This week’s question is from Haley via the form. Haley asks:

After listening to the Sinisterhood episodes on Kristin Smart, I couldn't stop thinking about this. What if you submit your DNA to a private company, and it happens to solve a case, are they required to notify you? Are there even laws or regulations for these types of situations? How is law enforcement getting the DNA from the private company (if that's a thing)? Thanks!

Great question, Haley! It’s also a timely question as Maryland and Montana just passed laws restricting how police can use DNA from online databases.

At the time the DNA website GEDMatch was used to capture the Golden State Killer in 2018, the site wasn’t meant for hunting murderers. Two guys created GEDMatch and had no idea police were searching the site’s database for suspects. They thought it was a cool way to find long-lost relatives.

Indeed, at the time, there was no legitimate way for police to search GEDMatch or the other site they used called FamilyTreeDNA. Instead they created a fake profile and uploaded the Golden State Killer’s DNA. Police got a match to a distant cousin and then built a family tree for the suspect in order to identify Joseph James DeAngelo, Jr., who ultimately pleaded guilty to the crimes.

According to The Atlantic, the news of the killer’s arrest was the first time GEDMatch’s creators ever got wind that cops were using their genealogy site to solve crimes. In the wake of the publicity, GEDMatch updated its terms of service to inform users that “DNA obtained and authorized by law enforcement” may be uploaded and used on the site to identify perpetrators of “violent crime.” Though that is defined as rape and murder, the site concedes that it has no way to monitor what crimes law enforcement is using the site for. FamilyTreeDNA followed suit and made similar changes it its privacy policy as well.

With that background, I’ll answer each of your questions in turn.

What if you submit your DNA to a private company, and it happens to solve a case, are they required to notify you?

On FamilyTreeDNA, users who elect to participate in law enforcement efforts are subject to the terms of FamilyTreeDNA’s Law Enforcement Guide. If law enforcement obtains a hit on a user’s DNA and requests more information on the user from FamilyTreeDNA, the website’s policy states that the site will “notify users of the request and supply a copy of the request prior to disclosure” of the user’s information, “unless we are legally barred from doing so.”

In the U.S., law enforcement agencies can get a court order that prevents the DNA website from notifying users. In that case, the user would have no idea they were the subject of an investigation or whether their DNA was being used in connection with an investigation. Usually the court would grant this request if informing the user would somehow impede the investigation, including: endangering the life or physical safety of an individual; causing flight from prosecution; causing the destruction of or tampering with evidence; leading to the intimidation of potential witnesses; or otherwise seriously jeopardizing an investigation or unduly delaying a trial.

If a court finds any of those factors (or any factors otherwise defined under state law), it would sign an order preventing the DNA website from telling you that law enforcement is asking for more information about you.

Are there even laws or regulations for these types of situations?

The overall schema of using a consumer-facing DNA database for purposes of criminal apprehension is governed by the Fourth Amendment and our constitutional right to be secure in our persons, houses, papers, and effects, against unreasonable searches and seizures.

Until recently, if a person turned over data to a third-party, like for instance information you give to a bank, that person would no longer have any Fourth Amendment protection for the information given to the third party. This was based on longstanding Supreme Court precedent that said, in essence: if you give your data to someone else, you should not expect it to remain private.

In a 2001 decision, Ferguson v. Charleston, the Supreme Court curtailed that slightly, holding that “material which a person voluntarily entrusts to someone else cannot be given by that person to the police, and used for whatever evidence it may contain.” That case involved a hospital testing medical urine samples for drugs and then turning that information over to the police.

Then in 2018, the Court decided Carpenter v. United States, holding that “a defendant has a legitimate expectation of privacy in the record of his physical movements as captured through cell-site location information.” This meant that just because you allow cell phone companies to know your location, does not mean that the companies can wholesale turn that information over to the cops.

Neither of these decisions discussed DNA websites directly, but reading them together, it’s reasonable to assume that personal, private genetic information may now be considered sufficiently sensitive and private to be protected against general searches by the government, even where you have turned that information over to a third party like GEDMatch.

Going further, starting October 1, in Montana and Maryland, the laws will change to protect information uploaded to a DNA website. In Maryland, the practice of uploading a suspect’s DNA to a site will require approval from a judge and will only be allowed in cases of sexual assault and murder. In Montana, law enforcement will have to obtain a search warrant, unless users have opted to allow police access to their DNA. Other states may soon follow suit and pass laws of their own.

How is law enforcement getting the DNA from the private company (if that's a thing)?

With the Golden State Killer, they just made a fake profile and uploaded it as if they were a regular user. After the news broke of how they got their information, the websites then created specific channels for law enforcement to upload suspects’ data going forward. For FamilyTreeDNA, law enforcement users are directed to follow certain procedures and email their requests to a special department. On GEDMatch, law enforcement users are directed to use the GEDMatch Pro site, rather than the regular consumer site, and must confirm that they are looking for perpetrators of a violent crime.

