDmatch should thus concern us all—even those of us who haven’t shared anything with GEDmatch. It is vital that there are clear policies about when and how genetic genealogy is used, and that those policies are created by publicly accountable institutions, not by a private for-profit entity on an ad hoc basis. The onus is on legislative bodies to draft laws to govern law enforcement searches for familial DNA matches. Potential regulations could require that law enforcement use this technique only for the most serious crimes, lower false positive identifications, and ensure that the data is stored and managed appropriately.

Additionally, a warrant should be required to search databases like GEDmatch, which would ensure a third-party judicial officer would review each case. Legislation could specify that only those who have opted in to assist law enforcement should be subjected to a search (avoiding what occurred in November in Florida, when a judge authorized a search of the entire GEDmatch database). In addition, the law can put punitive measures in place to remedy situations when data is misused or the rules are not followed.

Without such limits, and with Verogen’s takeover, the use of genetic genealogy by police will only increase. But by articulating guidelines now, lawmakers can create boundaries that apply no matter who is in charge of genetic platforms like GEDmatch.
