{"id":11863,"date":"2019-10-03T09:08:49","date_gmt":"2019-10-03T13:08:49","guid":{"rendered":"https:\/\/journals.law.harvard.edu\/crcl\/?p=11863"},"modified":"2019-10-03T09:08:49","modified_gmt":"2019-10-03T13:08:49","slug":"new-doj-policy-gives-genealogy-website-users-weak-privacy-protections-from-law-enforcement","status":"publish","type":"post","link":"https:\/\/journals.law.harvard.edu\/crcl\/new-doj-policy-gives-genealogy-website-users-weak-privacy-protections-from-law-enforcement\/","title":{"rendered":"New DOJ Policy Gives Genealogy Website Users Weak Privacy Protections From Law Enforcement"},"content":{"rendered":"

The <\/span>arrest<\/span><\/a> of the infamous Golden State killer in April 2018 prompted controversy over law enforcement\u2019s use of genealogy databases. The California case ran cold decades ago, but a well-preserved DNA sample was uploaded by detectives into the public database, GedMatch. GedMatch <\/span>asserted <\/span><\/a>that they did not directly provide information, but law enforcement was nevertheless able to upload the suspect\u2019s DNA and gain the same access that any user uploading their own DNA would have. At the time, law enforcement\u2019s use of public and commercial DNA databases was entirely <\/span>unregulated<\/span><\/a>.<\/span><\/p>\n

Last week, the Department of Justice released an <\/span>interim policy<\/span><\/a> on Forensic Genetic Genealogical DNA Analysis and Searching (FGGS), announcing a commitment to \u201cdeveloping practices that protect reasonable interests in privacy, while allowing law enforcement to make effective use of FGGS to help identify violent criminals, exonerate innocent suspects, and ensure the fair and impartial administration of justice to all Americans.\u201d The policy specifically addresses law enforcement\u2019s use of \u201cdirect-to-consumer genetic genealogy services,\u201d which are defined as \u201ccompanies that offer a variety of DNA genomics tests and\/or genetic genealogy services directly to the public (rather than through clinical health care providers), typically via customer access to secure online websites.\u201d The policy will <\/span>apply<\/span><\/a> only to DOJ agencies, and state or local agencies that receive federal funding to complete genetic genealogy searches.<\/span><\/p>\n

The DOJ guidelines are a step in the right direction, providing important restrictions on law enforcement\u2019s use of commercial DNA databases. However, the guidelines have room for improvement, and still leave the door open for troubling privacy violations.<\/span><\/p>\n

First, although the interim policy limits the types of investigations where FGGS can be used, an exception to the rule may leave too much room for discretion. The interim policy specifically\u00a0 limits the use of FGGS to cases involving \u201can unsolved violent crime\u201d (defined as a \u201chomicide or sex crime, including…an attempt to identify the remains of a suspected homicide victim\u201d), where \u201cthe candidate forensic sample is from a putative perpetrator.\u201d This provision may allay concerns after commercial DNA website GedMatch <\/span>violated<\/span><\/a> its own terms of service, which provided only for law enforcement assistance in rape and murder cases, by allowing law enforcement access to investigate an assault in Utah. However, the interim policy does allow prosecutors an exception for investigations of crimes that present \u201ca substantial and ongoing threat to public safety or national security.\u201d The interpretation of this exception will determine the extent to which FGGS use is actually limited.<\/span><\/p>\n

Second, the guidelines require notice to customers using the databases, but lack informed consent requirements. Under the DOJ interim policy, law enforcement can only search consumer databases that provide \u201cexplicit notice to their service users and the public that law enforcement may use their service sites.\u201d The DOJ\u2019s inclusion of the notice requirement appears to be responsive to the FamilyTreeDNA scandal. <\/span>FamilyTreeDNA was the <\/span>first commercial site<\/span><\/a> to allow FBI access to some of its services and data without warrants or subpoenas. FamilyTreeDNA altered its user agreement without notifying customers, and many customers were not alerted until <\/span>Buzzfeed<\/span><\/a> broke the story. FamilyTreeDNA, in justifying its decision to allow access to the FBI, <\/span>noted<\/span><\/a> that law enforcement agencies appeared to also be utilizing other commercial DNA databases. These agencies uploaded DNA samples (from crime scenes), like other paying customers, but without disclosing their law enforcement status. The \u201cexplicit notice\u201d guideline appears to prohibit law enforcement agencies from masquerading as a regular user in order to use sites that do not allow law enforcement access.<\/span><\/p>\n

