GEDmatch, the much beloved “free” site for genetic genealogy, is now the target of two class-action lawsuits that could make its corporate owners liable for billions of dollars in statutory penalties. GEDmatch appears to be taking the allegations seriously; today, they enacted new Terms of Service giving themselves permission to do what they’re being sued for doing and asking you as a user to “waive your right to participate in a class action lawsuit or class-wide arbitration.”
Judy Russell has written an informative summary of the changes.
If It’s Free, You’re the Product
GEDmatch was founded in 2010 and has a long-standing reputation of being a trustworthy site built by hobbyists for hobbyists. However, that was two corporate sales and more than $150 million ago.
In 2019, GEDmatch was purchased by the forensics company Verogen for approximately $15 million. At the time, the database held roughly 1.3 million DNA kits, so the sale netted about $11.50 per DNA profile.
Three years later, Verogen was, in turn, snapped up by QIAGEN, a multinational biotechnology company, for $150 million. Verogen has other assets besides GEDmatch. According to its founder, GEDmatch’s portion of the deal was valued at $60 million, or more than $33 for each of the 1.8 million kits then in the database. One wonders how they planned to recoup that investment.
There’s nothing wrong with companies making profits, of course, but many genealogists are encouraged to upload to GEDmatch under the misconception that it’s just a hobby site and not a business. They don’t realize that they’re giving their private genetic data to a for-profit company.
What’s more, while users may be aware that law enforcement uses GEDmatch to identify criminal suspects, they may not know that GEDmatch charges law enforcement to upload to the database. The upload fee has increased steadily since 2020 and is currently $1,000 per forensic kit and $250 per reference kit. In essence, GEDmatch is selling law enforcement access to the personal information and genetic profiles it’s recreational users gave for free.
What Is a Class Action Lawsuit?
Class-action lawsuits are primarily a United States phenomenon, so you may not be familiar with them. A class-action suit typically involves one or a few individuals filing on behalf of an entire “class” of people who were all injured in a similar way. The class may represent hundreds or thousands of individuals who may not even know that they are part of the class or that they were injured.
Class-action lawsuits have pros and cons. By consolidating many individual cases into one class, the plaintiffs may benefit from economies of scale with respect to legal fees and recovery amounts. On the flip side, class action suits can be binding on everyone in the class (even if they don’t know they’re involved) and often benefit the lawyers financially more than the plaintiffs.
In the past few months, GEDmatch has been hit with not one—but two—class-action lawsuits claiming that they violated genetic privacy laws by illegally disclosing user data.
I am not a lawyer. I can’t speak to the legal merits of these two cases. What I can do is summarize them as I understand them so that you don’t have to read the legalese if you don’t want to.
Curley v. Verogen
The first case, Kristin Curley v. Verogen, Inc. was filed on 30 August 2024 in Cook County, Illinois, and moved to federal court in early October. Ms Curley represents the class of “all Illinois individuals who, during the applicable statute of limitations, (i) had a Facebook account; and (ii) uploaded their DNA file to GEDmatch.com according to Defendant’s records.”
‘Why Facebook?’ you might ask. According to the lawsuit, Verogen knowingly installed tracking software—the Meta Pixel and Facebook’s Conversions Application Programming Interface (CAPI)—on their website to communicate with Facebook for advertising purposes. Because CAPI stored data on individual user behavior on the GEDmatch website, users were unaware of it, nor could they use ad-blocker or cookie-blocker tools to prevent it from working.
Verogen did not transfer Kristin Curley’s genetic data to Facebook, but under Illinois’ Genetic Information Privacy Act of 1998, merely telling Facebook that Curley had done a DNA test violated her privacy rights. “No person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed” without that person’s written authorization (410 ILCS 513/30(a)). Apparently, that’s precisely what GEDmatch did.
The financial penalties could be substantial. Under Illinois law, the statutory fines are $2,500 per violation if the act was negligent and $15,000 per violation if it was reckless or intentional. My back-of-the-envelope calculations suggest there could be as many as 40,000 Illinoisans who qualify to be in this class, so total penalties could theoretically exceed half a billion dollars in that case alone.
