Do we (Wikitree) Violate Privacy by Publishing Gedmatch Numbers?

Question

Several of us on Wikitree are members of the I.S.O.G.G. Wiki Group on Facebook (our very own Mags Gaulden is one of the administrators).  There was an interesting thread today challenging the fact that Wikitree publishes Gedmatch numbers on a publicly-accessible site.

The point at hand is that when we publish a person's Gedmatch number on a public site, we are, by default, publishing the results of their 'one-to-many' match list on Gedmatch.  As any Gedmatch user with even a basic understanding of the site knows, Gedmatch allows users to access the 'one-to-many' match results of any test number that you enter.  For example, if you enter my A403516 test in a Gedmatch 'one-to-many'  search, you can see  all of my matches and their contact information (a list of up to 2,000 matches for each test).

As Debbie Cruwys Kennett observed, if we publicly-share Gedmatch numbers, we are by default publicly-sharing the match lists and contact information of every person on the match lists of these tests - without the consent of the people who appear on the match lists.   As Debbie explained, "If my name and e-mail address appear on someone else's match list I don't think they should be sharing my details publicly on Wikitree without my permission. There has to be explicit informed consent to republish information on an external website."

She also raised this point about the UK's new General Data Protection Regulation:

"Have Wikitree taken action to ensure that they comply with the new GDPR regulations which will be implemented in May this year? GDPR will apply to all users in the European Union. Non-compliance can result in large fines so it's important to get it right. There are details here:"

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

 I have to admit that these are interesting points.  Should we publicly share Gedmatch numbers given the fact that the number provides direct access to the Gedmatch numbers and contact information for 2,000 matching tests?

And - I'm not at all familiar with the GDPR, but is this something that we should address?

I agreed to post a thread about this on g2g to see what people think about this observation.  Thanks.

Comments

Thanks for posting this Ray. It's an important question and should be reviewed to make sure WikiTree is proactive in ensuring the privacy of our members via our members posting of their own GEDmatch Id's and those for which they have permission to post.

My GEDMatch ID is out there - T387473. But you can not access my GEDmatch information unless you have registered at GEDmatch and consented to their rules and guidelines for privacy. So is this more of a GEDmatch thing and not so much a WikiTree thing?

Mags

---

Thanks Mags!

I agree with you, as this is how I have always viewed my Gedmatch number, which I have shared here and on Ancestry message boards (i.e. publicly-accessible sites that appear in Google search results).

I have often wondered though about Gedmatch allowing users to access the 'one-to-many' results of any test number.

---

My hope is that GEDmatch has stout terms of use. This way it will continue to be open and shared. Mags

---

Based on my understanding, I think there may be a breach of the guidelines, but I don't think it is on us. While in a philosophical sense we may be sharing an access point to people's personal info, legally GEDMatch is actually sharing people's personal info.

Just my take as if one of my IT clients were concerned about it. (Though my next advice would be to have them ask a lawyer).

---

This is just a thought but wouldn't it be better, rather than publishing a citation with information, if it was a link sent to the other party for them to consent to participating and acknowledging the shared DNA?
 

I would think there would be benefits to Wikitree in drawing further people into the site plus there would be no published information about the other individuals other than confirming it is linked and acknowledged by the other profile owner.

---

The only Gedmatch numbers that should be on WikiTree are for kits that WikiTree members manage. If we aren't allowed to share our own Gedmatch numbers, then what is the point? The match list isn't being republished on WikiTree, WikiTree is just linking to Gedmatch. So if there is a privacy issue, it is with Gedmatch and not WikiTree.

---

Very good point Jamie. Thanks, Mags

Answer 1

I find the whole subject highly regrettable, because this is wholly a voluntary effort.  We willingly provide DNA and contact info for the benefits we gain, by our conscious choice.  And the only personal info exposed is a name we manufacture and an email address, which has to be somewhat public to be useful.  An email address that is completely secret cannot send email or receive email, or it's no longer completely secret.

I also find somewhat regrettable the attitude that it's not our problem, it's GEDmatch's problem, so we can 'wash our hands' of it, and deny we ever liked them.  GEDmatch is our fellow collaborator.  GEDmatch is our good friend, and we don't want to be fair weather friends only.  GEDmatch is an integral part of the WikiTree DNA support.  Without GEDmatch, WikiTree would be MUCH less interesting for many users.  (I personally would recommend that *everyone* not only take a DNA test, but also register at GEDmatch and upload their DNA there.)

