The Atlanta Journal-Constitution
'Game changer' on crime
Warrant to search DNA database may also have profound implications for genetic privacy, experts say.
or police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data has been off limits to investigators.
The two largest sites, Ancestry.com and 23andMe, have long pledged to keep their users’ genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year. Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly 1 million users. Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy.
“That’s a huge game changer,” said Erin Murphy, a law professor at New York University. “The company made a decision to keep law enforcement out, and that’s been overridden by a court. It’s a signal that no genetic information can be safe.”
DNA policy exp erts said the development was likely to encourage other agencies to request similar search warrants from 23andMe, which has 10 million users, and Ancestry.com, which has 15 million.
If that comes to pass, the Florida judge’s decision will affect not only the users of these sites but huge swaths of the population, including those who have never taken a DNA test. That’s because this emerging forensic technique makes it possible to identify a DNA profile even through distant family relationships.
Using public genealogy sites to crack cold cases had its breakthrough moment in April 2018 when the California police used GEDmatch to identify a man they believe is the Golden State Killer, Joseph James DeAngelo. After his arrest, dozens of law enforcement agencies around
the country rushed to apply the method to their own cases.
Investigators have since used genetic genealogy to identify suspects and victims in more than 70 cases of murder, sexual assault and burglary, ranging from five decades to just a few months old.
Most users of genealogy services have uploaded their genetic information in order to find relatives, learn about ancestors and get insights into their health — not anticipating that the police might one day search for killers and rapists in their family trees. After a revolt by a group of prominent genealogists, GEDmatch changed its
policies in May. It required law enforcement agents to identify
themselves when searching its database, and it gave them access only to the profiles of users who had explicitly opted in to such queries. (As of last week, according to the GEDmatch co-founder Curtis Rogers, just 185,000 of the site’s
1.3 million users had opted in.)
Like many others in law enforcement, Detective Michael Fields of the Orlando Police
Department was disappointed by GEDmatch’s policy shift. He had used the site last year to identify a suspect in the 2001 murder of a 25-year-old woman that he had spent six years trying to solve. Today, working with a forensic consulting firm, Parabon, Fields is trying to solve the case of a serial rapist who
assaulted a number of women decades ago.
In July, he asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.
Fields described his methods at the International Association of Chiefs of Police conference in Chicago last week. Logan Koepke, a policy analyst at Upturn, a nonprofit in Washington that studies how technology affects social issues, was in the audience. After the talk, “multiple other detectives and officers approached him asking for a copy of the warrant,” Koepke said.
DNA policy experts said they would closely watch public response to news of the warrant, to see if law enforcement agencies will be emboldened to go after the much larger genetic databases.
“I have no question in my mind that if the public isn’t outraged by this, they will go to the mother lode: the 15 million-person Ancestry database,” Murphy said. “Why play in the peanuts when you can go to the big show?”
Yaniv Erlich, chief science officer at MyHeritage, a genealogy database of around 2.5 million people, agreed. “They won’t stop here,” he said.
Because of the nature of DNA, every criminal is likely to have multiple relatives in every major genealogy database. Without an outcry, Murphy and others said, warrants like the one obtained by Fields could become the new norm, turning all genetic databases into law enforcement databases.
Not all consumer genetics sites are alike. GEDmatch and FamilyTreeDNA make it possible for anyone to upload his or her DNA information and start looking for relatives. Law enforcement agents began conducting genetic genealogy investigations
there not because these sites
were the biggest but because they were the most open.
Ancestry.com and 23andMe are closed systems. Rather than upload an existing genetic profile, users send saliva to the companies’ labs and then receive information about their ancestry and health. For years, fear
ful of turning off customers, the companies have been adamant that they would resist giving law enforcement access to their databases.
Both sites publish transparency reports with information about subpoenas and search warrants they receive. 23andMe says it has received seven data requests relating to 10 customers and has not released any data. Ancestry.com said in its 2018 report that it had received 10 “valid law enforcement requests” that year and complied with seven, but that all the cases involved “credit card misuse, fraud and identity theft,” not requests for genetic information.
Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as “Don’t rock the boat.”
FamilyTreeDNA permits law enforcement searches of its database of 2 million users for certain types of crimes.
Ancestry.com did not respond to a request for comment on the Florida search warrant. A spokesman for 23andMe, Christine Pai, said in an emailed statement, “We never share customer data with law enforcement unless we receive a legally valid request such as a search warrant or written court order. Upon receipt of an inquiry from law enforcement, we use all practical legal measures to challenge such requests in order to protect our customers’ privacy.”
Fields said he would welcome access to the Ancestry.com and 23andMe databases. “You would see hundreds and hundreds of unsolved crimes solved overnight,” he said. “I hope I get a case where I get to try.”