Hutcheson et al. v. Verogen
The second case, Hutcheson et al. v. Verogen Inc., is much broader in both geographic and legal scope. It was filed on 24 October 2024 in the US District Court for the Southern District of California (federal court) with plaintiffs in Alaska, Illinois, New Hampshire, New Mexico, and Oregon.
It makes three claims:
First, as in the Illinois lawsuit, Hutcheson et al. allege that Verogen violated the genetic privacy laws of Illinois, New Hampshire, and Oregon by communicating with Meta/Facebook without user consent.
Second, the suit argues that Verogen violated state privacy laws of Alaska, Illinois, New Hampshire, New Mexico, Oregon, and California1 when QIAGEN purchased it for $150 million. As part of the sale, “Verogen knowingly and purposefully disclosed to Qiagen the genetic information of every individual with a DNA file in its database at that time.” QIAGEN itself boasted that it gained “full access to Verogen’s pioneering GEDmatch database.” The sale gave QIAGEN not only knowledge that specific individuals had tested, but also the genetic information in their DNA file; personal details such as full name, email address, and sex; and any family trees uploaded to the site, all without the written consent of the individuals in the database.
Finally, the plaintiffs claim that GEDmatch disclosed private information to law enforcement against their explicit wishes in violation of the laws of Alaska, Illinois, New Hampshire, New Mexico, and Oregon.
The suit states:
from approximately 2019 (perhaps earlier) through at least July 2023, GEDmatch had a “loophole” that allowed law enforcement or other users acting on behalf of law enforcement, to view DNA files not marked as “opt in”. In so doing, Defendant disclosed the DNA files of an unknown number of individuals to law enforcement not only without their consent, but against their specific wishes. The information disclosed to law enforcement included the DNA files, names, email address, DNA kit number, and the degree to which the file was related to the law enforcement evidentiary sample.
The “loophole” in question was the subject of a shocking exposé in The Intercept involving some of the biggest names in genetic genealogy. Briefly, some forensic genetic genealogists discovered a programming flaw in GEDmatch’s system that allowed them to see recreational users who were not opted in to forensic matching. They even compared notes on how best to access the forbidden profiles. (Margaret Press of the DNA Doe Project later issued a public apology.)
Whether Verogen knew about these programming holes will be a critical issue in a successful lawsuit, because the statutory penalties can be much higher for willful or reckless violations than for negligence. In Oregon, for example, Verogen would be liable for at least $5,000 per violation if they were merely negligent (i.e., they didn’t know) but at least $100,000 per violation if they were reckless or knowing (i.e., they did know).
Shit Just Got Real
I’ve long been an advocate for informed consent when it comes to our private information. If you want your genetic profile matched to law-enforcement kits or even your every keystroke shared with Facebook, great! You should have that choice! But it needs to be a choice. You can’t consent if you don’t know it’s happening.
These lawsuits may be the wake-up call this field needs. Our DNA profiles are not just fun and games. They’re more than just a useful tool for hobbyists. They contain intensely private information, and it’s time everyone started treating them as such.
—–
Hey!
I’m trying out Substack as an alternative blogging site. I may stick with it; I may not. If you’d like to check me out there, you can find me at thednageek.substack.com.
1 Interestingly, none of the plaintiffs are from California.
As a cybersecurity engineer who has worked in the medical field for over 20 years. I think that DNA data needs to be treated the same as HIPAA data and is something that cannot be purchased or moved around like a commodity. It’s personal data that even insurance companies should not get a hold of let alone law enforcement, regardless if they have probable cause or a warrant. I gave my DNA over for testing and analysis because my father was adopted at birth and his records were sealed. I used the test to see if I could find a genetic match to my father and it did help. I don’t want my records being used as leverage against myself, just because I voluntarily gave it away.
Glad I quit GEDmatch and took all my kits down a few years ago.
…. and just like 23&Me, we will watch a tremendously-helpful database lost due to people overreacting. Yes, we have rights, but when people have voluntarily uploaded to a public database, they have effectively expressed a desire to share and collaborate. Trust me, I get it…. they may well have done EXACTLY what each of these lawsuits state, but the damages are WAY out of line with what would be reasonable, IMO. And I don’t really understand the sentiment that because GEDMatch is a business that it is automatically evil. ALL of the largest genetic genealogy databases are operated by businesses.