So whatever happens to GEDmatch also happens to us.  I believe we should be encouraging them to make whatever adjustments are necessary to comply.  Hopefully, the changes will not be too onerous.  It's in all our interests that they spend more time on development of DNA features, than have to spend time changing their contact management.  I wonder if it could be as simple as adjusting the privacy notices you initially acquiesce to, to say the alias and email address you provide will be made public.

My suggestions for guidelines:

* Make it clear and publicly stated to all GEDmatch users, that GEDmatch kit ID's, alias names, and email addresses are published as public information, and should therefore be entered with care, to both protect personal identities yet assist in genealogical information sharing.

* An alias should ALWAYS be constructed and used.  Because surnames are integral to genealogical research, it is recommended to use the correct surname, but not the full first name or any middle name.  You can use anything for a first name, but a first initial may be more helpful for others.  To obfuscate further, and especially if you manage multiple kits, use a first initial plus a number (e.g. R1, R986, R007, etc).

* For email address, obtain a throwaway address, one you can easily change monthly or as desired.  There are many sources of free email addresses, such as Gmail, Yahoo, HotMail, etc.  If you wish to have a WikiTree link on GEDmatch, then you will also want to use this email address on WikiTree too.  Having a throwaway email address means you don't have to care about its public visibility, and if there's a problem, you can easily grab another one, and change it on both GEDmatch and WikiTree, with almost no disruption.

With these few guidelines, personal info is protected and unavailable, yet full sharing is possible and easy, unrestricted.  That's what we want.

Comments

These are sensible recommendations for those who want to use Gedmatch and remain rather anon. Thank you!

Answer 2

GEDmatch also states that members should not publish "other people's results or personal information without their permission". It seems to me that having your information included without your consent as part of someone else's match list is a breach of the GEDmatch guidelines. Anyway I'm not a lawyer but I think these are serious issues that need consideration. GDPR will apply to all EU users of Wikitree. Any one of them could potentially complain about a breach of privacy when the new legislation comes in. There are big fines for organisations that are in breach of GDPR.

Comments

By linking our GM ids to our profiles, we are not publishing information. It is simply a link to the GM website, which you have to be registered for to log in to see anything.  So, the link is not a violation of GM's terms of use. And GM can't be violating its own terms of use.

Actually, because of this, I do not find the WT hyperlinked GM id all that helpful and it would not bother me if it was removed.

---

Hey Maxine and thanks for your post. I find the GM ID's and the campare links incredibly helpful. Working on a family legend in the NA Project I was able to compare 18 different kits in much less time than it would have taken me without the links.

Thanks!

Mags

---

I find the fact that GM ids are provided VERY helpful, just not the actual physical hyperlink (since I have to log in each and every click anyway). I prefer to copy and paste over, but it is perhaps just personal preference. It seems to work better for you and that is great!

---

I think GEDmatch is being somewhat disingenuous with their policy.  They can say not to share others' information, but its really up them to prevent said public access.  They've created a system whereby the information of one user automatically gives away information of other users.

---

GEDmatch will never be able to control what users do with the information, which is why I don't think they should even try.  I think they have 2 choices here - either take valuable development time to redo the contact management system (hide all names and emails, and add a PM system), or declare all ID info completely public - require users to acknowledge that, and provide clear guidelines as to how alias names and email addresses should be constructed, and why that needs to be done.  I'm not an expert or lawyer, but that seems to me the way to satisfy the GDPR, and keep our easy accessibility and usage.

---

I've alerted the GEDmatch team to the forthcoming GDPR legislation and they will be getting legal advice from their lawyers. I think they will need to include something in their privacy policy about the use of GEDmatch IDs on third-party websites. It's one thing signing up to GEDmatch and agreeing to share your information on the GEDmatch site but it 's another matter if someone else shares their GEDmatch ID on a public site linked to a public tree which shows up in internet searches. That is revealing much more information than a search on the GEDmatch site. And it's revealing information not just about them but about their matches as well.

