DOJ doesn’t go far enough to limit searches of consumer DNA services
From the 2018 arrest of the Golden State Killer to this year’s revelation that FamilyTreeDNA made a secret deal with the FBI, news regarding police use of data held by consumer genetic services has captured national attention.
Last week, the U.S. Department of Justice (DOJ) released a landmark policy affecting how investigators access commercial DNA databases. The policy allows law enforcement to search genetic profiles from commercial databases if they first try and fail to identify a suspect through a search of the FBI’s Combined DNA Index System (CODIS).
When used appropriately, DNA analysis can be a powerful tool to catch criminals and exonerate innocent suspects. But powerful tools require powerful safeguards, and the DOJ policy does not provide meaningful privacy protections for American consumers who use DNA testing services.
The interim policy will affect all law enforcement agencies that receive federal funding. The DOJ plans to release its final policy on forensic genetic genealogy in 2020.
The policy has some positive aspects. By requiring law enforcement officers to identify themselves prior to searching consumer genetic databases, it limits the problematic practice of officers posing as civilian users while uploading crime scene DNA. The policy also requires investigators to obtain prosecutor approval to run a search, which may temper abuses by rogue cops. The policy bars law enforcement from running searches to determine a suspect’s genetic predisposition for diseases, other medical conditions, or psychological traits.
People use genetic services to connect with family members, learn about potential health risks, and study their genealogy. Although consumers may see the use of such services as innocuous, the DOJ sees their potential to increase criminal leads. The department’s press release says, “As genetic genealogy websites become more popular … the more biological information there is to compare with DNA samples from crime scenes.”
There are numerous issues when it comes to informed consent and meaningful notice in the context of genetic searches. The DOJ policy notes that law enforcement should only use services that “provide explicit notice to their service users,” but research indicates that few people read privacy policies prior to signing up for a service. Leading consumer genetic services have pledged to uphold the privacy best practices created by the Future of Privacy Forum — which articulate commonsense limits on government access to DNA data — but others have not made these promises to customers.
Unfortunately, the DOJ policy does not limit searches strictly to potential offenders but allows law enforcement to identify people with a close “kinship relationship” to service users. While both users of commercial sites and non-users deserve protections, it is particularly egregious to run familial searches against individuals who have simply had the bad luck of being related to someone who has used a genetic testing service.
The DOJ’s policy states that law enforcement can acquire “reference samples” from potential biological family members. Familial matching, the act of examining biological relatedness, casts suspicion over entire families and causes the invasion of people’s privacy simply because they are perceived to be related to a suspect. States understand the drawbacks of using familial matching for crime-solving, and 38 states do not permit familial matching through CODIS.
Finally, the DOJ policy is unclear when it comes to the department’s stance on warrants. Requiring law enforcement to obtain a warrant based on probable cause prior to engaging in a search is a fundamental legal safeguard. Although the interim policy allows only for searches of DNA databases following a substantial threat to public safety, or the commission or attempt of a violent crime, it is important to note that without further guidance, the definition of what constitutes a public threat is in the hands of law enforcement.
When revising the interim policy for 2020, the DOJ should address critical lapses in consumer privacy by clearing up the process for notice and consent, disallowing familial matching and clarifying the need for a warrant prior to engaging in genetic searches. The interim policy does not go nearly far enough to limit law enforcement’s potentially invasive attempts at a widespread genetic surveillance scheme.
Katelyn Ringrose is the Christopher Wolf Diversity Law Fellow at the Future of Privacy Forum, a nonprofit organization in Washington that advances principled data practices in support of emerging technologies. A former teacher, she founded Impowerus, an online company connecting juvenile immigrants to pro bono legal aid, while in law school. Follow her on Twitter @k_ringrose.