Cops Now Using Warrants To Gain Access To DNA Services' Entire Databases
from the one-affidavit-to-rule-them-all dept
Cops have discovered a new source of useful third-party records: DNA databases. Millions of people have voluntarily handed over personal information to a number of services in exchange for info on medical markers or distant family members.
Investigators are submitting DNA samples from cold cases in hopes of tracking down criminals who've managed to evade them for years. It has led to the closing of some cases, which is all agencies need to argue for continued access to DNA samples from millions of users.
Some DNA services are more protective of their customers' privacy than others. Of course, privacy protections in this context generate quite a bit of friction. For DNA databases to be useful, users must allow others to access their DNA info and expect others to do the same thing. Identifying info can be withheld, and definitely should be if users aren't interested in rebuilding a family tree. One company, however, has decided it's an unofficial arm of the law enforcement community and has involuntarily deputized its users.
When cops submit DNA seeking matches, they don't always identify themselves as law enforcement officers. Faux accounts are being used to gather matches with DNA services (and their users) unaware of the government's intrusion. Once investigators have gathered some promising hits, they reveal themselves to issue subpoenas demanding identifying info on the search results.
Things are getting even more troubling in this new Constitutional gray area. Kashmir Hill and Heather Murphy of the New York Times report law enforcement is now using warrants to force DNA services to open up their entire databases for investigators to dig through.
For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, Ancestry.com and 23andMe, have long pledged to keep their users’ genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.
Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users.
Warrants are supposed to be targeted -- seeking evidence from a location or a person clearly defined in the warrant application. When a warrant is used to allow full access to the personal info of one million users, there's clearly no targeting. Investigators may have probable cause to believe they'll find evidence of a crime by searching an entire DNA database, but all the probable cause in the world doesn't allow officers to search a million people until they find the evidence they're looking for. That's what's happening here.
The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They'll be the next targets of questionable warrants if they haven't already been hit with some.
In response to backlash following the first reports of officers anonymously submitting samples to obtain a list of suspects, DNA/genealogy companies tightened up their rules. Subpoenas now only net personal info of people who've opted into sharing their data with law enforcement. According to this report, only 185,000 of GEDmatch's 1.3 million have made that choice. That didn't sit well with this investigator, who decided he could talk a court into forcing the company to give him what he wanted.
In July, he asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective [Michael] Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.
There's a real danger here. If there's no pushback from companies and their users, law enforcement officers will be seeking the same access, effectively turning private DNA databases into law enforcement databases. On the flip side, if this does become the new normal for law enforcement, it runs the risk of burning its own source, so to speak.
Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as “Don’t rock the boat.”
The boat is already rocking. Detective Fields has shown officers the way to get what they want when private companies decide they're not just going to be field offices for government agencies. Multiple officers and detectives asked for a copy of his warrant following his talk, which means Fields' Fourth Amendment experiment is going to become boilerplate. Customers and users who thought their personal info was shielded from law enforcement probing are now finding out these protections can be undermined by a warrant targeting anyone that matches a certain DNA profile.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, database search, dna, dna databases, police, unsolved crimes, warrant
Companies: 23andme, ancestry.com, gedmatch
Reader Comments
Subscribe: RSS
View by: Time | Thread
DNA and warrants
You might find the DoJ Guidelines on DNA investigations useful here: https://www.justice.gov/olp/page/file/1204386/download
Searching a DNA database is about finding someone who may be related to a perpetrator, not about finding evidence of a crime. Serious question as to whether the 4thA protects distant cousins' DNA or against compelling them to be a witness against current or future generations, and in fact, an unknowing witness b/c a match does not get notice that their sample has been examined or is related.
[ link to this | view in thread ]
This is pretty timely (there's a sale over at ancestry.com on their DNA service) and exactly why I haven't availed myself of this service. I'm not a criminal, I'm not wanted by law enforcement anywhere for anything and I'm not likely to ever be so. But DNA, properly used, is the ultimate permanent identifier for individuals and I really don't like the idea that I could be tracked without my consent. I'll pass, thanks.
[ link to this | view in thread ]
Who needs a tatoo
Wit DNA, we can have a 1/2 full proof method of ID.
the problems really come when they dont use it properly or using enough samples.
What are the odds,m that Those incoming to our country will be First?
Then temp Visa
then Tourists..
Then why not everyone else,.
[ link to this | view in thread ]
The Fourth Amendment is dead....Long live the Police State.
Law enforcement and the government don't care that their actions may "spook users" into abandoning these websites. After all, look at the warnings that were issued over FOSTA/SESTA which were ignored, only to come back and bite them in the ass.
The ultimate goal is weaken each right, by legislation or court precedent, one by one until there is nothing left to hinder law enforcement in any way.
[ link to this | view in thread ]
If this doesn't end up at the Supreme Court eventually it will only be because the lower courts slap the warrants down on appeal.
[ link to this | view in thread ]
afaik, dna can be used to exonerate at a rather high level of confidence. Whereas the same can not be said about its match level of confidence.
[ link to this | view in thread ]
Re: DNA and warrants
Yes, it is true that your 4th amendment right doesn't protect the genetic information of your distant cousin, but their 4th amendment right does. Assuming that the distant cousin has not committed the crime they matched your DNA to, this can negatively associate an innocent relative who may not even know you well or if at all. They may not be in your geographical region. I know there is a large contingent of my family in Michigan, but I haven't seen them since I was like 3. If I had done an ancestory.com test and suddenly Detroit PD was trying to get a hold of me about a distant relation, I'd find my getting involved and becoming a person of interest in a criminal investigation a serious concern to the violation of my forth amendment rights.
There are serious questions about how these searches are conducted, and what information is retained by law enforcement that is not in connection
[ link to this | view in thread ]
I'm just happy the police are using warrants...
