There must be some sort of Murphy’s Law that when a database reaches a certain size, law enforcement is going to want to get their hands on it.
We’ve seen this recently with 23andme, a database of information compiled through voluntarily offered genetic material (spit, actually), which recently hit a million users.
If you don’t remember 23andme, they made headlines in 2007 by offering people the chance to test their genetics for susceptibility for a number of various diseases, as well as look at their ancestry. People who couldn’t resist the opportunity to find out just what percentage of Neanderthal they had were soon coughing up $99 for the chance to spit at these people and, in the process, find out what weaknesses their flesh might be heir to.
This, however, caught the attention of the U.S. Food and Drug Administration, which declared in 2013 that the company was offering tests that the FDA hadn’t approved, and the company pulled the test kits off the market.
The kits were still available for ancestral testing, though, and people continued to submit their genetic material, albeit more slowly. While the company had 500,000 subscribers by 2013, it took until this year to hit a million, according to the New York Times.
That’s when the cops started getting interested.
It’s not unusual for police officers to obtain DNA evidence at crime scenes. And here was a database of a million people’s DNA. Did the police really think that criminals were coincidentally also having their ancestries tested? No, but certain components of DNA are passed down through the father and mother. It could happen that a relative of a criminal would be tested and in the database, which would help narrow down the search.
“People who submitted genetic samples for reasons of health, curiosity, or to advance science could now end up in a genetic line-up of criminal suspects,” writes Kashmir Hill in Fusion. “If you’re a cop trying to solve a crime, and you have DNA at your disposal, you’re going to want to use it to further your investigation. But the fact that your signing up for 23andMe or Ancestry.com means that you and all of your current and future family members could become genetic criminal suspects is not something most users probably have in mind when trying to find out where their ancestors came from.”
Hill has been on the forefront of this issue; as long ago as 2010, she was warning in Forbes about the possibility. “How far should law enforcement be allowed to go?” she wrote then. “Should prosecutors be allowed to subpoena a company’s DNA database of thousands of people if they suspect it contains a match to a crime suspect?”
The problem is, such genetic testing isn’t foolproof; among other things, someone could be adopted, illegitimate, or cuckolded, and never know it. That may be what happened in one case earlier this year, when police officials used a similar database, operated by Ancestry.com, to compare it with DNA material from a crime scene. (Ancestry.com has since taken the database down, Hill writes.) Police then looked up all the relatives of the person in the database who matched, found a likely prospect, and got him to submit a DNA sample – which ended up exonerating the person, but still.
Meanwhile, 23andme and Ancestry.com come right out and says they’ll cooperate with law enforcement when served with a warrant. And they don’t really have any choice. Since they’re not doctors, Health Insurance Portability and Accountability Act (HIPAA) and other laws that could protect people don’t play into it.
This concerns a number of civil liberties organizations, such as the Electronic Frontier Foundation. “if the cops can access private databases—especially private databases like Ancestry.com and 23 and Me that collect matrilineal and patrilineal markers—everyone’s risk increases,” the organization writes. “People should be able to learn about their ancestors and relatives and about possible risks for genetic diseases without fear that their data will be shared with the cops without their consent.”
“Civil liberties groups have called for laws that would prohibit the use of private genetic databases for law enforcement purposes, but until one comes into existence, the only thing standing between police and the spit you send to a private DNA company is the company’s lawyers,” Hill writes.
What 23andme is doing, like companies such as Facebook and Google, is hiring a privacy officer and publishing a quarterly government transparency report that tracks how many such requests it gets. It just published its first report, which notes that it’s had five requests. It will be interesting to see how it trends; similar reports from other vendors have shown sharp increases over time.
Interestingly, just a week after news got out about police requesting the data, the FDA decided to give 23andme permission to once again offer the genetic tests, meaning it will be able to collect even more data. (Not to mention, that knocked all the stories about police access to the database off the front page as well.) Is it getting too much into black helicopter territory to wonder whether law enforcement agencies asked the FDA to lay off of 23andme so that it could help them do their jobs?