However, simply requiring notice is not sufficient to protect users from unwanted law enforcement intrusion. In the wake of the scandal, FamilyTreeDNA <\/span>changed<\/span><\/a> its terms of service to allow users to opt out of law enforcement access, but in order to do so, users had to log into their accounts and adjust their settings. Users relied on FamilyTreeDNA\u2019s original policy prohibiting law enforcement access at the time that they submitted their profile. An email that could easily be overlooked or disregarded as spam should not be viewed as a satisfactory means of privacy protection. FamilyTreeDNA\u2019s opt out approach avoids getting actual consent from users who may not realize the policy has changed. An opt in approach, whereby law enforcement only receives access when a user actively gives permission, would ensure that users approve of the site\u2019s change. The DOJ policy should allow only the use of sites with opt in policies for users who submitted their information prior to the site\u2019s decision to open their data to law enforcement.<\/span><\/p>\n

The two <\/span>largest<\/span><\/a> direct-to-consumer genetic genealogy services, <\/span>Ancestry<\/span><\/a> and <\/span>23andMe<\/span><\/a>, have law enforcement guides, which outline the procedures law enforcement must follow to obtain any of their records, posted to their websites. Ancestry specifies that \u201c[c]ontents of communications and any data relating to the DNA of an Ancestry user will be released only pursuant to a valid search warrant from a government agency with proper jurisdiction.\u201d 23andMe includes a similar requirement, and both companies\u2019 policies include a provision that under most circumstances they will notify affected users of law enforcement access prior to turning over information. Although Ancestry and 23andMe are taking strong stands on information protection, without governmental regulations, consumers are vulnerable to unilateral user agreement changes \u2014 sites could eliminate these privacy protections at any time without the consent of users.\u00a0<\/span><\/p>\n

The DOJ guidelines notably do not require a warrant for law enforcement\u2019s use of public and commercial DNA databases. Although the Supreme Court has allowed law enforcement to collect DNA without a warrant, that decision was limited to circumstances that do not apply to these databases. The Supreme Court has <\/span>held<\/span><\/a> that law enforcement may, without a warrant, take DNA samples of arrestees charged with violent crimes, as part of a routine booking procedure. However, the Court relied heavily on the existence of probable cause for an arrest, the diminished expectation of privacy in police custody, and the state interest in identifying arestees and making informed bail decisions, as justification for allowing the DNA collection. Additionally, DNA evidence collected by law enforcement, is entered into a law enforcement database, CODIS, which is subjected to regulations regarding when and how law enforcement can use the information. The use of public and commercial databases circumvents the probable cause standard used for arrestees.<\/span><\/p>\n

Further, giving law enforcement agencies access to commercial DNA databases implicates privacy concerns beyond those of even a consenting customer. An investigator using genetic genealogy begins the investigation by looking for DNA matches at the level of <\/span>third cousin<\/span><\/a> or closer. Most people have around<\/span> 800 people<\/span><\/a> who would fall into this category, meaning that if any of those 800 relatives choose to submit their DNA to a database, an investigator may be able to identify an individual who has not shared their own DNA. Government regulations can serve to protect not only the privacy interests of vulnerable customers, but also the many relatives exposed by one individual\u2019s choice to provide their DNA.<\/span>\u00a0<\/span><\/p>\n

Privacy protections for DNA profiles are a tricky legal issue. The new DOJ interim policy is a solid first attempt at defining a new and previously unregulated tactic of law enforcement investigation. Public and commercial DNA databases can provide individuals with interesting and valuable information about their genealogy, and consumers should be able to make informed decisions about whether to participate in DNA information sharing. However, governmental regulation is necessary to protect the privacy of two key groups: genealogical site users who do not consent to law enforcement sharing, and individuals who do not use the sites but whose genetic information is exposed by their relatives. At a minimum, the DOJ interim policy should be revised to require a warrant for any use of public or commercial genealogical databases.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

The DOJ guidelines are a step in the right direction, providing important restrictions on law enforcement\u2019s use of commercial DNA databases. However, the guidelines have room for improvement, and still leave the door open for troubling privacy violations.<\/p>\n","protected":false},"author":101909,"featured_media":11865,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3,45,1217,1210],"tags":[1551],"coauthors":[1550],"class_list":["post-11863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-amicus","category-criminal-justice","category-policing-and-law-enforcement","category-privacy-and-technology","tag-dna-department-of-justice-doj"],"jetpack_featured_media_url":"https:\/\/journals.law.harvard.edu\/crcl\/wp-content\/uploads\/sites\/80\/2019\/10\/AdobeStock_291020010.jpeg","jetpack_shortlink":"https:\/\/wp.me\/peZrWS-35l","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/posts\/11863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/users\/101909"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/comments?post=11863"}],"version-history":[{"count":0,"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/posts\/11863\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/media\/11865"}],"wp:attachment":[{"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/media?parent=11863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/categories?post=11863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/tags?post=11863"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/crcl\/wp-json\/wp\/v2\/coauthors?post=11863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}