People can react however they like to facts, but they deserve to have the facts, don’t you think?
I didn’t say that GEDmatch is evil for being a business. In fact, and I quote, I said “There’s nothing wrong with companies making profits.” However, many users still think GEDmatch is a charity op and have no idea how much money has changed hands for access to their genetic data.
The facts, YES, multi-million dollar judgements and settlements where the majority of those funds go to teams of lawyers, NO, in my opinion. When this happens the rest of us are left with another valuable resource either eliminated, or compromised to such an extent that it is no longer even usable. Let’s hope that GEDMatch does not have to actually pay and we do not lose access because we have droves of people deleting their data in a panic again. Most civil lawsuits require proof of damages, but when a state law is found to be breached, too often that requirement is waived, and they end up having to pay the state. Who will truly win in all of the outcomes that you can image right now? I just want people to think about that. I’m just a user of the system who is trying to solve some stubborn brick walls, and while I’m not thrilled that GEDMatch may have taken some of these alleged actions, the penalties should be commensurate with the actual harm that was done (if any can be proven).
Fact: Verogen shared information with Facebook that is forbidden under the laws of multiple states.
Fact: Verogen transferred transferred genetic data to QIAGEN without consent.
Fact: Verogen’s system had bugs that circumvented their own opt-out system.
Fact: GEDmatch has, in the past, violated their own Terms of Service.
That lawyers might make bank on this does not change those facts. That you personally benefit from GEDmatch does not change those facts. The facts are the facts.
Also, saying “I hope people don’t do what’s right for themselves because it might inconvenience me” is an interesting take.
I’m glad you find it interesting. Trust me, I will only be one of scores of people who will be inconvenienced by this. I can’t speak for others, but I know that a lot of people rely heavily on the data in GEDMatch. We might as well start telling people how to download all of their data, because something like this could well end up shutting it down.
This should go without saying, but your convenience does not obligate anyone to keep their genetic data in a site they don’t trust. Everyone deserves the facts so they can make the right choices for themselves. If GEDmatch goes under, it will be almost entirely GEDmatch’s fault, with a not insignificant contribution from the forensic folks who knowingly circumvented the opt-in/out system. Blame them, not me.
I place no blame on you. I’m merely providing a different viewpoint on this. There is an expression about throwing the baby out with the bath water that comes to mind.
Note that I didn’t advocate any particular path for what people should do with their own genetic data. I don’t use GEDmatch, so I don’t have a dog in this fight. I simply summarized the lawsuits and argued that informed consent is imperative. If anyone finds that problematic, perhaps they should reflect on their own biases.
I don’t advocate for any particular path for individuals either. People have full rights to do what they want to with their data, including the decision to upload or delete at any time. I didn’t find anything you argued for to be problematic, and I hope that you don’t find my personal opinion on these lawsuits problematic either. We’re all entitled to our opinions, and I think it is worth considering what the possible fallout will be from all of this. 23&Me has never recovered. They made huge mistakes too. Who pays the ultimate price? It isn’t just me, almost the entire genetic genealogy community has been negatively impacted, first by the data breach, then by the bungled handling of it by 23&Me, which, ironically, makes the safety of existing genetic data in that database even more uncertain due to the resulting financial instability that was a direct result of similar lawsuits that GEDMatch is now faced with.
Ironically, it was genealogists who took 23andMe down. We were the ones with poor password hygiene. We were the ones who pushed for open sharing. *We* made 23andMe vulnerable. Their customers who weren’t in the matching system weren’t affected by the breach.
I’ve been arguing since at least 2017 that genealogists need to think more carefully about genetic privacy. Maybe people will listen now. It sucks being Cassandra.
