Cops Now Using Warrants To Gain Access To DNA Services' Entire Databases

from the one-affidavit-to-rule-them-all dept

Cops have discovered a new source of useful third-party records: DNA databases. Millions of people have voluntarily handed over personal information to a number of services in exchange for info on medical markers or distant family members.

Investigators are submitting DNA samples from cold cases in hopes of tracking down criminals who've managed to evade them for years. It has led to the closing of some cases, which is all agencies need to argue for continued access to DNA samples from millions of users.

Some DNA services are more protective of their customers' privacy than others. Of course, privacy protections in this context generate quite a bit of friction. For DNA databases to be useful, users must allow others to access their DNA info and expect others to do the same thing. Identifying info can be withheld, and definitely should be if users aren't interested in rebuilding a family tree. One company, however, has decided it's an unofficial arm of the law enforcement community and has involuntarily deputized its users.

When cops submit DNA seeking matches, they don't always identify themselves as law enforcement officers. Faux accounts are being used to gather matches with DNA services (and their users) unaware of the government's intrusion. Once investigators have gathered some promising hits, they reveal themselves to issue subpoenas demanding identifying info on the search results.

Things are getting even more troubling in this new Constitutional gray area. Kashmir Hill and Heather Murphy of the New York Times report law enforcement is now using warrants to force DNA services to open up their entire databases for investigators to dig through.

For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, Ancestry.com and 23andMe, have long pledged to keep their users’ genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.

Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users.

Warrants are supposed to be targeted -- seeking evidence from a location or a person clearly defined in the warrant application. When a warrant is used to allow full access to the personal info of one million users, there's clearly no targeting. Investigators may have probable cause to believe they'll find evidence of a crime by searching an entire DNA database, but all the probable cause in the world doesn't allow officers to search a million people until they find the evidence they're looking for. That's what's happening here.

The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They'll be the next targets of questionable warrants if they haven't already been hit with some.

In response to backlash following the first reports of officers anonymously submitting samples to obtain a list of suspects, DNA/genealogy companies tightened up their rules. Subpoenas now only net personal info of people who've opted into sharing their data with law enforcement. According to this report, only 185,000 of GEDmatch's 1.3 million have made that choice. That didn't sit well with this investigator, who decided he could talk a court into forcing the company to give him what he wanted.

In July, he asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective [Michael] Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.

There's a real danger here. If there's no pushback from companies and their users, law enforcement officers will be seeking the same access, effectively turning private DNA databases into law enforcement databases. On the flip side, if this does become the new normal for law enforcement, it runs the risk of burning its own source, so to speak.

Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as “Don’t rock the boat.”

The boat is already rocking. Detective Fields has shown officers the way to get what they want when private companies decide they're not just going to be field offices for government agencies. Multiple officers and detectives asked for a copy of his warrant following his talk, which means Fields' Fourth Amendment experiment is going to become boilerplate. Customers and users who thought their personal info was shielded from law enforcement probing are now finding out these protections can be undermined by a warrant targeting anyone that matches a certain DNA profile.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, database search, dna, dna databases, police, unsolved crimes, warrant
Companies: 23andme, ancestry.com, gedmatch


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    A. Gidari, 6 Nov 2019 @ 11:04am

    DNA and warrants

    You might find the DoJ Guidelines on DNA investigations useful here: https://www.justice.gov/olp/page/file/1204386/download

    Searching a DNA database is about finding someone who may be related to a perpetrator, not about finding evidence of a crime. Serious question as to whether the 4thA protects distant cousins' DNA or against compelling them to be a witness against current or future generations, and in fact, an unknowing witness b/c a match does not get notice that their sample has been examined or is related.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 6 Nov 2019 @ 11:05am

    This is pretty timely (there's a sale over at ancestry.com on their DNA service) and exactly why I haven't availed myself of this service. I'm not a criminal, I'm not wanted by law enforcement anywhere for anything and I'm not likely to ever be so. But DNA, properly used, is the ultimate permanent identifier for individuals and I really don't like the idea that I could be tracked without my consent. I'll pass, thanks.

    link to this | view in thread ]

  3. icon
    ECA (profile), 6 Nov 2019 @ 11:21am

    Who needs a tatoo

    Wit DNA, we can have a 1/2 full proof method of ID.
    the problems really come when they dont use it properly or using enough samples.

    What are the odds,m that Those incoming to our country will be First?
    Then temp Visa
    then Tourists..
    Then why not everyone else,.

    link to this | view in thread ]

  4. icon
    Norahc (profile), 6 Nov 2019 @ 11:23am

    The Fourth Amendment is dead....Long live the Police State.

    Law enforcement and the government don't care that their actions may "spook users" into abandoning these websites. After all, look at the warnings that were issued over FOSTA/SESTA which were ignored, only to come back and bite them in the ass.