Answer 3

Hi Ray,  You have an issue here that has always concerned me on GedMatch, the ready publication of names and emails for thousands of people.  I was able to collect data for thousands of GedMatch accounts in about 5 minutes. Shockingly accessible!  When I complained about this, I was pretty much disregarded as worried about nothing.

Now when an account is created on GedMatch, there is a suggestion that you create a fake username and perhaps create an email account solely for GedMatch publication.  I wish it was more strongly worded as a warning, but it is better than it was.  

The problem is not publication of GedMatch numbers on WikiTree.  The problem is GedMatch publishes the username and email address with the GedMatch number.  This information should be hidden.  Why even have a GedMatch number if you publish the contact information for all to see?

Comments

What Kitty said!  ... plus even more - as others have pointed out elsewhere in this thread, gedmatch not only publishes the email address for the user whose gedmatch ID is on their WikiTree profile, but when you click the link to their gedmatch page, you see the email addresses for all the other gedmatch users who have a match to that person.  Let's remember that these 2,000 people have NOT given WikiTree permission to publicize their email addresses, yet that is effectively what is being done.

There is no earthly reason why gedmatch cannot do the same thing WikiTree does - use a contact form to send anonymous email to a match, without disclosing their email address, however it is not my function, nor WikiTree's, to tell gedmatch how to do things.

Answer 4

Here are the GEDmatch Policies (they look pretty stout to me - buyer beware): https://www.gedmatch.com/policy.php

Mags

Comments

Good information, Mags, but what about the evil-doers that don't read or don't care about policies?  My concern is with lawbreakers that just don't care much about the policy.

Edit:  Admittedly, this is somewhat different from the original question.

---

What, do people not read a sites information before posting?

If a WikiTree user publishes DNA information that they do not have express permission to use then the Problems With Members process is followed and the appropriate steps taken to remove the information.

Mags

---

Kinda like locking the barn door after the horse was stolen.

Has anyone contrasted all the concern we have about protecting the privacy of email addresses here (to protect from spammers and other bad guys) with technically aiding and abetting that same sort of abuse by providing a link to a page on gedmatch containing 2,000 email addresses?

---

Hey Gaile,

We are linking to the login page for GEDmatch. Which means that you have to be a registered member of GEDmatch to view any other page.

Mags

---

Whew!  That's a relief ... for WikiTree, anyway.  What gedmatch is doing, though, still strikes me as very wrong, morally if in no other way, but as I said before, that's not within the scope of G2G or any other part of WikiTree.

---

GEDmatch Policies seem fairly weak to me, Mags.

Real names and email addresses shouldn't need to be displayed (or easily accessible) just to make the DNA data sharable. Looks like an identity thief's paradise to me.

But that will be GEDmatch's headache - and all their members' headaches, too (guess I won't join any time soon)!!

---

I have no comment about legality or the GDPR, but agree this is an important discussion.

One small observation--pun intended--is that GEDmatch does take at least a minor step in preventing automated harvesting of email address in one-to-many results, even though they are behind an account registration process. If you look closely at your results, you'll see the first portion of the email addresses, up to and including the @ symbol, appear slightly smaller than the rest of the displayed info. If you check the source code for the display, you'll see email addresses are rendered like this:

<font size=-1>someone@</font>somewhere.com

While certainly not as effective as other programmatic methods to cloak or "stealth" an address, it does break it up and make it less susceptible to internet 'bots who make it their job to siphon email addresses from web pages. The addresses can still be manually copy-and-pasted, however.

Another however is that use of the "font size=" statement was deprecated back in HTML v4.01, and declared obsolete in HTML v5. So it's a fairly weak precaution to begin with, and GEDmatch really does need to find an alternative.

Back to the real discussion...

---

Thank you Edison. I always appreciate your humor. Mags

---

Hi Mags, I hate to be the bearer of bad tidings, but re: . . .

"you have to be a registered member of GEDmatch to view any other page."

Anyone can easily become a member of GEDmatch.  The problem is still that GEDmatch publishes copious lists that have the GEDmatch ID number, member's name and email all nice and tidy.  Wrapped up with a bow.  

