A Utah state representative said he believes lawmakers are prepared to continue their “strong record of protecting individual privacy.”
When direct-to-consumer genetic testing services debuted in the early 2000s, they were heralded as a way for people to find out more information about potential hereditary conditions without the help of a physician. Eventually, they also became an important part of the booming genealogy trend, with amateur genealogists uploading DNA profiles in the hopes of matching with long-lost relatives.
In the latest iteration of their use—alternately labeled a breakthrough or dystopian nightmare —law enforcement is turning to some consumer genealogy database to help them find criminals. By uploading DNA from crime scenes to genetic databases or by obtaining warrants to search genealogy websites, police have been able to suss out suspects by connecting DNA evidence to the profiles of distant relatives.
A state lawmaker in Utah wants police to stop this practice. Legislation proposed by Rep. Craig Hall, a Republican, would prevent mass searches of consumer DNA databases, which Hall referred to as “fishing expeditions.”
“We understand that law enforcement wants to use these tools, but the ends don’t justify the means,” Hall said. “We don’t need a surveillance state to catch the bad guys.”
Hall said he believes that law enforcement searches of DNA databases violate the particularity requirement of the Fourth Amendment, which courts have interpreted as requiring law enforcement to obtain search warrants and describe in detail to a judge the evidence they plan to gather when invading someone's privacy.
Jasmine McNealy, the associate director of the Marion B. Brechner First Amendment Project at the University of Florida, said that law enforcement accessing personal data held by third parties is not a new legal debate. “We’ve seen this problem with banking and cell phone data for a long time,” she said. “But with DNA we immediately see the implications. It needs a higher privacy standard.”
Elsewhere in the world, such as in the European Union, DNA has been categorized as personal data, making it extremely difficult for law enforcement to access and search on a broad scale. But no such legal designation exists in the U.S., meaning that the bill in Utah would be the first to explicitly ban state law enforcement from tapping into consumer DNA databases.
The legislation is targeted at a small number of companies, the most prominent of which is GEDmatch, a free DNA database that allows people to discover relatives and ancestors. More recently, GEDmatch has been used by law enforcement agencies in nearly 70 cold cases to identify people suspected of murder or rape. (GEDmatch has also been used in at least one case to prove a wrongful conviction.)
Critics of this practice, though, say that law enforcement agencies already have tools of their own. There exists a national government DNA database known as CODIS, or the Combined DNA Index System, which is used by police daily. But the information in CODIS is more limited. While it contains profiles of 16 million arrestees and incarcerated people, the information stored there is known as STRs, or short tandem repeats, which are small sequences of DNA, not genes. That means police can use CODIS to see if DNA gathered at a scene is an exact match with somebody in the database. In some states, police are also authorized to conduct “familial searches,” which can match with a close relative.
Users of GEDmatch, by contrast, upload raw DNA data from genetic testing companies. With more genetic profiles and much more detail in those profiles, law enforcement can match crime scene DNA to distant relatives, like, say, a third cousin.
That’s what happened in the case of the Golden State Killer, a serial rapist and murderer who roamed California between 1976 and 1986. In 2018, police arrested Joseph James DeAngelo, a former police officer. Investigators found him using GEDmatch. He is awaiting trial, charged with 13 counts of murder and 13 counts of kidnapping.
Jen King, the director of consumer privacy at the Stanford Center for Internet and Society, said that cases like the Golden State Killer make it difficult to argue against using DNA for police work. “Nobody wants serial killers roaming free or for cold cases to go uninvestigated,” she said. “But we’re concerned DNA will soon be used for everything. The scope increases dramatically once you open the door.”
King pointed to a case from March 2019, when investigators in South Dakota used the same process on a 38-year-old case of a baby who died abandoned in a ditch, eventually filing murder charges against the mother. King said that case is a warning sign. “There’s a difference between going after the Ted Bundys of the world, those who have killed forty to fifty people, and someone like this mother whose circumstances we just don’t know,” she said. “There’s a sense of ‘who are we willing to punish?’ with this. It unravels so quickly.”
