Shaking family trees for killers
Genealogy sites, with vast repositories of DNA, aid law enforcement but raise privacy concerns
Consumer genetic-testing services are wrestling with a new threat to users’ privacy: detectives hauling a dragnet through their DNA.
In April, investigators arrested a suspect in the decades-old case of the Golden State Killer after sifting through online genetic data, setting off one of the most vigorous recent debates about privacy in the digital age.
A growing number of services say they can use a simple swab of a consumer’s genetic material to find long-lost family members or detect early warning signs of disease, and millions of users have eagerly shared their samples. But there has been little public discussion of where that data is stored, how it will be used beyond its initial applications and who can access it.
To help track down the alleged Golden State Killer, investigators matched DNA from a crime scene to genetic data belonging to the suspect’s relatives that was posted on an open-source genealogy website. Those methods have raised questions about how the growing and often public repository of consumers’ most intimate data could be used by authorities.
“We all want a serial killer caught,” said CeCe Moore, a genetic genealogist who often appears on television shows like Dr. Oz and Finding Your Roots. “But what other applications could it be used for that maybe we would not be so in favor of ?”
From payment apps to smart thermostats to personal digital assistants, software and devices are collecting more data about consumers than ever. Questions about how personal data should be handled and how it might be abused are being asked more often and more urgently.
For online DNA services, the privacy issues have become entangled with guilt and innocence.
With more Americans logging on to genealogy websites, the services have become vast repositories of DNA, a potential trove for law enforcement agencies attempting to resolve languishing investigations.
In some cases, investigators have searched genetic material without informing the hosting companies. In the Golden State Killer case, police uploaded crime-scene data to GEDmatch. com to search for family members of the suspected murderer and rapist.
Two hobbyists who run the site, a publicly searchable platform that lets users post raw genetic-data files to try to find distant relatives, said authorities never contacted them.
“Criminal court cases thus far have treated DNA data like a fingerprint,” said Jennifer Lynch, a senior attorney with the Electronic Frontier Foundation, adding that judges haven’t found genetic information to be protected under the Fourth Amendment, which bars unreasonable search and seizure. “There are no meaningful protections. And we need them.”
In criminal cases, DNA evidence is sometimes misused or misinterpreted. But the implications of such DNA dragnets could extend beyond murder cases. Following the California arrest, some members of the genealogy community raised the possibility that, for example, police might use genetic data pulled from the web to track down women who had illegal abortions, as they did this year in the case of an abandoned fetus in Georgia.
“The police are just going ahead and doing this without any oversight,” said Debbie Kennett, a British genealogist who has written several books on the subject. Kennett argues that users should have a right to determine how their DNA data is used.
Investigators say that despite the availability of much more genetic information online, tracking suspects using DNA is still costly and labor-intensive. In the Golden State probe-even in GEDmatch’s database of a million people-the closest familial matches to the suspect were third cousins, said Paul Holes, a coldcase detective who helped crack the case.
Holes said the amount of quality DNA needed to run the same tests many genealogy sites perform is often hard to come by when dealing with what is left behind at a crime scene. Such tests are also more extensive and expensive than those tests crime labs perform. Parabon NanoLabs, a Virginia-based forensic DNA company, said it charges about $5,000 for law enforcement officers to run such a test.
The tension between consumers’ expectations of digital privacy and the needs of law enforcement has swelled as more people adopt technology that can suck up ever-more-personal information, often without users being aware that it’s happening.
In 2016, Apple refused a request from the Federal Bureau of Investigation to unlock an iPhone recovered from one of the perpetrators of a mass shooting that killed 14 people in San Bernardino, Calif. The company said investigators were asking to create a back door that could be exploited by hackers, a move that could tarnish its closely guarded reputation for security.
“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers,” Chief Executive Officer Tim Cook said then. “We oppose this order, which has implications far beyond the legal case at hand.”
Some of the largest genetictesting companies have staked out positions similar to the stand taken by Apple, promising to safeguard consumer information from investigators.
“We treat law enforcement inquiries, such as a valid subpoena or court order, very seriously,” 23andMe’s privacy chief, Kate Black, said in an interview. “23andMe policies prohibit our voluntary cooperation with law enforcement in order to protect our customers’ privacy.
“To date, we have successfully challenged the law enforcement requests we’ve received.”