For general users with a profile on either FamilyTreeDNA or GEDMatch, the decision whether to make their DNA data available to law enforcement is an option to toggle on or off in the privacy settings area of the website.

Since data like DNA uploaded to a website implicates privacy concerns that extend well into Fourth Amendment territory, law enforcement officials are no longer able to misuse the consumer-facing website for investigative purposes, at least not in Montana or Maryland. If they do it in other states, they may face challenges to use of the data on Fourth Amendment grounds, especially in the wake of the 2018 Supreme Court decision in Carpenter.

I hope that answers your questions, Haley! Thanks for submitting.

Got a question? Submit it here. They can be legal what-if questions, questions on current events, or questions about the legality of actions in TV shows or movies you’ve seen. I never ever want to answer your personal legal questions, so don't send those. Love you, but I don’t do that.

***

This piece first appeared in Sunday Morning Hot Tea. Subscribe so you don’t miss another piece.

This week’s question is from Julissa on Instagram. Julissa asks:

So I’m seeing with all the apps you can use to swap your face with a celebrity’s face there are now TikToks of people just using the app and doing funny videos while pretending to be a celebrity like @deeptomcruise for example. My question is what kind legal protections exist to protect your likeness and how it can and can’t be used? Thank you!!!

Thanks for asking, Julissa!

As a lawyer fighting scams, I think Deep Fakes are the next biggest threat to scam victims, especially seniors. One way I tell seniors to try and avoid romance scams or celebrity scams is to ask to video chat with the person reaching out to them. Now, if scammers can put a celebrity’s face onto their own and pretend to be someone they’re not, how can we keep ourselves safe?

As a person who has seen Face/Off, I am equally as concerned about facial transplant surgery. But this question is about deepfakes, so let’s go with that.

What are Deep Fakes?

In case you are not familiar, the term “deepfake” can refer to manipulated media, either photo, video, or audio, that creates a false piece of new media. Scientists (or scammers) can use a special type of computing system to analyze photos, videos, or audio of a person to determine how to recreate them in the new media. For instance, when creating a deepfake video, the program may track what mouth shapes are linked to various sounds in order to mimic them.

These algorithms work best where there is tons of footage of a person – Tom Cruise, Tom Hanks, Tom Holland. Also other famous people not named Tom like Barack Obama, George W. Bush, and Hilary Clinton.

It’s funny to watch a person who appears to be Tom Cruise fall down in an upscale store. Believe me, I’ve laughed at it. But it is scary how much cheaper and easier it is becoming to create more and more credible deepfakes. There are even apps now that allow you to perform a deepfake live during a video chat, making my advice to always ask for a video chat pretty useless.

Just compare the 2018 Barack Obama deepfake linked above with the 2020-2021 Tom Cruise deepfakes from TikTok. The Obama video is fun to watch, especially knowing it’s Jordan Peele behind the fake, but you can tell there’s something just beneath the surface that’s not quite real. On the other hand, the Tom Cruise videos are so spot on that the creator made a breakdown video just to show how it was done and calm people’s fears.

There is also this incredibly realistic and funny, but wildly inappropriate, video created by the South Park guys featuring our most recent former president and a handful of other celebs including Julie Andrews and Michael Caine. The voices are clearly silly exaggerations, but to my untrained eye, the videos seem flawless.

What kind legal protections exist to protect your likeness and how it can and can’t be used?

The good news is we don’t need to rush to make a bunch of new laws to keep up with this new technology. Good old fashioned common law can serve to protect you from being victimized by deepfakes in most cases. There are a couple of torts (tort = a reason for suing someone) you could use to recover after being the victim of one of these videos.

One such tort is called “false light.” False light is recognized in some states, though not Texas. According to the Restatement (Second) of Torts, when you sue someone for false light, you have to prove:

1. The defendant/deepfaker published the information widely (i.e., not to just a single person, as in defamation);

2. the publication identifies the plaintiff/you;

3. it places the plaintiff/you in a "false light" that would be highly offensive to a reasonable person; and

4. the defendant/deepfaker was at fault in publishing the information.

False light claims can be similar to defamation claims, which is actually why Texas doesn’t recognize false light as a cause of action. Texas courts have said that behaviors that other states would recognize as “false light” are covered under Texas defamation laws. Any expansion, the courts said, would have an impermissible chilling effect on free speech and run afoul of the First Amendment. So in Texas, someone may try to sue a deepfaker for defamation.

When bringing a claim for something like defamation, the law distinguishes a private figure from a public one. Private figures are ordinary, non-famous citizens. If a citizen who has no public persona sues for defamation, they would only need to claim that the bad actor was negligent regarding the truth or falsity of the defamatory statement at issue. On the other hand, public figures would have to prove that the bad actor knew the statement was false, or recklessly disregarded whether it was false.

This makes it particularly hard for politicians, who are generally considered to be public figures, to recover under defamation suits. However, if a deepfake is “fake” by its very nature, would it be so difficult to prove that the bad actor knew it was false? They created the falsity themselves.

