US court let police search GEDmatch's entire DNA database despite protections

DNA policy experts believe it could encourage law enforcement agencies to request warrants for larger DNA databases.

Michael Fields, a detective from the Orlando Police Department, has revealed at a police convention that he secured a warrant to search the full GEDmatch database with over a million users. Legal experts told The New York Times that this appears to be the first time a judge has approved this kind of warrant. New York University law professor Erin Murphy even told the publication that the warrant is a "huge game-changer," seeing as GEDmatch restricted cops' access to its database last year. "It's a signal that no genetic information can be safe," the professor said.

GEDmatch came under the spotlight in 2018 after it was revealed that California police used its database to identify the Golden State Killer, who killed a dozen people in the '70s and '80s and was accused of over 50 rapes, through his relatives. It also came to light that cops have been using it to solve other cases, including decades-old cold ones. As a response to the backlash it got, GEDmatch changed its policy so that law enforcement can only use it to look for suspects in "murder, nonnegligent manslaughter, aggravated rape, robbery or aggravated assault" cases.

More importantly, its new policy only allows authorities to search for GEDmatch users who make their information available to the police. Users literally have to opt in -- their profiles are set to opt out by default. Company co-founder Curtis Rogers said only 185,000 users chose to opt in, but Fields' warrant allowed him to access all 1.3 million users' information. The detective said the service complied with the warrant within 24 hours, and while he hasn't made an arrest yet, he has already found some leads.

DNA policy experts are now worried that this development will encourage law enforcement to secure warrants for much larger databases. GEDmatch is smaller than its peers, since it doesn't offer its own testing kits: users have to upload their own DNA information in order to find relatives through its website. Meanwhile, 23andMe and, which both sell their own testing kits, have 10 million and 15 million users, respectively. Since those databases allow authorities to identify DNA profiles even through distant family relationships, a lot more people than actual users could be affected.

Update: 23andMe has posted its stance on protecting data, part of which reads:

"...just as disturbing is GEDmatch's apparent lack of scrutiny and challenge of the validity of the warrant issued. According to reporting by the New York Times, the company opened up its database to law enforcement within 24 hours of the judge's decision. Given this timing, it does not appear that GEDmatch exhausted all legal avenues to challenge the warrant. In contrast, if we had received a warrant, we would use every legal remedy possible. And to be clear, because our database is and always has been private, we don't believe that this decision impacts 23andMe.

In our 13 year history, 23andMe has never turned over any customer data to law enforcement or any other government agency. Protecting the security and privacy of our customers' information is at the core of what we do as a business..."