    The ultimate goal is weaken each right, by legislation or court precedent, one by one until there is nothing left to hinder law enforcement in any way.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 6 Nov 2019 @ 11:32am

    If this doesn't end up at the Supreme Court eventually it will only be because the lower courts slap the warrants down on appeal.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 6 Nov 2019 @ 11:35am

    afaik, dna can be used to exonerate at a rather high level of confidence. Whereas the same can not be said about its match level of confidence.

    link to this | view in thread ]

  7. icon
    James Burkhardt (profile), 6 Nov 2019 @ 11:43am

    Re: DNA and warrants

    Yes, it is true that your 4th amendment right doesn't protect the genetic information of your distant cousin, but their 4th amendment right does. Assuming that the distant cousin has not committed the crime they matched your DNA to, this can negatively associate an innocent relative who may not even know you well or if at all. They may not be in your geographical region. I know there is a large contingent of my family in Michigan, but I haven't seen them since I was like 3. If I had done an ancestory.com test and suddenly Detroit PD was trying to get a hold of me about a distant relation, I'd find my getting involved and becoming a person of interest in a criminal investigation a serious concern to the violation of my forth amendment rights.

    There are serious questions about how these searches are conducted, and what information is retained by law enforcement that is not in connection

    link to this | view in thread ]

  8. identicon
    Sharur, 6 Nov 2019 @ 11:48am

    I'm just happy the police are using warrants...

    ...for once.

    Using warrants (and not shooting people for no reason, beating people for no reason, and arresting people for no reason) is all that I want from them.

    The rest can be laid on the judiciary for rubber-stamping them.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 6 Nov 2019 @ 11:52am

    Re:

    Just because you didn't do it, doesn't mean the police can't find a way to make the DNA sample they have match your DNA. For that matter, the way police handle DNA, if you stay in a hotel room and a crime is committed in that room at a later time, they have a good chance of finding your DNA and arresting you. So keep that in mind.

    link to this | view in thread ]

  10. icon
    btr1701 (profile), 6 Nov 2019 @ 11:54am

    Warrant

    Customers and users who thought their personal info was shielded from law enforcement probing are now finding out these protections can be undermined by a warrant

    Not sure who these terminally naïve people are who thought that they could submit data to a corporation and it would somehow be immune from a search warrant, should a court issue one. No company is immune from that.

    link to this | view in thread ]

  11. icon
    Gary (profile), 6 Nov 2019 @ 12:03pm

    Re: Warrant

    No company is immune from that.

    Except Apple. :)

    Encrypt all the things.

    link to this | view in thread ]

  12. icon
    Wyrm (profile), 6 Nov 2019 @ 12:05pm

    A quick reminder on how DNA is not 100% reliable evidence should be mentioned somewhere. There are multiple cases of DNA "evidence" turning out to point to completely unrelated individuals.
    Between cases where the DNA was deposited by the police or lab workers, or even the manufacturer of the DNA collection tools... cases where the DNA was too broken and/or limited in quantity for properly targeted matches... and lots of other problems.
    DNA should only be used once you already have a suspect, and even then with great caution, and definitely not to find a suspect in the first place. (DNA matching tends to return enough false positives that it's unreliable for this purpose.). But of course, that's not the opinion of some law enforcement officers who need someone to pin a crime on more than the actual perpetrator.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 6 Nov 2019 @ 12:22pm

    Sounds like a perfect opening for an overseas-based DNA company to enter the market, perhaps from Switzerland or someplace like that where the US government and police have no authority - they could use a promo blurb like "Unlike U.S.-based companies, we aren't going to bend over to government and law enforcement demands. With us, your DNA and info aren't going anywhere you don't know about."

    link to this | view in thread ]

  14. icon
    Koby (profile), 6 Nov 2019 @ 12:26pm

    Kill the Database

    I still say that someone needs to organize a campaign to send in blood samples with fake names and addresses in order to poison the database, thereby rendering it useless to police.

    link to this | view in thread ]

  15. identicon
    Professor Ronny, 6 Nov 2019 @ 12:52pm

    There's a real danger here

    There's a real danger here.

    There is another danger and it is a danger to the DNA companys' bottom line. While I have done nothing wrong, I don't want my DNA searched by law enforcement so I'm simply not going to use a DNA service. If enough people make the same decision, their revenue will take a hit.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 6 Nov 2019 @ 1:15pm

    Nothing to hide, nothing to fear, and your relatives will give up most of your DNA anyway.

    Privacy is as dead as copyright.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 6 Nov 2019 @ 1:16pm

    Re:

    Until some foreign military takes over the country that hosts the DNA company.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 6 Nov 2019 @ 1:18pm

    There used to be these questionnaires people forwarded by e-mail and filled out with their full name, birthday, and a lot of personal info.

