It Just Got Real

GEDmatch, the much beloved “free” site for genetic genealogy, is now the target of two class-action lawsuits that could make its corporate owners liable for billions of dollars in statutory penalties.  GEDmatch appears to be taking the allegations seriously; today, they enacted new Terms of Service giving themselves permission to do what they’re being sued for doing and asking you as a user to “waive your right to participate in a class action lawsuit or class-wide arbitration.”

Judy Russell has written an informative summary of the changes.

If It’s Free, You’re the Product

GEDmatch was founded in 2010 and has a long-standing reputation of being a trustworthy site built by hobbyists for hobbyists.  However, that was two corporate sales and more than $150 million ago.  

In 2019, GEDmatch was purchased by the forensics company Verogen for approximately $15 million.  At the time, the database held roughly 1.3 million DNA kits, so the sale netted about $11.50 per DNA profile.  

Three years later, Verogen was, in turn, snapped up by QIAGEN, a multinational biotechnology company, for $150 million.  Verogen has other assets besides GEDmatch.  According to its founder, GEDmatch’s portion of the deal was valued at $60 million, or more than $33 for each of the 1.8 million kits then in the database.  One wonders how they planned to recoup that investment.

There’s nothing wrong with companies making profits, of course, but many genealogists are encouraged to upload to GEDmatch under the misconception that it’s just a hobby site and not a business.  They don’t realize that they’re giving their private genetic data to a for-profit company.

What’s more, while users may be aware that law enforcement uses GEDmatch to identify criminal suspects, they may not know that GEDmatch charges law enforcement to upload to the database.  The upload fee has increased steadily since 2020 and is currently $1,000 per forensic kit and $250 per reference kit.  In essence, GEDmatch is selling law enforcement access to the personal information and genetic profiles its recreational users gave for free.

What Is a Class Action Lawsuit?

Class-action lawsuits are primarily a United States phenomenon, so you may not be familiar with them.  A class-action suit typically involves one or a few individuals filing on behalf of an entire “class” of people who were all injured in a similar way.  The class may represent hundreds or thousands of individuals who may not even know that they are part of the class or that they were injured.

Class-action lawsuits have pros and cons.  By consolidating many individual cases into one class, the plaintiffs may benefit from economies of scale with respect to legal fees and recovery amounts.  On the flip side, class action suits can be binding on everyone in the class (even if they don’t know they’re involved) and often benefit the lawyers financially more than the plaintiffs.

In the past few months, GEDmatch has been hit with not one—but two—class-action lawsuits claiming that they violated genetic privacy laws by illegally disclosing user data.  

I am not a lawyer.  I can’t speak to the legal merits of these two cases.  What I can do is summarize them as I understand them so that you don’t have to read the legalese if you don’t want to.

Curley v. Verogen

The first case, Kristin Curley v. Verogen, Inc. was filed on 30 August 2024 in Cook County, Illinois, and moved to federal court in early October.  Ms Curley represents the class of “all Illinois individuals who, during the applicable statute of limitations, (i) had a Facebook account; and (ii) uploaded their DNA file to GEDmatch.com according to Defendant’s records.”

‘Why Facebook?’ you might ask.  According to the lawsuit, Verogen knowingly installed tracking software—the Meta Pixel and Facebook’s Conversions Application Programming Interface (CAPI)—on their website to communicate with Facebook for advertising purposes.  Because CAPI recorded individual user behavior on the GEDmatch website itself rather than in the user’s browser, users were unaware of it, and ad-blocker or cookie-blocker tools could not prevent it from working.

Verogen did not transfer Kristin Curley’s genetic data to Facebook, but under Illinois’ Genetic Information Privacy Act of 1998, merely telling Facebook that Curley had done a DNA test violated her privacy rights.  “No person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed” without that person’s written authorization (410 ILCS 513/30(a)).  Apparently, that’s precisely what GEDmatch did.

The financial penalties could be substantial.  Under Illinois law, the statutory fines are $2,500 per violation if the act was negligent and $15,000 per violation if it was reckless or intentional.  My back-of-the-envelope calculations suggest there could be as many as 40,000 Illinoisans who qualify to be in this class, so total penalties could theoretically exceed half a billion dollars in that case alone.

Hutcheson et al. v. Verogen

The second case, Hutcheson et al. v. Verogen Inc., is much broader in both geographic and legal scope. It was filed on 24 October 2024 in the US District Court for the Southern District of California (federal court) with plaintiffs in Alaska, Illinois, New Hampshire, New Mexico, and Oregon.

It makes three claims:

First, as in the Illinois lawsuit, Hutcheson et al. allege that Verogen violated the genetic privacy laws of Illinois, New Hampshire, and Oregon by communicating with Meta/Facebook without user consent.  

Second, the suit argues that Verogen violated state privacy laws of Alaska, Illinois, New Hampshire, New Mexico, Oregon, and California¹ when QIAGEN purchased it for $150 million.  As part of the sale, “Verogen knowingly and purposefully disclosed to Qiagen the genetic information of every individual with a DNA file in its database at that time.”  QIAGEN itself boasted that it gained “full access to Verogen’s pioneering GEDmatch database.”  The sale gave QIAGEN not only knowledge that specific individuals had tested, but also the genetic information in their DNA file; personal details such as full name, email address, and sex; and any family trees uploaded to the site, all without the written consent of the individuals in the database.

Finally, the plaintiffs claim that GEDmatch disclosed private information to law enforcement against their explicit wishes in violation of the laws of Alaska, Illinois, New Hampshire, New Mexico, and Oregon. 

The suit states: 

from approximately 2019 (perhaps earlier) through at least July 2023, GEDmatch had a “loophole” that allowed law enforcement or other users acting on behalf of law enforcement, to view DNA files not marked as “opt in”. In so doing, Defendant disclosed the DNA files of an unknown number of individuals to law enforcement not only without their consent, but against their specific wishes. The information disclosed to law enforcement included the DNA files, names, email address, DNA kit number, and the degree to which the file was related to the law enforcement evidentiary sample.

The “loophole” in question was the subject of a shocking exposé in The Intercept involving some of the biggest names in genetic genealogy.  Briefly, some forensic genetic genealogists discovered a programming flaw in GEDmatch’s system that allowed them to see recreational users who were not opted in to forensic matching.  They even compared notes on how best to access the forbidden profiles.  (Margaret Press of the DNA Doe Project later issued a public apology.)
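The two disclosure paths the post describes, the server-side Facebook signal and the forensic matching that leaked non-opted-in profiles, share one root cause: user data left the site without a consent check that every path had to pass through. The following Python sketch is an added illustration, not code from GEDmatch, Verogen or QIAGEN, of the design a defender would want instead: a single consent policy, an audit log of every allow/deny decision, and three entry points (an analytics event, a one-to-many search, and a one-to-one comparison) that all reuse the same filter. Every kit id, email address and consent flag below is constructed for the example.

```python
"""
Added illustration, not code from GEDmatch, Verogen or QIAGEN: one consent
policy enforced at a single choke point that every disclosure path reuses,
so analytics forwarding and forensic matching cannot drift apart the way
the post's "loophole" describes.  Every kit id, email and consent flag
below is constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Recipient(Enum):
    AD_PARTNER = auto()       # server-side ads/analytics API (CAPI-style)
    LAW_ENFORCEMENT = auto()  # a forensic kit searching for relatives


@dataclass
class UserRecord:
    kit_id: str
    email: str
    # explicit written opt-ins per recipient; anything missing means "no"
    consents: set = field(default_factory=set)


@dataclass
class Requester:
    kit_id: str
    is_law_enforcement: bool


@dataclass
class DisclosureLog:
    """Audit trail of every allow/deny decision, so a bypass shows up in review."""
    entries: list = field(default_factory=list)

    def record(self, kit_id, recipient, allowed):
        self.entries.append((kit_id, recipient.name, allowed))


def may_disclose(user, recipient, log):
    """Central policy: disclose to a recipient only with explicit opt-in."""
    allowed = recipient in user.consents
    log.record(user.kit_id, recipient, allowed)
    return allowed


def visible_records(database, recipient, log):
    """The one filter that every disclosure path must go through."""
    return [u for u in database if may_disclose(u, recipient, log)]


# Path 1: server-side analytics event ("this person uploaded a DNA file").
def forward_upload_event(user, log, outbox):
    if visible_records([user], Recipient.AD_PARTNER, log):
        outbox.append({"event": "dna_file_upload", "email": user.email})
        return True
    return False


# Path 2: one-to-many relative search.  Recreational kits match everyone;
# forensic kits only see records that opted in to law-enforcement matching.
def one_to_many(requester, database, log):
    pool = (visible_records(database, Recipient.LAW_ENFORCEMENT, log)
            if requester.is_law_enforcement else list(database))
    return [u.kit_id for u in pool if u.kit_id != requester.kit_id]


# Path 3: one-to-one comparison by kit number.  A second entry point that
# looked a kit up directly and skipped the filter is the shape of bug the
# post describes; delegating to the same pool closes that gap.
def one_to_one(requester, target_kit_id, database, log):
    return target_kit_id in one_to_many(requester, database, log)


def demo():
    """Run the three paths over constructed records and return what each disclosed."""
    alice = UserRecord("K-ALICE", "alice@example.invalid")                    # no opt-ins
    bob = UserRecord("K-BOB", "bob@example.invalid", {Recipient.LAW_ENFORCEMENT})
    carol = UserRecord("K-CAROL", "carol@example.invalid", {Recipient.AD_PARTNER})
    database = [alice, bob, carol]
    log, outbox = DisclosureLog(), []

    forensic = Requester("LE-1", is_law_enforcement=True)
    hobbyist = Requester("K-CAROL", is_law_enforcement=False)
    return {
        "le_matches": one_to_many(forensic, database, log),
        "le_sees_alice": one_to_one(forensic, "K-ALICE", database, log),
        "hobbyist_matches": one_to_many(hobbyist, database, log),
        "alice_event_sent": forward_upload_event(alice, log, outbox),
        "carol_event_sent": forward_upload_event(carol, log, outbox),
        "outbox": outbox,
        "denials": [e for e in log.entries if not e[2]],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the audit log is detection as much as enforcement: if a new entry point ever returns a kit that never produced a logged `LAW_ENFORCEMENT` decision, that discrepancy is the signal that a path has bypassed the policy.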

Whether Verogen knew about these programming holes will be a critical issue in a successful lawsuit, because the statutory penalties can be much higher for willful or reckless violations than for negligence.  In Oregon, for example, Verogen would be liable for at least $5,000 per violation if they were merely negligent (i.e., they didn’t know) but at least $100,000 per violation if they were reckless or knowing (i.e., they did know).

Shit Just Got Real

I’ve long been an advocate for informed consent when it comes to our private information.  If you want your genetic profile matched to law-enforcement kits or even your every keystroke shared with Facebook, great!  You should have that choice!  But it needs to be a choice.  You can’t consent if you don’t know it’s happening.

These lawsuits may be the wake-up call this field needs.  Our DNA profiles are not just fun and games.  They’re more than just a useful tool for hobbyists.  They contain intensely private information, and it’s time everyone started treating them as such.

—–

Hey!
I’m trying out Substack as an alternative blogging site.  I may stick with it; I may not.  If you’d like to check me out there, you can find me at thednageek.substack.com.

¹ Interestingly, none of the plaintiffs are from California.

13 thoughts on “It Just Got Real”

  1. As a cybersecurity engineer who has worked in the medical field for over 20 years. I think that DNA data needs to be treated the same as HIPAA data and is something that cannot be purchased or moved around like a commodity. It’s personal data that even insurance companies should not get a hold of let alone law enforcement, regardless if they have probable cause or a warrant. I gave my DNA over for testing and analysis because my father was adopted at birth and his records were sealed. I used the test to see if I could find a genetic match to my father and it did help. I don’t want my records being used as leverage against myself, just because I voluntarily gave it away.

  2. …. and just like 23&Me, we will watch a tremendously-helpful database lost due to people overreacting. Yes, we have rights, but when people have voluntarily uploaded to a public database, they have effectively expressed a desire to share and collaborate. Trust me, I get it…. they may well have done EXACTLY what each of these lawsuits state, but the damages are WAY out of line with what would be reasonable, IMO. And I don’t really understand the sentiment that because GEDMatch is a business that it is automatically evil. ALL of the largest genetic genealogy databases are operated by businesses.

    1. People can react however they like to facts, but they deserve to have the facts, don’t you think?

      I didn’t say that GEDmatch is evil for being a business. In fact, and I quote, I said “There’s nothing wrong with companies making profits.” However, many users still think GEDmatch is a charity op and have no idea how much money has changed hands for access to their genetic data.

      1. The facts, YES, multi-million dollar judgements and settlements where the majority of those funds go to teams of lawyers, NO, in my opinion. When this happens the rest of us are left with another valuable resource either eliminated, or compromised to such an extent that it is no longer even usable. Let’s hope that GEDMatch does not have to actually pay and we do not lose access because we have droves of people deleting their data in a panic again. Most civil lawsuits require proof of damages, but when a state law is found to be breached, too often that requirement is waived, and they end up having to pay the state. Who will truly win in all of the outcomes that you can imagine right now? I just want people to think about that. I’m just a user of the system who is trying to solve some stubborn brick walls, and while I’m not thrilled that GEDMatch may have taken some of these alleged actions, the penalties should be commensurate with the actual harm that was done (if any can be proven).

        1. Fact: Verogen shared information with Facebook that is forbidden under the laws of multiple states.
          Fact: Verogen transferred genetic data to QIAGEN without consent.
          Fact: Verogen’s system had bugs that circumvented their own opt-out system.
          Fact: GEDmatch has, in the past, violated their own Terms of Service.

          That lawyers might make bank on this does not change those facts. That you personally benefit from GEDmatch does not change those facts. The facts are the facts.

        2. Also, saying “I hope people don’t do what’s right for themselves because it might inconvenience me” is an interesting take.

  3. I’m glad you find it interesting. Trust me, I will only be one of scores of people who will be inconvenienced by this. I can’t speak for others, but I know that a lot of people rely heavily on the data in GEDMatch. We might as well start telling people how to download all of their data, because something like this could well end up shutting it down.

    1. This should go without saying, but your convenience does not obligate anyone to keep their genetic data in a site they don’t trust. Everyone deserves the facts so they can make the right choices for themselves. If GEDmatch goes under, it will be almost entirely GEDmatch’s fault, with a not insignificant contribution from the forensic folks who knowingly circumvented the opt-in/out system. Blame them, not me.

  4. I place no blame on you. I’m merely providing a different viewpoint on this. There is an expression about throwing the baby out with the bath water that comes to mind.

    1. Note that I didn’t advocate any particular path for what people should do with their own genetic data. I don’t use GEDmatch, so I don’t have a dog in this fight. I simply summarized the lawsuits and argued that informed consent is imperative. If anyone finds that problematic, perhaps they should reflect on their own biases.

  5. I don’t advocate for any particular path for individuals either. People have full rights to do what they want to with their data, including the decision to upload or delete at any time. I didn’t find anything you argued for to be problematic, and I hope that you don’t find my personal opinion on these lawsuits problematic either. We’re all entitled to our opinions, and I think it is worth considering what the possible fallout will be from all of this. 23&Me has never recovered. They made huge mistakes too. Who pays the ultimate price? It isn’t just me, almost the entire genetic genealogy community has been negatively impacted, first by the data breach, then by the bungled handling of it by 23&Me, which, ironically, makes the safety of existing genetic data in that database even more uncertain due to the resulting financial instability that was a direct result of similar lawsuits that GEDMatch is now faced with.

    1. Ironically, it was genealogists who took 23andMe down. We were the ones with poor password hygiene. We were the ones who pushed for open sharing. *We* made 23andMe vulnerable. Their customers who weren’t in the matching system weren’t affected by the breach.

      I’ve been arguing since at least 2017 that genealogists need to think more carefully about genetic privacy. Maybe people will listen now. It sucks being Cassandra.
