Familial DNA Searching: Troubling Civil Liberties Challenges

The technique of familial DNA searching has been in the news lately for having resulted in the arrest of a suspected serial killer in California, as well as an arrest in a recent Washington homicide case, but the use of such techniques raises significant civil liberties concerns. In both cases, police uploaded crime scene data to the website GEDmatch, which allows users to upload their genetic profiles—generated via other services—to find relatives and ancestries by searching for “partial” DNA matches. That technique identified a number of individuals related to the suspects. The suspects were then surveilled and their “abandoned” DNA collected and matched to the crime scene DNA, resulting in the arrests.

A number of troubling civil liberties challenges arise from this scenario.

Data Privacy and Informed Consent

DNA is not just for identification—it is a treasure trove of an individual’s (and their relatives’) most private medical information, potentially including sexuality, susceptibility to disease, and much more. The familial searching at issue relies on the individuals’ informed consent, but it is far from clear that these websites meaningfully inform users that the information could be used for law enforcement purposes when they share their genetic profile for the purpose of finding family members.

Taking that a step further, the information can be used to implicate not only an individual, but also other members of the individual’s family who had no say in the uploading of the profile. (See also O’Neill, O. (2001). Informed Consent and Genetic Information. Studies in History and Philosophy of Science Part C: Studies in History and Philosophy of Biological and Biomedical Sciences, 32(4), 698-704. ScienceDirect.) And policies can change midstream, meaning people’s information can become vulnerable in ways they had not predicted when first signing up.

In the California instance, the website appears to have added a law enforcement use provision to their terms of service after the fact. The privacy policy on GEDmatch.com as of April 27, 2018, three days after the arrest of the suspect, accessed via the Internet Archive’s Wayback Machine, includes no reference to allowable use by law enforcement. The policy as it stands as of June 4, 2018, last updated May 20, 2018, includes a provision allowing law enforcement use for investigation of violent crime.

While data privacy laws in the U.S. have yet to effectively regulate this space, it is telling that at least one such website has already gone dark due to the more stringent European data privacy standards that took effect in May. The website in question currently displays a message on its landing page indicating that it is “no longer accessible as a result of the EU General Data Protection Regulation (GDPR) that went into effect on May 25th 2018.”

This wide net of deeply private information—in the U.S. at least—remains largely unprotected and vulnerable to abuse.

Accuracy, Bias, and False Positives

There are a number of reasons to question the accuracy of familial DNA searches in instances like this. Websites like GEDmatch have no transparency around their methodology, meaning no independent ability to verify how matches or family trees are generated.

Some techniques rely on rare genetic mutations that risk targeting vulnerable populations, which may have a higher incidence of certain mutations. And familial matching is an inexact tool by its very nature—a partial match may involve only a portion of alleles or gene variants, meaning a large number of innocent people, more than 100 partial matches in the California case, will potentially be cast under suspicion through no fault of their own. And indeed, in multiple instances, overbroad familial DNA searching has resulted in innocent individuals being arrested or identified as a prime suspect.

Questionable Law Enforcement Techniques

More broadly, familial DNA searches represent a significant leap in breadth of search, beyond the DNA collection done by governments upon conviction of certain crimes, which itself suffers from problems around database accuracy, privacy, and disproportionality. (Washington does not allow this practice for arrestees, although other states do.)

Familial searching turns traditional law enforcement techniques on their head. Instead of building up a case based on evidence that flags a single or small number of individuals, these searches instead allow law enforcement to employ a dragnet approach that flags a large number of individuals. The exact parameters and required process for familial searching by law enforcement are legally undefined, making law enforcement’s use of the technique the “Wild West” of criminal investigation.

In the California case, uploading a genetic profile to GEDmatch, at the time, most likely required consent of the person from whom the DNA came. Although law enforcement clearly had no such consent, they appear to have represented to the website that they did, setting a troubling precedent. (Recall that the DNA in question comes from a person not yet convicted of any crime, yet their information was added to the database without their knowledge or consent. See also: Suter, S. M. (2010). All in the family: Privacy and DNA familial searching. Harvard Journal of Law Technology 23(2), 309-400; HeinOnline.)

Later on, law enforcement surveilled the suspect and collected his “abandoned” DNA, sequencing it without a warrant. Yet we all leave behind DNA everywhere we go—so this warrantless sequencing means all of us are susceptible to the deeply intrusive search of having our DNA sequenced at any time by law enforcement, without a warrant.

This is far from an exhaustive examination of the civil liberties concerns around familial DNA searches, and each issue raised here is deserving of its own in-depth examination. But these points do highlight the grave civil liberties concerns that familial DNA searches raise.