    Our DNA isn't very smart.

    link to this | view in thread ]

  19. identicon
    bobob, 6 Nov 2019 @ 1:35pm

    I guess I don't understand how stupid people could have been (including my own nephew) to have not forseen the outcome of seeking DNA information from a website which was under no obligation to do or not do anything with the data. Unfortunately, in this case, the negative implications go way beyond the idiot who decided to be an idiot.

    link to this | view in thread ]

  20. identicon
    jonson mcbig, 6 Nov 2019 @ 1:43pm

    Re: Kill the Database

    this doesn't make sense, also you don't send them blood also you would have to pay them 100 per time you wanted to send them your spit. so it wouldn't be a very cost effective approach as opposed to arson or something else.

    link to this | view in thread ]

  21. icon
    mephistophocles (profile), 6 Nov 2019 @ 2:52pm

    Maybe an easy solution

    This might be naive, but what if these companies complied with the cops' request and provided the data - but in a format practically impossible to search?

    I imagine the average cop IT dept probably ain't exactly Deepmind, so this could possibly even be done without being too malicious. 1 million user database? Sure, we have it, in freetext with no headers and random spacing / delims / etc. In exactly 37 million text files and another 52 million PDFs. With random cutoffs and every file has uses a unique carriage return.

    I'm sure you can figure that out Mr Cop. Have fun searching.

    link to this | view in thread ]

  22. identicon
    Personanongrata, 6 Nov 2019 @ 3:02pm

    Judges, Jesters and Marsupials

    The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They'll be the next targets of questionable warrants if they haven't already been hit with some.

    How does casting a gigantic fishing net (large enough to search tens of millions of innocent persons) while trolling for evidence meet the requirements called out in The US Bill of Rights 4th Amendment?

    Amendment IV

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    https://www.archives.gov/founding-docs/bill-of-rights-transcript

    This is nothing short of an open ended police fishing expedition rubber stamped by Ninth Judicial Circuit Court of Florida marsupial court jester (ie judge) Patricia Strowbridge.

    https://www.newworldencyclopedia.org/entry/Marsupial

    link to this | view in thread ]

  23. identicon
    Whoever, 6 Nov 2019 @ 3:22pm

    Exoneration

    afaik, dna can be used to exonerate at a rather high level of confidence.

    The very first use of DNA in a criminal investigation exonerated someone who had confessed to a crime.

    link to this | view in thread ]

  24. identicon
    Michael Grimes, 6 Nov 2019 @ 5:01pm

    Re: DNA and warrants

    When you turn your information over to a private third party, you have given up the constitutional protections of privacy. Law enforcement routinely gets warrants for third party databases and aggregates the findings. Whether it is cell phone data, dna or any other kind of normally private data, once you give it to a third party, the bar is very low for law enforcement to access it.

    I had warned the owner of gedmatch a month ago that this was going to happen, but he was in denial. He rolled immediately when given the warrant.

    So, if you do not want law enforcement to get your information, do not provide it to third parties.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 6 Nov 2019 @ 5:07pm

    Re: Re: Kill the Database

    It might be worth it if everyone says their name is Donald Trump and they live at 1600 Pennsylvania Ave.

    link to this | view in thread ]

  26. identicon
    Bruce C., 7 Nov 2019 @ 1:53am

    Isn't DNA encoding...

    subject to expectation of privacy under HIPAA? Since your genome can contain markers for various health issues and predispositions, there is a medical privacy scope involved here.

    Even without recent supreme court rulings that narrow the scope of the 3rd party doctrine, this warrant is shaky. Seems like another rubber-stamping by the judge without examining the particulars of the warrant. I hope the judge makes note of this article (or the NYT article) and is more diligent in the future.

    link to this | view in thread ]

  27. identicon
    bobob, 7 Nov 2019 @ 12:46pm

    Re: Isn't DNA encoding...

    Not if you supply the sample without any assurance of how the results will be used. Caveat emptor

    link to this | view in thread ]

  28. identicon
    Dyspeptic-Curmudgeon, 12 Nov 2019 @ 2:18pm

    Time for Ancestry.com to move the database to Switzerland

    If (big IF) ancestry.com wants to avoid being sued, it is time for them to sell the database side of the business to a parallel entity based in say, Switzerland. So the testing can be carried out here, but the data resides elsewhere under the control of a completely different set of individuals. Which persons deal individually with the sample providing customers. Making the DNA testing portion merely a service. If ancestry.com USA *holds* no data, it cannot respond to a warrant. And the Swiss corp will not either!

    link to this | view in thread ]

  29. identicon
    Dyspeptic-Curmudgeon, 12 Nov 2019 @ 2:26pm

    The warrant is likely defective

    From my meager reading of US 4th Amendment law, I understood that a warrant can only be obtained where the place to e searched is expected to contain *evidence of a crime*. Seems to me that a DNA database almost by definition could not contain evidence of a crime. And there is no actual evidence that the suspected perpetrator's DNA is contained in the database. The warrant does not ask for Joe Perp's DNA, it asks for matches to unknown Joe Perp's DNA, some of whom are not Joe Perp. Anyone know more about this aspect of 4thAM law??

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.