A Blog by Jonathan Low


Nov 18, 2019

The Reason Police Can Access Consumer DNA To Solve Crimes Despite User Objections

Judges rulings on warrants assert that consumer DNA testing and social media companies have no legal standing to object to use of such personal data - even if users have signed statements saying they do not want their information used - because the companies which collect and store the data are not the subject of the search. JL

Aaron Mak reports in Slate:

Law enforcement has accessed genetic information (through) GEDmatch that finds relatives by uploading DNA profiles. Warrants overrule any companies’ policies—and consumers’ clearly stated preferences—about how their data can be used. Even if companies wanted to challenge a warrant that violated users’ Fourth Amendment protections from unreasonable searches, a judge ruled that because Facebook was not the subject of the criminal probe, the company had no standing to assert this constitutional right (so) DNA companies might not be able to use constitutional justifications to challenge warrants for their users’ genetic information.
Law enforcement may soon be able to regularly search entire databases made up of consumer DNA information, regardless of whether the companies or users themselves have consented to it. Detective Michael Fields claimed at a police convention last week that the 9th Judicial Circuit Court of Florida had approved a warrant for him to search the entirety of the GEDmatch database, which contains the DNA profiles of nearly 1 million people. Because these profiles reveal information not only about the users themselves but also their extended family, such a search could implicate a far larger group of people. It appears to be the first time that a court has approved a warrant this broad for a genetic genealogy database.
DNA-testing companies like 23andMe and Ancestry.com have generally sought to keep their consumers’ genetic profiles private from law enforcement unless there is a valid government order forcing them to divulge such data. Ancestry.com in fact claims that in its history, it has only fulfilled a request for a customer’s genetic information once, in response to a 2014 search warrant, and 23andMe indicates that it has not fulfilled any law enforcement data requests without prior consent from a customer since it started publishing transparency reports in 2015. The door through which law enforcement has more easily accessed genetic information is GEDmatch, a database that allows people to find relatives by uploading DNA profiles they received from 23andMe, Ancestry.com, and other such services. It was GEDmatch that helped law enforcement track down the Golden State Killer as well as at least 58 other suspects as of April. But back in May, the site changed its policies so that users would have to explicitly opt in to allowing police to access their data. (Previously, it had been opt-out.) So far, only 185,000 of the 1.3 million people using the database have elected to make their profiles available to law enforcement. At the time, it seemed that this change could make GEDmatch practically useless for solving crime.
But that may have changed. The warrant that Fields claims to have obtained would seem to be able to overrule any of these companies’ policies—and consumers’ clearly stated preferences—about how their data can be used. “Law enforcement has repeatedly asserted that the reason it’s OK for them to use this kind of consumer genetics data is because it’s all voluntarily shared,” says Natalie Ram, an associate law professor at the University of Maryland. “To then override an explicit opt-out seems quite troubling.” It’s possible that the Florida court decision could pave the way for law enforcement to tap into Ancestry.com’s 15 million-user database and 23andMe’s 10 million-user database, but that would depend on the exact wording of Fields’ warrant, which he declined to share with the Times.
Advocates have long warned that it’s a mistake to rely on DNA-testing companies’ privacy policies. For one, these companies can change their policies on a whim to be either more or less protective of consumer data. In addition to creating an opt-in system, GEDmatch’s May policy change included expanding the range of crimes that it would help law enforcement to investigate by providing DNA data. The Florida warrant also suggests that when push comes to shove, DNA-testing companies are legally obligated to comply with government orders. As genealogy experts have pointed out, invasive warrants further undercut companies’ new efforts to improve the security of DNA information through encryption and cryptographic signatures. These measures can prevent unofficial use of DNA info but won’t do much to protect against government intrusion.
Even if these companies wanted to challenge a warrant, it’s not clear they have the legal standing to do so. Ram notes that Facebook attempted in 2013 to challenge warrants from Manhattan prosecutors to access hundreds of accounts on the basis that it violated its users’ Fourth Amendment protections from unreasonable searches. A New York judge ruled that because Facebook simply stores the data and was not the actual subject of the criminal probe, the company had no standing to assert this constitutional right on behalf of its users. By this logic, these DNA companies might not be able to use certain constitutional justifications to challenge warrants for their users’ genetic information.
The issue of standing for challenging a warrant like the one in Florida becomes even more complicated once you consider how police usually use genetic genealogy. Investigators take DNA gathered at a crime scene and match it against the genetic information in a genealogy database. They rarely expect to find the suspect themselves. Rather, the goal is to see whether the DNA sample is a partial match to one of the database users’ profiles. Investigators then examine that user’s family tree to determine whether one of their family members could be the perpetrator of the crime. It’s not clear whether the database users have standing to challenge a warrant because they aren’t technically the subject of the criminal investigation. But the suspects themselves also might not have standing because it isn’t technically their DNA that law enforcement is trying to access in the database. “We might find that we are, as a practical matter, in a black hole for enforceability where nobody can effectively challenge the warrant,” says Ram.
If it turns out that the courts are not a viable avenue for challenging warrants like Fields’, it may be up to legislators to take up the cause. “Rather having private companies set the standards, we’d basically have legislation that requires certain controls on government access or on the types of information that can be shared,” says Vera Eidelman, a staff attorney with the ACLU’s Speech, Privacy, and Technology Project. She notes, though, that it’s tough to determine what that sort of legislation should look like without seeing the exact wording of the warrant.
None of this means that you should give up on your genetic privacy. If you’ve submitted your genetic information to any database and it gives you the option of opting out from law enforcement use of your DNA, it’s still worth taking it. In practice, investigators usually don’t need a warrant if you’ve already given consent for them to search your DNA profile. And, as Eidelman says: “[Opting out] makes a statement. It shows that there are people in society who are not interested in this information being used by law enforcement.”


Post a Comment