Washington University Law Review Online
VOLUME 98 2020
COLD CASES FREEZE: LAW ENFORCEMENT LOCKED OUT OF DNA DATABASE USED FOR INVESTIGATIVE GENEALOGY AFTER CONSUMERS OBJECT TO BEING GENETIC INFORMANTS
NANCI K. CARR*
ABSTRACT
California’s infamous Golden State Killer, Joseph James DeAngelo, a serial killer and rapist, committed a string of crimes during the 1970s and 1980s, and avoided capture for more than 40 years until genetic data available online led to his arrest. His capture caused users of popular testing services such as Ancestry and 23andMe to question whether their genetic data was freely available to police investigators. By using one of these services to learn about their great-grandparents, users may not want law enforcement to use their data to solve a cold case involving one of their living relatives. To prevent that, GEDmatch, a free website for sharing DNA profiles, changed its terms of service and locked out law enforcement unless consumers agreed to permit access to their profiles. Does the value to society of solving the cold case outweigh any privacy issues of the consumer using the testing service? Should control over these decisions rest with a testing service that can change its terms of service on a whim?
* Nanci K. Carr is an Assistant Professor of Business Law at California State University, Northridge (“CSUN”). J.D., cum laude, Southwestern Law School; B.S., Business Administration, Ball State University. Thanks to research assistant Angeline Gomez, CSUN Class of 2019.
1
2 WASHINGTON UNIVERSITY LAW REVIEW ONLINE [VOL. 98:1
TABLE OF CONTENTS INTRODUCTION ...... 2 I. THE SCIENCE BEHIND DNA TEST KITS ...... 4 II. POLICE INVESTIGATIONS AND GEDMATCH ...... 6 III. PLEDGES TO PROTECT USER PRIVACY ...... 9 A. Federal Privacy Regulations ...... 9 B. Privacy Best Practices for Consumer Genetic Testing Services ...... 10 C. FamilyTreeDNA Removed from List of Best Practices’ Participants ...... 12 IV. GEDMATCH RESTRICTS LAW ENFORCEMENT ...... 13 CONCLUSION ...... 14
INTRODUCTION
Recently, there has been a significant rise in popularity of at-home DNA test kits, with over twenty-six million consumers 1 utilizing direct-to- consumer (“DTC”) genetic testing services2 to learn about their ancestry, family history, community, health risks, and family planning.3 For example, in a well-known television commercial for AncestryDNA, a man, surprised to learn that his ancestors were not German, but rather Irish, exclaims, “So, I traded in my lederhosen for a kilt!”4 Other commercials in the series reveal more pleasant surprises. 5 While such surprises may make for fun
1. Antonio Regalado, More Than 26 Million People Have Taken an at-Home Ancestry Test, MIT TECH. REV., (Feb. 11, 2019), https://www.technologyreview.com/s/612880/more-than-26-mi llion- people-have-taken-an-at-home-ancestry-test/ [https://perma.cc/MW7T-JCHE]. 2. What Is Direct-To-Consumer Genetic Testing?, GENETICS HOME REFERENCE, (Mar. 17, 2020), https://ghr.nlm.nih.gov/primer/dtcgenetictesting/directtoconsumer [https://perma.cc/4QBQ-X3K F] (“[G]enetic tests are marketed directly to customers via television, print advertisements, or the Internet, and the tests can be bought online or in stores. Customers send the company a DNA sample and receive their results directly from a secure website or in a written report . . . without . . . involving a healthcare provider or health insurance company . . . .”). 3. 3 Mistakes to Avoid When Shopping for a DNA Test: Your Free Guide to the Best Valued DNA Tests, GENETICS DIGEST, (2019) https://geneticsdigest.com/best_ancestry_genealogy_dna_test/ind ex_ctrl _n.html?gclid=EAIaIQobChMIv8bc08O5wIVUSCtBh1lugMSEAAYASAAEgJ3wvD_BwE& utm_expid=.a_tKXPb9TSiu456d3_Znig.2&utm_referrer=https%3A%2F%2Fwww.google.com%2F [h ttps://perma.cc/WS3C-Y4KT]. While there are many genetic testing services, the two largest and most popular organizations are Ancestry.com and 23andMe. Other smaller competitors include Family Tree DNA and MyHeritage. Elizabeth Weise, These Are the Top Companies Offering Genealogical DNA Testing to Learn About Your Family, USA TODAY, (Dec. 2, 2018, 8:19 PM ET), https://www.usatoday.c om/story/ news/2018/12/02/ genealogical-dna-testing-companies-ancestry-23-andme/2141344002/ [htt ps://perma.cc/D8H7-N69V]. There are ten million people in 23andMe’s data banks and more than fifteen million in Ancestry.com’s. Kashmir Hill & Heather Murphy, Your DNA Profile is Private? A Florida Judge Just Said Otherwise, N.Y. TIMES, (Dec. 30, 2019), https://www.nytimes.com/2019/11/05/business /dna-database-search-warrant.html [https://perma.cc/XS9K-W6QE]; see also FAMILYTREEDNA, https:/ /www.familytreedna.com (last visited Jan. 17, 2020) [https://perma.cc/A4GZ-VJLU?type=image]; MYHERITAGE, https://www.myheritage.com (last visited Jan. 17, 2020) [https://perma.cc/EHS4-7RB3]. 4. Ancestry, Kyle | Ancestry Stories | Ancestry, YOUTUBE, (June 13, 2016), https://www.youtub e.com/watch?v=84LnTrQ2us8 (listing 440,998 views as of Jan. 31, 2020). 5. See, e.g., OzLandTV, Ancestry DNA Kit TV Commercial 2016, YOUTUBE, (Mar. 18, 2017), https://www.youtube.com/watch?v=OJJzXXCI9EE; Ancestry, Katherine & Eric | Testimonial |
