Do Not Access – Is Law Enforcement Access to Commercial DNA Databases a Substantial Privacy Concern?
By: Elise Kletz
The use of forensic genetic genealogy (FGG) as an investigative tool for law enforcement has become, “if not exactly routine, very much normalized.” The normalization is in large part due to law enforcement’s use of FGG to identify and arrest the Golden State Killer. The April 2018 arrest gained national recognition, and subsequently, so did the police’s use of FGG as an investigative tool to narrow in on suspects.
Forensic genetic genealogy has immense potential to serve as an investigative tool for law enforcement. The technique helps investigators “reduce the size of the haystack” by identifying the suspect’s family—making it that much more probable to find the needle. In the case of the Golden State Killer, law enforcement used GEDmatch, a public website that produces possible familial matches based on users’ genetic profiles. The site allows users to upload genetic profiles from third parties (such as 23andme and Ancestry.com), which is how law enforcement uploaded a DNA profile of the suspect from the Golden State Killer case. GEDmatch produced a partial match to the DNA profile, uploaded under a fake name, which led law enforcement to a distant relative. By narrowing down the possible suspect pool to one family tree, investigators were then able to deploy traditional investigative techniques, ultimately identifying the suspect as former police officer Joseph DeAngelo. Since the success of law enforcement’s use of FGG became national news with the arrest of DeAngelo, the technology has been used to solve at least 50 other killings and rapes nationwide. Currently, an estimated 300 active cases, involving violent and non-violent crimes, are relying on FGG as an investigative aid.
While the benefit to law enforcement is clear, particularly for cold cases in which more traditional investigative tools have been exhausted, forensic genetic genealogy raises important privacy concerns stemming from law enforcement’s access to and use of genetic profiles stored in commercial DNA databases by genealogy and genetic testing companies such as 23andme and FamilyTreeDNA. The American Civil Liberties Union (ACLU) and the Future of Privacy Forum (FPF) have both expressed concern regarding law enforcement’s current use of forensic genetic genealogy. FPF highlighted its concerns following the reveal in January that FamilyTreeDNA had a secret agreement with the FBI which allowed agents to test DNA samples from crime scenes, develop genetic profiles and identify familial matches. This agreement is the first time a prominent private company has agreed to voluntarily provide law enforcement with routine access to customers’ data.
According to FPF, the agreement is not only outside of industry norms but also is inconsistent with consumers’ expectations. In its critique of the FamilyTreeDNA/FBI agreement, FPF noted that other leading genetic testing companies require legal authorization, such as a warrant, prior to allowing law enforcement to access genetic data. Elaborating, the FPF stated that “FBI genetic searches should be predicated on probable cause and conducted pursuant to appropriate process.” A major concern is that the agreement allows the FBI to cast too wide of a net and could potentially use profiles provided by FamilyTreeDNA on other sites without the consumer’s knowledge or permission. FPF further explained that FamilyTreeDNA’s agreement conflicts with FPF’s Best Practices for Consumer Genetic Testing Services, which express that genetic data should only be disclosed or made accessible to third parties with the person’s express consent or as required by law.
Following the notoriety of the Golden State Killer case and the backlash from FamilyTreeDNA’s agreement with the FBI, genetic testing companies began clarifying their policies regarding law enforcement’s access to genetic data. Both Ancestry.com and 23andme restated their policies; not to permit law enforcement access to consumers’ data without a subpoena or warrant. GEDmatch changed its policy, asking users to opt-in to share their genetic profiles with law enforcement. As a result of the new policy, nearly 90% of the profiles on GEDmatch are no longer available for law enforcement to search. FamilyTreeDNA, however, took the opposite approach, instead making its consumers opt-out. The choice of an opt-out approach is a unique strategy since research indicates that many consumers do not take the time to read terms and conditions or privacy policies when signing up for a service. Thus, it is possible that law enforcement will still be able to access the genetic data of thousands of FamilyTreeDNA’s customers without their knowledge, or at least recognizing, that law enforcement’s access to data is a condition of FamilyTreeDNA’s service.
These companies’ policy changes and the media’s continued coverage of privacy issues suggest significant public concerns regarding DNA privacy. A 2018 study conducted by individuals at the Baylor College of Medicine, however, indicates that “such concerns have been overstated.” The results showed that 79% “supported law enforcement searches of genetic websites” and 62% supported disclosure of direct-to-consumer “genetic testing customer information” to investigators. Notably, respondents were much more supportive of law enforcement’s use of FGG to aid in investigations of violent crimes, crimes against children, and missing persons (80%, 78%, and 77% respectively) whereas only 39% supported the use of FGG to help investigations of non-violent crimes. These results imply that while potential privacy intrusions exist regardless of the type of crime or investigation, the public is more willing to permit these intrusions to aid law enforcement’s ability to solve violent crimes.
