Washington University Law Review Online - Law Review at ...

Washington University
        Law Review Online
VOLUME 98                                                                                   2020

   COLD CASES FREEZE: LAW ENFORCEMENT
   LOCKED OUT OF DNA DATABASE USED FOR
      INVESTIGATIVE GENEALOGY AFTER
    CONSUMERS OBJECT TO BEING GENETIC
               INFORMANTS
                                   NANCI K. CARR*

                                         ABSTRACT

    California’s infamous Golden State Killer, Joseph James DeAngelo, a
serial killer and rapist, committed a string of crimes during the 1970s and
1980s, and avoided capture for more than 40 years until genetic data
available online led to his arrest. His capture caused users of popular
testing services such as Ancestry and 23andMe to question whether their
genetic data was freely available to police investigators. By using one of
these services to learn about their great-grandparents, users may not want
law enforcement to use their data to solve a cold case involving one of their
living relatives. To prevent that, GEDmatch, a free website for sharing DNA
profiles, changed its terms of service and locked out law enforcement unless
consumers agreed to permit access to their profiles. Does the value to
society of solving the cold case outweigh any privacy issues of the consumer
using the testing service? Should control over these decisions rest with a
testing service that can change its terms of service on a whim?

    *      Nanci K. Carr is an Assistant Professor of Business Law at California State University,
Northridge (“CSUN”). J.D., cum laude, Southwestern Law School; B.S., Business Administration, Ball
State University. Thanks to research assistant Angeline Gomez, CSUN Class of 2019.


                              TABLE OF CONTENTS
INTRODUCTION
I. THE SCIENCE BEHIND DNA TEST KITS
II. POLICE INVESTIGATIONS AND GEDMATCH
III. PLEDGES TO PROTECT USER PRIVACY
    A. Federal Privacy Regulations
    B. Privacy Best Practices for Consumer Genetic Testing Services
    C. FamilyTreeDNA Removed from List of Best Practices’ Participants
IV. GEDMATCH RESTRICTS LAW ENFORCEMENT
CONCLUSION

                                           INTRODUCTION

    Recently, there has been a significant rise in popularity of at-home DNA
test kits, with over twenty-six million consumers 1 utilizing direct-to-
consumer (“DTC”) genetic testing services2 to learn about their ancestry,
family history, community, health risks, and family planning.3 For example,
in a well-known television commercial for AncestryDNA, a man, surprised
to learn that his ancestors were not German, but rather Irish, exclaims, “So,
I traded in my lederhosen for a kilt!”4 Other commercials in the series reveal
more pleasant surprises. 5 While such surprises may make for fun

