Thursday, March 17, 2016

GEDMatch Suspends FTDNA Transfers


Update: Those wishing to upload their FTDNA results to GEDMatch can use the workaround I've posted in a follow-up article.


On March 16, GEDMatch removed the option for uploading of new Family Tree DNA kits and posted the following message:


Early this morning the following update was posted on GEDMatch:
We regret we had to make the decision to stop accepting FTDNA DNA uploads. FTDNA has threatened to sue GEDmatch over claimed privacy issues. We have been asked not to discuss the details, because it would be to FTDNA's disadvantage. Suffice it to say that FTDNA's own site seems to currently violate these same issues. 
We would prefer to work closely with FTDNA in solving this problem to everybody's benefit, but we have not received a response to any of our suggested compromise solutions. The technical obstacles to satisfying FTDNA current demands are significant. It appears that our only alternative may be to remove all FTDNA DNA match results from GEDmatch. The issues raised by FTDNA do not apply to kits from other testing companies. 

This came as a bit of a shock to many GEDMatch users, and the potential legal battle between FTDNA and GEDMatch regarding the use of customers' DNA data means this is not likely to be a quick fix.

FTDNA's customer relations issued the following statement regarding the incident:

We have reached out to GEDMatch expressing our concern that their website could potentially lead to a breach in privacy of our customers. Given this, we proposed to discuss the subject with them, but in parallel we suggested that until further clarification and assurances that the privacy of our customers' records are protected, Family Tree DNA uploads should be suspended. We hope that with the cooperation of GEDMatch we can reestablish the uploads in the near future.

FTDNA's concerns regarding privacy are understandable. GEDMatch is a site run by volunteers which in the past has been subject to security breaches. Their own site policy statement makes it clear that security is not a priority, as the majority of users' personal data is stored unencrypted:

The data you upload to GEDmatch is placed into a database to make it accessible to other users through the various applications on this site. The DNA and genealogical data is not encrypted. DNA data is compressed in a proprietary format which makes it unreadable without a great deal of effort. Genealogy data is stored as plain text in a database. We encrypt your login password before putting it in our database. We cannot tell what your password is. However, there have been cases in the news of encrypted data being hacked and decoded. Be aware that may be a possibility on this or any other site. We take measures to ensure that only registered users have access to your results, but those measures have not been and never will be perfect. Direct access to your data is available to GEDmatch personnel, including volunteers, on a need to know basis. 

Because GEDMatch's entire purpose is to encourage open sharing and easy comparison of DNA results, loss of some privacy should be considered an expected risk of using the site. Email addresses are visible to all matches. Theoretically someone could pull all email addresses from GEDMatch's database quite quickly by having a script input sequential kit numbers into the URL and extracting addresses from the results. The DNA data itself may not be terribly useful to the average hacker, but the personal information entered by users could be used for identity theft purposes. It is a risk all users should consider before uploading to the site, and they should upload only with full awareness of and consent to the risk.

Ultimately, it is the end user's choice whether to risk exposing their data on a site such as GEDMatch, and as long as acceptable warnings are in place, they should not be prevented from doing so. For those who find GEDMatch's lack of strict privacy troublesome, there is a good alternative in DNA.Land. This site, operated in conjunction with Columbia University, offers similar services to GEDMatch but with much more robust privacy and security. The site is relatively new and has very few users compared to GEDMatch, but it is growing and becoming more useful every day. DNA.Land cofounder Yaniv Erlich issued the following statement concerning FTDNA transfers:

Following up questions of participants: DNA.Land *continues* to accept FTDNA files. An external committee provides oversight that our data collection adheres to the US Federal Rule of Human Subject Research (45CFR46) and the informed consent clearly defines privacy expectations of our participants. We were never contacted by FTDNA about any privacy issue with our site.
We hope that FTDNA and GedMatch will reach a solution for the benefit of the community. We believe that DNA data is empowering and that informed individuals should have the autonomy to use their data.

Until the dispute between GEDMatch and FTDNA is resolved, FTDNA users of GEDMatch should take steps to save their results pages for future use. In addition, users may wish to reupload their data in 23andMe format in order to ensure their data stays on GEDMatch in the future. I've outlined how to reformat the FTDNA results as 23andMe data in this post.


2 comments:

  1. I'd disagree with the statement that there is enough info for identity theft on GedMatch. Otherwise, good article.