2020] COLD CASES FREEZE 3
commercials, fifty-three--year-old Todd explains that “You can find something you really don’t want to know.”6 He learned that his mother’s sisters were not his aunts, but rather half-aunts, and he struggles with the decision about whether to tell his mother the truth about her family.7 He said “I think they should issue [a] warning” that there may be surprising results.8 While most such services do have warnings, many people miss them.9 These types of surprises and their lack of warning have started raising questions of privacy, as some distant relatives may not want to be found, and some secrets regarding the parentage of children were intended to be kept just that—secrets.10 One of the biggest unwelcome surprises was endured by the family of Joseph James DeAngelo, California’s infamous Golden State Killer, who was tracked down and arrested through a DNA link to a distant relative.11 DeAngelo, a serial killer and rapist, committed a string of crimes during the 1970s and 1980s, and until recently had avoided capture for more than 40 years.12 The utilization of genetic data to create family trees and identify criminal suspects is known as investigative genetic genealogy.13 This is
Ancestry, YOUTUBE, (July 28, 2016), https://www.youtube.com/watch?v=GRZoV8abnNk. “‘Almost every Ancestry customer finds something surprising as they embark on a self-discovery journey with us, and for most customers it’s something exciting and enriching . . . ,’” said Ancestry.com’s chief scientific officer in a statement to ABC News. Catherine Thorbecke & Sandra Temko, When a DNA Test Upends Your Identity, Some Find ‘Family’ in Secret Facebook Group, GOOD MORNING AMERICA, (July 30, 2018), https://www.goodmorningamerica.com/news/story/dna-test-upends-identity-find-family-secret- facebook-56904359 [https://perma.cc/64Z7-PEPW]. 6. Sarah Zhang, When a DNA Test Shatters Your Identity, THE ATLANTIC, (July 17, 2018), https ://www.theatlantic.com/science/archive/2018/07/dna-test-misattributed-paternity/562928/ [https://perm a.cc/5MY9-2883]. 7. Id. 8. Id. 9. Id. (noting that 23andMe and AncestryDNA have warnings in their terms of service, and “allow users to opt in or out of finding genetic matches”);see also Terms of Service, 23ANDME, (Sep. 30, 2019), https://www.23andme.com/about/tos/ [https://perma.cc/7YFM-ZZM4]; Ancestry Terms and Conditions, ANCESTRY, (July 25, 2019), https://www.ancestry.com/cs/legal/termsandconditions [https:/ /perma.cc/6825-69P3]. 10. Zhang, supra note 6; see also Your Privacy, ANCESTRY (Dec. 23, 2019), https://www.ancestr y.com/cs/legal/privacystatement [https://perma.cc/7BXF-R9SW] (“You may discover unexpected facts about yourself or your family when using our services. Once discoveries are made, we can’t undo them.”). After receiving an AncestryDNA membership as a birthday gift from her brother, Catherine St. Clair learned that the man who raised her was not her biological father. Thorbecke & Temko, supra note 5; Zhang, supra note 6. 11. Justin Jouvenal, To Find Alleged Golden State Killer, Investigators First Found his Great- Great-Great-Grandparents, WASH. POST, (Apr. 30, 2018), https://www.washingtonpost.com/local/pu blic-safety/to-find-alleged-golden-state-killer-investigators-first-found-his-great-great-great-grandpare nts/2018/04/30/3c865fe7-dfcc-4a0e-b6b2-0bec548d501f_story.html?utm_term=.76c51cd2e556 [https:/ /perma.cc/HTV8-853M]. 12. Id. 13. Investigative Genetic Genealogy FAQs, INT’L SOC’Y OF GENETIC GENEALOGY WIKI, https:// isogg.org/wiki/Investigative_genetic_genealogy_FAQs#What_is_investigative_genetic_g enealogy.3F (last visited Mar. 25, 2020); see also Maggie Fox, DNA Databases Can Send the Police or Hackers to Your Door, Study Finds, NBCNEWS (Oct. 11, 2018, 2:27 PM PDT), https://www.nbcnews.com/health/h
4 WASHINGTON UNIVERSITY LAW REVIEW ONLINE [VOL. 98:1
what helped investigators to track down DeAngelo and has led users of popular DTC genetic testing services to question whether their genetic data is accessible not only in a limited way to other users of the service, but also whether it is freely available to police investigators.14 This Article explores that question and the actions taken by such genetic databases to block law enforcement investigations in favor of protecting genetic privacy.