     1.     Antonio Regalado, More Than 26 Million People Have Taken an at-Home Ancestry Test,
MIT TECH. REV., (Feb. 11, 2019), https://www.technologyreview.com/s/612880/more-than-26-million-
people-have-taken-an-at-home-ancestry-test/ [https://perma.cc/MW7T-JCHE].
     2.     What Is Direct-To-Consumer Genetic Testing?, GENETICS HOME REFERENCE, (Mar. 17,
2020), https://ghr.nlm.nih.gov/primer/dtcgenetictesting/directtoconsumer [https://perma.cc/4QBQ-X3K
F] (“[G]enetic tests are marketed directly to customers via television, print advertisements, or the
Internet, and the tests can be bought online or in stores. Customers send the company a DNA sample
and receive their results directly from a secure website or in a written report . . . without . . . involving a
healthcare provider or health insurance company . . . .”).
     3.     3 Mistakes to Avoid When Shopping for a DNA Test: Your Free Guide to the Best Valued
DNA Tests, GENETICS DIGEST, (2019) https://geneticsdigest.com/best_ancestry_genealogy_dna_test/ind
ex_ctrl_n.html?gclid=EAIaIQobChMIv8bc08O5wIVUSCtBh1lugMSEAAYASAAEgJ3wvD_BwE&
utm_expid=.a_tKXPb9TSiu456d3_Znig.2&utm_referrer=https%3A%2F%2Fwww.google.com%2F [h
ttps://perma.cc/WS3C-Y4KT]. While there are many genetic testing services, the two largest and most
popular organizations are Ancestry.com and 23andMe. Other smaller competitors include Family Tree
DNA and MyHeritage. Elizabeth Weise, These Are the Top Companies Offering Genealogical DNA
Testing to Learn About Your Family, USA TODAY, (Dec. 2, 2018, 8:19 PM ET), https://www.usatoday.c
om/story/news/2018/12/02/genealogical-dna-testing-companies-ancestry-23-andme/2141344002/ [htt
ps://perma.cc/D8H7-N69V]. There are ten million people in 23andMe’s data banks and more than fifteen
million in Ancestry.com’s. Kashmir Hill & Heather Murphy, Your DNA Profile is Private? A Florida
Judge Just Said Otherwise, N.Y. TIMES, (Dec. 30, 2019), https://www.nytimes.com/2019/11/05/business
/dna-database-search-warrant.html [https://perma.cc/XS9K-W6QE]; see also FAMILYTREEDNA, https:/
/www.familytreedna.com (last visited Jan. 17, 2020) [https://perma.cc/A4GZ-VJLU?type=image];
MYHERITAGE, https://www.myheritage.com (last visited Jan. 17, 2020) [https://perma.cc/EHS4-7RB3].
     4.     Ancestry, Kyle | Ancestry Stories | Ancestry, YOUTUBE, (June 13, 2016), https://www.youtub
e.com/watch?v=84LnTrQ2us8 (listing 440,998 views as of Jan. 31, 2020).
     5.     See, e.g., OzLandTV, Ancestry DNA Kit TV Commercial 2016, YOUTUBE, (Mar. 18, 2017),
https://www.youtube.com/watch?v=OJJzXXCI9EE; Ancestry, Katherine & Eric | Testimonial |

commercials, fifty-three-year-old Todd explains that “You can find
something you really don’t want to know.”6 He learned that his mother’s
sisters were not his aunts, but rather half-aunts, and he struggles with the
decision about whether to tell his mother the truth about her family.7 He said
“I think they should issue [a] warning” that there may be surprising results.8
While most such services do have warnings, many people miss them. 9
These types of surprises and their lack of warning have started raising
questions of privacy, as some distant relatives may not want to be found,
and some secrets regarding the parentage of children were intended to be
kept just that—secrets.10
    One of the biggest unwelcome surprises was endured by the family of
Joseph James DeAngelo, California’s infamous Golden State Killer, who
was tracked down and arrested through a DNA link to a distant relative.11
DeAngelo, a serial killer and rapist, committed a string of crimes during the
1970s and 1980s, and until recently had avoided capture for more than 40
years.12 The utilization of genetic data to create family trees and identify
criminal suspects is known as investigative genetic genealogy. 13 This is

