Someone broke into a church in Centerville, Utah, last November and attacked the organist who was practicing there. In March, after a conventional investigation came up empty, a police detective turned to forensic consultants at Parabon NanoLabs. Using the publicly accessible website GEDmatch, the consultants found a likely distant genetic relative of the suspect, whose blood sample had been found near the church’s broken window.
Someone related to the person on GEDmatch did indeed live in Centerville: a 17-year-old high school student. Alerted by the police, a school resource officer watched the student during lunch at the school cafeteria and collected the milk carton and juice box he’d thrown in the garbage. The DNA on the trash was a match for the crime scene evidence. This appears to be the first time that this technique was used for an assault investigation.
The technique is known as genetic genealogy. It isn’t simply a matter of finding an identical genetic match between someone in a database and evidence from a crime scene. Instead, a DNA profile may offer an initial clue — that a distant cousin is related to a suspect, for instance — and then an examination of birth records, family trees and newspaper clips can identify a small number of people for further investigation.
The identification of Joseph DeAngelo in the Golden State Killer case also relied on genetic genealogy. He was charged with 26 counts of murder and kidnapping after a genealogist helped investigators in California identify a third cousin of Mr. DeAngelo’s through GEDmatch and other genealogical records.
While there may be broad public support for a technique that solved serial murders, just because technology allows for a new type of investigation doesn’t mean the government should be allowed to use it in all cases.
Genetic genealogy requires lots of DNA samples and an easy way to compare them. Americans have created millions of genetic profiles already. A 2018 study published in Science predicted that 90 percent of Americans of European descent will be identifiable from their DNA within a year or two, even if they have not used a consumer DNA service. As for easy access, GEDmatch’s website provides exactly this opportunity. Consumers can take profiles generated from other commercial genetic testing services, upload them free and compare them to other profiles. So can the police.
[If you use technology, someone is using your information. We’ll tell you how — and what you can do about it. Sign up for our limited-run newsletter.]
We should be glad whenever a cold case involving a serious crimes like rape or murder can be solved. But the use of genetic genealogy in the Centerville assault case raises with new urgency fundamental questions about this technique.
First, there is now no downward limit on what crimes the police might investigate through genetic genealogy. If the police felt free to use it in an assault case, why not shoplifting, trespassing or littering?
Second, there’s the issue of meaningful consent. You may decide that the police should use your DNA profile without qualification and may even post your information online with that purpose in mind. But your DNA is also shared in part with your relatives. When you consent to genetic sleuthing, you are also exposing your siblings, parents, cousins, relatives you’ve never met and even future generations of your family. Legitimate consent to the government’s use of an entire family tree should involve more than just a single person clicking “yes” to a website’s terms and conditions.
Third, there’s the question of why the limits on Americans’ genetic privacy are being fashioned by private entities. The Centerville police used GEDmatch because the site owners allowed an exception to their own rules, which had permitted law enforcement access only for murder and sexual assault investigations. After user complaints, GEDmatch expanded the list of crimes that the police may investigate on its site to include assault. It also changed default options for users so that the police may not gain access to their profiles unless users affirmatively opt-in. But if your relative elects to do so, there’s no way for you to opt out of that particular decision. And what’s to stop GEDmatch from changing its policies again?
Finally, the police usually confirm leads by collecting discarded DNA samples from a suspect. How comfortable should we be that a school resource officer hung around a high school cafeteria waiting to collect a teenager’s “abandoned” DNA?
All of these issues point to one problem: Police use of genetic genealogy is virtually unregulated. Law enforcement agencies and cooperating genetic genealogy websites are operating in a world of few limits. There are not only few rules about which crimes to investigate, but also unclear remedies in the case of mistakes, the discovery of embarrassing or intrusive information, or misuse of the information.
If these concerns sounds similar to other technology and privacy problems we’re facing, they should. Our genetic and digital identities raise similar questions of autonomy, civil liberties, and intrusion by public and private entities.
Without legal limits, genetic genealogy will become a more popular tool for the police. Rather than wait for the courts to deal with difficult and novel issues about genetic surveillance and privacy, state legislatures and attorneys general should step in and articulate guidelines on how far their law enforcement agencies should go. Congress and the Federal Trade Commission should take further steps to protect the privacy and security of consumer genetic data.
If the police are to be given unlimited access to the genetic information of your entire family tree, they should have it at the end of a public debate, not by default.
Elizabeth Joh is a professor of criminal law and procedure, constitutional law and policing at the University of California, Davis.
Like other media companies, The Times collects data on its visitors when they read stories like this one. For more detail please see our privacy policy and our publisher’s description of The Times’s practices and continued steps to increase transparency and protections.
Follow @privacyproject on Twitter and The New York Times Opinion Section on Facebook and Instagram.