Legal Question: How Private is Your DNA in the Cloud?

This week’s question is from Haley via the form. Haley asks:

After listening to the Sinisterhood episodes on Kristin Smart, I couldn't stop thinking about this. What if you submit your DNA to a private company, and it happens to solve a case, are they required to notify you? Are there even laws or regulations for these types of situations? How is law enforcement getting the DNA from the private company (if that's a thing)? Thanks!

Great question, Haley! It’s also a timely question as Maryland and Montana just passed laws restricting how police can use DNA from online databases.

At the time the DNA website GEDMatch was used to capture the Golden State Killer in 2018, the site wasn’t meant for hunting murderers. Two guys created GEDMatch and had no idea police were searching the site’s database for suspects. They thought it was a cool way to find long-lost relatives.

Indeed, at the time, there was no legitimate way for police to search GEDMatch or the other site they used called FamilyTreeDNA. Instead they created a fake profile and uploaded the Golden State Killer’s DNA. Police got a match to a distant cousin and then built a family tree for the suspect in order to identify Joseph James DeAngelo, Jr., who ultimately pleaded guilty to the crimes.

According to The Atlantic, the news of the killer’s arrest was the first time GEDMatch’s creators ever got wind that cops were using their genealogy site to solve crimes. In the wake of the publicity, GEDMatch updated its terms of service to inform users that “DNA obtained and authorized by law enforcement” may be uploaded and used on the site to identify perpetrators of “violent crime.” Though that is defined as rape and murder, the site concedes that it has no way to monitor what crimes law enforcement is using the site for. FamilyTreeDNA followed suit and made similar changes to its privacy policy as well.

With that background, I’ll answer each of your questions in turn.

What if you submit your DNA to a private company, and it happens to solve a case, are they required to notify you?

On FamilyTreeDNA, users who elect to participate in law enforcement efforts are subject to the terms of FamilyTreeDNA’s Law Enforcement Guide. If law enforcement obtains a hit on a user’s DNA and requests more information on the user from FamilyTreeDNA, the website’s policy states that the site will “notify users of the request and supply a copy of the request prior to disclosure” of the user’s information, “unless we are legally barred from doing so.”

In the U.S., law enforcement agencies can get a court order that prevents the DNA website from notifying users. In that case, the user would have no idea they were the subject of an investigation or whether their DNA was being used in connection with an investigation. Usually the court would grant this request if informing the user would somehow impede the investigation, including: endangering the life or physical safety of an individual; causing flight from prosecution; causing the destruction of or tampering with evidence; leading to the intimidation of potential witnesses; or otherwise seriously jeopardizing an investigation or unduly delaying a trial.

If a court finds any of those factors (or any factors otherwise defined under state law), it would sign an order preventing the DNA website from telling you that law enforcement is asking for more information about you.

Are there even laws or regulations for these types of situations?

The overall schema of using a consumer-facing DNA database for purposes of criminal apprehension is governed by the Fourth Amendment and our constitutional right to be secure in our persons, houses, papers, and effects, against unreasonable searches and seizures.

Until recently, if a person turned over data to a third party, such as the information you give to a bank, that person would no longer have any Fourth Amendment protection for the information given to the third party. This was based on longstanding Supreme Court precedent that said, in essence: if you give your data to someone else, you should not expect it to remain private.

In a 2001 decision, Ferguson v. Charleston, the Supreme Court curtailed that slightly, holding that “material which a person voluntarily entrusts to someone else cannot be given by that person to the police, and used for whatever evidence it may contain.” That case involved a hospital testing medical urine samples for drugs and then turning that information over to the police.

Then in 2018, the Court decided Carpenter v. United States, holding that “a defendant has a legitimate expectation of privacy in the record of his physical movements as captured through cell-site location information.” This meant that allowing cell phone companies to know your location does not mean that the companies can turn that information over to the cops wholesale.

Neither of these decisions discussed DNA websites directly, but reading them together, it’s reasonable to assume that personal, private genetic information may now be considered sufficiently sensitive and private to be protected against general searches by the government, even where you have turned that information over to a third party like GEDMatch.

Going further, starting October 1, in Montana and Maryland, the laws will change to protect information uploaded to a DNA website. In Maryland, the practice of uploading a suspect’s DNA to a site will require approval from a judge and will only be allowed in cases of sexual assault and murder. In Montana, law enforcement will have to obtain a search warrant, unless users have opted to allow police access to their DNA. Other states may soon follow suit and pass laws of their own.

How is law enforcement getting the DNA from the private company (if that's a thing)?

With the Golden State Killer, they just made a fake profile and uploaded it as if they were a regular user. After the news broke of how they got their information, the websites then created specific channels for law enforcement to upload suspects’ data going forward. For FamilyTreeDNA, law enforcement users are directed to follow certain procedures and email their requests to a special department. On GEDMatch, law enforcement users are directed to use the GEDMatch Pro site, rather than the regular consumer site, and must confirm that they are looking for perpetrators of a violent crime.

For general users with a profile on either FamilyTreeDNA or GEDMatch, the decision whether to make their DNA data available to law enforcement is an option to toggle on or off in the privacy settings area of the website.

Since data like DNA uploaded to a website implicates privacy concerns that extend well into Fourth Amendment territory, law enforcement officials are no longer able to misuse the consumer-facing website for investigative purposes, at least not in Montana or Maryland. If they do it in other states, they may face challenges to use of the data on Fourth Amendment grounds, especially in the wake of the 2018 Supreme Court decision in Carpenter.

I hope that answers your questions, Haley! Thanks for submitting.

Got a question? Submit it here. They can be legal what-if questions, questions on current events, or questions about the legality of actions in TV shows or movies you’ve seen. I never ever want to answer your personal legal questions, so don't send those. Love you, but I don’t do that.

***

This piece first appeared in Sunday Morning Hot Tea. Subscribe so you don’t miss another piece.