Ancestry, YOUTUBE, (July 28, 2016), https://www.youtube.com/watch?v=GRZoV8abnNk. “‘Almost
every Ancestry customer finds something surprising as they embark on a self-discovery journey with us,
and for most customers it’s something exciting and enriching . . . ,’” said Ancestry.com’s chief scientific
officer in a statement to ABC News. Catherine Thorbecke & Sandra Temko, When a DNA Test Upends
Your Identity, Some Find ‘Family’ in Secret Facebook Group, GOOD MORNING AMERICA, (July 30,
2018), https://www.goodmorningamerica.com/news/story/dna-test-upends-identity-find-family-secret-
facebook-56904359 [https://perma.cc/64Z7-PEPW].
     6.      Sarah Zhang, When a DNA Test Shatters Your Identity, THE ATLANTIC, (July 17, 2018), https
://www.theatlantic.com/science/archive/2018/07/dna-test-misattributed-paternity/562928/ [https://perm
a.cc/5MY9-2883].
     7.      Id.
     8.      Id.
     9.      Id. (noting that 23andMe and AncestryDNA have warnings in their terms of service, and
“allow users to opt in or out of finding genetic matches”); see also Terms of Service, 23ANDME, (Sep.
30, 2019), https://www.23andme.com/about/tos/ [https://perma.cc/7YFM-ZZM4]; Ancestry Terms and
Conditions, ANCESTRY, (July 25, 2019), https://www.ancestry.com/cs/legal/termsandconditions [https:/
/perma.cc/6825-69P3].
     10.     Zhang, supra note 6; see also Your Privacy, ANCESTRY (Dec. 23, 2019), https://www.ancestr
y.com/cs/legal/privacystatement [https://perma.cc/7BXF-R9SW] (“You may discover unexpected facts
about yourself or your family when using our services. Once discoveries are made, we can’t undo
them.”). After receiving an AncestryDNA membership as a birthday gift from her brother, Catherine St.
Clair learned that the man who raised her was not her biological father. Thorbecke & Temko, supra note
5; Zhang, supra note 6.
     11.     Justin Jouvenal, To Find Alleged Golden State Killer, Investigators First Found his Great-
Great-Great-Grandparents, WASH. POST, (Apr. 30, 2018), https://www.washingtonpost.com/local/pu
blic-safety/to-find-alleged-golden-state-killer-investigators-first-found-his-great-great-great-grandpare
nts/2018/04/30/3c865fe7-dfcc-4a0e-b6b2-0bec548d501f_story.html?utm_term=.76c51cd2e556 [https:/
/perma.cc/HTV8-853M].
     12.     Id.
     13.     Investigative Genetic Genealogy FAQs, INT’L SOC’Y OF GENETIC GENEALOGY WIKI, https://
isogg.org/wiki/Investigative_genetic_genealogy_FAQs#What_is_investigative_genetic_genealogy.3F
(last visited Mar. 25, 2020); see also Maggie Fox, DNA Databases Can Send the Police or Hackers to
Your Door, Study Finds, NBCNEWS (Oct. 11, 2018, 2:27 PM PDT), https://www.nbcnews.com/health/h

what helped investigators to track down DeAngelo and has led users of
popular DTC genetic testing services to question whether their genetic data
is accessible not only in a limited way to other users of the service, but also
whether it is freely available to police investigators.14 This Article explores
that question and the actions taken by such genetic databases to block law
enforcement investigations in favor of protecting genetic privacy.

                         I. THE SCIENCE BEHIND DNA TEST KITS

   In recent years, at-home DNA test kits15 have led consumers to share a
sample of their genetic information with privately held companies that have
collectively amassed one of the world’s largest collections of human
DNA.16 Once a consumer has collected their sample, they mail it to popular
genetic testing companies such as Ancestry17 and 23andMe.18 Upon receipt
of the sample, the company extracts DNA from the cells, then decodes the
information on a chip to identify around 600,000 single-nucleotide
polymorphisms (“SNPs”).19 SNPs are variations in a single base pair in a
DNA sequence and create biological differences in an individual’s genes,
which “influence a variety of traits such as appearance, disease
susceptibility or response to drugs.” 20 Genetic testing services use this
information to provide information to their users, such as family ancestry
and certain genetic predispositions.21
   Prior to the popularity of the DTC genetic testing services, law
enforcement used DNA information to solve crimes, but in a more limited
way. For example, if DNA was recovered from a crime victim or a crime
scene, that DNA could sometimes be connected to a suspect if the suspect

ealth-news/dna-databases-can-send-police-or-hackers-your-door-study-n919236 [https://perma.cc/82Z
N-FXRE] (“Genetic genealogy databases act like a GPS system for anonymous DNA,” said Yaniv
Erlich, chief science officer of MyHeritage, a DTC genetic testing service. “The family trees set a
coordinate system, in which the DNA of each individual in these databases is like a beacon that
illuminates hundreds of the individual’s relatives who are not in the database. . . . Therefore, even if a
specific individual is not in these databases, a relative of theirs could be, which is enough to identify
them.”).
     14.    Susan Scutti, What the Golden State Killer Case Means for Your Genetic Privacy, CNN,
(May 1, 2018, 12:01 AM), https://www.cnn.com/2018/04/27/health/golden-state-killer-genetic-privacy/
index.html [https://perma.cc/UCX3-ENUV].
     15.    The test kits range in cost, with a basic kit being available for as little as $59. Regalado, supra
note 1.
     16.    Id. (noting that such testing requires the user to spit into a tube or swab the inside of their
cheek to supply a DNA sample to the testing service).
     17.    See ANCESTRY, https://www.ancestry.com (last visited Jan. 17, 2020).
     18.    See 23ANDME, https://www.23andme.com (last visited Jan. 17, 2020).
     19.    Regalado, supra note 1.
     20.    What Are SNPs?, 23ANDME, https://www.23andme.com/gen101/snps/ (last visited Apr. 4,
2020).
     21.    Now Your DNA Reveals so Much More with AncestryHealth, ANCESTRY, https://www.ancest
ry.com/health (last visited Apr. 8, 2020).