I have been thinking a lot about what genetic genealogists can do keep themselves out of hot water even prior to any public policy changes that are surely coming. I think that they should plan out their research efforts in advance identifying a handful of consenting testers who they determine will be the most likely testers to conduct a deeper investigation of and they should write down their reasoning for selecting the specific testers as being the most likely to yield a connection – reasons like being the top five closest matches or, if not in the top 5 closest having some feature that advances their likelihood such as a shared maternal or paternal haplogroup or shared X or a particularly fantastic family tree or being from the same region as the victim or suspect. The genealogist should have an estimated targeted degree of distance based on the shared amount of DNA being in range of an average for a degree, citing the target degree and the two adjacent degrees of distance as the initial extent or scope of the search. The search will obviously entail having to search for and identify relatives of the consenting tester who have not consented to being investigated. I think a thoughtful well documented plan stating the logic behind the choices and stating the limit or stopping point would demonstrate proof that a search of these specific consenting testers family members to a specific degree of distance was warranted given the likelihood that the scope of that search could yeild a connection by involving the fewest number of non consenting individuals. Then if a warrant to conduct an IGG search is required the genealogist would be prepared to demonstrate why a search of those specific consenting tester’s relatives was reasonable and warranted. If a warrant was not required for the IGG search, I think it would simply be good practice, good form, and a demonstration to the public that extreme care was being taken to limit the scope of the search to relationships most likely to yield a connection. The genealogist should document their efforts and failures to make a connection in those closest possible relationships and only if all efforts fail then document the second plan to expand the scope outward to more distant relationships. If a warrant for a search was required they’d have to go back and get the judges permission to begin searching more distant relationships having demonstrated that a more extensive search involving more non consenting relatives of the consenting tester was warranted due to efforts having failed at the closer level. We would have to change our thinking that the most distant relationships were more likely than close ones, focusing first on categories in range of the amount of DNA shared, simply because it’s logical and would mean involving fewer non consenting relatives in the search. I would think that the only time one would choose a distant consenting tester in their initial investigation would be if that distant tester shared a maternal or paternal haplogroup and if they shared enough DNA for the 3rd cousin level then using that person to build a direct maternal line could be incredibly helpful and so one could demonstrate that a search of a more distant consenting relative was warranted due to the likelihood that the testers were related on a direct maternal line which could fairly quickly net a connection. I think the only way IGG will be allowed to continue utilizing commercial DNA databases is if it initiates some scope limiting procedural policies before policies are dictated by lawmakers who don’t understand the search process. If IGG begins documenting it’s searches as if a warrant was required, it will be prepared when and if one is required or when and if the public challenges the outcome of a search. Right now it’s just a free for all wide open fishing expedition especially with recent articles indicating that matches of say 40 cM might be incredibly distant and matches of 40 cM is often all the IGG genealogist has to work with it’s like saying OK they can just start with the assumption that the MRCA is 8 generations back and every non consenting relative between here and there is fair game in order to catch the bad guy. They really need to switch the thinking that most likely is distant to most likely is closest that is in range of the average and then incrementally work their way more distant.
Jeff, thednageek, and Marilyn;
I’m enjoying your conversation. I’m worried about DNA sites closing down and Ancestry.com being the only one left standing. I think this is a worst case scenario for people like me.
I’m just a hobbyist who uses the techniques of genetic-genealogy to develop/verify family trees at a distance. So, I’m generally casting very wide nets across wide groups of kits across several sites and working at the very limits of atDNA in conjunction with Y-DNA. I feel my work is important in a sociological, societal context; and that I’ve made some good, fairly technical discoveries.
So, I sympathize with Jeff, know that it costs much more money and technology beyond storing kits to make a good genealogy site. I worry about the attitude of ‘thednageek’ whose core value is ‘We believe that everyone has the right to know their genetic heritage’ but is also ‘in the business’. Marilyn’s viewpoint is a disaster for someone like me. I usually don’t care about the closer genetic links, but occasionally need them.
So, my question is, what;s the complete list of risks from sharing DNA data beyond catching criminals? That is, what kinds of nefarious things can happen from people getting access to large amounts of DNA data? I’ll start:
* someone I care about is accused of a crime that he/she didn’t really commit but the DNA data puts them at the scene. They will suffer even if innocent and proven innocent in the end.
* Insurance companies start rejecting people based on DNA
* Angry adoptee goes after relatives of family.
