Just two years ago, GEDmatch was still an obscure genealogy website, known only to a million or so hobbyist DNA sleuths looking to fill in their family trees. The site was free, public, and run by two guys with a knack for writing algorithms that helped relatives find each other. All in all, it was a pretty controversy-free place.
That all changed in April of 2018, when news broke that police had used GEDmatch to identify a suspect in the 40-year-old Golden State Killer case. As the site emerged as a crime-fighting tool, some users and privacy experts began to worry about how people’s genetic data might ensnare them in criminal investigations when all they wanted was to learn about their family history. The transition has been rocky for GEDmatch. One drama after another has engulfed the website: Police searches have grown increasingly invasive; the site’s owners tried to react with changes to its terms of service that ended up backfiring; and white-hat hackers pointed out glaring security flaws. But starting today, that’s all someone else’s problem.
On Monday afternoon, GEDmatch announced it was being taken over by a new owner, the forensic genomics firm Verogen. The San Diego-based company spun out of sequencing giant Illumina two years ago, specializing in next-generation DNA testing services catered to law enforcement. With the acquisition of GEDmatch, Verogen may also start offering genealogy searches like the ones that have so far identified suspects in as many as 70 cases. “Never before have we as a society had the opportunity to serve as a molecular eyewitness, enabling law enforcement to solve violent crimes efficiently and with certainty,” Verogen CEO Brett Williams said in a statement announcing the deal. The terms of the agreement were not disclosed.
Reactions so far, have been mixed. “I suspect this will be the last straw for all the genealogists who don’t want to share with law enforcement,” Debbie Kennett, a genealogist and honorary research associate at University College London, told WIRED. On Monday GEDmatch updated its terms of service to reflect the new ownership, but it did not alert users via email. Kennett found out from a Facebook group discussion. When she tried to log into GEDmatch, she discovered she was locked out until she accepted the new terms. (Additional options included deciding later and permanently deleting all her data from the GEDmatch servers.) According to a Verogen spokesperson, whatever settings users had earlier selected for their GEDmatch profiles—opting in or out of police searches—will remain under the new terms.
GEDmatch itself has not always stuck to its word on such matters. Earlier this month, the site’s users discovered their privacy settings weren’t ironclad, when reports surfaced that a Florida detective had obtained a warrant to search the site’s full database, including individuals who had opted out of cooperating with law enforcement. A few weeks later, a team of genetic security researchers revealed a flaw in GEDmatch’s relative-matching algorithm that would allow a hacker to scrape more than 90 percent of users’ DNA data. Verogen’s Williams says GEDmatch has already addressed these security issues, and that his company will continue to monitor other possible vulnerabilities.
Some genealogists are hopeful that under Verogen’s management, the database won’t be as susceptible to investigative overreaches or genetic data phishing attacks. “Curt and John have just been out there on their own, protecting the data from the rest of the world,” says Colleen Fitzpatrick, a genealogist and forensic consultant. (Curtis Rogers, 81, and John Olson, 68, launched GEDmatch in 2010. Neither could be reached for comment.) “Having Verogen buy it takes some of the concerns about the future of GEDmatch away.”