No One Is Safeguarding Your DNA
(Bloomberg Businessweek) -- The growing popularity of consumer DNA testing has helped law enforcement make arrests in decades-old crimes that would otherwise have remained cold cases. That may not be entirely good news for the rest of us, because using the technology to trace DNA to suspected criminals requires police to use a whole lot of other people’s genetic data, too. Like cell phone data a decade ago, it’s hard to say how all this information might be employed in the future. Imagine drug companies using it to target ads, life insurers using vast networks of relatedness to determine risk, or a scorned ex-lover employing the technique in some very 21st century stalking.
Millions of U.S. consumers are paying genetic testing companies to analyze their spit, and the data of at least two leading genealogy websites are now accessible to law enforcement. Yaniv Erlich, a Columbia professor who’s the chief science officer at DNA testing company MyHeritage, estimates that only 2 percent of people with European ancestry—the majority of DNA testing customers—might need to share their data to identify samples from the other 98 percent. At this point, there’s little hope of keeping such information private, so experts are advocating for measures to protect it, such as the creation of one giant, central DNA database to which access could theoretically be controlled and regulated. “There is no absolute protection anymore for anyone’s data, genetic or not,” says Barbara Prainsack, a political scientist who studies ethics in forensics and life sciences at the University of Vienna.
The true power of genetic information, Prainsack says, is realized in conjunction with other online data culled from, say, public records and social networks. That became apparent last year, when police arrested a man they suspect to be the Golden State Killer based on profiles of his distant cousins on a mostly free genealogy website called GEDmatch. The suspect didn’t have to share his data: Investigators uploaded crime scene DNA and looked to see whose family bloodline matched it, then used other sources to help build those people’s family trees until they reached the suspect, whose background matched other relevant details.
GEDmatch has about 1 million users. In late January news broke that a second website, FamilyTreeDNA, opened its doors to law enforcement last year. FamilyTreeDNA’s cooperation with investigators roughly doubles the number of genetic profiles cops may use. With access to some 2 million people’s genetic data, investigators could potentially identify hundreds of millions more people from their DNA samples, using tactics like those employed in the Golden State Killer case.
The larger these databases become, the greater the potential for abuse. Once enough people share their information, it doesn’t matter how rigorously everyone else attempts to protect their privacy. That’s why controlling access may now be the only real option, says James Hazel, a researcher at the Center for Genetic Privacy and Identity in Community Settings at Vanderbilt University Medical Center in Nashville. “The recent revelations surrounding FamilyTreeDNA, coupled with law enforcement’s increasing reliance on public resources like GEDmatch, demonstrate that we continue to move closer to an underregulated, de facto universal database,” he says.
Law enforcement, of course, has already long had access to its own database of DNA from criminals, and sometimes police turn to it to help solve new crimes, checking to see if the DNA of an unknown suspect matches that of any relatives already in the system. Several states have strict laws governing this practice. Maryland and the District of Columbia have forbidden such searches altogether. But while government DNA databases have rules for who may access them and for what reasons, the consumer space is a genetic Wild West. The only rules are in each company’s terms of service. Even then, there may be little a company can realistically do to keep law enforcement agencies—or anyone else—from using its service however they like.
FamilyTreeDNA may have found itself in this situation. Although most genetic testing companies don’t let users upload genetic data from outside sources, FamilyTreeDNA does. Police could have easily made use of its database without the company’s explicit permission. “We have recognized this reality and believe it is our responsibility to give guidance to law enforcement as to how they can do their jobs effectively, without violating the privacy and confidentiality of our customers, while at the same time not deter them from the work they do to protect society from violent criminals,” Chief Executive Officer Bennett Greenspan said in a statement. GEDmatch founder Curtis Rogers says the use of this kind of DNA data requires a new conception of forensic privacy.
Laura Hercher, a genetic counselor and researcher at Sarah Lawrence College, says dictating the terms of access shouldn’t be left up to companies, and that new laws are needed to make such searches illegal except in rare circumstances. “We would create limits that would be analogous to search warrants and restrict access to law enforcement,” she says. “It’s a great way to catch serial killers, but less savory uses are easily imagined.”
To that end, in January, Maryland state legislator Charles Sydnor, a Democrat, proposed a bill to ban police use of DNA databases, calling such use an overreach of authority. Maryland has led on genetic privacy matters in the past, and other states may follow suit. So far, though, even the rules that govern state DNA databases vary widely. California, for example, has very strict criteria, only allowing police to turn to familial searching once all other options have been exhausted. But many government DNA databases have no rules at all.
In the wake of the Golden State case, Hazel and other researchers at Vanderbilt suggested the establishment of a nationwide DNA database that could establish a higher floor for privacy protections. Access to such a database would be heavily limited, they say, though they acknowledge the challenges of implementation. And it could contain a more limited set of genetic information than the data that can now be culled from consumer testing reports, allowing investigators to solve crimes without snooping quite so much on people who might simply be a suspect’s distant relative.
“Law enforcement already has potential access to the genetic information of a large segment of the population, either directly or through a relative,” Hazel says. “There is an urgent need for additional regulation of government access to the genetic information housed in public and private DNA databases.”
To contact the editor responsible for this story: Jeff Muskus at firstname.lastname@example.org, Rick Schine
©2019 Bloomberg L.P.