had been previously arrested and had provided a DNA sample. This
procedure was challenged in Maryland v. King,22 when Alonzo Jay King,
Jr. was arrested in 2009 for “first- and second-degree assault charges.”23
During his booking, the police collected a cheek swab DNA sample from
King.24 They matched the sample to an unsolved 2003 rape, and King was
charged for the crime. 25 King attempted to suppress the genetic match,
arguing that the Maryland DNA Collection Act26 that led to the collection
of his genetic sample was in violation of the Fourth Amendment. 27
However, the Supreme Court found that DNA swabs taken from individuals
arrested for violent crimes do not violate the Fourth Amendment clause of
“unreasonable search and seizure,” despite the DNA sample being collected
without consent.28 The Court found that “taking and analyzing a cheek swab
of the arrestee’s DNA is, like fingerprinting and photographing, a legitimate
police booking procedure that is reasonable under the Fourth
Amendment.”29
    When a criminal suspect is arrested, law enforcement officials use the
Short Tandem Repeat (STR) technique, which extracts biologically relevant
information from DNA, such as disease, eye, and skin color, and use that as
a means of identifying a suspect from whom they have collected that DNA,
much like a fingerprint.30 That information is stored in the Combined DNA
Index System, or CODIS, a government administered DNA database,31 and
organized into three hierarchal levels: local, state, and national. 32 The
National DNA Index System (NDIS) is one part of CODIS that operates at
the national level.33 NDIS contains genetic profiles “contributed by federal,
state, and local participating forensic laboratories.”34 As of March 2020, the
NDIS “contains over 14,150,851 offender profiles, 3,897,457 arrestee
profiles and 1,004,891 forensic profiles.”35

    22.      569 U.S. 435 (2013).
    23.      Id. at 435.
    24.      Id.
    25.      Id.
    26.      Md. Code Ann., Pub. Safety § 2-501. (LexisNexis 2011 Repl. Vol.).
    27.      U.S. CONST. AMEND. IV.; King, 569 U.S. at 435.
    28.      King, 569 U.S. at 435; U.S. CONST. AMEND. IV.
    29.      King, 569 U.S. at 435.
    30.      Brian Resnick, How Your Third Cousin’s Ancestry DNA Test Could Jeopardize Your
Privacy, VOX, (Oct. 15, 2018, 10:20 AM), https://www.vox.com/science-and-health/2018/10/12/17957
268/science-ancestry-dna-privacy [https://perma.cc/9ZX7-8NXV].
    31.      Id.
    32.      See Frequently Asked Questions on CODIS and NDIS, FBI, https://www.fbi.gov/services/lab
oratory/biometric-analysis/codis/codis-and-ndis-fact-sheet (last visited May 16, 2020).
    33.      Id.
    34.      Id.
    35.      CODIS - NDIS Statistics, FBI, https://www.fbi.gov/services/laboratory/biometric-analysis/c
odis/ndis-statistics (noting that offender profiles include convicted offenders, detainees, and legal
profiles) (last visited May 16, 2020).

   The DTC genetic testing services have now provided law enforcement
with the opportunity to take advantage of this DNA to solve crimes by
matching the data in CODIS to relatives in ancestry databases. The ability
to make these data matches was demonstrated in a sample of 872 people,
where “30 percent could be matched via cross-referencing STR data with
the ancestry data.”36 The question some consumers are asking is whether
law enforcement should be allowed to access the genetic information they
provide to DTC genetic testing services.37

