The arrest of the infamous Golden State killer in April 2018 prompted controversy over law enforcement’s use of genealogy databases. The California case ran cold decades ago, but a well-preserved DNA sample was uploaded by detectives into the public database, GedMatch. GedMatch asserted that they did not directly provide information, but law enforcement was nevertheless able to upload the suspect’s DNA and gain the same access that any user uploading their own DNA would have. At the time, law enforcement’s use of public and commercial DNA databases was entirely unregulated.

Last week, the Department of Justice released an interim policy on Forensic Genetic Genealogical DNA Analysis and Searching (FGGS), announcing a commitment to “developing practices that protect reasonable interests in privacy, while allowing law enforcement to make effective use of FGGS to help identify violent criminals, exonerate innocent suspects, and ensure the fair and impartial administration of justice to all Americans.” The policy specifically addresses law enforcement’s use of “direct-to-consumer genetic genealogy services,” which are defined as “companies that offer a variety of DNA genomics tests and/or genetic genealogy services directly to the public (rather than through clinical health care providers), typically via customer access to secure online websites.” The policy will apply only to DOJ agencies, and state or local agencies that receive federal funding to complete genetic genealogy searches.

The DOJ guidelines are a step in the right direction, providing important restrictions on law enforcement’s use of commercial DNA databases. However, the guidelines have room for improvement, and still leave the door open for troubling privacy violations.

First, although the interim policy limits the types of investigations where FGGS can be used, an exception to the rule may leave too much room for discretion. The interim policy specifically  limits the use of FGGS to cases involving “an unsolved violent crime” (defined as a “homicide or sex crime, including…an attempt to identify the remains of a suspected homicide victim”), where “the candidate forensic sample is from a putative perpetrator.” This provision may allay concerns after commercial DNA website GedMatch violated its own terms of service, which provided only for law enforcement assistance in rape and murder cases, by allowing law enforcement access to investigate an assault in Utah. However, the interim policy does allow prosecutors an exception for investigations of crimes that present “a substantial and ongoing threat to public safety or national security.” The interpretation of this exception will determine the extent to which FGGS use is actually limited.

Second, the guidelines require notice to customers using the databases, but lack informed consent requirements. Under the DOJ interim policy, law enforcement can only search consumer databases that provide “explicit notice to their service users and the public that law enforcement may use their service sites.” The DOJ’s inclusion of the notice requirement appears to be responsive to the FamilyTreeDNA scandal. FamilyTreeDNA was the first commercial site to allow FBI access to some of its services and data without warrants or subpoenas. FamilyTreeDNA altered its user agreement without notifying customers, and many customers were not alerted until Buzzfeed broke the story. FamilyTreeDNA, in justifying its decision to allow access to the FBI, noted that law enforcement agencies appeared to also be utilizing other commercial DNA databases. These agencies uploaded DNA samples (from crime scenes), like other paying customers, but without disclosing their law enforcement status. The “explicit notice” guideline appears to prohibit law enforcement agencies from masquerading as a regular user in order to use sites that do not allow law enforcement access.

However, simply requiring notice is not sufficient to protect users from unwanted law enforcement intrusion. In the wake of the scandal, FamilyTreeDNA changed its terms of service to allow users to opt out of law enforcement access, but in order to do so, users had to log into their accounts and adjust their settings. Users relied on FamilyTreeDNA’s original policy prohibiting law enforcement access at the time that they submitted their profile. An email that could easily be overlooked or disregarded as spam should not be viewed as a satisfactory means of privacy protection. FamilyTreeDNA’s opt out approach avoids getting actual consent from users who may not realize the policy has changed. An opt in approach, whereby law enforcement only receives access when a user actively gives permission, would ensure that users approve of the site’s change. The DOJ policy should allow only the use of sites with opt in policies for users who submitted their information prior to the site’s decision to open their data to law enforcement.

The two largest direct-to-consumer genetic genealogy services, Ancestry and 23andMe, have law enforcement guides, which outline the procedures law enforcement must follow to obtain any of their records, posted to their websites. Ancestry specifies that “[c]ontents of communications and any data relating to the DNA of an Ancestry user will be released only pursuant to a valid search warrant from a government agency with proper jurisdiction.” 23andMe includes a similar requirement, and both companies’ policies include a provision that under most circumstances they will notify affected users of law enforcement access prior to turning over information. Although Ancestry and 23andMe are taking strong stands on information protection, without governmental regulations, consumers are vulnerable to unilateral user agreement changes — sites could eliminate these privacy protections at any time without the consent of users. 

The DOJ guidelines notably do not require a warrant for law enforcement’s use of public and commercial DNA databases. Although the Supreme Court has allowed law enforcement to collect DNA without a warrant, that decision was limited to circumstances that do not apply to these databases. The Supreme Court has held that law enforcement may, without a warrant, take DNA samples of arrestees charged with violent crimes, as part of a routine booking procedure. However, the Court relied heavily on the existence of probable cause for an arrest, the diminished expectation of privacy in police custody, and the state interest in identifying arestees and making informed bail decisions, as justification for allowing the DNA collection. Additionally, DNA evidence collected by law enforcement, is entered into a law enforcement database, CODIS, which is subjected to regulations regarding when and how law enforcement can use the information. The use of public and commercial databases circumvents the probable cause standard used for arrestees.

Further, giving law enforcement agencies access to commercial DNA databases implicates privacy concerns beyond those of even a consenting customer. An investigator using genetic genealogy begins the investigation by looking for DNA matches at the level of third cousin or closer. Most people have around 800 people who would fall into this category, meaning that if any of those 800 relatives choose to submit their DNA to a database, an investigator may be able to identify an individual who has not shared their own DNA. Government regulations can serve to protect not only the privacy interests of vulnerable customers, but also the many relatives exposed by one individual’s choice to provide their DNA. 

Privacy protections for DNA profiles are a tricky legal issue. The new DOJ interim policy is a solid first attempt at defining a new and previously unregulated tactic of law enforcement investigation. Public and commercial DNA databases can provide individuals with interesting and valuable information about their genealogy, and consumers should be able to make informed decisions about whether to participate in DNA information sharing. However, governmental regulation is necessary to protect the privacy of two key groups: genealogical site users who do not consent to law enforcement sharing, and individuals who do not use the sites but whose genetic information is exposed by their relatives. At a minimum, the DOJ interim policy should be revised to require a warrant for any use of public or commercial genealogical databases.