I. THE SCIENCE BEHIND DNA TEST KITS
In recent years, at-home DNA test kits15 have led consumers to share a sample of their genetic information with privately held companies that have collectively amassed one of the world’s largest collections of human DNA.16 Once a consumer has collected their sample, they mail it to popular genetic testing companies such as Ancestry17 and 23andMe.18 Upon receipt of the sample, the company extracts DNA from the cells, then decodes the information on a chip to identify around 600,000 single-nucleotide polymorphisms (“SNPs”).19 SNPs are variations in a single base pair in a DNA sequence and create biological differences in an individual’s genes, which “influence a variety of traits such as appearance, disease susceptibility or response to drugs.” 20 Genetic testing services use this information to provide information to their users, such as family ancestry and certain genetic predispositions.21 Prior to the popularity of the DTC genetic testing services, law enforcement used DNA information to solve crimes, but in a more limited way. For example, if DNA was recovered from a crime victim or a crime scene, that DNA could sometimes be connected to a suspect if the suspect ealth-news/dna-databases-can-send-police-or-hackers-your-door-study-n919236 [https://perma.cc/82Z N-FXRE] (“Genetic genealogy databases act like a GPS system for anonymous DNA,” said Yaniv Erlich, chief science officer of MyHeritage, a DTC genetic testing service. “The family trees set a coordinate system, in which the DNA of each individual in these databases is like a beacon that illuminates hundreds of the individual’s relatives who are not in the database. . . . Therefore, even if a specific individual is not in these databases, a relative of theirs could be, which is enough to identify them.”). 14. Susan Scutti, What the Golden State Killer Case Means for Your Genetic Privacy, CNN, (May 1, 2018, 12:01 AM), https://www.cnn.com/2018/04/27/health/golden-state-killer-genetic-privacy/ index.html [https://perma.cc/UCX3-ENUV]. 15. The test kits range in cost, with a basic kit being available for as little as $59. Regalado, supra note 1. 16. Id. (noting that such testing requires the user to spit into a tube or swab the inside of their cheek to supply a DNA sample to the testing service). 17. See ANCESTRY, https://www.ancestry.com (last visited Jan. 17, 2020). 18. See 23ANDME, https://www.23andme.com (last visited Jan. 17, 2020). 19. Regalado, supra note 1. 20. What Are SNPs?, 23ANDME, https://www.23andme.com/gen101/snps/ (last visited Apr. 4, 2020). 21. Now Your DNA Reveals so Much More with AncestryHealth, ANCESTRY, https://www.ancest ry.com/health (last visited Apr. 8, 2020).
2020] COLD CASES FREEZE 5
had been previously arrested and had provided a DNA sample. This procedure was challenged in Maryland v. King,22 when Alonzo Jay King, Jr. was arrested in 2009 for “first- and second-degree assault charges.”23 During his booking, the police collected a cheek swab DNA sample from King.24 They matched the sample to an unsolved 2003 rape, and King was charged for the crime.25 King attempted to suppress the genetic match, arguing that the Maryland DNA Collection Act26 that led to the collection of his genetic sample was in violation of the Fourth Amendment. 27 However, the Supreme Court found that DNA swabs taken from individuals arrested for violent crimes do not violate the Fourth Amendment clause of “unreasonable search and seizure,” despite the DNA sample being collected without consent.28 The Court found that “taking and analyzing a cheek swab of the arrestee’s DNA is, like fingerprinting and photographing, a legitimate police booking procedure that is reasonable under the Fourth Amendment.”29 When a criminal suspect is arrested, law enforcement officials use the Short Tandem Repeat (STR) technique, which extracts biologically relevant information from DNA, such as disease, eye, and skin color, and use that as a means of identifying a suspect from whom they have collected that DNA, much like a fingerprint.30 That information is stored in the Combined DNA Index System, or CODIS, a government administered DNA database,31 and organized into three hierarchal levels: local, state, and national. 32 The National DNA Index System (NDIS) is one part of CODIS that operates at the national level.33 NDIS contains genetic profiles “contributed by federal, state, and local participating forensic laboratories.”34 As of March 2020, the NDIS “contains over 14,150,851 offender profiles, 3,897,457 arrestee profiles and 1,004,891 forensic profiles.”35
22. 569 U.S. 435 (2013). 23. Id. at 435. 24. Id. 25. Id. 26. Md. Code Ann., Pub. Safety § 2-501. (LexisNexis 2011 Repl. Vol.). 27. U.S. CONST. AMEND. IV.; King, 569 U.S. at 435. 28. King, 569 U.S. at 435; U.S. CONST. AMEND. IV. 29. King, 569 U.S. at 435. 30. Brian Resnick, How Your Third Cousin’s Ancestry DNA Test Could Jeopardize Your Privacy, VOX, (Oct. 15, 2018, 10:20 AM), https://www.vox.com/science-and-health/2018/10/12/17957 268/science-ancestry-dna-privacy [https://perma.cc/9ZX7-8NXV]. 31. Id. 32. See Frequently Asked Questions on CODIS and NDIS, FBI, https://www.fbi.gov/services/lab oratory/biometric-analysis/codis/codis-and-ndis-fact-sheet (last visited May 16, 2020). 33. Id. 34. Id. 35. CODIS - NDIS Statistics, FBI, https://www.fbi.gov/services/laboratory/biometric-analysis/c odis/ndis-statistics (noting that offender profiles include convicted offenders, detainees, and legal profiles) (last visited May 16, 2020).
