We learned Thursday night that investigators used a genetic ancestry Web site to track down the alleged Golden State Killer. Here’s how that apparently worked, according to the New York Times:
Investigators used DNA from crime scenes that had been stored all these years and plugged the genetic profile of the suspected assailant into an online genealogy database. They found distant relatives of Mr. DeAngelo’s and, despite his years of eluding the authorities, traced their DNA to his front door.
Let’s emphasize this part: plugged the genetic profile . . . into an online genealogy database. What it sounds like is that the authorities uploaded the killer’s DNA profile to one of these Web sites and came up with a list of possible next-of-kin. From there, they might have used public records databases to expand the family tree, then narrow it down to a guy living in the area where the crimes occurred who was the same approximate age the suspected killer would be. From there, they placed the suspect under surveillance and picked up some of his “discarded DNA” (which we discussed yesterday). It apparently matched the DNA on file of the Golden State Killer.
Local television station KCRA said it was a “a relative” whose DNA was already in the database and whose actions in uploading it resulted in a connection to the killer’s DNA uploaded by the police. Later, the San Jose Mercury News reported that the Web site GEDmatch.com was the one used by the police.
The move by police is interesting. CODIS, the national law enforcement DNA database, contains information from criminals (arrestees, suspects, and offenders, depending on the collection laws of the various underlying states which use the system). It also contains information from missing persons (or their relatives) and from law enforcement staff (in case of contamination). CODIS is not a database of the DNA of the general public. The law enforcement use here of what is a general public database is presumably a new tactic. Here’s legally how it probably worked.
Was the Submission Lawful?
Let’s first tackle the issue of whether the police had the legal right to upload or submit the killer’s DNA to the database. This is a question of contract law. Uploading the killer’s DNA profile into an online educational ancestry database for comparison may have violated the terms and conditions of several Web sites, but probably not the terms and conditions of the Web site the police actually used here.
GEDmatch.com’s rather Spartan terms of use/privacy policy page does not speak to the issue of whether a site user can upload someone else’s data. Therefore, presumably, it is permissible, since the policy does not prevent it. That same policy says the site hosts three types of data: “private,” “public,” and “research.” It is unclear from the policy where the data comes from or whether it is all submitted by users.
Two of the more popular genealogical Web sites have starkly different policies. 23andMe.com’s Terms of Service (TOS), in relevant part, state:
“You are guaranteeing that any sample you provide is your saliva; if you are agreeing to these TOS on behalf of a person for whom you have legal authorization, you are confirming that the sample provided will be the sample of that person.”
AncestryDNA’s terms and conditions, in relevant part, state:
“Any saliva sample you provide is either your own or the saliva of a person for whom you are a parent or legal guardian.”
AncestryDNA’s current policy would not allow the police to upload a suspect’s DNA. Though 23andMe.com has a looser standard, it would still be problematic for the police. If the police had “legal authorization” (such as a warrant) to upload the killer’s DNA, that would satisfy part of the policy, but the police could not accept the site’s TOS “on behalf of” the suspect whose DNA would be submitted.
Are These Databases Wide Open for Police?
At this point, you’re probably wondering whether the police have unfettered access to these databases in general. The answer, for some sites, is yes. GEDmatch’s policy does not explicitly limit the type of DNA a user can upload. In other words, you apparently could upload anyone’s DNA you saw fit to upload. Plus, another popular site, 23andMe, says this:
“[Y]ou acknowledge and agree that 23andMe is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that . . . disclosure is reasonably necessary to . . . protect the rights, property, or personal safety of . . . the public.”
That means 23andMe.com can contractually turn over a user’s DNA information without a warrant to pretty much anyone if they consider someone dangerous. The site claims it will notify users if it does turn over their information, except where a court order requires secrecy. (The privacy policy says pretty much the same thing as the Terms of Service.)
AncestryDNA is different.
“[W]e . . . will not share your Genetic Information with law enforcement unless compelled by valid legal process as described in our Privacy Statement.”
That sounds like a warrant is required. AncestryDNA produces a yearly transparency report which indicates just what, exactly, it provides to law enforcement. In 2017, all warrants received involved “credit card misuse and identity theft.” In other words, according to the site, the site wasn’t giving out DNA profiles. Plus, AncestryDNA has a law enforcement information page which lays out pretty clearly that it prefers to not hand over the information of its users.
What’s This All Mean?
It means the police were probably very careful about which site they used and in which states they operated. Genetic privacy advocates are probably flipping out at the thought of a Web site gobbling up DNA profiles of unbeknownst subjects as submitted by surreptitious minions. (I could picture Newman submitting Seinfeld’s DNA, the antagonist that he is.) While some states have laws which attach privacy rights to DNA material and DNA testing to prevent such shenanigans, Florida, where GEDmatch is apparently incorporated, exempts law enforcement operations from the state’s DNA privacy law. Other states are silent on the matter. California law, where the police were operating, addresses DNA only in the context of criminal law (an offender registry), family law (adoption), and health insurance situations, but not apparently as a general privacy right.
It’s the age-old adage: first, humans invent something new; next, the law struggles to determine the right and the wrong ways to use the invention.
If police violated the user agreement or terms of service of a DNA Web site, generally, the police could potentially get kicked off of a site. That, however, is at the Web site’s discretion. In 23andMe.com’s legal speak, the site can “suspend or terminate your account and refuse any and all current or future use” for violating the terms of service. Here, though, the police used a Web site that appears to be rather wide open: anyone can upload anyone’s DNA to it, so long as underlying statutes allow it.
There are other potential legal issues here, such as Fourth Amendment search and seizure issues, but we’ll leave those for another day.
===============
UPDATE: After the publication of our original report, a representative of 23andMe.com sent us the following response, which we are providing here:
It is our policy to resist all law enforcement inquiries to protect customer privacy. In our 12 years 23andMe has never given customer information to law enforcement officials. Our platform is private, and does not support the comparison of genetic data processed by any third party to genetic profiles within our database. Further, we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access. Finally, 23andMe was not involved in assisting in this case.
[Editor’s note: this piece has been updated to include the response of 23andMe.com.]
Have a tip we should know? [email protected]
Follow Law&Crime:
