
THE announcement by California police in 2018 that they had arrested a suspect in the Golden State Killer case, a series of murders, rapes and burglaries in the 1970s and 1980s, came with a sting. The suspect had been identified in part using data that members of the public had uploaded to the personal genomics database GED match.
People add their genetic data to such sites in the hope of tracing long-lost relatives, biological parents and so on. Most wouldn’t expect their genomes to be accessed by the police. Yet officials in the US have used “investigative genetic genealogy” in more than 100 cases. Earlier this year, for failing to tell its users it was sharing data with the FBI.
Advertisement
The attraction of such databases to law enforcement is clear. Just 3 million profiles from a particular population will generate a match with a third cousin or closer for 90 per cent of DNA samples. With a match, police can use public records to build out family trees and home in on people who fit the suspect’s age, location and even physical appearance. The Golden State Killer case involved a tree with thousands of members.
These DNA searches jeopardise privacy in several ways. It takes only a relatively small number of profiles to effectively waive the genomic privacy of hundreds of millions of people. An investigator who looks at the records of dozens of people linked by biology – even if they aren’t linked to each other in the real world in any way – will learn a lot of private information, with the obvious potential for abuse. To help build out family trees, police have in some cases even collected biological material from non-suspects without alerting them, such as by taking a discarded coffee cup. This material can then be retained in police databases as “abandoned” DNA.
GEDmatch initially defended its practice of allowing access by law enforcement by arguing that information in its database was open to any member of the public. After its users baulked, it switched to a default opt-out from such access, encouraging users to opt back in.
In a new twist, last week police in Florida obtained a warrant to search all GED match’s opted-out profiles, causing disquiet among direct-to-consumer genomic testing firms. Such services hold the data of millions of people who have had their genomes screened, whether for genealogical or health reasons.
A big company like 23 and Me, which of challenge to the Florida warrant as “disturbing”, may put up a vigorous fight if pressured to share its data. However, US privacy laws are anaemic – and smaller, less well-resourced companies may prove more attractive targets.
More controls are urgently needed. The 21st Century Cures Act, enacted by the US Congress in 2016, created a legal protection known as a “certificate of confidentiality” to prevent law enforcement from accessing sensitive information collected to advance medical knowledge. Similar protection could be extended to recreational genetics.
Some US states have begun to talk about regulating or banning investigative genetic genealogy. The Department of Justice is currently receiving comments on an interim policy that has a promising, although incomplete, set of regulatory restrictions. For now, though, consumers worried about genetic privacy have few choices: opt for a service based outside the US; choose one with a well-resourced legal team that seems committed to its users’ privacy and hope for the best; or forego such services altogether. But if your fourth cousin once removed made a different choice, that apparent power to decide is probably meaningless.