DNA Test Results May Invade Your Privacy
It seems innocent enough, even fun and informative, but the millions of DNA test results people get to discover their lineage are suddenly making the news for unforeseen reasons.
For example, aiding the FBI in tracking down killers.
A year ago (2018) it was the so-called “Golden State Killer.” Recently it was a man who threw away a napkin and was subsequently charged with a murder from over twenty-five years ago.
As popular as DIY-DNA tests have become, it seems to be just as popular lately for law enforcement to crack some big cases by accessing these public records.
The most popular sites currently in use to track genetic profiles are Ancestry.com (AncestryDNA) and 23andMe. For a fee, individuals can send in their DNA (a saliva sample) and be given results to trace heritage, familial ties, and for some, genetic predispositions. But both Ancestry.com and 23andMe privacy policies are suddenly getting a closer look.
By the end of 2017, nearly 12 million people (mostly in the US) had used direct-to-consumer genetic testing kits. What this means is that a large number of people in the US are identifiable through familial genetic testing—even if they themselves had never given up their own DNA for testing to a company!
That’s probably not what most people expected when they got a DNA test kit.
For most of us, news of the police using a DNA/ancestry site to identify a murderer brought up questions of privacy policies. Do the police have access to my own DNA? Are there any privacy laws in place to prevent this? Should I be happy that a serial killer was caught, or concerned about my privacy?
These, and others, are important questions. Here are some of the main questions you might be asking and some answers to them.
Did the police use AncestryDNA or 23andMe to access DNA to convict people of crimes?
Following the arrest of the Golden State Killer, both AncestryDNA and 23andMe were vocal about not having any part in the acquisition of evidence against Joseph James DeAngelo, the man who was charged with the string of rapes and murders from the 70s-80s.
It was eventually released that authorities used the Florida-based site GEDMatch.
In one of the popular cases in early 2019—the arrest made in the 1993 murder of a Minnesota woman —the source of the DNA has not been shared, though it has been explained that the results were indeed obtained from an online ancestry website.
The other, an arrest made in the Newport Beach murder of an 11-year old from 1973, used the website FamilyTree.
What are the privacy policies for these sites? Are the police allowed to access anyone’s stored information?
An important distinction to make between AncestryDNA/23andMe and FamilyTree/GEDMatch (the two sites that were used in the aforementioned cases) comes from the privacy policies.
Both AncestryDNA and 23andMe have made statements saying that they do not share any information with law enforcement unless they receive a court order. According to a 23andMe article published in 2016 on their site, the company has received minimal requests over the years and has successfully fought them all, having yet to hand over any information to authorities concerning their member’s DNA.
To maintain the trust of their users and have full disclosure, 23andMe has also released a “Transparency Report” on their site that updates users on any access by law enforcement to personal profiles. As of February 2019, no information has been handed over by 23andMe to law enforcement.
AncestryDNA, on the other hand, has complied in a few cases under a proper subpoena/court order. In their own Transparency Report, however, it identifies all ten requests (seven of which they responded to) as having to do with identity theft, credit card misuse, and fraud. They further state that they “…received no valid requests for information related to genetic information of any Ancestry member, and we did not disclose any such information to law enforcement.”
As for GEDMatch and FamilyTree, both sites have (since the arrest of individuals based off their data) revised their privacy policies to make it clear that they allow law enforcement to access their databases. FamilyTree actually issued an apology to its users, since the previous privacy statement did not state this clearly.
Are all the DNA and ancestry sites the same?
No, and the distinction is an important one, as it appears to be GEDMatch that is being used most to solve cold cases.
About ten years ago, a Florida man in his 70s, Curtis Rogers, who had become fascinated with his family tree over the years, joined forces with an engineer in his 50s, John Olson, to create a website that would help people dive further into their ancestral backgrounds.
Together, they launched GEDMatch in 2010, a side-project that blossomed from a hobby, which turned into a website for all others who were enthusiastic about discovering more about their family of origin.
GEDMatch is just Rogers and Olsen serving people online. They don’t run a lab and they don’t test samples for DNA. It’s simply a website, with some sophistication, where anyone can upload their own DNA samples into the GEDMatch program which then reveals familial matches.
And by freely (willingly) uploading more DNA samples, the public expands the warehouse of DNA that GEDMatch is compiling.
But there’s an important catch.
A person using GEDMatch can upload a DNA sample that does not belong to them, which is radically different from both AncestryDNA and 23andMe.
It was this accessibility that turned investigators to GEDMatch it in the search for the Golden State Killer—without the knowledge of GEDMatch co-founder Carl Rogers, who had a shaky privacy statement on the website as it was.
Is GEDMatch within its right to share DNA profiles?
Although Rogers had been previously asked by a few private investigative companies to use his site (and had answered “no”), he knew that there wasn’t much he could do to stop them. It is, after all, a public collection of genetic information.
While initially surprised and angered that authorities had used his website to track DNA results without telling him, Olson started receiving an outpouring of support from the public, happy that a killer had been caught. Within a few days thousands of members had added, hoping to help solve more cold cases. Slowly, the support changed his mind.
Now the site makes it known that it allows the authorities/private investigative industries to access all data, and has even led to arrests in a number of cold cases since officially changing their policy. With this change, the founders alerted all members that they are able to remove their data at any point.
Why is this significant?
Because with the easy access of GEDMatch, law enforcement is no longer required to go about the long legal process of filing for a warrant or subpoena with no guarantees that a search will be granted. This means it is more likely that they will pass on the hassle of trying to get DNA from AncestryDNA and 23andMe.
Should the police be allowed to access this DNA? Aren’t there privacy laws in place to prevent these kinds of searches?
Though everyone is on board for an overdue capture of a murderer, the question of the ethics behind these arrests is up for debate. The law has plenty of restrictions for investigators searching the national criminal database for DNA (CODIS), so it seems strange that authorities can now search the DNA of thousands of people–without any consent and knowledge.
Because this is a very recent trend, the law does not currently reflect what privacy policies should be for such public access.
There is also a debate about the exact science of DNA matches in crimes, since they do not always equate guilt. A person’s DNA may be at a scene entirely unrelated to a crime, and yet a match may seem to identify them as the prime suspect.
Needless to say, the laws currently do not prohibit law enforcement from using public agencies like GEDMatch to obtain familial matches in investigations. But with our nation’s growing concern for privacy, there is no guarantee that this will be the case forever.
If you’re really worried, just don’t submit your DNA to any organizations. And don’t commit murder.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Online Privacy
- Online Safety
We’ve seen Twittersphere explode with bite-sized information security (InfoSec) news over the past few years and we’ve…[Read More]
Managing credit cards is the key to good credit. It's more important than low rates and credit...[Read More]
Using a data breach check tool is the best way to find out if you have accounts...[Read More]
Many are resigned to stay silent about the pain of being scammed, but today’s guest helps empower…[Read More]