Back in May, Graham Coop and Doc Edge, geneticists at UC Davis, wrote a blog post asking, “How lucky was the genetic investigation in the Golden State Killer case?” Their back-of-the-envelope calculations suggested that the investigators’ luck was just about average. Erlich and his team used real data and came to a similar conclusion. “It was interesting to see all of the ideas being demonstrated in a very strong empirical way,” Coop says of the new study.
This summer, genetic-testing companies including 23andMe, AncestryDNA, and MyHeritage banded together with the Future of Privacy Forum, a think tank and advocacy group, to publish a “best practices” guide for the industry. That report said companies can hand over data when legally forced to. So far, they haven’t had to, because investigators in the recently publicized cases, including that of the alleged Golden State Killer, could simply use GEDmatch. The site has since updated its terms of service to note that law enforcement is searching through it.
AncestryDNA and 23andMe, the two leading genetic-testing companies, both say they have never handed over a customer’s genetic information to law enforcement. But it’s worth noting that both have databases bigger than GEDmatch: 10 million people for AncestryDNA and 5 million for 23andMe. That’s probably big enough to identify most Americans through a relative’s DNA already.
At the end of his paper, Erlich, who worked as a white-hat hacker before turning to genetics, also sketched out how companies like MyHeritage could use cryptographic signatures to prevent the misuse of data on third-party sites like GEDmatch. John Verdi, the vice president of policy at the Future of Privacy Forum, told me technical strategies like cryptography could play a role, but policy was the important lever. States, for example, could pass laws limiting the use of sites like GEDmatch for less serious crimes, though it doesn’t appear that they’re currently eager to: Verdi hadn’t heard of any states introducing such legislation yet.
I asked Verdi why he thinks the focus should be on the privacy of genetic data. DNA profiles alone would not have solved these cases; they also required looking up public records and often social media profiles. Why not think about privacy for that data as well? “This is a question of cultural norms,” Verdi said. “I think it’s probably a heavy lift to think about modifying those norms.” But the norms around DNA are all still very new. And we have an opportunity to shape them.
is a staff writer at The Atlantic.