---

Yes Kitty you have to be a registered user on GEDmatch meaning you consent to their guidelines. This is if it is you or a thief. Mags

Answer 5

WikiTree is not out of the woods on this... we routinely tell people to upload their results to GedMatch.  So we are making a recommendation.  That can come back and land on us...  so we need a much stronger look at this in terms of privacy.  To really be safe, I would get  the opinion of an international rights and permissions attorney.  This is not something most corporate attorney's are versed in.  I know I bought rights and permissions for yeas and my 8 corporate attorneys would not touch it I had to go out of house and work with an international specialist.  But we never had any lawsuits so it was probably worth the money.  Rights and permissions law which is what privacy falls under is not for the faint of heart.  It varies by state in the US and by country internationally.  

For me there are several issues here:

1.  Indicating our own GedMatch number.  That would seem to fall within our own personal rights but if I understand the greater issue it is what someone can do with that number.

2.  What GedMatch allows a registered user to do with a kit number.

3.  Our recommending people for DNA confirmation and Adoption Angels to upload to GedMatch.  

Each of these is distinct and needs to be looked at in tandem and singularly for a proper legal opinion to be rendered based on my past experience.

Comments

Recommendation to seek legal advice is spot on -- especially with regard to privacy of non-USA members and other non-USA persons whose information is vulnerable to disclosure.  A number of other nations (especially those in the European Union) have much stricter laws than the USA does and getting hit with enforcement proceedings could be very expensive, even for a successful defense.

Answer 6

For those who have read the General Data Protection Regulation, are you able to quote specific parts of it where GEDmatch and/or WikiTree would be in violation?

Thanks and sincerely, Peter

Comments

Peter as I understand the GDPR it is based on  this:

  https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Please note:  The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.^[3]

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents.    (my note here... you can sometimes but not always tell from an email address if the person is from a country in Europe. So this is where the email issue gets thorny)

and this is the stated scope:

The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."^[6]

Consent[edit]

Where consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data is used for (Article 7; defined in Article 4). Consent for children^[15] must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.^[16]

(my note:  I think the question here is if the consent currently being given has information that is specific enough for the GDPR to consider it an informed consent)

Pseudonymisation[edit]

The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible and the process cannot be reversed without access to the correct decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymised data. Pseudonymisation is recommended to reduce the risks to the concerned data subjects and also help controllers and processors to meet their data-protection obligations (Recital 28).

Although the GDPR encourages the use of pseudonymisation to "reduce risks to the data subjects," (Recital 28) pseudonymised data is still considered personal data (Recital 26) and therefore remains covered by the GDPR.   

The sanctions can be quite heavy.  so the question is, how much do we want to gamble on WikiTree and my response is that is not up to us it is up to Chris. 

Right to erasure[edit]

A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.^[20][21] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (see also Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).

Data protection by Design and by Default[edit]

Data protection by Design and by Default (Article 25) requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings must be set at a high level by default and that technical and procedural measures should be taken care by the controller in order to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data is only processed when necessary for each specific purpose.

over 80 percent of those surveyed expect GDPR-related spending to be at least $100,000.^[30] These concerns were echoed in a report commissioned by the law firm Baker & McKenzie that found that "around 70 percent of respondents believe that organizations will need to invest additional budget/effort to comply with the consent, data mapping and cross-border data transfer requirements under the GDPR."^[

I say again, if it was my money I would consult an international rights and permissions attorney with background in digital security and privacy issues.  

---

I agree that it's very important that Wikitree seeks legal advice to ensure that its policies are compliant with the new GDPR legislation. 

There are some useful infographics here which provide a summary of the requirements:

http://gdprcoalition.ie/infographics/

---

Those graphics are great, will definitely wake some people up, that may have thought this was just minor tweaks for lower staff to deal with.

I'm still hopeful though, that good 'informed consent' is all we will have to do.  But you and Laura clearly know more about this than I do.

---

Debbie that is a great find!

Answer 7

I fall into the camp that thinks this is an important discussion, but I also do not think there is a significant privacy problem. The discussion seems to overlook the fact that participation in Gedmatch and WT is voluntary. Both platforms are flexible enough so that when individuals register then they can be as public (sharing real name) or private (sharing an alias) as they wish to be at the time. WT just points to Gedmatch, but you cannot access information there unless you are registered. Yes, it is straight-forward to register at Gedmatch and then you can access information, but that is not dfferent than other platforms sharing various degrees of personal (Facebook, LinkedIn, blogs etc) information.

