As you may recall, last year police officers were able to track down a murderer through relatives in a genetic database. Now, it’s gone one step further: Police have succeeded in using warrants to gain access to genetic databases to search for suspects.
Police first started using genetic databases for law enforcement in 2015. In fact, in some cases, they started asking people for DNA samples to prove they weren’t suspects in cases.
In response to the 2018 case, genetic database companies started writing and following best-practice guidelines regarding the use of their data in law enforcement. (The agreement, however, didn’t cover GEDmatch, the open source database used by law enforcement to track down the alleged “Golden State Killer.”) Even before that, in response to the 2018 case, people started making their genetic records private.
In September, the U.S. Department of Justice issued a policy limiting searches by federal law enforcement agencies to violent crimes and DNA profiles with user consent, writes Jocelyn Kaiser in Science. But that wasn’t enough.
“What experts really worry about is that police may seek warrants to access all of GEDmatch’s data,” Tina Hesman Saey wrote – presciently, as it turns out – in Science News in June.
Now, a police officer in Florida has actually obtained a search warrant for all the records in the GEDmatch database – including those of users who had made their records private.
“A Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users,” write Kashmir Hill (who’s been writing about genetic databases since at least 2010) and Heather Murphy, in the New York Times. “Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy.”
While GEDmatch has about a million users, other genetic databases are much bigger, and now that a precedent has been set, law enforcement may go after those other databases as well, Hill and Murphy write. “DNA policy experts said the development was likely to encourage other agencies to request similar search warrants from 23andMe, which has 10 million users, and Ancestry.com, which has 15 million,” they write. “If that comes to pass, the Florida judge’s decision will affect not only the users of these sites but huge swaths of the population, including those who have never taken a DNA test. That’s because this emerging forensic technique makes it possible to identify a DNA profile even through distant family relationships.”
If GEDmatch isn’t very big, why did law enforcement professionals start there? Because GEDmatch is open source and was easiest to access, they add. (In fact, for the 2018 case, police didn’t even alert GEDmatch they were doing so.)
That said, one researcher was surprised that GEDmatch didn’t fight back against the warrant, and felt that bigger genetic database companies would probably protest such warrants more strongly.
And, in fact, 23andMe did write a blog post saying it would fight such warrants. “If we had received a warrant, we would use every legal remedy possible,” writes Kathy Hibbs, the company’s chief legal and regulatory officer.
But not even that might help, Kaiser writes, quoting Natalie Ram, a law professor at the University of Maryland’s Carey School of Law in Baltimore.
“It’s not clear whether the DNA company or a criminal defendant would have the right kind of interest in the DNA and privacy rights at issue to even be able to challenge the warrant effectively. (That is, it’s not clear either has ‘standing’),” Ram says. “So, we might discover that this is a situation in which, as a practical matter, there is no one who can effectively challenge this warrant. And that’s not a good place for the law to be.”
What makes that an issue? “Last year, researchers calculated that a database of about 3 million people would allow for the identification of virtually any American of European descent,” Saey writes. With access to those two companies’ databases, law enforcement would be solving cases every day, she quotes one genetic genealogist as saying.
Moreover, at around the same time, a University of Washington study found that genetic databases were subject to fraud. In other words, it was possible to create a fake person who was related to a real person.
“Researchers at the University of Washington have found that GEDmatch is vulnerable to multiple kinds of security risks,” writes Sarah McQuate for UW News. “An adversary can use only a small number of comparisons to extract someone’s sensitive genetic markers.”
How many? Just 20 – and it would take about ten seconds to do, she writes.
“The team played a game of 20 questions: They created 20 extraction profiles that they used for one-to-one comparisons on a target profile that they created,” McQuate writes. “Based on how the pixel colors changed, they were able to pull out information about the target sequence. For five test profiles, the researchers extracted about 92% of a test’s unique sequences with about 98% accuracy.”
It doesn’t stop there. “A malicious user could also construct a fake genetic profile to impersonate someone’s relative,” McQuate writes. “Once someone’s profile is exposed, the adversary can use that information to create a profile for a false relative. The team tested this by creating a fake child for one of their experimental profiles. Because children receive half their DNA from each parent, the fake child’s profile had their DNA sequences half matching the parent profile. When the researchers did a one-to-one comparison of the two profiles, GEDmatch estimated a parent-child relationship. An adversary could generate any false relationship they wanted by changing the fraction of shared DNA.”
Now, put those two things together. Will we have police creating fake relatives to justify gaining access to the DNA records of real suspects? The September policy is supposed to forbid that, but it applies only to federal searches, Kaiser writes.