Skip to navigationSkip to content

Do you know who’s using your DNA data?

Examining DNA evidence in Mexico.
Reuters/Henry Romero
Authorities could be using your DNA evidence in criminal investigations right now.
By Ephrat Livni
Published Last updated This article is more than 2 years old.

You’re in search of your roots, on a quest to uncover your ancestors. You submit DNA to a public genealogy service and in exchange get information about your people. Success!

But from a constitutional perspective, in the US, you’re also abandoning evidence, which means criminal investigators can use your data. They don’t need a search warrant and you have no reasonable expectation of privacy.

That doesn’t mean you shouldn’t do it, but you should think carefully, according to a May 29 paper in the Annals of Internal Medicine (paywall) by US National Institutes of Health bioethicists Benjamin Berkman and Christine Grady, and lawyer Wynter Miller. They point out the ethical questions raised by use of public genetic databases in criminal investigations, and argue for more public discussion.

On the one hand, public genealogy databases have helped investigators crack difficult cases and track down killers that eluded them for decades. So that’s good.

On the other hand, reliance on genetic evidence can be problematic. This kind of evidence is very delicate. “[E]vidence may be compromised if collected without extraordinary care,” the NIH writers warn. Mistakes are easily made. They point to a murder case in Germany, where genetic analysis of evidence collected with a contaminated cotton swab led police to erroneously target Romani communities before discovering their error. So that’s bad. As is the possibility of public genetic databases being more widely used for genetic discrimination in other situations, like providing insurance coverage or employment.

First, more on the good news. In April, California police announced they had finally arrested a suspect in the Golden State Killer case after uploading decades-old genetic evidence to an open-source genealogical database, the GEDmatch. When they did, they identified a genetic family tree to which the DNA belonged; eventually, the investigators whittled it down to one suspect.The suspected killer was Joseph James DeAngelo, a former police officer, who is believed to be responsible for 12 murders, 50 rapes, and over 100 burglaries committed between 1974 and 1986.

Similarly, in May, Washington state law enforcement used GEDmatch to close an investigation of a 1987 crime. William Earl Talbott II was arrested for the brutal murder of a Canadian couple. This prompted Wired to conclude in June that, “The key to cracking cold cases might be genealogy websites.”

The NIH writers don’t dispute the usefulness of these sites, but they are extremely wary and they want you to be too. Even if you’re willing, in theory, to submit your evidence to a public database that’s available to criminal investigators you should understand just what you’re a part of and what you’re giving up.

Sites offer varying degrees of privacy. For example, 23andMe and Ancestry won’t share genetic information with law enforcement without a court order. But public sites offering access to DNA databases might, and they tend not to be very explicit in their terms of service about the possibility of data being used in criminal investigations.

The sites themselves are not always aware of how or even if law enforcement uses the DNA they store. According to Wired, GEDmatch didn’t actually authorize California police to use its database for the Golden State Killer investigation. The police didn’t need to get permission, because the database is public. Only after the arrest was announced did the service issue a statement to users admitting their data was just used in a major criminal investigation.

The NIH writers think there should be a separate section in all terms of service agreements that discusses consent to participation in criminal investigations, something users can’t just ignore. “It’s much worse to hide the ball and have people be surprised than it is to be clear and transparent, up front, in a way that lets people understand and internalize that their data might be used in this way,” the NIH’s Berkmann told Healthcare Analytics News.

In the Talbott case, investigators spoke to GEDmatch in advance of using information from its nearly 1 million contributors. On May 20, after Talbott’s arrest was announced, the company changed its terms of service and now states that it will use data sought by law enforcement when a warrant is presented or to identify a deceased person or a suspect in a violent crime, which the site defines as “homicide or sexual assault.”

Still, DNA evidence doesn’t show that a person committed a crime. What it does demonstrate is that an individual’s genetic material was found at a particular location. The person may not have been present during an offense or be guilty of it, which means the evidence should be viewed with some suspicion and isn’t enough to warrant a conviction.

Authorities seem reluctant to admit that they rely on public DNA databases, say the writers. “If law enforcement is using this technology, the adoption of formalized standards and mechanisms of accountability is appropriate,” they argue.

The bioethicists believe limits should be placed on the use of DNA evidence and that “justice concerns might warrant limiting criminal genealogy searching to cold cases involving crimes in which other investigative methods have failed.” Basically, they’re arguing it should be a last resort and not a primary investigative tool.

“I think this is an interesting technique, and I am not at all interested in shooting it down, I just want people to have a conversation about the tradeoffs,” Berkman told Healthcare Analytics News. “And maybe we as a society are okay with the potential ramifications. Like with any new technology, let’s be conscious and deliberate before rushing headlong into it.”

📬 Kick off each morning with coffee and the Daily Brief (BYO coffee).

By providing your email, you agree to the Quartz Privacy Policy.