6 WASHINGTON UNIVERSITY LAW REVIEW ONLINE [VOL. 98:1
The DTC genetic testing services have now provided law enforcement with the opportunity to take advantage of this DNA to solve crimes by matching the data in CODIS to relatives in ancestry databases. The ability to make these data matches was demonstrated in a sample of 872 people, where “30 percent could be matched via cross-referencing STR data with the ancestry data.”36 The question some consumers are asking is whether law enforcement should be allowed to access the genetic information they provide to DTC genetic testing services.37
II. POLICE INVESTIGATIONS AND GEDMATCH
“People who submit DNA for ancestor testing are unwittingly becoming genetic informants on their innocent family.”38 While millions of consumers are participating in this popular DNA testing trend, that does not mean that they want law enforcement to access their DNA test results from services like 23andMe and become involuntary genetic informants.39 While some DNA testing services put privacy practices into place to protect their users’ information,40 “[t]he ability of third parties, the police or others to see that data is not clear.” 41 DTC genetic testing users “have fewer privacy protections than convicted offenders whose DNA is contained in regulated databanks.”42 Cases spurring these fears involved the use of a public genetic database known as GEDmatch, 43 a crowdsourced database, containing
36. Resnick, supra note 30. 37. Scutti, supra note 14. 38. Michael Balsamo & Jonathan J. Cooper, Genealogy Site Didn’t Know It Was Used to Seek Serial Killer, WASH. POST, (Apr. 27, 2018, 2:59 PM), https://www.washingtonpost.com/national/use-of -dna-in-serial-killer-probe-sparks-privacy-concerns/2018/04/27/3c6bde16-49e9-11e8-8082-105a446d1 9b8_story.html [https://perma.cc/5Q82-2YLH] (quoting Steve Mercer, the chief attorney for the forensic division of the Maryland Office of the Public Defender). 39. Ashley May, Took an Ancestry DNA Test? You Might be a ‘Genetic Informant’ Unleashing Secrets About your Relatives, USA TODAY, (May 1, 2018, 7:16 AM ET), https://www.usatoday.com/stor y/tech/nation-now/2018/04/27/ancestry-genealogy-dna-test-privacy-golden-state-killer/557263002/ [htt ps://perma.cc/7U7U-3U9E] (quoting a 23andMe spokesman who said that the company “will not share member information with law enforcement ‘unless compelled to by valid legal process’” and “has never given customer information to law enforcement officials”); see also Fiza Pirani, Can Police Legally Obtain Your DNA from 23andMe, Ancestry?, THE ATLANTA J.-CONST., (May 11, 2018), https://www.aj c.com/news/national/can-police-legally-obtain-your-dna-from-23andme-ancestry/8eZ24WN7VisoQiH AFbcmjP/ [https://perma.cc/K2W5-PU94] (“Ancestry’s Transparency Report states that the company received nine valid law enforcement requests in 2016 and provided information on eight of the requests to government agencies. All were related to credit card misuse and identity theft.”). 40. Carson Martinez, Privacy Best Practices for Consumer Genetic Testing Services, FUTURE OF PRIVACY FORUM, (July 31, 2018), https://fpf.org/2018/07/31/privacy-best-practices-for-consumer-gene tic-testing-services/ [https://perma.cc/4GK5-Z6VS]. 41. Arthur Caplan, director of the Division of Medical Ethics at New York University’s School of Medicine. May, supra note 39. 42. Balsamo & Cooper, supra note 38. 43. GEDMATCH, https://www.gedmatch.com/login1.php (last visited Jan. 17, 2020). Curtis Rogers, age 81, founded GEDmatch in 2010, inspired by his personal genealogy search. While popular
2020] COLD CASES FREEZE 7
about 1,000,000 DNA sets.44 Individuals utilizing GEDmatch download their genetic code from popular testing services such as Ancestry, and voluntarily upload the data into GEDmatch’s database.45 Because the site is public, investigators do not need a court order to utilize genetic information found in the database.46 Curtis Rogers, the founder of GEDmatch, had no idea that his site would be used in that way, so he imposed some restrictions on law enforcement, permitting them to pursue leads on major crimes like homicides and rapes, but not lesser crimes like assault.47 While law enforcement officers were not breaking any laws by utilizing GEDmatch, consumers remain concerned about privacy due to investigators’ ability to cross-reference genetic information to identify relatives of GEDmatch users—the same technique used by police to identify the Golden State Killer.48 The Investigators in that case had the killer’s unidentified DNA from the crime scene and tried to match it to the one million records in GEDmatch.49 The partial matches helped to create a family tree of distant relatives of the killer, providing a major break in the investigation, and eventually leading to Joseph James DeAngelo’s arrest.50 Since that crime was solved, more than fifty other rape and homicide cases in twenty-nine states have been solved using this groundbreaking technique of investigative genetic genealogy.51 Another arrest from cross referencing genetic information from GEDmatch is that of Robert Brian Thomas, now sixty-one years old, for two
among genealogists, he was unaware of law enforcement’s use of his site until the announcement of the arrest of the Golden State Killer. A year ago, Rogers said, “I am not totally comfortable with GEDmatch being used to catch violent criminals but I doubt it would be possible to prevent it.” Schuppe, infra note 47. GEDmatch was later acquired by Verogen, Inc. who has operated the site since December 9, 2019. GEDmatch.Com Terms of Service and Privacy Policy, GEDMATCH, (Dec. 9, 2019) https://www.gedmat ch.com/tos.htm [https://perma.cc/A7P8-FV38]. 44. Tony Romm & Drew Harwell, Ancestry, 23andMe Say They Will Follow These Rules When Giving DNA Data to Businesses or Police, CHI. TRIB., (Jul. 31, 2018, 11:29 AM), https://www.chicagotri bune.com/news/nationworld/ct-ancestry-genealogy-dna-data-police-20180731-story.html [https://perm a.cc/J6QR-69SQ]. 45. Barbara Anguiano, Using Genetic Genealogy to Identify Unknown Crime Victims, Sometimes Decades Later, NPR, (Jan. 8, 2019, 3:54 PM), https://www.npr.org/2019/01/08/682925589/using-geneti c-genealogy-to-identify-unknown-crime-victims-sometimes-decades-later [https://perma.cc/8SFR-JKC V]. 46. Cyrus Farivar, CSI: Paypal Edition – GEDmatch, a Tiny DNA Analysis Firm, Was Key for Golden State Killer Case, ARSTECHNICA, (Apr. 27, 2018, 9:25 AM), https://arstechnica.com/tech-policy/ 2018/04/gedmatch-a-tiny-dna-analysis-firm-was-key-for-golden-state-killer-case/ [https://perma.cc/5V 6B-P9WJ]. 47. Jon Schuppe, Police Were Cracking Cold Cases with a DNA Website. Then the Fine Print Changed., NBCNEWS, (Oct. 25, 2019, 6:53 AM PDT), https://www.nbcnews.com/news/us-news/police -were-cracking-cold-cases-dna-website-then-fine-print-n1070901 [https://perma.cc/PQB5-8XBW]. 48. Romm & Harwell, supra note 44; Jouvenal, supra note 11. 49. Regalado, supra note 1. 50. Id. 51. Schuppe, supra note 47.