This dichotomy could be partly the result of bias stemming from the national recognition of the Golden State Killer case. The Baylor study did include information about the Golden State Killer, which could have influenced the respondents’ results and biased findings. Additionally, the case of the Golden State Killer was “how the American public as a whole was introduced to forensic genealogy.” Erin Murphy, a law professor at New York University, explained that it is common to have potentially controversial forensic techniques, like FGG, tested in cases that will “bring out the most public sympathy.” As Christi Guerrini, an ethicist at Baylor who co-authored the study explained, “[a]rresting a suspected serial killer who murdered at least 13 people and raped at least 50 made the technique a much easier sell.” Despite the public’s support of forensic genetic genealogy as an investigative tool, it is still imperative that privacy concerns are addressed and that the technique is properly regulated.
To better regulate the function and use of this new investigative technique, the Department of Justice (DOJ) released an interim policy, effective as of November 1st, on forensic genetic genealogical DNA analysis and searching (FGGS). The policy requires investigators to attempt to identify a suspect through the FBI’s Combined DNA Index System (CODIS) prior to searching genetic profiles from commercial databases. Additionally, law enforcement must identify themselves prior to searching consumer genetic databases, which directly addresses the issue of police uploading fake profiles to these commercial sites.
The policy, which applies to all law enforcement agencies that receive federal funding, is certainly a step in the right direction but, in terms of balancing public safety and consumer privacy, many have argued that the policy does not go far enough. Requiring law enforcement to exhaust traditional investigative tools prior to accessing consumers’ genetic profiles is a critical consumer privacy protection, as is the requirement that law enforcement identify themselves prior to searching these databases. Identification prior to search, however, only informs the company that law enforcement is searching genetic profiles and does not address the issue of notice to and informed consent of consumers.
Also, the interim policy only requires investigators to obtain prosecutor approval to run a search. Given that such a large net is cast when investigators run a search using a commercial DNA database, requiring only prosecutor approval is a low standard that prioritizes law enforcement’s desire to use FGGS as an investigative tool over the privacy of consumers. Furthermore, while the interim policy only allows for searches following a “substantial threat of public safety,” at the moment law enforcement officials decide what constitutes a public threat. If law enforcement retains the decision-making authority to classify a public threat, there is potential for substantial abuse of forensic genetic genealogy to aid in investigations that do not constitute public threats. Thus, the interim policy again comes up short by failing to give adequate guidelines for the classification of substantial threats to public safety.
On its face, the DOJ’s interim policy appears to have made significant strides in promoting “the reasoned exercise of investigative, scientific, and prosecutorial discretion in cases that involve forensic genetic genealogical DNA analysis and searching,” but the policy fails to address key privacy concerns. While current public sentiment indicates consumers are more comfortable with potential privacy invasions when FGGS is used to aid in investigations of violent crimes, such as murder and sexual assault, the public’s support shifts more heavily towards privacy protections when it comes to law enforcement’s use of FGGS for non-violent crimes, such as identity theft and shoplifting. Thus, these concerns, particularly regarding notice and informed consent, still need to be addressed. The DOJ should develop clearer guidelines regarding law enforcement’s use of commercial databases in investigations in its final policy, set to be released in 2020, to help assuage privacy concerns while still protecting law enforcement’s ability to investigate and maintain public safety. A stronger, more transparent DOJ policy coupled with well-articulated company policies that inform consumers of potential law enforcement access would certainly strike a better balance between public safety and DNA privacy.
Elise Kletz is a second-year law student at Cornell Law School. Elise earned a B.S.B.A. from the Olin Business School at Washington University in St. Louis, where she completed a double major in Leadership & Strategic Management and in Marketing. Currently, Elise serves as an associate for The Issue Spotter and serves as Co-President for the Business Law Society and the Jewish Law Student Association.
Suggested Citation: Elise Kletz, Do Not Access – Is Law Enforcement Access to Commercial DNA Databases Actually a Substantial Privacy Concern?, Cornell J.L. & Pub. Pol’y, The Issue Spotter, (March 3, 2020), http://jlpp.org/blogzine/do-not-acess-is-law-enforcement-acess-to-commercial-dna-databases-a-substantial-privacy-concern.