A warrant to search GEDmatch’s genetic data sparks privacy concerns

A Florida state judge has reportedly allowed police to search the entirety of the public genealogy website GEDmatch — home to the DNA profiles of more than a million Americans. The decision, the first of its kind, has alarmed some legal experts and sparked fears that similar searches will be sanctioned at genetic testing giants, like 23andMe and AncestryDNA.

A detective with the Orlando Police Department had petitioned a judge in July to circumvent GEDmatch’s privacy protections so he could compare genetic samples from a series of rapes with DNA profiles in the database, the New York Times reported on November 5. This technique, called forensic genetic genealogy, uses closely matching profiles to build family trees and identify suspects (SN: 6/7/18). Since its 2018 debut, such DNA sleuthing has resulted in criminal charges being filed against dozens of suspects.

In May, GEDmatch updated its privacy settings so users’ DNA profiles were no longer accessible to law enforcement by default. That policy change followed public outcry after the company granted police in Utah access to the database without informing users. Experts warned that the move could lead to police writing warrants to access all data from GEDmatch (SN: 6/10/19), and being granted that access by courts.

Now that day has arrived. The judge’s order is “a huge game changer,” law professor Erin Murphy, of New York University, is quoted by the Times as saying. “The company made a decision to keep law enforcement out, and that’s been overridden by a court. It’s a signal that no genetic information can be safe.”

Science News spoke with lawyer and bioethicist Kayte Spector-Bagdady of the University of Michigan in Ann Arbor about the decision’s implications for genetic privacy.

Does the decision mean law enforcement can access anyone’s genetic data?

The search warrant issued by the judge gives only Orlando law enforcement access to all of GEDmatch’s genetic data. Other agencies would have to seek their own warrants for their own access, Spector-Bagdady says. Florida detectives are “presumably pursing a crime committed in their county, but they are fishing a database with a wider reach, accessing data from people across the country,” she says.

The decision doesn’t affect private direct-to-consumer DNA services, such as 23andMe and AncestryDNA, which have many more people’s DNA in their databases than GEDmatch. AncestryDNA, for example, has more than 15 million people’s DNA in its database; 23andMe has more than 10 million customers. 

What does this warrant mean for other genetic testing companies?

“It doesn’t set much of a precedent,” Spector-Bagdady says. Police might be able to get more of these types of warrants. But “companies still have the right to challenge warrants in court. When the 9th Judicial Circuit Court of Florida tells a large national company to do something that they don’t want to do, the company generally appeals,” she says. GEDmatch didn’t do that.

“I’m stunned that they rolled over so quickly,” she says. “I hope the much larger genetic testing companies would fight a warrant harder than GEDmatch has.”

In reaction to the news, 23andMe reaffirmed the company’s stance on protecting customer privacy, noting in a blog post that it “would use every legal remedy possible” to fight similar warrants. There might come a day when a private genetic testing company loses an appeal, Spector-Bagdady says, validating large-scale searches as a method of investigation. “But we are not there yet.”

What can people do to protect their genetic privacy?

“Individuals don’t have much recourse,” Spector-Bagdady says. Those who’ve had their DNA tested by a company can request to have their data removed from its databases. But there’s no guarantee that all of that data will be erased (SN: 6/5/18).

People who haven’t had their DNA tested could also be affected (SN: 10/12/18). “The likelihood that someone you’re related to having done genetic testing is astronomical,” she says. “If you’re white, recent research has found that there’s a 60 percent chance that you can be identified through relatives in these databases. The number will only continue to grow over the coming years,” as more genetic profiles are added to databases.

Spector-Bagdady notes that the best way to resolve privacy concerns in the United States would be through federal and state policy changes. Some states, such as Maryland, are already working on legislation that would ban police searches of genetic genealogy databases. “It’s not time to panic yet,” she says. “But this is a really important conversation to have before it’s too late.”

Read more here: Source link