Policy Analysis and Plain Language Translation
written by Anna Stauffer and Sydnee Monroe

After the case of Joseph James DeAngelo, we conducted research on several privacy policies. The Privacy Policies of Ancestry.com, 23andMe, and GEDmatch have fairly straightforward Policy Statements; however, GEDmatch has several sections that can be misinterpreted and can cause its users to reveal more information than they intended or wanted to.

In the "Collection and Use of Information" section, GEDmatch confirms that they collect data regarding a user's equipment, browsing actions, and usage patterns. While they claim the information is gathered solely for statistical information and internal use, GEDmatch is still gathering personal information without the user's knowledge. Further, GEDmatch discloses that a user's Raw Data (DNA), personal information, and/or genealogy data can be disclosed to comply with a legal obligation such as a subpoena or warrant. This disclosure of information may happen without the user's knowledge if notification is prohibited under law. What this means is that GEDmatch can give personal information to authorities without the user's consent or knowledge.

The next section of GEDmatch's policy breaks down their definitions of what is acceptable Raw Data. The fifth bullet of the breakdown claims that Raw Data can be DNA obtained and authorized by law enforcement to either identify a perpetrator of a violent crime against another individual, or to identify remains of a deceased individual. GEDmatch takes an extra step to define 'violent crime' as a homicide or sexual assault. This classification may have been added as a result of the case against Joseph James DeAngelo, whose DNA was searched through GEDmatch by law enforcement and who was later convicted as The Golden State Killer. It is unknown if this condition was part of the original Privacy Policy, or if it has been recently added. What this statement means, however, is that law enforcement can upload DNA they believe may be tied to a violent crime. The DNA of the suspect can then be uploaded without the suspect's knowledge. Giving law enforcement the ability to upload DNA carries a risk that may lead to an abuse of power. They can upload any DNA they claim belongs to a suspect of a violent crime, whether the suspect is involved in the crime or not.

Under the Privacy section of GEDmatch, they state that users have the ability to use an alias instead of their real name. However, if the user has their DNA linked to their Genealogy Data, their alias will not be used and their real name will be displayed instead. If a user does not read this section carefully, they may be under the impression that their identity is going to remain anonymous, when in reality their real name could be displayed to other users who search through GEDmatch's DNA database.

Section of the Policy: Privacy
Presently Reads: "If an alias has been provided, it will be displayed in place of the real name along with results. If your DNA is linked to your Genealogy Data, and only one or the other uses an alias, it may be possible for users to see the real name in the linked data."
Recommended Translation: "An alias may be used in place of a real name along with results. To keep your real name private you must use an alias for both your DNA and Genealogy Data, otherwise the real name may be known."
Purpose of Updates / Translation: To clarify that the alias must be used in both areas in order to have the real name hidden.

Within the GEDCOMs section, GEDmatch claims that the information users provide (family trees and genealogy data) is to remain the property of the person who uploaded it. They say that they give the user the right to delete their information at any time. However, the user's information will not be deleted immediately. Instead, it will remain on a backup file for at least 30 days. It goes on to say that even if a user may wish for their information to be private, all Genealogy Data provided to GEDmatch can be viewed, searched, and compared by any GEDmatch user. They say steps are being taken to avoid users' information being available to the 'casual web surfer' or search engines, but never go into details about what these steps are. The next sentence states that they cannot guarantee that private information will not be accessed by individuals who are not GEDmatch users and that the only way to have absolute privacy is to not upload any genealogy data. While the information is still the property of the user, other members and outside sources may have access without the user's knowledge.

Health insurance is a critical area in which the laws surrounding the use and application of DNA information can seriously affect individuals. Allowing health insurance companies to see and use GEDmatch's user information could lead to possible genetic prejudices. The article Genetic Testing Threatens the Insurance Industry, published by The Economist, discusses the impacts of genetic testing on insurance companies and some of the limitations that are in place. “In America the Genetic Information Nondiscrimination Act bans health insurers (and employers) from using such results…” (Economist, p.10). However, with users' genetic information available to the public, there is nothing to stop insurance companies from breaking the law and using this information anyway. For example, health insurance companies could use the personal genetic information on GEDmatch to see possible hereditary health issues and simply list other reasons for the increases to coverage costs.

The key issue in this analysis is the concern for user privacy while using GEDmatch. The claim is that all user information is secure and can be set as private. After carefully reading the Privacy Policy, it is clear that this is not fully true. Outside sources may acquire user information, and aliases are not always used, even when the user wishes to have their real name remain anonymous. When reading the Privacy Policy, users could misunderstand how much privacy they actually have while using GEDmatch. A major concern was the fact that within the policy, GEDmatch claims to be taking steps to prevent users' information from being breached, but a few statements later they say that they are unable to guarantee that the information will not be used by outside parties. While GEDmatch's policy was straightforward for most of the sections, adding more clarification regarding user information being used by outside sources and law enforcement will help reduce any misunderstanding with the language written in the policy. Elaborating on the steps GEDmatch is taking to protect user information would also provide relief to users who fear that their information may be breached.


Policies

23andMe. (2018). Full Privacy Statement.
https://www.23andme.com/about/privacy/#full-privacy-statement

Ancestry. (2018). Your Privacy.
https://www.ancestry.com/cs/legal/privacystatement

Economist. (2017). Genetic Testing Threatens the Insurance Industry.
https://www.economist.com/finance-and-economics/2017/08/03/genetic-testing-threatens-the-insurance-industry

GEDmatch. (2018). GEDmatch.Com Terms of Service and Privacy Policy.
https://www.gedmatch.com/tos.htm

Govtrack. (2008). H.R. 493 (110th): Genetic Information Nondiscrimination Act of 2008.
https://www.govtrack.us/congress/bills/110/hr493/text

Legal Information Institute. (2008). 29 U.S. Code § 1182 - Prohibiting discrimination against individual participants and beneficiaries based on health status.
https://www.law.cornell.edu/uscode/text/29/1182