* What about using the data for some sort of genetic modification project. What can realistically happen here?
My perspective is centered on informed consent. If you want to find out your own heritage, and if you’re aware of the potential risks, go for it! Those risks depend on which database you use and your settings.
At AncestryDNA, the main risks are that your biological family is not what you thought it was or that your new-found biological family will reject you.
At 23andMe, add on the risk of distressing health information.
At any site with a chromosome browser, a stranger could learn about your genetic conditions. See: https://thednageek.com/cystic-fibrosis-a-case-study-in-genetic-privacy/
At any site that takes uploads, you could be involved in a forensic search, with or without your consent. See a list of possible risks/benefits here: https://thednageek.com/informed-consent-what-it-is-what-it-isnt-and-why-its-necessary/
I just deleted everything in GEDmatch. I had to agree to the New Terms of Use to do it. If I didn’t agree to the terms, GEDmatch gave an email address I could contact to have them delete my account. NO Thank You – I’m a skeptic. I agreed to the new terms and deleted everything myself. I took copious screen shots and printed everything. After I hit the button to delete everything, they sent a listing of the deletions which I checked against the pre-deletion list. I printed that list. I will also send a letter to the address they gave and send it Certified Mail Return Receipt Requested.
I have an account with no kits in it. If you’d like me to check that your kits are no longer showing up in the system, I’d be happy to.
I did get a listing showing that the kits were deleted as well as my account. I am on my way to the USPS today to send my letter to Qiagen Certified Mail. In the letter I have asked for verification of deletion from them in writing. We’ll see what happens. I am now considering deleting 23andMe before they tank.
Thanks again for the offer to check for deletion of my accounts.
I let you know if I hear anything from them.
I doubt 23andMe would tank or sell without an announcement beforehand.
I just saw the message on the lawsuit for GEDMatch. How do we get in on it if we want to? Thanks Cindy
The lawyer for the Hutcheson case is Frank Hedin in San Francisco.
Important news. I’m going to be following these two.
FTDNA has also been sued in Illinois over the Meta Pixel. I just learned about it yesterday and will either update this post or write a new one.
And don’t forget COATNEY v. ANCESTRY COM DNA LLC (2024), which is essentially the same basis as one of the lawsuits against GEDMatch, but with Blackstone being the company that genetic data was transferred to.
Interesting. A similar suit against Blackstone has already been dismissed because “plaintiffs Carolyn Bridges and Raymond Cunningham failed to support the allegation that Blackstone’s all-stock acquisition of Ancestry compelled the genealogy company to disclose genetic information within the meaning of the Illinois genetic privacy law.”
https://news.bloomberglaw.com/privacy-and-data-security/blackstone-beats-genetic-privacy-suit-over-ancestry-acquisition
I think the Hutcheson suit has legs because QIAGEN boasted about gaining full access to the DNA data. Interesting times!
There are many times on many different web sites when I submit data or do a search, and I see at the bottom left of my screen that before my action is completed, the site is attempting to connect to Facebook. And other websites, IIRC.
This is *not* just on genealogy sites.
I’ve been vaguely disturbed by this but never looked into it.
I mean I know my data is being sold and basically I just get on with my life and don’t worry about it. Although if I really thought it through I’d probably be equal parts terrified and enraged!
Recently someone moved in next door to me, I learned her name and did a TruthFinder search on her background.
Two days later, Facebook suggested her to me as a possible friend.
Another time, I was working on a genetic genealogy case at Ancestry and I messaged someone who managed a kit for a DNA match for my client.
A while later, the woman who managed the kit popped up in my Facebook “friend” suggestions.
Yes, I suspect most business websites do this. The difference is that our taste in socks or convertibles or vacations is not protected by law, whereas your genetic privacy is in some states.
So, if Ancestry is doing this too, I’m quite sure the vultures will be coming for them too. Hopefully they will do the right thing and remove any such stealth links. It’s a shame that it requires lawsuits to make them all do what they should have been not doing in the first place.
Ancestry was sued last year for using customer photos in their advertising, but I think it was dismissed. Hopefully they (and 23andMe) have a better legal team advising them on tracking links. They’re a juicy target.