8 WASHINGTON UNIVERSITY LAW REVIEW ONLINE [VOL. 98:1
sexual battery cases in Florida in 1998.52 The Florida Department of Law Enforcement approached the case in December 2018 as part of its genealogy mapping program and was able to match Thomas’ fourth cousin, with whom Thomas shared a great-great-grandparent.53 That narrowed the search to one genetic line, and a list of five suspects, who were then investigated, leading to Thomas’s arrest. 54 In another example, from Tacoma, Washington, Michella Welch was raped and murdered on March 26, 1986.55 DNA was collected from the crime scene, but at that time, searches of state and national databases did not lead to any suspects.56 However, in 2018, genetic genealogy databases allowed investigators to create a family tree, identifying two brothers as suspects. 57 Investigators followed Gary Hartman, one of the suspects, to a restaurant, where detectives collected a napkin Hartman had used during breakfast. 58 His DNA on the napkin matched the DNA collected from the crime scene.59 The argument in favor of using publicly available genetic test results to solve cold cases is simple: society is safer when criminals who pose a risk to society are behind bars. However, CeCe Moore, 60 head of Parabon NanoLabs, who helps police solve cold cases through her skills as a genetic researcher, is troubled when her investigation points to a suspect who, decades later, is leading a productive, crime-free life.61 In one such twenty -year-old case, the suspect she identified was married, had children and a successful business.62 He was not hiding, as he was engaged in social media and was well known in his community.63 It appeared that he committed one
52. Joshua Rhett Miller, Genealogy Database Leads to Michigan Man’s Arrest for 1998 Florida Rapes, N.Y. POST, (Dec. 17, 2019, 1:21 PM), https://nypost.com/2019/12/17/genealogy-database-leads- to-michigan-mans-arrest-for-1988-florida-rapes/ [https://perma.cc/VB8A-ZYPC]. 53. Id. 54. Id. 55. Chris Daniels, et al., DNA on Napkin Leads to Charges in 32-Year-Old Cold Case, USA TODAY, (June 23, 2018, 3:00 PM), https://www.usatoday.com/story/news/nation-now/2018/06/23/dna- napkin-leads-charges-32-year-old-cold-case/728082002/ [https://perma.cc/KLU5-KNUG]. 56. Id. 57. Id. 58. Id. 59. Id.; see also Jay O’Brien, et al., Brazos County Sheriff Announces Suspect in Decades-Old Murder of Virginia Freeman, KCENTV, (June 25, 2018, 9:42 PM CDT), https://www.kcentv.com/articl e/news/brazos-county-sheriff-announces-suspect-in-decades-old-murder-of-virginia-freeman/499-5673 41120 [https://perma.cc/EAE3-PPN5] (describing how DNA analyzed for ancestry information identified a suspect’s second cousins and great grandparents, leading authorities to the suspect). 60. ABC recently announced a new documentary series featuring Ms. Moore titled “The Genetic Detective.” Jessica Pena, The Genetic Detective: ABC News Series Follows Investigative Genealogist, TV SERIES FINALE, (April 14, 2020), https://tvseriesfinale.com/tv-show/the-genetic-detective-abc-news -series-follows-investigative-genealogist/ [https://perma.cc/5NK6-TFJ9]. 61. Antonio Regalado & Brian Alexander, The Citizen Scientist Who Finds Killers from Her Couch, MIT TECH. REV., (June 22, 2018), https://www.technologyreview.com/s/611529/the-citizen-scie ntist-who-finds-killers-from-her-couch/ [https://perma.cc/6JWX-94L7]. 62. Id. 63. Id.
