I Just Took a DNA Test, Turns Out I’m at Risk for Privacy Rights Violations

By: Erin Kelly

In 1990, the Federal Bureau of Investigations (FBI) developed software to compare DNA samples found at crime scenes against the DNA samples of arrestees. This software, the Combined DNA Index System (CODIS), has over 14.3 million DNA samples stored to its system. In 2013, the Supreme Court of the United States ruled in Maryland v. Kingthat states may collect DNA samples from arrestees without probable cause. However, law enforcement officials have recently used independent, commercial databases to identify suspects in criminal cases.

Ancestry is a company that specializes in commercialized DNA testing to show customers their family trees and their genetic heritage. The company has over sixteen million DNA samples stored in the Ancestry DNA database. A competitor company, 23andMe, has over ten million customers who have purchased a DNA testing kit. Both companies have reported that their customer information is not released to law enforcement officials absent a warrant or subpoena. This is not true of every commercial genealogy database.

After receiving their DNA data test results, customers from companies like Ancestry and 23andMe can upload their DNA data to third party websites to expand their search for familial connections. For example, GEDmatch is free to use and allows individuals to find genetic connections with users from across DNA testing websites, not just the original company they used. In 2018, Joseph James DeAngelo was arrested and charged with thirteen counts of murder committed in California between 1976 and 1986. When searching for suspects in this cold case, law enforcement officials created a profile on GEDmatch with the crime scene DNA. This is only one example of how DNA data from publicly available websites has helped to apprehend criminals.

After news broke about DeAngelo’s arrest and law enforcement’s use of GEDmatch, privacy concerns arose. To address these concerns, GEDmatch altered their terms of service. Previously, the website allowed law enforcement to use its database when investigating a violent crime. However, the website’s terms never defined “violent crime.” GEDmatch’s updated terms created an opt-in agreement, where customers must affirmatively agree to opt-in to automatically be included in future law enforcement searches. Customers who choose not to opt-in still have complete access to GEDmatch’s services.

On the surface, this might seem to address privacy concerns. In practice, these terms only apply to situations in which law enforcement formally requests access to GEDmatch’s database. As with the DeAngelo case, law enforcement officials may still create a profile on the website using the crime scene DNA. This provides complete access to the website’s DNA database. In December 2019, a forensic genomics company, Verogen, purchased GEDmatch. According to its website, Verogen works to improve the field of forensic science through technological advances. Verogen announced that “GEDmatch’s terms of service will not change, with respect to the use, purposes of processing, and disclosures of user data.” Verogen has previously worked with the FBI to create DNA profiles for the National DNA Index System, combining federal, state, and local forensic contributions. Therefore, GEDmatch users will likely not experience more privacy protection in the wake of the Verogen takeover.

            If law enforcement officials are able to make a profile with crime scene DNA, like in the DeAngelo case, are they also able to access the more popular Ancestry or 23andMe? These websites operate differently. Individuals gain access to their online profile only after purchasing a DNA test kit from one of these websites and sending in the completed kit. Therefore, unlike other websites, law enforcement officials cannot upload DNA samples collected from crime scenes. This does not necessarily mean the data is secure. These companies are not health care providers, therefore, the Health Insurance Portability and Accountability Act (HIPPA) does not apply. HIPPA is a federal law that ensures the privacy of health data. Subpoenas seeking the release of medical records are usually insufficient to release genetic information protected by HIPPA.

            As science and technology advance, legislatures try to keep up. In January 2020, Senator Susan Lee introduced a bill before Maryland’s General Assembly, requiring the State’s Attorney to make a disclosure to criminal defendants if “forensic genetic genealogical DNA analysis and search” is used during the case investigation. The disclosure is limited to cases where publicly available open databases and consumer genealogy services are used by law enforcement. The bill has support from Maryland House Delegate Charles Sydnor III, who proposed a similar bill in 2019, which did not make it out of committee. Consumers should exercise caution and make an informed decision when using any product, especially those that threaten constitutional rights, like privacy.

Sources:

Antony Barone Kolenc, “23 and Plea”: Limiting Police Use of Genealogy Sites After Carpenter v. United States, 122 W. Va. L. Rev.53 (2019).

Maryland v. King, 569 U.S. 435 (2013).

Our Story,Ancestry, https://www.ancestry.com/corporate/about-ancestry/our-story (last visited Jan. 16, 2020).

About Us, 23andMe, https://mediacenter.23andme.com/company/about-us/ (last visited Jan. 16, 2020).

Jason Tashea, Genealogy Sites Give Law Enforcement a New DNA Sleuthing Tool, but the Battle Over Privacy Looms, ABA (Nov. 1, 2019), http://www.abajournal.com/magazine/article/family-tree-genealogy-sites-arm-law-enforcement-with-a-new-branch-of-dna-sleuthing-but-the-battle-over-privacy-looms.

Breeanna Hare & Christo Taoushiani, What We Know About the Golden State Killer Case, One Year After a Suspect Was Arrested, CNN, https://www.cnn.com/2019/04/24/us/golden-state-killer-one-year-later/index.html (last updated Apr. 24, 2019).

Julian Husbands, GEDmatch Partners with Genomics Firm, Verogen(Dec. 9, 2019), https://verogen.com/gedmatch-partners-with-genomics-firm/. 

Nila Bala,We’re Entering a New Phase in Law Enforcement’s Use of Consumer Genetic Data,Slate(Dec. 19, 2019), https://slate.com/technology/2019/12/gedmatch-verogen-genetic-genealogy-law-enforcement.html.

Heather Murphy, What You’re Unwrapping When You Get a DNA Test for Christmas, N.Y. Times,https://www.nytimes.com/2019/12/22/science/dna-testing-kit-present.html? (last updated Dec. 23, 2019).

Taking the Fear out of Responding to Subpoenas for Medical Records, Norcal Group(June 29, 2017). https://www.norcal-group.com/library/taking-the-fear-out-of-responding-to-subpoenas-for-medical-records.

S.B. 46, 440th Gen. Assemb., Reg. Sess. (Md. 2020).