                   II. POLICE INVESTIGATIONS AND GEDMATCH

    “People who submit DNA for ancestor testing are unwittingly becoming
genetic informants on their innocent family.”38 While millions of consumers
are participating in this popular DNA testing trend, that does not mean that
they want law enforcement to access their DNA test results from services
like 23andMe and become involuntary genetic informants. 39 While some
DNA testing services put privacy practices into place to protect their users’
information,40 “[t]he ability of third parties, the police or others to see that
data is not clear.” 41 DTC genetic testing users “have fewer privacy
protections than convicted offenders whose DNA is contained in regulated
databanks.”42 Cases spurring these fears involved the use of a public genetic
database known as GEDmatch, 43 a crowdsourced database, containing

     36.    Resnick, supra note 30.
     37.    Scutti, supra note 14.
     38.    Michael Balsamo & Jonathan J. Cooper, Genealogy Site Didn’t Know It Was Used to Seek
Serial Killer, WASH. POST, (Apr. 27, 2018, 2:59 PM), https://www.washingtonpost.com/national/use-of
-dna-in-serial-killer-probe-sparks-privacy-concerns/2018/04/27/3c6bde16-49e9-11e8-8082-105a446d1
9b8_story.html [https://perma.cc/5Q82-2YLH] (quoting Steve Mercer, the chief attorney for the forensic
division of the Maryland Office of the Public Defender).
     39.    Ashley May, Took an Ancestry DNA Test? You Might be a ‘Genetic Informant’ Unleashing
Secrets About your Relatives, USA TODAY, (May 1, 2018, 7:16 AM ET), https://www.usatoday.com/stor
y/tech/nation-now/2018/04/27/ancestry-genealogy-dna-test-privacy-golden-state-killer/557263002/ [htt
ps://perma.cc/7U7U-3U9E] (quoting a 23andMe spokesman who said that the company “will not share
member information with law enforcement ‘unless compelled to by valid legal process’” and “has never
given customer information to law enforcement officials”); see also Fiza Pirani, Can Police Legally
Obtain Your DNA from 23andMe, Ancestry?, THE ATLANTA J.-CONST., (May 11, 2018), https://www.aj
c.com/news/national/can-police-legally-obtain-your-dna-from-23andme-ancestry/8eZ24WN7VisoQiH
AFbcmjP/ [https://perma.cc/K2W5-PU94] (“Ancestry’s Transparency Report states that the company
received nine valid law enforcement requests in 2016 and provided information on eight of the requests
to government agencies. All were related to credit card misuse and identity theft.”).
     40.    Carson Martinez, Privacy Best Practices for Consumer Genetic Testing Services, FUTURE OF
PRIVACY FORUM, (July 31, 2018), https://fpf.org/2018/07/31/privacy-best-practices-for-consumer-gene
tic-testing-services/ [https://perma.cc/4GK5-Z6VS].
     41.    Arthur Caplan, director of the Division of Medical Ethics at New York University’s School
of Medicine. May, supra note 39.
     42.    Balsamo & Cooper, supra note 38.
     43.    GEDMATCH, https://www.gedmatch.com/login1.php (last visited Jan. 17, 2020). Curtis
Rogers, age 81, founded GEDmatch in 2010, inspired by his personal genealogy search. While popular

about 1,000,000 DNA sets. 44 Individuals utilizing GEDmatch download
their genetic code from popular testing services such as Ancestry, and
voluntarily upload the data into GEDmatch’s database.45 Because the site is
public, investigators do not need a court order to utilize genetic information
found in the database.46 Curtis Rogers, the founder of GEDmatch, had no
idea that his site would be used in that way, so he imposed some restrictions
on law enforcement, permitting them to pursue leads on major crimes like
homicides and rapes, but not lesser crimes like assault.47
    While law enforcement officers were not breaking any laws by utilizing
GEDmatch, consumers remain concerned about privacy due to
investigators’ ability to cross-reference genetic information to identify
relatives of GEDmatch users—the same technique used by police to identify
the Golden State Killer. 48 The investigators in that case had the killer’s
unidentified DNA from the crime scene and tried to match it to the one
million records in GEDmatch. 49 The partial matches helped to create a
family tree of distant relatives of the killer, providing a major break in the
investigation, and eventually leading to Joseph James DeAngelo’s arrest.50
Since that crime was solved, more than fifty other rape and homicide cases
in twenty-nine states have been solved using this groundbreaking technique
of investigative genetic genealogy.51
    Another arrest from cross-referencing genetic information from
GEDmatch is that of Robert Brian Thomas, now sixty-one years old, for two