2020] COLD CASES FREEZE 9
horrible crime decades in the past and had been a model citizen since.64 Moore struggled with the case, wondering, “[h]ow is that possible? How could this person be capable of this?”65 She knew that his arrest would likely destroy his family and business, and unsettle the community.66 And one may wonder if society is at risk of harm from this suspect, and whether genetic research causes more harm than good. However, Moore balances those thoughts with her knowledge of “the unfairness that the person they murdered is gone and this person has gone on to live a normal life.”67
III. PLEDGES TO PROTECT USER PRIVACY
A. Federal Privacy Regulations
While there are federal and state laws regulating genetic testing and the resulting data, it is unclear which and how they apply to DTC genetic testing services, which leaves open the question of what privacy protection a consumer can reasonably expect.68 The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the privacy regulations promulgated thereunder (the “Privacy Rule”), protect the use and disclosure of individually identifiable health information.69 However, the DTC genetic testing services do not qualify as covered entities under HIPAA, and therefore are not required to comply with the Privacy Rule.70 The Genetic Information Nondiscrimination Act of 2008 (“GINA”) limits the use and disclosure of genetic information by employers and health insurers, but again, does not explicitly apply to DTC genetic testing services.71 That leaves consumers with the burden of carefully reviewing the privacy policies and terms of use of the DTC genetic testing services to learn the scope of their right to privacy of the genetic information they have voluntarily disclosed to such service.72 Even if consumers do read the terms
64. Id. 65. Id. 66. Id. 67. Id. 68. Mary Fraker & Anne-Marie Mazza, Direct-to-Consumer Genetic Testing: Summary of a Workshop, THE NAT’L ACADEMIES PRESS 1, 15, https://www.ncbi.nlm.nih.gov/books/NBK209643/pdf/ Bookshelf_NBK209643.pdf, (last visited Apr. 8, 2020). 69. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104–191, 110 Stat. 1936 (45 C.F.R. pt. 160). 70. Id.; Fraker & Mazza, supra note 68, at 15. 71. Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110–233, 122 Stat. 881 (42 U.S.C.A. § 2000ff–1 (West 2012)); Fraker & Mazza, supra note 68, at 15. 72. See, e.g., 23andMe Privacy Statement, 23ANDME, (Jan. 1, 2020), https://www.23andme.com /about/privacy/ [https://perma.cc/YSL8-PVKE]; 23andMe Terms of Service, 23ANDME, (Sep. 30, 2019), https://www.23andme.com/about/tos/ [https://perma.cc/4BC8-PM4B]; see also Claire Abrahamson, Guilt by Genetic Association: The Fourth Amendment and the Search of Private Genetic Databases by
10 WASHINGTON UNIVERSITY LAW REVIEW ONLINE [VOL. 98:1
of service, which often does not happen, they are subject to change at any time at the whim of the database, meaning that any privacy rights a consumer thought they had when they gave their data to the DTC genetic testing service could be revoked at any time.73
B. Privacy Best Practices for Consumer Genetic Testing Services
In response to user privacy concerns, some DTC genetic testing services provide their consumers with transparency reports detailing the number of law enforcement requests they received and answered.74 For example, in 2017, 23andMe received five requests but did not provide law enforcement with any data, while Ancestry received thirty-four requests and provided genetic information for thirty-one cases.75 Ancestry and 23andMe have also pledged 76 to obtain their customers’ “separate express consent,” before providing businesses and other third parties with individual genetic information,77 but it should be noted that the companies are not promising to withhold such data from law enforcement. Instead, the organizations are promising to “attempt to notify” consumers when they can of law enforcement requests.78 While this action has merit, there is no guarantee that the companies will be fully able to take such steps if investigators obtain gag orders, preventing the notification of consumers.79 The other step that some DTC genetic testing services are taking is a pledge to protect consumer privacy by agreeing to abide by the Privacy Best Practices for Consumer Genetic Testing Services (the “Best Practices”), voluntary privacy guidelines.80 The Best Practices were released on July 31, 2018, by Future of Privacy Forum, a Washington, D.C.-based think tank that aids in the development of business practices that include privacy and
Law Enforcement, 87 FORDHAM L. REV. 1539, 1551–1554 (2019) (discussing the differences in privacy policies and terms of service between DTC services). 73. Caroline Cakebread, You’re Not Alone, No One Reads Terms of Service Agreements, BUSINESS INSIDER, (Nov. 15, 2017, 6:30 AM), https://www.businessinsider.com/deloitte-study-91-perc ent-agree-terms-of-service-without-reading-2017-11 [https://perma.cc/8CK6-U7XX]; Logan Koepke, “We Can Change These Terms at Anytime”: The Detritus of Terms of Service Agreements, MEDIUM, (Jan. 18, 2015), https://medium.com/@jlkoepke/we-can-change-these-terms-at-anytime-the-detritus-of- terms-of-service-agreements-71240 9e2d0f1. 74. James Vincent, 23andMe and Other DNA-Testing Firms Promise Not to Share Data Without Consent, THE VERGE, (Aug. 1, 2018, 8:55 AM), https://www.theverge.com/2018/8/1/17638680/genetic- data-privacy-consumer-rights-guidelines-23andme-ancestry [https://perma.cc/UUX5-YXGK]. 75. Id. 76. In accordance with the best Practices established at The Future of Privacy Forum. Martinez, supra note 40. 77. Id. 78. Romm & Harwell, supra note 44. 79. Id. 80. Martinez, supra note 40.
