Millions of Americans who want to know more about their family histories have uploaded genetic information to commercial genealogy services like Ancestry.com and 23andMe, believing their DNA profiles will remain private.
A recent development in Florida, however, is raising questions about how secure and confidential that information can continue to be. According to the New York Times, an Orlando police detective announced at a police convention in late October that he had been granted a warrant to search the full database of one of the sites, GEDmatch, which has around 1 million users.
This is reportedly the first time a judge has issued such a warrant and is raising questions about what might be coming next.
For years, DNA testing companies have sought to keep their customers' genetic profiles off-limits to law enforcement unless there is a valid specific order to divulge information. According to the Times, Ancestry.com, the biggest of these companies with about 15 million profiles in its database, has done it only once; 23andMe, the second biggest with about 10 million, has never done it.
The detective's target, however, was a much smaller company, GEDmatch, which is also much different in nature from the bigger ones. While Ancestry.com and 23andMe are closed systems that lab test customers' saliva, GEDmatch simply allows customers to upload their known DNA information to look for relatives. It's a more open system, and therefore more attractive to law enforcement.
In April 2018, police in California used GEDmatch to track down 72-year-old Joseph James DeAngelo, the suspected "Golden State Killer," who committed at least 13 murders and 50 rapes in the '70s and '80s. Police had an unusually well-preserved sample from one the crime scenes and uploaded it to GEDmatch, apparently identifying itself as someone other than police.
By doing so, police were able to identify relatives of the suspect — not the suspect himself — in the same way that other users can locate family members. They were able to narrow the field of suspects and positively identify DeAngelo after locating his home obtaining an object he discarded that contained matching DNA. His trial is expected next year.
After the DeAngelo case made the news, GEDmatch received heavy blowback from genealogists and privacy advocates and thus announced a new, restrictive policy. First, law-enforcement agents would now need to identify themselves when searching the database and would be restricted only to users who opted in to allow those queries. Only about 15 percent of the users opted in.
But now that a judge has issued a warrant allowing police complete access to the entire database, GEDmatch's restrictions are suddenly moot.
The next logical question: If police have gained access to a site of 1 million DNA profiles, might they have their eyes on Ancestry.com's 15 million and 23andMe's 10 million?
And what kind of legal defenses might these companies employ in trying to keep the police out?
All of this remains to be seen, but as Slate reported on Nov. 8, the legal standard may be the same one that tripped up Facebook in 2013, when it tried to protect user accounts from a criminal investigation. In that case, Manhattan prosecutors obtained warrants to gain access to hundreds of Facebook user accounts as part of a fraud investigation and were successful in arguing that they legally had a right to do so.
"A New York judge ruled that bedcause Facebook simply stores the date and was not the actual subject of the criminal probe, the company had no standing to assert this constitutional right on behalf of its users," Slate wrote.
The answer, then, for privacy advocates might be legislative. Maryland appears to be the first state to be looking at a law that would prohibit use of consumer genealogical databases for purposes of identifying a suspected criminal offender by their relatives' DNA samples. Nationally, the Health Insurance Portability and Accountability Act (HIPAA), the primary health privacy law, doesn't apply to genetic testing companies, but there have been calls to expand its protections to genetic information.
In the meantime, if you've submitted genetic information to any database that gives you the option of opting out of law enforcement, you should still take that option.
And if you're concerned about your own uploaded genetic information, you may be able to delete your data. But the policies of these companies can vary. For a good overview on how to remove genetic data, this article by Consumer Reports can be helpful.