Skip to content
Naked Security Naked Security

Warrant let police search online DNA database

This is a "game changer" when it comes to genetic privacy rights, experts say.

In May, genealogy site GEDmatch, stung by a revolt over its approach to DNA privacy, changed its privacy policy.

The new policy required users who upload their DNA to explicitly opt in – or out – of having their profiles used in police investigations. According to the New York Times, GEDmatch co-founder Curtis Rogers said that as of last week, only a handful – 185,000 – of the site’s 1.3 million users had opted in.

Its privacy switch sharply disappointed many in law enforcement. As it is, GEDmatch had become a favorite for investigators, not because it’s the biggest database – it’s far overshadowed by Ancestry.com and 23andMe – but because it’s been the most open.

One of the disappointed was Detective Michael Fields of the Orlando Police Department in Florida. He’d successfully used GEDmatch to identify a suspect in the 2001 murder of a 25-year-old woman that he’d spent six years trying to solve. So, because Fields didn’t want to stop using DNA records – he was searching for suspects in the case of a serial rapist who attacked a number of women decades ago – he took his disappointment to the court.

As Fields reportedly announced at a police convention last week, he won what he was after: a warrant to search GEDmatch’s full database. As the Times reports, he’s now working with the forensic consulting firm Parabon to try to find a DNA match that will lead him to that rapist.

Legal experts told the Times that overriding a site’s policies in this way is a “huge game changer” for genetic privacy. The newspaper quoted Erin Murphy, a law professor at New York University:

The company made a decision to keep law enforcement out, and that’s been overridden by a court. It’s a signal that no genetic information can be safe.

Everybody wants to see that warrant

Fields described his methods at the International Association of Chiefs of Police conference in Chicago last week. In July, he’d asked a Florida judge to approve a warrant that would let him skirt GEDmatch’s user privacy settings and get into its full database – one that the Times says has DNA records of 1.2 million users.

Logan Koepke, a policy analyst at Upturn, a nonprofit in Washington that studies how technology affects social issues, was in the audience. He told the Times that after his talk, Fields was approached by a number of detectives and officers who wanted to get a copy of the warrant.

They don’t need your spit to DNA-trace you

GEDmatch is the same database that was used to identify suspected serial killer Joseph James DeAngelo, the alleged Golden State Killer, in 2018. After DeAngelo’s arrest, law enforcement agencies started using GEDmatch to investigate violent crimes, making it what’s been called the “de facto DNA and genealogy database” for all of law enforcement.

As of April 2019, GEDmatch had been used in at least 59 cold case arrests and in 11 Jane and John Doe identifications across the US.

Policy experts say they’ll be keeping a close eye on how Fields’ successful pursuit of a warrant may embolden other law enforcement agencies to try to penetrate DNA databases and their privacy policies with court-ordered warrants.

Will there be backlash over the legal spurning of privacy preferences? Will it be enough to kill the goose that laid the golden egg? If people have no real say in whether their family trees can be accessed by police, will they refrain from uploading their genetic data?

It’s not just genealogy buffs and people searching for insight into what their DNA may tell them about their medical makeup – for example, whether they may have a gene that predisposes them to breast cancer – that are affected by the privacy implications of DNA profiling.

We don’t have to spit into a tube and submit it to a genealogy database to have it made public. Because we share much of our DNA with relatives, all it takes is one of them to submit their DNA, thus making much of our own genetic information available to the police without our knowledge or consent.

The more people who submit DNA samples to these databases, the more likely it is that any of us can be identified. According to Columbia University research published in October 2018, at the time, the US was on track to have so much DNA data on these databases that 60% of searches for individuals of European descent would result in a third cousin or closer match, which can allow their identification using demographic identifiers.

As far as Detective Fields is concerned, he’s hoping that he does get a chance to go after the motherlode: Ancestry.com, with its 15 million person database, and 23andMe, with 10 million records. The Times quotes him:

You would see hundreds and hundreds of unsolved crimes solved overnight. I hope I get a case where I get to try.

4 Comments

When these services first became available, I instantly swore off them for this exact reason. Of course the problem is (as noted in the article) that I can be ‘condemned’ by distant relatives who aren’t as savvy as I am.

Reply

Despite what Lisa Vaas says at he end of her article, it still seems wrong that anyone can go on fishing expeditions of databases when they feel like it. And why should the forces of ” law and order” stop there – surely now any database is wide open to this sort of writ?

Reply

Unfortunately this seems to be the same situation as phone records. The DNA information are “business records” of the genealogy companies and as such is accessible to the police with a valid warrent.

Reply

This sounds to me a likely case for the Supreme Court. If it’s OK here, there is no limit for fishing in any other data base or collection.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!