2020] COLD CASES FREEZE 11
ethical norms.81 Companies agreeing to abide by the guidelines include 23andMe, Ancestry, Helix, MyHeritage, Habit, African Ancestry, and Living DNA.82 According to its introduction, “[t]he Best Practices provide a policy framework for the collection, retention, sharing, and use of Genetic Data generated by consumer genetic and personal genomic testing services,”83 recognizing that Genetic Data “warrants a high standard of privacy protection”84 because: • It may be used to identify predispositions, disease risk, and predict future medical conditions; • It may reveal information about the individual’s family members, including future children; • It may contain unexpected information or information of which the full impact may not be understood at the time of collection; and • It may have cultural significance for groups or individuals.85 The Best Practices guide the DTC genetic testing services by recommending that their privacy practices include: “Detailed transparency about how Genetic Data is collected, used, shared, and retained including a high-level summary of key privacy protections posted publicly and made easily accessible to consumers;” “Separate express consent for transfer of Genetic Data to third parties and for incompatible secondary uses;” and “Valid legal process for the disclosure of Genetic Data to law enforcement and transparency reporting on at least and annual basis.”86 Of course, these are only guidelines, there is no enforcement mechanism, and not all genetic databases, including GEDmatch and FamilyTreeDNA, agreed to comply.87 However, it is important to remember that DNA matches may only give investigators a place to begin in the investigation. Building the family tree that may lead to criminal suspects includes an examination of birth, death,
81. Privacy Best Practices for Consumer Genetic Testing Services, FUTURE OF PRIVACY FORUM, (July 31, 2018), https://fpf.org/wp-content/uploads/2018/07/Privacy-Best-Practices-for-Consumer-Gen etic-Testing-Services-FINAL.pdf. 82. Id. at 1; Martinez, supra note 40 (noting that FamilyTreeDNA has been removed from the list of supporters due to its conflicting deal with the Federal Bureau of Investigation). In that agreement, FamilyTreeDNA agreed to periodically test investigation samples on a case by case basis. Kristen V. Brown & Bloomberg, A Major DNA-Testing Company Is Sharing Some of Its Data with the FBI. Here’s Where It Draws the Line, FORTUNE, (Feb. 1, 2019, 6:47 PM EST), http://fortune.com/2019/02/01/geneti c-testing-consumer-dna-familytreedna-fbi/. 83. Privacy Best Practices for Consumer Genetic Testing Services, supra note 81, at 1. The Best Practices define Genetic Data as “Any data that, regardless of its format, concerns information about an individual’s inherited or acquired genetic characteristics, including at least an individual’s Raw Data, the Report of the Analyzed Data, and Self-Reported Health Data,” as each of those terms are defined therein. Id. at 11. 84. Id. at 1. 85. Id. 86. Martinez, supra note 40. 87. Id.
12 WASHINGTON UNIVERSITY LAW REVIEW ONLINE [VOL. 98:1
and marriage certificates, as well as obituaries, many of which are publicly available.88
C. FamilyTreeDNA Removed from List of Best Practices’ Participants
FamilyTreeDNA is an early pioneer in genetic testing services89 and created a stir when it made an agreement with the FBI resulting in its removal from the list of participants in the Best Practices. 90 FamilyTreeDNA confirmed in February 2019 that the company had voluntarily agreed to test DNA samples for the FBI on a case by case basis.91 Results of such testing would allow law enforcement to view familial matches to crime scene DNA samples.92 Not surprisingly, this initiative by FamilyTreeDNA has many customers apprehensive about their genetic privacy. 93 The company’s founder and chief executive officer, Bennet Greenspan, has assured users that they will not provide the FBI with “unfettered access” to their database.94 Greenspan’s assertion may prove to be of little value however, given that FamilyTreeDNA possesses a vast trove of genetic data comprised of nearly two million records.95 Due to FamilyTreeDNA’s agreement with the FBI, the amount of DNA that law enforcement already had access to in GEDmatch more than doubled. 96 However, since the announcement of their agreement, FamilyTreeDNA has revealed that it has received “less than 10 samples” from the FBI. 97 FamilyTreeDNA representatives have acknowledged, though, that they have worked with both state and city law enforcement in addition to the FBI in an attempt to resolve cold cases.98 Since its initial agreement with the FBI, FamilyTreeDNA has revised its terms of service, now requiring police to request permission to use the database and restricting such use to “homicide, sexual assault, or child
88. Tina Hesman Saey, What FamilyTreeDNA Sharing Genetic Data with Police Means for You, SCIENCENEWS, (Feb. 6, 2019, 7:00 AM), https://www.sciencenews.org/article/family-tree-dna-sharing- genetic-data-police-privacy; How to Build a Family Tree: Tracing Your Ancestors, NAT’L GENEALOGICAL SOC’Y, https://www.ngsgenealogy.org/free-resources/build-family-tree/ (last visited Apr. 8, 2020). 89. FAMILYTREEDNA, https://www.familytreedna.com (last visited Mar. 25, 2020) (noting that the company was founded in 2000 and a pioneer in the field). 90. See supra note 82. 91. Brown & Bloomberg, supra note 82. 92. Id. 93. See id. 94. Id. 95. Id. 96. Id. 97. Bloomberg, Major DNA Testing Company Is Sharing Genetic Data with the FBI, L.A. TIMES, (Feb. 1, 2019, 2:55 PM), https://www.latimes.com/business/la-fi-dna-fbi-familytreedna-20190201-story .html [https://perma.cc/AQ9R-N444]. 98. Id.