As for the argument that someone could use the platforms inappropriately and therefore there is some liability for WT or GM, to me that is akin to saying that the DOT is liable because someone is driving illegaly on a state highway. As long as the terms of use are clear for both services (and perhaps there has to be some degree of monitoring and enforcing those terms), then abuses should be the sole responsibility of the abuser. That is not to say that someone is not going to bring a crazy lawsuit at some point but I do not think either platform should live in fear or curtail service based off of such fear.

Comments

The issue relates to informed consent. Are users informed of how their personal information is being used and shared? Is this explained in an easy-to-understand and transparent way? If GEDmatch IDs a re used on Wikitree people need to be aware when they sign up for GEDmatch that their accounts could be shared by other users on third-party websites simply because they are on someone else's match list. The GEDmatch policies are ambiguous at best about third-party websites and do not appear to me to give unambiguous consent for Wikitree to publicly publish GEDmatch IDs.

The burden of the new EU legislation is going to be more difficult for organisations that are mostly run by volunteers but it's very important to get it right.

Answer 8

WikiTree's integration with GEDmatch is very important. Not only to WikiTree but the promise of what this kind of integration brings to the Genetic Genealogy community as a whole. The point isn't that it's any single company or persons specific issue it's more a community issue and all parties involved, I am sure, will do the due diligence to make sure the legalities of these issues are reviewed.

Blaine Bettinger posted in the ISOGG post about this:
"It does matter to a certain degree where the organization is based. Whether the GDPR applies to WikiTree and GEDmatch is far from clear. The GDPR applies to EU organizations and to organizations that collect data from people in the EU. But organizations outside the EU have to target people in the EU to fall under the GDPR (such as with a specific domain, collecting EU currency, targeted marketing in the EU, mentioning customers in the EU, etc.). See Article 3(2). Mere accessibility of a website in the EU is not sufficient. I don't know that either WikiTree or GEDmatch satisfies this requirement. There's arguments both ways. And of course there's a question about how any violations of the GDPR would be enforced against a non-EU organization; I don't know whether there are any international treaties or agreements that provides for enforcement of GDPR fines on organizations outside the jurisdiction of the EU. All the testing companies, of course, satisfy this criteria (and some would be considered EU organizations). 

All that aside, it is in the best interest of every organization to ensure that they satisfy the requirements of the GDPR if they collect data from people in the EU." (This is not legal advice just an opinion from Blaine).

WikiTree will be doing due diligence to make sure we are in good stead if there are any legal implications for our great big ole shared tree with the pending new regulations in the EU.

Mags

Comments

Mags that makes the most sense.  Laws are not always straight forward.  

Some don't make sense and believe me that does not stop a country from exercising them.  The worst thing WikiTree can do is assume we are protected because members choose to do something.  That is not often sufficient protection as many companies have discovered working in an international arena.  

https://en.wikipedia.org/wiki/Personality_rights

http://gilc.org/privacy/survey/intro.html  please take note that the right to private email communications is called out in this overview and it says:

"The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.[fn 16 ]"

Pay particular attention to this segment:

The Evolution of Data Protection

Interest in the right of privacy increased in the 1960s and 1970s with the advent of information technology (IT). The surveillance potential of powerful computer systems prompted demands for specific rules governing the collection and handling of personal information. In many countries, new constitutions reflect this right. The genesis of modern legislation in this area can be traced to the first data protection law in the world enacted in the Land of Hesse in Germany in 1970 This was followed by national laws in Sweden (1973), the United States (1974), Germany (1977) and France (1978). [fn 34]

Two crucial international instruments evolved from these laws. The Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data [fn 35] and the Organization for Economic Cooperation and Development's Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data [fn 36] articulate specific rules covering the handling of electronic data. The rules within these two documents form the core of the Data Protection laws of dozens of countries. These rules describe personal information as data which are afforded protection at every step from collection through to storage and dissemination. The right of people to access and amend their data is a primary component of these rules.

The expression of data protection in various declarations and laws varies only by degrees. All require that personal information must be:

• obtained fairly and lawfully;
   
• used only for the original specified purpose;
   
• adequate, relevant and not excessive to purpose;
• accurate and up to date; and
   
• destroyed after its purpose is completed.