...for once.
Using warrants (and not shooting people for no reason, beating people for no reason, and arresting people for no reason) is all that I want from them.
The rest can be laid on the judiciary for rubber-stamping them.
[ link to this | view in thread ]
Re:
Just because you didn't do it, doesn't mean the police can't find a way to make the DNA sample they have match your DNA. For that matter, the way police handle DNA, if you stay in a hotel room and a crime is committed in that room at a later time, they have a good chance of finding your DNA and arresting you. So keep that in mind.
[ link to this | view in thread ]
Warrant
Not sure who these terminally naïve people are who thought that they could submit data to a corporation and it would somehow be immune from a search warrant, should a court issue one. No company is immune from that.
[ link to this | view in thread ]
Re: Warrant
No company is immune from that.
Except Apple. :)
Encrypt all the things.
[ link to this | view in thread ]
A quick reminder on how DNA is not 100% reliable evidence should be mentioned somewhere. There are multiple cases of DNA "evidence" turning out to point to completely unrelated individuals.
Between cases where the DNA was deposited by the police or lab workers, or even the manufacturer of the DNA collection tools... cases where the DNA was too broken and/or limited in quantity for properly targeted matches... and lots of other problems.
DNA should only be used once you already have a suspect, and even then with great caution, and definitely not to find a suspect in the first place. (DNA matching tends to return enough false positives that it's unreliable for this purpose.). But of course, that's not the opinion of some law enforcement officers who need someone to pin a crime on more than the actual perpetrator.
[ link to this | view in thread ]
Sounds like a perfect opening for an overseas-based DNA company to enter the market, perhaps from Switzerland or someplace like that where the US government and police have no authority - they could use a promo blurb like "Unlike U.S.-based companies, we aren't going to bend over to government and law enforcement demands. With us, your DNA and info aren't going anywhere you don't know about."
[ link to this | view in thread ]
Kill the Database
I still say that someone needs to organize a campaign to send in blood samples with fake names and addresses in order to poison the database, thereby rendering it useless to police.
[ link to this | view in thread ]
There's a real danger here
There is another danger and it is a danger to the DNA companys' bottom line. While I have done nothing wrong, I don't want my DNA searched by law enforcement so I'm simply not going to use a DNA service. If enough people make the same decision, their revenue will take a hit.
[ link to this | view in thread ]
Nothing to hide, nothing to fear, and your relatives will give up most of your DNA anyway.
Privacy is as dead as copyright.
[ link to this | view in thread ]
Re:
Until some foreign military takes over the country that hosts the DNA company.
[ link to this | view in thread ]
There used to be these questionnaires people forwarded by e-mail and filled out with their full name, birthday, and a lot of personal info.
Our DNA isn't very smart.
[ link to this | view in thread ]
I guess I don't understand how stupid people could have been (including my own nephew) to have not forseen the outcome of seeking DNA information from a website which was under no obligation to do or not do anything with the data. Unfortunately, in this case, the negative implications go way beyond the idiot who decided to be an idiot.
[ link to this | view in thread ]
Re: Kill the Database
[ link to this | view in thread ]
Maybe an easy solution
This might be naive, but what if these companies complied with the cops' request and provided the data - but in a format practically impossible to search?
I imagine the average cop IT dept probably ain't exactly Deepmind, so this could possibly even be done without being too malicious. 1 million user database? Sure, we have it, in freetext with no headers and random spacing / delims / etc. In exactly 37 million text files and another 52 million PDFs. With random cutoffs and every file has uses a unique carriage return.
I'm sure you can figure that out Mr Cop. Have fun searching.
[ link to this | view in thread ]
Judges, Jesters and Marsupials
The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They'll be the next targets of questionable warrants if they haven't already been hit with some.
How does casting a gigantic fishing net (large enough to search tens of millions of innocent persons) while trolling for evidence meet the requirements called out in The US Bill of Rights 4th Amendment?
Amendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
https://www.archives.gov/founding-docs/bill-of-rights-transcript
This is nothing short of an open ended police fishing expedition rubber stamped by Ninth Judicial Circuit Court of Florida marsupial court jester (ie judge) Patricia Strowbridge.
https://www.newworldencyclopedia.org/entry/Marsupial
[ link to this | view in thread ]
Exoneration
The very first use of DNA in a criminal investigation exonerated someone who had confessed to a crime.
[ link to this | view in thread ]
Re: DNA and warrants
When you turn your information over to a private third party, you have given up the constitutional protections of privacy. Law enforcement routinely gets warrants for third party databases and aggregates the findings. Whether it is cell phone data, dna or any other kind of normally private data, once you give it to a third party, the bar is very low for law enforcement to access it.
I had warned the owner of gedmatch a month ago that this was going to happen, but he was in denial. He rolled immediately when given the warrant.
So, if you do not want law enforcement to get your information, do not provide it to third parties.
[ link to this | view in thread ]
Re: Re: Kill the Database
It might be worth it if everyone says their name is Donald Trump and they live at 1600 Pennsylvania Ave.
[ link to this | view in thread ]
Isn't DNA encoding...
subject to expectation of privacy under HIPAA? Since your genome can contain markers for various health issues and predispositions, there is a medical privacy scope involved here.
Even without recent supreme court rulings that narrow the scope of the 3rd party doctrine, this warrant is shaky. Seems like another rubber-stamping by the judge without examining the particulars of the warrant. I hope the judge makes note of this article (or the NYT article) and is more diligent in the future.
[ link to this | view in thread ]
Re: Isn't DNA encoding...
Not if you supply the sample without any assurance of how the results will be used. Caveat emptor
[ link to this | view in thread ]
Time for Ancestry.com to move the database to Switzerland
[ link to this | view in thread ]
The warrant is likely defective
[ link to this | view in thread ]