Consumer genetic-testing services are wrestling with a new threat to users’ privacy: detectives hauling a dragnet through their DNA.
In April, investigators arrested a suspect in the decades-old case of the Golden State Killer after sifting through online genetic data. The arrest has set off one of the most vigorous recent debates about privacy in the digital age.
A growing number of services say they can use a simple swab of a consumer’s genetic material to find long-lost family members or detect early warning signs of disease—and millions of users have eagerly shared their samples. But there has been little public discussion of where that data is stored, how it will be used beyond its initial applications and who can access it.
To help track down the alleged Golden State Killer, investigators matched DNA from a crime scene to genetic data belonging to the suspect’s relatives that was posted on an open-source genealogy website. Those methods have raised questions about how the growing and often public repository of consumers’ most intimate data could be used by authorities.
“We all want a serial killer caught,” said CeCe Moore, a genetic genealogist who often appears on television shows such as “Dr. Oz” and “Finding Your Roots.” “But what other applications could it be used for that maybe we would not be so in favor of?”
Questions about how personal data should be handled and how it might be abused are being asked more often and more urgently. Facebook Inc. has been trying to reassure users that they have control over how their data is shared. Last month, a woman in Oregon said an Amazon.com Inc. Echo device recorded a private conversation and shared it with one of her husband’s contacts. From payment apps to smart thermostats to personal digital assistants, software and devices are collecting more data about consumers than ever.
For online DNA services, the privacy issues have become entangled with guilt and innocence.
With more and more Americans logging on to genealogy websites, the services have become vast repositories of DNA—and a potential trove for law enforcement agencies attempting to resolve languishing investigations.
In some cases, investigators have combed through genetic material without informing the hosting companies. In the Golden State Killer case, police uploaded crime-scene data to GEDmatch.com to search for family members of the suspected murderer and rapist. Two hobbyists who run the site, a publicly searchable platform that lets users post raw genetic-data files to try to find distant relatives, said that the authorities never contacted them.
“Criminal court cases thus far have treated DNA data like a fingerprint,” said Jennifer Lynch, a senior attorney with the Electronic Frontier Foundation, adding that judges haven’t found genetic information to be protected under the Fourth Amendment, which bars unreasonable search and seizure. “There are no meaningful protections. And we need them.”
In criminal cases, DNA evidence is sometimes misused or misinterpreted. But the implications of such DNA dragnets could extend beyond murder cases. Following the California arrest, some members of the genealogy community raised the possibility that, for example, police might use genetic data pulled from the web to track down women who had illegal abortions, as they did in the case of an abandoned fetus in Georgia this year.
“The police are just going ahead and doing this without any oversight,” said Debbie Kennett, a British genealogist who has authored several books on the subject. Kennett argues that users should have a right to determine how their DNA data is used.
Investigators say that despite the availability of much more genetic information online, tracking suspects using DNA is still costly and labor-intensive. In the Golden State probe—even in GEDmatch’s database of a million people—the closest familial matches to the suspect were third cousins, said Paul Holes, a cold-case detective who helped crack the case.
“That is a huge undertaking,” Holes said. “It took us four months of genealogy work to eventually find the two top people that fit our offender’s profile.”
Holes said the amount of quality DNA needed to run the same tests many genealogy sites perform is often hard to come by when dealing with what is left behind at a crime scene. Such tests are also more extensive and expensive than those tests crime labs perform. Parabon NanoLabs, a Virginia-based forensic DNA company, told Bloomberg that it charges law enforcement officers about $5,000 to run such a test.
“It’s not something you’re going to do on a burglary or a petty theft,” said Holes. “It is going to be on your major, major homicide cases because it is so manpower-intensive. It is tough, tough work.”
The tension between consumers’ expectations of digital privacy and the needs of law enforcement has swelled as more people adopt technology that can suck up ever-more-personal information, often without users being aware that it’s happening.
In 2016, Apple Inc. refused a request from the Federal Bureau of Investigation to unlock an iPhone recovered from one of the perpetrators of a mass shooting that killed 14 people in San Bernardino, California. The company said investigators were asking to create a back door that could be exploited by hackers, a move that could tarnish its closely guarded reputation for security.
“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers,” Chief Executive Officer Tim Cook said in a statement at the time. “We oppose this order, which has implications far beyond the legal case at hand.”
Some of the largest genetic-testing companies have staked out positions similar to the stand taken by Apple, promising to safeguard consumer information from investigators.
