Why a Data Breach on a Genealogy Site Has Privacy Experts Worried
In Dr. Edge’s article, he warned that it was possible to create fake profiles to identify people with genetic variants associated with Alzheimer’s disease and other illnesses.
“If something is just a geeky genealogist screwing around, that’s okay,” Dr. Larkin said. But it becomes a problem, she said, if users try to find people who all share a particular genetic mutation or trait, as Dr Edge warned. Such information could be misused by insurance companies, pharmaceutical companies or others, she said.
The breach also reinforced something genealogists have been saying for years: Mixing genealogy and law enforcement is messy, even when trying to draw clear lines. Until two years ago, the main DNA databases used by law enforcement for investigations were managed by the FBI and the police. That changed with the Golden State Killer case in 2018.
As police departments rushed to re-examine cold cases, GEDmatch, which at the time was run by two family history buffs as a sort of passion project, tried to serve two audiences: genealogists who simply wanted to trace their family tree and law enforcement officials who wanted to know if a murderer or rapist was hiding in one of its branches. Amid a backlash, GEDmatch changed its policy in May 2019 so that only users who have explicitly chosen to help law enforcement appear in police searches. Yet there is little regulation on how authorities can use GEDmatch and other genealogy databases, so it is largely up to companies and their users to control themselves.
And as the breach demonstrated, users’ wishes could be quickly ignored.
For some users, the reason for keeping their profiles private is philosophical. Even though helping law enforcement might mean helping catch a killer, they don’t want their genetic information used to incriminate their loved ones. Others, like Carolynn ni Lochlainn, a genealogist from Huntington, NY, keep their profiles private because they fear the data will be misused to arrest innocent people.
“I work with a lot of black clients and cousins, and I was very irritated by the inexcusable risk they were exposed to,” Ms ni Lochlainn said.
Colleen Fitzpatrick, the founder of Identifinders International, which applies forensic genealogy techniques to identify unclaimed remains and crime suspects, oversees a team that relies heavily on GEDmatch.