I’ll never use a mail-in DNA test, but enough people already have that my choice doesn’t matter anymore.

By Max Eddy

On my shelf, I have two heavy, red volumes titled The Eddy Family In America. They are part of an (incomplete) set of books that traces my entire lineage back to a ship called the Handmaid, which landed in Plymouth Harbor on October 29th, 1630. In fact, they go back even further, to England, 1558 (or thereabouts). The book was painstakingly researched and published in 1930, and is periodically updated with large, additional tomes. It was the work of decades, but a DNA test combined with new investigatory techniques could have done it in a fraction of the time. The question is, should we worry about the privacy costs associated with this powerful technology, or is it too late to protect our genetic data?

While my paternal family is very well documented, that’s not true for everyone. But now, figuring out the rough outline of a family history is as easy as spitting in a tube. There are even other genealogical services out there that can connect those DNA results to more traditional family trees, and build out a few red books worth of information. Genetic information is more accessible than ever, but people are only really starting to recognize that DNA is a piece of private information that should be protected as steadfastly as a Social Security Number.

The last few years have seen the emergence of a new investigative technique used by law enforcement. When DNA is recovered from a crime scene, law enforcement may not be able to find a match because all they have to search against are DNA samples taken from people who have already had contact with police. If the DNA is from someone unknown to law enforcement, there won’t be a match.

While there might not be a national database of DNA to test against, home DNA testing and genealogical websites can sometimes fill the gap.

The capture of the Golden State Killer in 2018 is an excellent case study in how the process works. From the Washington Post:

“Initial DNA work identified distant relatives — not a suspect. Holes said a team of five investigators spent four months building out family trees, name by name. They pored over census records, newspaper obituaries, gravesite locaters, and police and commercial databases to find each relative[.]”

Starting with distant relatives in the 1800s, investigators were able to winnow down the family trees, removing people from the wrong time frame and location. Eventually, they settled on Joseph James DeAngelo, and used discarded DNA to link him directly to the case. In 2018, he was arrested for heinous, violent acts committed about 40 years prior.

Investigators were able to connect the DNA to genealogical information thanks to a site called GEDmatch, which lets individuals upload their genetic information. This can be used to link to other people on the site, or for research, or in this case: law enforcement investigations.

This process of using genetic information and traditional family tree construction is called genetic genealogy, and it has been used in other cold cases as well. In 2017, similar processes were used to identify some of the victims in the Bear Brook murders (Incidentally, there is an excellent podcast that covers that investigation).

To be clear: These are good stories, and a remarkable use of technology and historical research. They aren’t alone, either. In researching this article, I found an extensive list on Wikipedia of cases that used GEDmatch data. They should, and have been, celebrated.

Here comes the “but.”

But the same mechanisms that allow genetic genealogy to be used to catch bad guys also expose people who had nothing to do with the crimes and may not feel comfortable with their information being used in an investigation.

Our individual DNA is unique to each of us, but it also ties us to our families, our region, and even our species. While the person who submits their DNA to a site like GEDmatch might be perfectly comfortable with their data being used in an investigation, the rest of their family might not be. Writing in the Washington Post in 2018, Vera Eidelman, ACLU Staff Attorney, explained the problem. “In submitting our DNA for testing,” said Eidelman, “we give away data that exposes not only our own physical- and mental-health characteristics but also those of our parents, our grandparents and, as in DeAngelo’s case, our third cousins-not to mention relatives who haven’t been born yet.”

Eidelman’s article in the Post refers to this as “networked privacy,” which is an apt term. While it seems like an issue limited only to the world of genetics, Eidelman explains that networked privacy goes far beyond our DNA.

“It emerges any time we share information with others, including all the photographs shared online in which we’re often unwitting extras. It could also be infringed through social media relationships, as we saw for the tens of millions of Facebook users who recently had their information exposed to Cambridge Analytica because of choices only tens of thousands made.”

Eidelman went on to observe that investigators may have violated DeAngelo’s privacy rights by uploading his DNA to a public site without permission.

MIT Technology Review put the privacy situation in even starker terms. “As these databases grow, they have made it possible to trace the relationships between nearly all Americans, including those who never purchased a test.”

When privacy and law enforcement bump against one another, ease of accessing information is often what is at issue. Most people are probably comfortable with police accessing records and maybe even tapping phones when they have a warrant. Obtaining that permissions requires cause, engages with the judicial system, and (hopefully) limits the scope of surveillance.

Reading about genetic genealogy, it’s clear to me that this is still a highly labor-intensive process. Tackling the Golden State Killer case required enormous legwork to build family trees and investigate potential suspects. It wasn’t as simple as typing in a few keystrokes on a computer.

Individual services have also put some guard rails on how law enforcement can use these databases. After a change in its policy, GEDmatch now requires that users opt-in to have their information included in law enforcement investigations. This limited the pool of data from over 1 million entries to around 181,000 as of October, 2019, but the company complied with a warrant from the state of Florida in November, 2019, that appears to have granted access to law enforcement regardless of the user’s decision to opt-in. The site’s policy says that it will comply with legal warrants, and allows for authorized members of law enforcement to upload DNA information to the site.

For their part, Ancestry.com (which has its own DNA test, too) and 23andme say they do not cooperate with law enforcement although they would have to comply with a subpoena or warrant. FamilyTreeDNA does have a policy for cooperating with law enforcement investigations.

I really hate arguing with results. My history is carefully written, and preserved in books. I’ve never known the pain of losing someone to violence and waiting decades for justice. DNA testing can help catch killers, reunite long-lost relatives, or help them connect to a personal history that was interrupted by war, slavery, or political upheaval. But even those uplifting stories can come at a cost. In an article for the Guardian, Derecka Purnell explains the contradiction:

“This generation’s Back to Africa movement starts with a swab and an envelope. Millions of people use companies like AncestryDNA, 23andMe, FamilyTreeDNA, and Helix to sequence their DNA, discover their roots, or find common genetic patterns in a geographic location. […] Black people are particularly vulnerable: our DNA is disproportionately collected, stored, planted, and used against us in criminal proceedings. Handing over such intimate information heightens the risk for abuse.”

While I see lots of results in the realm of home genetic testing, I don’t see a lot of consistency. Different companies have different policies, and law enforcement appears to experience few barriers to access, even when individuals do not wish to have their genetic data searched. As is often the situation for privacy, technology has outpaced the law, but not law enforcement.

I also don’t see a lot of agency for people like you and me. A consequence of “networked privacy” is that the actions of one person has consequences for many others, willingly or not. I know it doesn’t matter whether or not I buy a test. Someone in my family already surely has, and therefore quite a bit of my genetic information is already out there, available to buy-for probably less than the cost of one of those big red Eddy family books.