“We treat law enforcement inquiries, such as a valid subpoena or court order, very seriously,” 23andMe Inc.’s privacy chief, Kate Black, said in an interview. “23andMe policies prohibit our voluntary cooperation with law enforcement in order to protect our customers’ privacy. To date, we have successfully challenged the law enforcement requests we’ve received.”
Police searches aren’t the only privacy threat to such data. Large-scale hacking incidents at Home Depot Inc., JPMorgan Chase & Co. and Anthem Inc. have also shaken consumers. DNA sites aren’t immune to such intrusions: Israel-based MyHeritage said last week that 92 million accounts were compromised.
Ultimately, in the Apple case, investigators found their own way into the disputed iPhone, spending $900,000 on a tool to crack it. In the case of DNA sites, no extraordinary measures may be necessary, as such services as GEDmatch, MyHeritage and Family Tree DNA allow investigators to view voluntarily posted data, including files from services like 23andMe and Ancestry that don’t permit users to upload material from other sources. The only things now governing how police might use consumer genealogical databases are the terms of service.
How a DNA Detective Thawed a Cold Case
CeCe Moore is revered as a pioneer in using DNA to help adoptees locate their birth parents. In one episode of the television show “Finding Your Roots,” she found evidence that rapper LL Cool J’s mother was adopted, and she introduced him to his biological grandmother.
She’s now turning her talents to catching killers.
To help find a suspect in a long-dormant Washington murder investigation, Moore was able to use DNA evidence she found online to connect with a relative of the killer almost immediately.
Moore said GEDmatch revealed two people that appeared to be second cousins of the killer, whose DNA police believe they discovered at the crime scene. The cousins, though, weren’t from the same branch of the family tree, so Moore needed to identify the missing link connecting them.
Moore reconstructed the cousins’ family trees, digging through census records, newspaper archives and social media for a common ancestor. An obituary she found late one weekend night revealed that the two trees had converged in a marriage. It turned out that the wedded couple had several daughters and one son. The son seemed to be the only person with the right mix of DNA for a match. Moore forwarded the suspect’s name to police.
“When I’m researching, you kind of get to know the family, to get a sense of them,” she said. “I felt very bad knowing [these people] were going to find out their brother likely murdered a young couple.”
A Snohomish County, Washington, Sheriff’s Office spokesperson said that investigators have found genealogy sites to be great tools and are looking at using them in as many as 30 additional cases.
For one family, the moment brought closure after three decades. For another, it was the beginning of a nightmare they had probably never imagined.
“When I found that obituary, it was a very heavy moment,” Moore said. “I think I probably cried.”
Amid the privacy debate, genealogy sites are already giving rise to a new breed of criminal investigators.
A few weeks before the Golden State Killer case made headlines, a nonprofit group called the DNA Doe Project that works with local police departments used GEDmatch to identify a 1981 Ohio murder victim who had previously been known only as the Buckskin Girl.
DNA Doe crowdfunds many of its cases. Last month, on the heels of the Golden State Killer arrest, it decided to try crowdsourcing data, too. In a recent case known as the “Belle in the Well,” an unidentified victim appeared to mainly have DNA matches on GEDmatch in a three-state area surrounding Cabell County, West Virginia. On Facebook, DNA Doe encouraged people who live in those regions to upload their raw DNA file to GEDmatch. The Utah Cold Case Coalition has put out a similar call for citizens to donate their DNA info to solve murders.
The American Civil Liberties Union has cautioned against sharing such information.
“All of these companies should make clear that the genetic material they collect from users is not available to serve as legal proof and that law enforcement cannot use their services to test prisoners and arrested individuals or to conduct investigations,” wrote the ACLU’s Vera Eidelman in an op-ed in the Washington Post. “Otherwise, the public may have to choose between accessing the benefits of genetic science and maintaining its privacy rights.”
Moore, the genetic genealogist, had long thought she might use her knack for tracking down birth parents to hunt for murderers. But she wasn’t sure the close-knit genealogy community would approve.
“That all changed when the Golden State Killer case got so much publicity and such positive reaction,” Moore said.
She signed on as the head of genetic genealogy for Parabon NanoLabs. Parabon had also read the case as a green light and asked GEDmatch for permission to start digging through its data for leads in dozens of cold cases. It didn’t take long to get a hit: On May 18, police arrested a suspect in a 1987 Washington double murder after Moore sniffed out new leads on GEDmatch.
Nevertheless, others in the field fear what may be coming.
“There is actually no control over genealogists who are doing this type of search,” said Kennett, the U.K. genealogist. “CeCe Moore is really, really good, but once the floodgates are open, there’s a potential for genealogists who are not ethical to cause a lot of harm.”