BY TIM CUSHING
TECHDIRT
Cops have discovered a new source of useful third-party records: DNA databases. Millions of people have voluntarily handed over personal information to a number of services in exchange for info on medical markers or distant family members.
Investigators are submitting DNA samples from cold cases in hopes of tracking down criminals who’ve managed to evade them for years. It has led to the closing of some cases, which is all agencies need to argue for continued access to DNA samples from millions of users.
Some DNA services are more protective of their customers’ privacy than others. Of course, privacy protections in this context generate quite a bit of friction. For DNA databases to be useful, users must allow others to access their DNA info and expect others to do the same thing. Identifying info can be withheld, and definitely should be if users aren’t interested in rebuilding a family tree. One company, however, has decided it’s an unofficial arm of the law enforcement community and has involuntarily deputized its users.
When cops submit DNA seeking matches, they don’t always identify themselves as law enforcement officers. Faux accounts are being used to gather matches with DNA services (and their users) unaware of the government’s intrusion. Once investigators have gathered some promising hits, they reveal themselves to issue subpoenas demanding identifying info on the search results.
Things are getting even more troubling in this new Constitutional gray area. Kashmir Hill and Heather Murphy of the New York Times report law enforcement is now using warrants to force DNA services to open up their entire databases for investigators to dig through.
For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, Ancestry.com and 23andMe, have long pledged to keep their users’ genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.
Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users.
Warrants are supposed to be targeted — seeking evidence from a location or a person clearly defined in the warrant application. When a warrant is used to allow full access to the personal info of one million users, there’s clearly no targeting. Investigators may have probable cause to believe they’ll find evidence of a crime by searching an entire DNA database, but all the probable cause in the world doesn’t allow officers to search a million people until they find the evidence they’re looking for. That’s what’s happening here.
The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They’ll be the next targets of questionable warrants if they haven’t already been hit with some.
In response to backlash following the first reports of officers anonymously submitting samples to obtain a list of suspects, DNA/genealogy companies tightened up their rules. Subpoenas now only net personal info of people who’ve opted into sharing their data with law enforcement. According to this report, only 185,000 of GEDmatch’s 1.3 million have made that choice. That didn’t sit well with this investigator, who decided he could talk a court into forcing the company to give him what he wanted.
In July, he asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective [Michael] Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.
There’s a real danger here. If there’s no pushback from companies and their users, law enforcement officers will be seeking the same access, effectively turning private DNA databases into law enforcement databases. On the flip side, if this does become the new normal for law enforcement, it runs the risk of burning its own source, so to speak.
Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as “Don’t rock the boat.”
The boat is already rocking. Detective Fields has shown officers the way to get what they want when private companies decide they’re not just going to be field offices for government agencies. Multiple officers and detectives asked for a copy of his warrant following his talk, which means Fields’ Fourth Amendment experiment is going to become boilerplate. Customers and users who thought their personal info was shielded from law enforcement probing are now finding out these protections can be undermined by a warrant targeting anyone that matches a certain DNA profile.