Showing posts with label Privacy. Show all posts
Showing posts with label Privacy. Show all posts

Sunday, 19 July 2020

Major privacy breach at GEDmatch

There has been a major privacy breach at GEDmatch, the third-party genetic genealogy website which has become well known in the last two years because of its use by law enforcement agencies in the US to solve cold cases. A member of the Genetic Genealogy Ireland Facebook group posted a message at lunchtime today (13.38 pm UK time) to advise that the site had been compromised and that people were receiving what appeared to be fake matches with suspicious e-mail addresses.(This Facebook post has now been deleted.) Some users were reporting that they were receiving unusually large numbers of  new matches, all sharing unexpectedly high amounts of DNA which would normally indicate a very close relationship. In another group, one user reported receiving over 3000 matches, all of which shared over 700 cM. A match in this range would normally indicate a very close relationship such as a first cousin or closer.

Later on this afternoon (14.54 pm UK time) a user posted in the Genetic Genealogy Tips and Techniques group on Facebook that all his kits on GEDmatch were now publicly accessible and all marked as available to the police. This included not just standard kits but also phased kits and Lazarus kits,which are by default always marked as research kits and are not normally available for matching. I checked my own account at GEDmatch and found that all my kits had been changed without my consent to allow police access. This included two phased research kits which were never intended to be made public. I initially found that I was unable to change the settings on any of the kits. The site was up and down for a short while this afternoon before I was finally able to log in and restore my preferred access settings.

Since then GEDmatch has been offline with a message that the site is down for maintenance.
Many other people have also reported that their kits have been affected and that the settings have been changed to allow police access without their consent. Graham Coop shared on Twitter this afternoon a screenshot of his accounts showing how they had all been changed to allow police access..


It therefore appears that the entire database has been changed to make all kits available for police access. This also means that the law enforcement kits, which are normally uploaded as research kits so that they do not appear in match lists, have been compromised. Anyone logging onto the website during this period would have seen those kits and might have been able to save a screenshot with the kit numbers. Allowing unauthorised access to law enforcement kits could potentially have serious consequences and could compromise an investigation.

This is clearly a matter of great concern. There are well over 1.2 million profiles on GEDmatch but only around 200,000 or so kits had opted to make their profiles available for law enforcement matching. This means that the DNA profiles and e-mail addresses of probably around a million people have been exposed, including all the law enforcement kits. It is unlikely anyone would have been able to do anything with the matches during the period when the website was compromised because so many spurious matches were being produced. It is the exposure of the e-mail addresses and kit numbers which is likely to be of the most concern.

According to a report on the Tech in the City website the original privacy settings were restored before the site was taken down though I'm not clear what time this happened as I'm not clear what timezone the author is reporting from.

As GEDmatch operates in the European Union and has many EU customers, they are obliged to comply with the EU's General Data Protection Regulation (GDPR). Because of the serious nature of this breach it seems likely that they will have to report the matter to the appropriate regulatory authority in the EU. I don't know which authority they have registered with but the Information Commissioner's Office in the UK has information on how such data breaches should be reported. If a company or organisation has not protected the security of its customers than an enforcement action can be take and the company can be fined.

GEDmatch have since advised that they are aware of the issues and are responding. According to a post in the GEDmatch User Group on Facebook GEDmatch are "doing research right now to confirm what is happening. They are leaving the site down until they can clearly confirm what is going on." They are expected to make a formal statement later. It appears that this was an inadvertent update that went wrong. There appears to be no evidence that the site was hacked.

In the meantime it is pointless to speculate about what might have happened and we will need to await until further information is available. I will update this page if I receive any further news.

Update
Just after publishing this blog post I discovered (22.51 pm UK time) that GEDmatch is back up and running and my kits all have the correct access levels.

23.09 pm The following message has been posted on the GEDmatch Facebook page.

Update 21 July 2020
GEDmatch have announced on their Facebook page that they experienced a security breach on Sunday which was orchestrated through a sophisticated attack on one of their servers via an existing user account. The site was functioning briefly yesterday but reports started coming in late last night that people were once again receiving lots of unexpectedly high matches with a low SNP overlap in their match lists. I was able to briefly log into my account at 1.00 am night and found that the kit I checked had lots of matches with users with words like "imputed" and "partial" in the names. My highest match was at the first cousin level with a user from the Chinese company Gese DNA. The site has now been taken down and GEDmatch are working with a cybersecurity company to implement new security measures. Here is a screenshot of the message from GEDmatch. I've removed the contact details from the post but these are are available in the full version of the message in the Facebook group. 


It is good that GEDmatch are being transparent about the problems and this may turn out for the best in the long run if the security of the database is improved. The site was down for at least three hours and although they say that no data was downloaded in that time it would have been possible to take screenshots of match lists from many different accounts. Once you have a kit number you then essentially have access to that individual's account. It is also a cascading effect because you can click on all the matches of the matches as well. This essentially means that all the kit numbers have been compromised because no one will know which kits were affected. All the kit numbers will need to be changed. Ideally it would be better if GEDmatch did not reveal kit numbers in the match lists. It will be interesting to see what happens but I rather suspect the site will be down for a long time.