New laws may also help politician-victims of deepfakes. In Texas, we now have our very own anti-deepfake law. In 2019, Texas became the first state to outlaw political deepfakes by statute, making it a crime to create videos “with intent to injure a candidate or influence the result of an election” that are “published and distributed within 30 days of an election.” California passed its own version of the bill in 2019 as well.

Some have warned that these laws are unconstitutional, but because the laws are new they have not yet been challenged.

It’s not just political videos to worry about. A 2018 study cited by the MIT Technology Review found that 90% and 95% of deepfake videos are not whimsical Tom Cruise gaffs or political videos but are, instead, nonconsensual pornography. Then, about 90% of those videos are nonconsensual porn featuring women, both famous and non-famous. Current revenge porn laws don’t cover deepfake pornography made without the subject’s consent.

Even so, other laws may be effective in stopping nonconsensual deepfake porn. Creators of these harmful videos could find themselves subject to criminal penalties like harassment, cyberbullying, or even extortion for making and distributing these videos without the subjects’ consent.

Can celebrities sue for deepfakes?

Not easily. Jay-Z found himself the subject of vocal deepfakes. The iconic rapper has such a unique way of rapping/speaking that a YouTube channel called Vocal Synthesis was able to upload videos of him supposedly rapping the “To be or not to be” soliloquy from Hamlet and the lyrics to Billy Joel’s “We Didn’t Start the Fire” (shout out Billy Joel!) Both videos were vocal deepfakes.

Hova’s legal team issued Digital Millennium Copyright Act (DMCA) take down notices to YouTube to remove the videos for violating copyright, but their requests failed. Why? You can’t copyright someone’s manner of speaking.

Both Jay-Z’s Shakespearean monologue and the Billy Joel bit would fall under Fair Use parody anyway, as would things like the Tom Cruise deepfakes showing a mad cap Cruise tripping and falling. Things change when someone tries to make money off the sound-alikes, though.

It doesn’t have to be a fake video posted online, either. In the late 1980s, McDonald’s introduced the Mac Tonight, moon-headed crooner who played piano and invited customers to enjoy late night meals. His singing style was a little too close to the then-deceased singer Bobby Darin whose estate sued McDonald’s for trademark infringement, causing McD’s to nix the commercials.

In a completely unrelated turn, Mac Tonight has since become an alt-right white supremacist meme because we apparently can’t have nice things. You’re welcome for that bizarre rabbit hole.

Along those lines, Texas and other states recognize the Right of Publicity – that is, the right of a person to make money off their name and likeness. It is actually considered a property right under statute. This law would protect someone from having a deepfake of them used for commercial purposes.

Under Texas common law, an individual could also make a similar claim for “misappropriation” which courts have broken down into three elements:

1.  that the defendant/deepfaker appropriated the plaintiff's name or likeness for the value associated with it, and not in an incidental manner or for a newsworthy purpose;

2. that the plaintiff can be identified from the publication; and

3. that there was some advantage or benefit to the defendant.

So if (1) a deepfaker appropriated your name/likeness for the value – that is, to make money, (2) the fake media is identifiably you, and (3) the deepfaker is advantaged or benefitted by the deepfake, you could possibly prevail on a claim of misappropriation.

What can we do to stop deepfakes?

To sum it up, civil causes of action like defamation, false light, right of publicity, and misappropriation should work to protect most deepfake victims from having their faces used for inappropriate or commercial purposes. However, things like Fair Use/parody and high bars of recovery for defamation of public figures may make that difficult in some cases.

Criminal laws prohibiting harassment, cyberbullying, and extortion may also be used to help victims of deepfakes. However, the most common use for deepfakes – nonconsensual porn – isn’t explicitly covered by current revenge porn laws, not yet at least. States like Texas and California have passed deepfake laws to try and prevent meddling in elections by criminalizing deepfakes, but those laws may be on the constitutional chopping block by courts if ever challenged.

Of course, we don’t want to criminalize parody videos or restrict speech. Watching Tom Cruise slip and fall in a fancy store is hilarious. WE MUST PROTECT IT AT ALL COSTS!

But should there be some protection for the public from these tricky videos, photos, and audio? Probably, considering a company lost $243,000 when scammers used a deepfake voice to mimic a CEO’s voice and demand the hefty funds transfer. With the increasing accessibility of the technology and the unceasing motivation of scammers to steal money by any means possible, this is only the beginning.

Next time you watch a video, ask yourself, like Shakespeare would: “doth mine eyes deceive me?” Is that Shakespeare or was it the bard Shawn Carter? 🤔 Either way, we can’t trust photos/video/audio we see on the internet. We can ONLY trust what we see in person. If we see someone in person, we know it’s them and not an imposter, right? RIGHT!?!?

Oh no.

Thanks for the question, Julissa!

Got a question? Submit it here. They can be legal what-if questions, questions on current events, or questions about the legality of actions in TV shows or movies you’ve seen. I never ever want to answer your personal legal questions, so don't send those. Love you, but I don’t do that.

***

This piece first appeared in Sunday Morning Hot Tea. Subscribe so you don’t miss another piece.