The Golden State Killer case brought widespread public awareness to how law enforcement could use consumer DNA products. But as other police departments began using the same technique, people began raising privacy concerns. In May 2019, GEDmatch announced a change to its terms of service so that users must opt-in to making their genetic profiles available to law enforcement.
GEDmatch and its 1.2 million DNA profiles was acquired in December by Verogen, a company that works with law enforcement on forensic DNA cases.
Brett Williams, the CEO of Verogen, said that he was not familiar with the specifics of the proposed legislation in Utah, but emphasized the company supports law enforcement’s “responsible use” of the database of users who have opted-in. "Forbidding law enforcement access to sites like GEDmatch removes users’ right to choose and unnecessarily hinders the efforts of law enforcement,” he said. "We are at a time in our history where we as citizens have the opportunity to choose to act as a molecular eye witness in order to help free those who have been falsely imprisoned and to assist law enforcement in taking violent criminals off the streets.”
But Hall, the Utah state lawmaker, said the difficulty with allowing users to opt-in is that they are only speaking for themselves. “Even if users consent to letting the government use their DNA, they can’t consent for all of their family members who share the DNA,” he said. “It’s not like when law enforcement is searching a car, where it’s yours and yours alone.”
McNealy said opt-in options are preying on common perceptions of privacy that don’t apply to DNA. “A lot of people still think along the lines of ‘if you have nothing to hide, you have nothing to fear.’” she said. “But DNA is not like that. It’s implicating your future children, your ancestors. There’s huge ramifications.”
Consumer genetic testing companies that give users the source information they upload to GEDmatch have said they are only willing to work with law enforcement if they receive a court order. On 23andMe’s website, the company states “under certain circumstances, your information may be subject to disclosure pursuant to a judicial or other government subpoena, warrant or order, or in coordination with regulatory authorities.”
Ancestry.com, the Utah-based genealogy giant, said in an emailed statement that the company does not “share customer personal information with law enforcement unless compelled to by valid legal process, such as a court order or search warrant."
Some scholars suggest that legislation to regulate companies like Ancestry or GEDmatch isn’t far reaching enough. McNealy supports the creation of “genetic data trusts,” which would give those who upload their DNA to a trust a say in who gets to access the information. The idea of a trust that allows participants to decide how collective data is used already exists in other contexts—Mayo Clinic has a biomedical data trust, for example, and many fisheries operate in information collaboratives—and McNealy thinks the same idea can be applied to DNA.
“Companies like GEDmatch have particular motives, often profit oriented, that may be in conflict with the expectations that people have for their data,” she said. “A genetic trust would allow everyone to be part of the governance of the trust and decide how the data is used based on the possible harm to them and their community.”
But McNealy said that the legislation in Utah is “a good start” even if it is “only the beginning.”
Hall said that his legislation wouldn’t radically change the way police solve crimes, as law enforcement would still be allowed to seek a warrant for a suspect’s DNA sample or could compare DNA samples from a crime scene to federal and state databases like CODIS.
Hall is working with the state attorney general’s office to draft the legislation, and said he is “cautiously optimistic that we can find language to protect the privacy rights of individuals while giving law enforcement the tools they need to catch the bad guys.” A representative from the state attorney general’s office said they were “not in a position to talk about the bill at this juncture.” The Utah Police Chiefs Association did not respond to a request for comment.
Hall said he plans to introduce the bill early in Utah’s legislative session, which opens on January 27, and that he has already heard supportive comments from other lawmakers. Along with the AG’s office, he has gotten input for the bill from the Libertas Institute, a libertarian-leaning think tank in the state, and the ACLU of Utah.
“The Utah legislature has a history of bipartisan cooperation and a strong record of protecting individual privacy in light of new technology,” Hall said. Last session, Hall shepherded a bill to make Utah the first state with a digital privacy law requiring police to obtain a warrant to see emails, instant messages and cloud-based communication.
Hall thinks that the DNA bill is a natural evolution of other privacy laws. “Over the last 200 years, our country has had a debate about individual privacy vs. catching criminals,” he said. “And with every new technology, we have to find the right line.”