SALT LAKE CITY — We leave an invisible trail of it behind us everywhere we go and of late, millions of us have voluntary harvested and submitted it to find out more about who we are and where we come from.
While once only a theoretical mystery, It’s been well over a decade since the international Human Genome Project announced reaching the end of its “inward voyage of discovery,” successfully completing a project that provided the world the “ability, for the first time, to read nature’s complete genetic blueprint for building a human being.”
Since then, genomic innovations have advanced at a dramatic rate, including the development of technology that has enabled a new realm of direct-to-consumer genetic testing services that are cheap, fast and ubiquitous. Spit into a tube, send it out the door and in mere weeks you can find out the ethnic and geographic origins of your ancestors and, more personally, some pretty minute details about what physical and psychological anomalies may be coming your way.
A collateral outcome of this new volume of genetic testing are massive new databases holding troves of genetic data, veritable gateways to the most personal information about tens of millions of individuals.
Where is the line?
Now civil rights advocates are joining Utah lawmakers in the effort to establish some basic protections on this data as law enforcement and other government agencies are increasingly accessing this information as a genetic blueprint for building the perfect criminal case.
Connor Boyack, president of Utah-based libertarian public advocacy group Libertas Institute, said while the technology is a boon to amateur genealogists, the way it is being leveraged by government agencies raises concerns.
“In the past couple of years, law enforcement around the country have identified a new opportunity to use DNA to find and catch bad guys,” Boyack said. “At first blush, many might think this is an exciting new tool to catch criminals, however, when you look at it more closely, it’s actually a very profound violation of privacy.”
DNA samples harvested by local, state and federal law enforcement agencies have been in use for years via the federally managed Combined DNA Index System, but Boyack said his concerns are focused on law enforcement access to public and privately managed DNA databases. Some DNA testing services like Ancestry.com and 23andMe assert they will staunchly defend unwarranted law enforcement access while other service providers in the sphere of genetic analysis have taken markedly different stances.
DNA as a crime-fighting tool
One company, GEDMatch, is not a testing service but instead provides a platform that allows consumers who have had their DNA tested elsewhere to upload their results with the hope of connecting with unknown family members or to find out more about their DNA profiles. The company was founded nine years ago with the goal of providing a tool for amateur genealogists.
GEDMatch was acquired by San Diego-based forensic genealogy firm Verogen earlier this month but has previously made its database, which currently includes some 1.3 million samples, accessible to law enforcement. It’s a practice that’s earned the company headlines for its involvement in helping close outstanding criminal cases like that of California’s Golden State Killer, and closer to home, recently helping Clearfield police apprehend a suspect in a horrific assault case. In May, the company drastically increased restrictions on warrantless law enforcement scanning, limiting access to DNA test results from those users who have expressly issued consent for that purpose. Before that change, however, the site had reportedly been used to solve some 70 criminal cases.
Boyack said the proposal he’s been working on with stakeholders, industry experts and lawmakers would create privacy protections around consumer-side DNA databases that would require law enforcement to adhere to the particularity mandate of the Fourth Amendment.
“Our bill would allow law enforcement to take their DNA sample and run it through (Combined DNA Index System) as well as other state and local law enforcement DNA databases of known criminals,” Boyack said. “However, it would prohibit dragnet-style familial searches of consumer databases.
“If law enforcement has some blood or evidence obtained from other investigatory methods that identify ‘Bob’ is a suspect, they can get a warrant for Bob’s blood or saliva and even without a warrant collect DNA from Bob’s trash. That would still be allowed because, again, there’s a suspect. Beyond that our proposal would deny law enforcement the ability to go on fishing expeditions. No mass searching of private or public databases without an individual suspicion.”
The American Civil Liberties Union of Utah is participating in drafting the proposal and, like Libertas, has concerns centered on unfettered law enforcement access to the DNA data of millions of individuals.
“This moment in time demonstrates that we really need to try and figure out clear roles around secondary uses (of DNA data),” said Marina Lowe, the ACLU of Utah’s legislative and policy counsel. “People will submit an Ancestry test kit to find about their family’s ethnic heritage or help identify health risks in their family lineage. Law enforcement gaining access to this is a secondary use that people may not be expecting. My hope is this legislation will make that clear — if you sign up for one of these programs you’re doing so for a particular purpose and law enforcement shouldn’t have open access to information that was clearly shared for a different purpose.”
A dearth of rules when it comes to our genome
There is little in the way of existing legislation at either the state or federal level that has sought to specifically regulate how, when and where law enforcement or other government agencies can access DNA data, outside the DNA data already under their purview.
While creating bright line definitions of the circumstances under which this data can be accessed is the focus of the current and still evolving Utah proposal, there could be other ways to limit so-called fishing expeditions.
Teneille Brown is a professor at the University of Utah’s S.J. Quinney College of Law and an expert in health law and medical ethics. Brown has had a chance to review the potential Utah legislation and believes there may be other ways to bolster privacy protections as they relate to consumer DNA test data.
Brown noted that the user agreements every consumer consents to when submitting a sample for DNA testing are fungible and the ability for a company to change those agreements, whether motivated by internal policy revisions or via an acquisition or ownership change, is a point of concern.
“Law enforcement access (of consumer DNA databases) to identify relatives connected to crime scene DNA is not where I see privacy concerns,” Brown said. “What the real weak points are is the people who are uploading (DNA) snip profiles. Do they understand what that action means? They’re downloading their profile and uploading it to a service or website, but they need to be aware of and worried about the consent they’re granting. And how hard it may be to opt out later if and when that agreement changes.”
Brown explained that the owners of DNA databases could — and should — create protections for the deeper, underlying data that can reveal very personal insights about individuals. She noted law enforcement agencies can access the DNA data they need for a familial match for a criminal investigation and don’t need and shouldn’t get to see the deeper DNA information.
“The (genetic test snip) data is the genetic mutation data that could be used to make predictions about someone’s health,” Brown said. “But the cops don’t have that, and they don’t need it. GEDMatch, 23andMe and Ancestry have that raw (snip) data in their databases, and the user can download their own, if they want to, but there would be no reason to share this data with law enforcement.
“Law enforcement doesn’t need the raw data to make a match with a relative. GEDMatch’s algorithm just spits out a match, and does not share the (snip) data of the third or fourth cousin. Similarly, Ancestry’s algorithm predicts relationships and if provided by the user, could render a name. Because law enforcement does not need the (genetic snip) data itself to render a name/match to a distant relative, denying them access would just make our DNA privacy better, at very little cost to solving cold crimes.”
Utah proposal in the pipeline
While the fine-tuning of the proposal’s specific language is likely to continue, Rep. Craig Hall, R-West Valley City, said he’s set to sponsor the effort in the upcoming legislative session. Hall said he believes it is necessary to establish some statutory privacy protections when it comes to law enforcement access to DNA data.
“There are certain companies out there that do genetic testing that will strongly fight against any law enforcement searching in their database,” Hall said. “Ancestry and 23andMe, they resist searches by law enforcement. And there are some databases that are more publicly available ... and some of those individuals using those services may ‘quote-unquote consent’ to letting the government search their own DNA but the challenge with this is when one person submits their DNA, they’re not only submitting their own information, but that of their family members who not only may not have consented, but who in fact may strongly dissent.”
Hall said creating new rules to govern how an individual’s DNA data is used requires navigating the territory between appropriate law enforcement procedures and the constitutional rights of every individual.
“We all want to hold criminals accountable, but in the balancing act of privacy and due process, the mass search of genetic databases is too problematic to allow,” Hall said.