“This is exactly what we expected would happen…” my editor wrote ominously. And he was right. In another alarming legal ruling against personal privacy at the deepest level – genetic identifiers – a Florida judge recently granted a warrant to a detective keen on conducting a mass search on about a million people, innocent or guilty.
In early November, 2019, Detective Michael Fields of the Orlando Police Department claimed at the International Association of Chiefs of Police conference in Chicago that “the 9th Judicial Circuit Court of Florida had approved a warrant for him to search the entirety of the GEDmatch database, which contains the DNA profiles of nearly 1 million people.”
GEDmatch co-founder Curtis Rogers said his company had 1.3 million users as of the beginning of November.
Fields wanted to find a suspected 25-year-old female involved in a 2001 murder case that the detective had been unable to solve for six years.
According to the Florida judge, all information provided for ancestral research is fair game for law enforcement sweeps. Extended family members face possible risks, too, since their data is often also provided by the primary family researcher to the data-storing service that links family histories by tracing back genetic lines of ancestry.
This state judgment sets a dangerous precedent for everyone who voluntarily provided DNA samples to companies that use information stored in their computer databases to research family trees. Ancestry.com and 23andMe are two very popular services whose customers are now at grave risk of having their private information inspected by law enforcement officials, even if no crime is suspected.
This Orwellian specter is nothing short of alarming and it’s time to provide feedback to our elected officials that such a practice violates our Constitutional Fourth Amendment.
“Contents of communications and any data relating to the DNA of an Ancestry user will be released only pursuant to a valid search warrant from a government agency with proper jurisdiction.”
The “23andMe Guide for Law Enforcement” says user data is at risk of being handed over to the cops:
“23andMe chooses to use all practical legal and administrative resources to resist requests from law enforcement, and we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access. In certain circumstances, however, 23andMe may be required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information.”
In 2015, Ancestry received 14 law enforcement requests for data about members and provided information in response to 13 of those 14 requests. In 2014, a search warrant ordered the company “to provide the identity of a person based on a DNA sample that had previously been made public for which the police had a match. We disclosed information in response to that valid warrant.”
GEDmatch is much more exploitable by law enforcement officials. This outfit searches user-uploaded DNA profiles received from 23andMe, Ancestry, and other comparable data sources, to locate relatives.
GEDmatch, a free service, helped law enforcement track down the Golden State Killer, a truly bad man “who killed 12 people and raped 45 women across California between 1976 and 1986.” Police compared the crime scene DNA to the GEDmatch genealogy database and got a positive hit.
Former police officer Joseph James DeAngelo was arrested at age 72, tried, and convicted by genetic evidence provided by a computer search.
Privacy advocates are concerned that sensational “win” stories, especially where cold cases are solved many years after they happen, distract the public away from the fact that their data may have been part of that criminal identification investigation. Of course, those people weren’t found to be the true suspect.
But what if our Fourth Amendment right erodes to the point that the police can perform a simple database mining operation to genetically identify drivers with outstanding parking tickets or some other minor offense? What if third-party marketers were allowed to mine our genetic records to target ads for people with family histories of illness?
A new section states explicitly the potential uses of customer DNA results, including using client DNA for “Familial searching by third parties such as law enforcement agencies to identify the perpetrator of a crime, or to identify remains.”
The Florida judge granted Detective Fields permission to scour GEDmatch records to find a suspected serial rapist who attacked a number of women decades ago. Forensic consulting firm Parabon is collaborating with the police investigator to find the DNA match that will bring the rapist to justice.
New York University law professor Erin Murphy pointed out the consumer danger following the Florida judgment allowing police access to GEDmatch users’ private data:
“The company made a decision to keep law enforcement out, and that’s been overridden by a court. It’s a signal that no genetic information can be safe.”