There is more but I thought it might help if you had an inkling of the complexity of these international laws. 

---

Points taken Laura but I am not an attorney and I will leave this to them as the post states.

Thanks,

Mags

Answer 9

In my view, I granted permission for public publication of my email address associated with a gedmatch number when I agreed to the gedmatch guidelines.  The option exists, if I have any privacy concerns to;  1-use a single purpose email address on gedmatch, 2-use an alias kit name, and/or 3-using the Edit Resources features to make the kit or kits as Private or Research which prevents them from being shown in "User Lookup" or anyones match list.

Further - Granted there are a lot of Newbies, however, this IS a genealogical community - just how many spammers, bad guys etc actually might or are using these sites for their selfish purposes?  Who in their right mind would subject themselves to potential exposure on a site populated by genealogists...Who are well established and who, as a community are  VERY Good at finding people who do not want to be found?

Comments

Tony ... people who make their money by accumulating lists of email addresses that they sell to people who want to deliver a sales pitch for their products to as many people as they can reach are not likely to have any sort of problem signing up for an account at gedmatch and using it to harvest email addresses.  This, of course, is the most innocuous use ... there are lots worse things that can be done with an accumulation of email addresses ... things come to mind like using it for a stepping stone to collect more information eventually leading to an identity theft operation ... and there are still worse things that can be done.

Answer 10

Is GEDmatch site down today, or is it just a problem on my end that i get an Internal Server error message?  If it is down, is it because of the privacy issue?

Comments

GEDmatch was down about 7:00 am Eastern Time this morning.  It is up now (1:30 pm Eastern Time).

---

Thank you!

Answer 11

My concern hit the fan over this new Law Enforcement involvement. 

The problem is that given the value of the data to LE, gedmatch should have dictated terms and conditions to define the scope of that activity and ensure that it is being equally used to exonerate or screen out suspects that should not be intruded on.  This is what law enforcement is - but sometimes those in the profession lose sight of it.  And there are 50 states all with their own judicial rules.

The other implication is that according to a survey I put out on a FB page, most people by far have matches in 20 or more and I would say that an average would be over 40 countries.

So what is the scope of law enforcement or the meaning there.  Is it reserved to the United States or could it mean one of the other countries could use it to enforce whatever laws that they dream up. 

It is important because it has been and might be an issue of life or death based on ethnicity or to whom you are related

To shorthand this issue, let me introduce my fourth cousin, three times removed on both her mother and father's side, Baroness Albertine von Pfeiltizer gen Franck

the first "Russian" (Courlanders were Russians by virtue of Polish agreements) Salvation Army Martyr.  (I will be adding her connection to the family soon on Wikitree

Our common ancestor is Franz George von Pfeilitzer gen Franck (1688 - 1770) who married the widow of General-in Chief of Russia and Governor of Moscow, Carl von Biron , whose brother was Duke of Courland and Semigallia (and Prince Regent of Russia Ernst Johann von Biron (1690 - 1772) and this family and ours intermarried further.

EJ of course was lover of Empress Anna of Russia and it is said by some Russian historians that his children were from Anna rather than from his wife.

So I think any historian knows where this goes, in terms of going under cover (many of my family were killed, and others took on a complete other Russian name, some who still know who they are and others not yet - and DNA will be the key to consolidate the survivors

But the point of this story is to show a completely documented situation which would have posed even more serious danger had "Law Enforcement" had DNA opportunities - but like so many less documented situations for millions and millions of people shows the danger

Will some dictator some day look at even ethnicity through DNA and exterminate anyone with a certain ethnicity under the guise of law enforcement - it evidently almost happened 

So gedmatch and FTDNA (which also holds Y) simply need to define the geographical and jurisdiction scope and conditions 

who married this woman as a second wife

https://www.wikitree.com/wiki/Von_der_Wenge_gen_Lambsdorff-1

whose first husband was this Governor 

https://www.wikitree.com/wiki/Von_Biron-1

and brother of this man

https://www.wikitree.com/wiki/Von_Biron-2

whose family further intermarried with ours and who several Russian historians believe 

So all this is past - but the same scenario coul