Further update 21 July 2020
5.00 pm 
From the GEDmatch Facebook page: "GEDmatch will remain offline for 2 to 3 days as we further enhance security protocols. Thank you for your patience. We apologize for the inconvenience this has caused."

Update 22 July 2020
MyHeritage advised late last night of a security alert involving a malicious phishing attempt that was possible related to the GEDmatch breach. For full details see the MyHeritage blog post:


The further reading section of this blog post has been updated to include an informative blog post from Leah Larkin explaining why we were seeing the mystery matches at GEDmatch sharing unusually high amounts of DNA. I have also included an official statement from Verogen which was published on their blog on 20th July, a further blog post from Leah Larkin which includes a timeline of the events and an article from Peter Aldhous of Buzzfeed News..
 
An e-mail has been sent out by Verogen to all GEDmatch users informing them of the breach. My e-mail arrived at 8.40 am. It may take time for a bulk e-mail to reach all 1.2 million or more users. If you haven't received the e-mail check your spam folder. I've copied the text below in case you haven't received it.

Dear GEDmatch member,

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were made visible to GEDmatch users.

On Monday, July 20, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.

We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.

Further, we are working with a leading cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures. We expect the site will be up within the next day or two.

We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act.

Today, we were informed that MyHeritage customers who are also GEDmatch users were the target of a phishing scam. Please remember to exercise caution when opening emails and clicking links. Never provide sensitive information via email. If an email seems suspicious, contact the company in question directly through the phone number or email address listed on their website, not via a reply to the suspicious email. You can reach GEDmatch at  xxxx or xxxxx [email address and telephone number removed]. At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week. We are continuing to investigate the incident.

Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.

Sincerely,

Brett Williams
CEO, Verogen Inc.

For a French translation of this e-mail see the post in the Facebook group France ADN - Généalogie Génétique (ISOGG).

Update 25th July 2020
There is a notice on the GEDmatch Facebook suggesting that the site will be back online today though at 11.35 am UK time the site was still down.

The site was restored in the afternoon of 25th July and no further issues have been reported to date.

Wednesday, 6 November 2019

Search warrant granted for access to GEDmatch database

A troubling story has been published in the New York Times about a security breach at GEDmatch. Detective Michael Fields from the Orlando Police Department was able to obtain a search warrant which allowed him to over-ride the privacy settings of individual customers at GEDmatch and search for matches in the entire database rather than in the subset of the database which had opted in to law enforcement matching. Fields had previously been able to use GEDmatch in collaboration with Parabon Nanolabs to identify a suspect in the 2001 murder of Christine Franke. He was disappointed when GEDmatch changed their terms of service in May this year which resulted in all users being required to actively opt in to law enforcement matching. This change effectively reset the number of profiles available for law enforcement matching to zero, including many people who had transferred their results to GEDmatch specifically to help with law enforcement cases. Since then a steady trickle of people have opted back in to law enforcement matching but, according to the New York Times article, just 185,000 of GEDmatch's 1.3 million users have done so at the present time. The cold case which resulted in the search warrant relates to a serial rapist who assaulted a number of women several decades ago, though the full details have not been made public. The New York Times reports as follows:
In July, he [Fields] asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded. 
Detective Fields described his methods at the International Association of Chiefs of Police conference in Chicago last week. Logan Koepke, a policy analyst at Upturn, a nonprofit in Washington that studies how technology affects social issues, was in the audience. After the talk, “multiple other detectives and officers approached him asking for a copy of the warrant,” Mr. Koepke said.
It is difficult to comment on this case without having the full facts available. As this is an active investigation it is not possible to get a copy of the search warrant to find out why the police thought it necessary to over-ride the consents and we don't know the grounds on which the judge granted the warrant. GEDmatch could potentially have resisted the warrant but they are unlikely to have the resources to fight a lengthy legal battle. They are also likely to be sworn to confidentiality so they would not be able to discuss the case and would not have been in a position to warn their users. But if GEDmatch were sworn to confidentiality I wonder why Detective Fields was boasting about his actions at a police conference.

However, the use of a search warrant in this case does provide cause for concern as it potentially sets a precedent. What is to stop the police issuing search warrants to search for matches at the other testing companies? Would these companies be able to defy the warrant and refuse access? It is also troubling from an international perspective. An American judge has made a unilateral decision which affects the privacy and rights of all of GEDmatch's many international users who do not have any legal or governmental representation in the US. Granting access to the opted out profiles of international customers is not only a disproportionate measure, as their family trees are much less likely to be used to solve the crime, but it is also a gross over-reach by the judge who has passed a judgement which affects individuals who live in countries which are outside her jurisdiction.

If you think you might have been affected I suggest that you write to the Orlando Police Department to find out if your name is included in the match lists they are using. If you are an EU citizen you should be protected by the General Data Protection Regulation (GDPR) and you will have the right to have your information removed. If the police refuse to do so you should complain to your data protection regulator in the EU. If you are in the UK you should write to the Information Commissioner's Office. If you are in Ireland you should write to the Data Protection Commission. The ICO have a handy template on their website which you can use if you wish to submit a complaint. I have now written to the Orlando Police Department and I await their response with interest.

