Ever since American police tracked down the alleged Golden State Killer with a public DNA database, those sites have been privacy minefields for people who just want to learn more about their genetics. Now, a Florida judge has signed a warrant that allows authorities to search even the DNA of people who opted out of being part of police searches.
Forensic genealogy has helped law enforcement solve decades-old cold cases, but law enforcement’s new enthusiasm for the technique is a privacy issue for anyone who has used an open genetics database like GEDmatch. That’s because people who uploaded their own DNA didn’t necessarily consent to having it used for law enforcement searches—and because their relatives who aren’t in the system definitely didn’t consent. But if your cousin’s DNA is in a database somewhere, that means some of yours is, too.
I want to be clear about how these searches work. Some of these DNA databases, including GEDmatch and FamilyTreeDNA, allow users (you and me) to upload genetic data. Basically, I can go to one of these sites with a data file and say “here is my DNA, please let me know if anyone on this service seems to be related to me.” It’s a handy tool for people who are into genealogy or who are looking for long-lost relatives.
Depending on the website’s policy, law enforcement may be allowed to do the same. GEDmatch at first allowed anybody to upload; then they added a statement to their terms of service that acknowledges police are on the site and that you shouldn’t use it if you aren’t comfortable with that. Later, they changed the policy so that law enforcement only has access to the DNA of people who have opted in to those searches.
(23andme and Ancestry are not user-upload databases. To search for relatives, you have to send the company a vial of saliva. So far, they have been good about safeguarding users’ privacy against law enforcement, and state in transparency reports that they have not turned over any genetic data. Here is 23andme’s report, and Ancestry’s report.)
The groundbreaking thing about the Florida warrant is that the judge reportedly allowed law enforcement to search the entire database. (The details of the warrant aren’t public, but my guess is that the warrant said they could upload as a user without having to disclose that they were law enforcement.)
What does this mean for your privacy? The New York Times spoke to “DNA policy experts” who said they fear that more judges around the world will feel emboldened to write similar warrants, even for databases that are currently not used by law enforcement.
It’s unclear how that would even work for a site like 23andme. Maybe they would have to create a fake saliva sample with the suspect’s DNA and mail it in, or perhaps the idea is that the company would have to give police a way to upload a data file. This is all speculation, so far. Personally I’d avoid having DNA on a user-upload database, and wait and see what happens with the other kind. But global law enforcement seems eager to get as much access as it can to these databases, and we don’t yet know what future laws and policies will allow.