Two States Pass Laws Limiting Law Enforcement Access To Private DNA Services

from the catching-up-with-the-cops-who-have-already-caught-up-with-the-tech dept

One of the more recent opportunities for law enforcement in the Third Party Doctrine space has been DNA databases. A number of companies offer on-demand DNA testing, allowing users to check themselves for potential markers that could indicate susceptibility to diseases or just to figure out where they fit in in the world by linking them to distant relatives they may not be aware of.

Since users are sharing this potentially-sensitive info with DNA companies and other users, law enforcement illogically thought they wouldn't mind sharing it with cops. At least one company believed this as well, informally deputizing its user base as involuntary providers of DNA evidence.

A whole lot of Wild Westing ensued. Some investigators used subpoenas, believing it was third party data that carried no expectation of privacy. Others used warrants, but used them to access the entire contents of third party DNA databases. Cops even created fake accounts to upload DNA samples to find matches in cases that had gone cold.

This mostly-voluntary patchwork of legal paperwork/legal theories is now being codified into something coherent and subject to at least some judicial oversight. As the New York Times reports, two states have recently passed laws governing the use of private companies' DNA databases by law enforcement.

Beginning on Oct. 1, investigators working on Maryland cases will need a judge’s signoff before using the method, in which a “profile” of thousands of DNA markers from a crime scene is uploaded to genealogy websites to find relatives of the culprit. The new law, sponsored by Democratic lawmakers, also dictates that the technique be used only for serious crimes, such as murder and sexual assault. And it states that investigators may only use websites with strict policies around user consent.

Montana’s new law, sponsored by a Republican, is narrower, requiring that government investigators obtain a search warrant before using a consumer DNA database, unless the consumer has waived the right to privacy.

The Maryland law is obviously the stronger of the two. It would steer investigators away from more law enforcement-receptive sites like FamilyTreeDNA, which opts users into sharing information with law enforcement by default. It would also prevent investigators from creating fake accounts to perform DNA searches, unless specifically approved by a judge.

It also mandates destruction of information obtained from DNA databases at the conclusion of investigations. And, perhaps most importantly, it forces investigators to utilize the government-owned DNA database (Codis) before approaching private third parties.

The Montana law is better than nothing, but it still needs more work. While it does erect a warrant provision, it allows that to be waived if the "consumer" consents to the search. Given that most databases attempt to link people by DNA, consent given by one person has the potential to subject lots of other people to searches they never agreed to.

But these are both positive steps. Just another 48 states to go. The relentless advance of technology often has cops claiming they're being left behind, outpaced by criminal early adopters. But the opposite is more often true. Law enforcement moves quickly to take advantage of new tech, rushing out ahead of court precedent and legislation to exploit tech advances legislators could never have anticipated. And when the loopholes begin closing, law enforcement will switch back to complaining about the "loss" of its lawless spaces. For now, two states are better protected than the rest of the nation. Hopefully, more legislatures will recognize this is an issue they can no longer ignore.

Filed Under: dna, dna databases, maryland, montana, third party doctrine

Cops Now Using Warrants To Gain Access To DNA Services' Entire Databases

from the one-affidavit-to-rule-them-all dept

Cops have discovered a new source of useful third-party records: DNA databases. Millions of people have voluntarily handed over personal information to a number of services in exchange for info on medical markers or distant family members.

Investigators are submitting DNA samples from cold cases in hopes of tracking down criminals who've managed to evade them for years. It has led to the closing of some cases, which is all agencies need to argue for continued access to DNA samples from millions of users.

Some DNA services are more protective of their customers' privacy than others. Of course, privacy protections in this context generate quite a bit of friction. For DNA databases to be useful, users must allow others to access their DNA info and expect others to do the same thing. Identifying info can be withheld, and definitely should be if users aren't interested in rebuilding a family tree. One company, however, has decided it's an unofficial arm of the law enforcement community and has involuntarily deputized its users.

When cops submit DNA seeking matches, they don't always identify themselves as law enforcement officers. Faux accounts are being used to gather matches with DNA services (and their users) unaware of the government's intrusion. Once investigators have gathered some promising hits, they reveal themselves to issue subpoenas demanding identifying info on the search results.

Things are getting even more troubling in this new Constitutional gray area. Kashmir Hill and Heather Murphy of the New York Times report law enforcement is now using warrants to force DNA services to open up their entire databases for investigators to dig through.

For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, Ancestry.com and 23andMe, have long pledged to keep their users’ genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.

Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users.

Warrants are supposed to be targeted -- seeking evidence from a location or a person clearly defined in the warrant application. When a warrant is used to allow full access to the personal info of one million users, there's clearly no targeting. Investigators may have probable cause to believe they'll find evidence of a crime by searching an entire DNA database, but all the probable cause in the world doesn't allow officers to search a million people until they find the evidence they're looking for. That's what's happening here.

The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They'll be the next targets of questionable warrants if they haven't already been hit with some.

In response to backlash following the first reports of officers anonymously submitting samples to obtain a list of suspects, DNA/genealogy companies tightened up their rules. Subpoenas now only net personal info of people who've opted into sharing their data with law enforcement. According to this report, only 185,000 of GEDmatch's 1.3 million have made that choice. That didn't sit well with this investigator, who decided he could talk a court into forcing the company to give him what he wanted.

In July, he asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective [Michael] Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.

There's a real danger here. If there's no pushback from companies and their users, law enforcement officers will be seeking the same access, effectively turning private DNA databases into law enforcement databases. On the flip side, if this does become the new normal for law enforcement, it runs the risk of burning its own source, so to speak.

Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as “Don’t rock the boat.”

The boat is already rocking. Detective Fields has shown officers the way to get what they want when private companies decide they're not just going to be field offices for government agencies. Multiple officers and detectives asked for a copy of his warrant following his talk, which means Fields' Fourth Amendment experiment is going to become boilerplate. Customers and users who thought their personal info was shielded from law enforcement probing are now finding out these protections can be undermined by a warrant targeting anyone that matches a certain DNA profile.

Filed Under: 4th amendment, database search, dna, dna databases, police, unsolved crimes, warrant
Companies: 23andme, ancestry.com, gedmatch