If you feel strongly about this judgement you might also like to write to Judge Patricia Strowbridge. She can be contacted via her judicial assistant. I have sent her an e-mail because I think it's important that she understands the international implications of her decision though I am not expecting a response.

Update 7th  November 2019
I have received the following response from Judge Strowbridge's office:

"Judge Strowbridge’s office is in receipt of the email you sent yesterday, November 6, 2019. Unfortunately, the Florida Code of Judicial Conduct strictly prohibits judges from commenting on any pending cases. As such, Judge Strowbridge is unable to respond to your email."

Update 13th November 2019
Someone was able to get a redacted version of the GEDmatch search warrant and they've shared it on Twitter. You can access it here:

https://twitter.com/rot13x2/status/1194325134653435904

I will comment on this in due course.

Update 18th November 2019
Leah Larkin published an analysis of the GEDmatch search warrant.

Further reading
Related blog posts

Sunday, 3 November 2019

Genotype extraction and false relative attacks: potential security risks at third-party genetic genealogy sites

Hot on the heels of a paper published the other week by Michael "Doc" Edge and Graham Coop on the possibility of attacks on genetic privacy via uploads to genealogy databases comes another paper by an independent team of researchers warning of another potential security risk.

The latest paper is written by Peter Ney, Luis Ceze and Tadayoshi Kohno, three researchers at the Paul G. Allen School of Computer Science & Engineering at the University of Washington. They caution about the risks of genotype theft and falsified genetic relations in the GEDmatch database.

I do not feel qualified to comment on the security risks they have identified so I will provide some links and let you make your own judgement.

The authors have provided some FAQs which provide a good starting point:

https://dnasec.cs.washington.edu/genetic-genealogy/

If you want read the full paper you can find it here:

The possible implications are also discussed in this article by Antonio Regalado in MIT Technology Review:


See also this report in the University of Washington News:


GEDmatch were given advance notice of the publication of the paper to allow them time to implement any necessary fixes. I understand that GEDmatch currently have measures in place that would thwart the method described in this paper but, understandably, they are not sharing the specifics. Further measures are also being investigated.

Note that this loophole affects GEDmatch only. The method won't work at AncestryDNA, 23andMe, FamilyTreeDNA, MyHeritage and Living DNA.

Update 4th November 2019
This research was also covered in New Scientist. You need a subscription to access the full article but here are some quotes from the end of the article:
"The study identifies a “clear risk” to the GEDmatch database, according to Graham Coop at the University of California, Davis, who wasn’t involved in the work. “I do worry that [GEDmatch are] not taking these concerns seriously enough. They have over a million people’s genetic data and they have placed these data at risk, which is incredibly concerning.” 
The risks could be easily solved by limiting genetic data uploads to DNA test results that are authenticated or digitally signed, says Ney. Better checks on uploads to detect anomalies, and restrictions on one-to-one comparison searches would help too, he says. His team alerted GEDmatch to the vulnerabilities before publishing and took measures to avoid exposing anyone’s identity. 
Curtis Rogers at GEDmatch says: “We are concerned about security and appreciate they have pointed out vulnerabilities.” He says the site has made several changes to address the vulnerability and is working on others, but didn’t specify what measures.
The article can be found here:

 https://www.newscientist.com/article/2221972-privacy-attack-on-dna-website-reveals-93-per-cent-of-a-persons-data/

Tuesday, 22 October 2019

Attacks on genetic privacy via uploads to genealogical databases

Update 7th January 2020
This paper has now been published in the peer-reviewed open access journal eLIFE. You can read it here.  In the same journal there is also a good commentary article by Shai Carmi "Genealogy: the challenges of maintaining genetic privacy" which you can read here

A new preprint has just been published by Michael "Doc" Edge and Graham Coop from the University of California Davis about some potential security risks in genetic genealogy databases. The paper is concerned with genealogy databases which accept uploads (ie, GEDmatch, FamilyTreeDNA, Living DNA and MyHeritage DNA). AncestryDNA and 23andMe do not accept uploads so they are not affected. Not all of the techniques described in the paper would necessarily work at all the companies. The companies were all given early sight of the paper so they have had the opportunity to make any adjustments. I understand that GEDmatch have already taken some unspecified measures and are considering more. The authors have provided a few suggestions on possible solutions for dealing with the risks they have highlighted and improving security such as using cryptographic signatures on DNA data files.

The authors have written some FAQs about their paper and if you want to understand what it is all about I recommend reading these FAQs first.

If you want to read the full paper it can be found here.

UC Davis have issued a press release which can be found here.

Leah Larkin has written an excellent blog post about the paper explaining the concepts in easy-to-understand terms.

Blaine Bettinger has shared his thoughts in this blog post.

I will update this post with further links if I find any other useful commentaries on the subject.

Update 18th December 2019
An updated copy of the preprint was uploaded to BiorXiv on 18th December and can be seen here.