2020] COLD CASES FREEZE 13
abduction.” 99 In addition, customers may now decide whether to allow police to access their profiles, a major step forward in privacy. But since the default setting is to opt in, customers must be vigilant about reading the terms of service and carefully choosing to opt out if they are hesitant to be genetic informants.100
IV. GEDMATCH RESTRICTS LAW ENFORCEMENT
As they became aware of increasing consumer privacy concerns, GEDmatch implemented rules restricting law enforcement searches to major crimes.101 However, it bent those rules and allowed Utah police to search for the perpetrator of a violent assault on an elderly woman.102 The assailant turned out to be a seventeen-year-old great-nephew of someone with a profile in the database. 103 While the police made a compelling argument that the perpetrator was a public risk,104 backlash from the public led to an another change in the terms of services of GEDmatch.105 On May 18, 2019, GEDmatch changed the terms to excludes law enforcement searches unless members opt in by clicking a police-shield icon on the GEDmatch website to allow authorities to see their profile.106 This change is intended to protect consumers from becoming genetic informants. 107 Overnight, the number of profiles available to law enforcement dropped
99. Terms of Service, § 5, FAMILYTREEDNA, https://www.familytreedna.com/legal/terms-of- service; see also FamilyTreeDNA Law Enforcement Guide, FAMILYTREEDNA, https://www.familytree dna.com/legal/law-enforcement-guide (last visited Feb. 10, 2020). 100. FamilyTreeDNA Privacy Statement, § 5.E., FAMILYTREEDNA, https://www.familytreedna.c om/legal/privacy-statement (last visited Apr. 8, 2020). 101. Peter Aldhous, This Genealogy Database Helped Solve Dozens of Crimes. But Its New Privacy Rules Will Restrict Access by Cops, BUZZFEEDNEWS, (May 19, 2019, 3:41 PM ET), https://ww w.buzzfeednews.com/article/peteraldhous/this-genealogy-database-helped-solve-dozens-of-crimes-but [https://perma.cc/Y8ZU-ZFPP]. 102. Id. 103. Peter Aldhous, The Arrest of a Teen on an Assault Charge Has Sparked New Privacy Fears About DNA Sleuthing, BUZZFEEDNEWS, (May 14, 2019, 10:15 PM ET), https://www.buzzfeednews.co m/article/peteraldhous/genetic-genealogy-parabon-gedmatch-assault [https://perma.cc/JZ5S-Y9MT]. 104. GEDmatch founder Curtis Rogers said, “‘[t]his case was as close to a homicide as you can get’. . . ‘The victim was reportedly in great fear that he would return to end her life. It was a difficult decision but I decided to allow [the] use of genetic genealogy in this one case and take full responsibility for this decision.’” The suspect placed the 71-year-old organist in a chokehold, causing her to pass out several times. Id. 105. Schuppe, supra note 47; GEDmatch.Com Terms of Service and Privacy Policy, GEDMATCH, (Dec. 9, 2019), https://www.gedmatch.com/tos.htm (noting that the crimes for which law enforcement searches are allowed are limited to “murder, nonnegligent manslaughter, aggravated rape, robbery, or aggravated assault”). 106. Schuppe, supra note 47(noting that while all users have not yet opted in, a survey conducted by Baylor College of Medicine, “91 percent of respondents favored law enforcement using consumer DNA databases to solve violent crimes, and 46 percent for nonviolent crimes”). 107. Id.
14 WASHINGTON UNIVERSITY LAW REVIEW ONLINE [VOL. 98:1
from over one million to zero.108 While the number of accessible profiles has grown slowly to 181,000 since then, it could be years before law enforcement has access to a million or more records, leaving cold cases unsolved.109 Law enforcement officials and private investigative genetic genealogy companies acknowledge the privacy concerns but hope the public will permit their profiles to be accessed by law enforcement. 110 Rogers, from GEDmatch, has sent his members emails, trying to persuade them to opt in to aid law enforcement in solving crimes, going so far as to include a link to a video message from the a Golden State Killer’s victim’s family.111 If consumers do choose to opt in, at least they will knowingly make the choice, rather than finding out later that they were unwittingly genetic informants.
CONCLUSION
The DNA testing services industry has been informally deemed a “Wild West” of genetic information.112 Because this area of consumer services is still relatively new, laws protecting consumers’ data are still developing. Despite developments such as the Privacy Best Practices for Consumer Genetic Testing Services113 and terms of service restricting law enforcement access, there are still many gray areas in the industry concerning which types of genetic data sharing are permissible and which may violate privacy rights. One of the biggest challenges facing those who are arguing for privacy in their genetic testing results is the fact that they voluntarily gave their DNA sample to the DTC genetic testing service subject to terms of service that can be changed by the service at any time, resulting in the loss of control over the testing results.114 “[O]ur DNA, just like our posts on social media or our location data, is at the mercy of user agreements none of us have any control over or even bother to read.”115 As consumers, we
108. Id. 109. Id. 110. Id. 111. Rogers said in this emails, “‘Many of these families have suffered for decades. They need your support.’ . . . ‘We hope you will encourage others who have been genealogically DNA tested to also add their information. We believe it is the caring thing to do.’” Id. 112. Stuart Leavenworth, DNA Testing Is Like the ‘Wild West’; Should It Be More Tightly Regulated?, IMPACT2020, (May 16, 2019, 1:32 PM), https://www.mcclatchydc.com/news/nation-world/ article212256094.html [https://perma.cc/KFE3-GTAS] (quoting New York University law professor Erin Murphy who said “[t]here is a wild-west aspect to all of this”). 113. Martinez, supra note 40. 114. Stuart Leavenworth, Ancestry Wants Your Spit, Your DNA and Your Trust. Should You Give Them All Three?, MCCLATCHYDC, (Aug. 15, 2018, 4:02 PM), https://www.mcclatchydc.com/news/nati on-world/article210692689.html [https://perma.cc/2EG3-99N7] (noting that AncestryDNA has a reputation for changing its terms of service, most notably when they ended MyFamily.com, a social networking site, that resulted in the loss of posted family photos for more than 1.5 million members). 115. Regalado, supra note 1.
2020] COLD CASES FREEZE 15
are trusting operators of privately run DTC genetic testing services to balance individual privacy rights with the benefit of catching suspects, and manage the structure of their terms of service accordingly. Debbie Kennett, a genealogist and honorary research associate at University College London said, “They are reacting on the fly, making up the rules as they go along.”116 While these private services may not be the best choice to make decisions about how our genetic privacy, as rapidly as technology and investigative techniques are changing, we have no immediate alternative.
116. Aldhous, supra note 101.