among genealogists, he was unaware of law enforcement’s use of his site until the announcement of the
arrest of the Golden State Killer. A year ago, Rogers said, “I am not totally comfortable with GEDmatch
being used to catch violent criminals but I doubt it would be possible to prevent it.” Schuppe, infra note
47. GEDmatch was later acquired by Verogen, Inc., which has operated the site since December 9, 2019.
GEDmatch.Com Terms of Service and Privacy Policy, GEDMATCH, (Dec. 9, 2019) https://www.gedmat
ch.com/tos.htm [https://perma.cc/A7P8-FV38].
    44.      Tony Romm & Drew Harwell, Ancestry, 23andMe Say They Will Follow These Rules When
Giving DNA Data to Businesses or Police, CHI. TRIB., (Jul. 31, 2018, 11:29 AM), https://www.chicagotri
bune.com/news/nationworld/ct-ancestry-genealogy-dna-data-police-20180731-story.html [https://perm
a.cc/J6QR-69SQ].
    45.      Barbara Anguiano, Using Genetic Genealogy to Identify Unknown Crime Victims, Sometimes
Decades Later, NPR, (Jan. 8, 2019, 3:54 PM), https://www.npr.org/2019/01/08/682925589/using-geneti
c-genealogy-to-identify-unknown-crime-victims-sometimes-decades-later [https://perma.cc/8SFR-JKC
V].
    46.      Cyrus Farivar, CSI: Paypal Edition – GEDmatch, a Tiny DNA Analysis Firm, Was Key for
Golden State Killer Case, ARSTECHNICA, (Apr. 27, 2018, 9:25 AM), https://arstechnica.com/tech-policy/
2018/04/gedmatch-a-tiny-dna-analysis-firm-was-key-for-golden-state-killer-case/ [https://perma.cc/5V
6B-P9WJ].
    47.      Jon Schuppe, Police Were Cracking Cold Cases with a DNA Website. Then the Fine Print
Changed., NBCNEWS, (Oct. 25, 2019, 6:53 AM PDT), https://www.nbcnews.com/news/us-news/police
-were-cracking-cold-cases-dna-website-then-fine-print-n1070901 [https://perma.cc/PQB5-8XBW].
    48.      Romm & Harwell, supra note 44; Jouvenal, supra note 11.
    49.      Regalado, supra note 1.
    50.      Id.
    51.      Schuppe, supra note 47.

sexual battery cases in Florida in 1998.52 The Florida Department of Law
Enforcement approached the case in December 2018 as part of its genealogy
mapping program and was able to match Thomas’ fourth cousin, with whom
Thomas shared a great-great-grandparent.53 That narrowed the search to one
genetic line, and a list of five suspects, who were then investigated, leading
to Thomas’s arrest. 54 In another example, from Tacoma, Washington,
Michella Welch was raped and murdered on March 26, 1986.55 DNA was
collected from the crime scene, but at that time, searches of state and
national databases did not lead to any suspects.56 However, in 2018, genetic
genealogy databases allowed investigators to create a family tree,
identifying two brothers as suspects. 57 Investigators followed Gary
Hartman, one of the suspects, to a restaurant, where detectives collected a
napkin Hartman had used during breakfast. 58 His DNA on the napkin
matched the DNA collected from the crime scene.59
   The argument in favor of using publicly available genetic test results to
solve cold cases is simple: society is safer when criminals who pose a risk
to society are behind bars. However, CeCe Moore, 60 head of Parabon
NanoLabs, who helps police solve cold cases through her skills as a genetic
researcher, is troubled when her investigation points to a suspect who,
decades later, is leading a productive, crime-free life.61 In one such
twenty-year-old case, the suspect she identified was married, had children and a
successful business.62 He was not hiding, as he was engaged in social media
and was well known in his community.63 It appeared that he committed one

     52.    Joshua Rhett Miller, Genealogy Database Leads to Michigan Man’s Arrest for 1998 Florida
Rapes, N.Y. POST, (Dec. 17, 2019, 1:21 PM), https://nypost.com/2019/12/17/genealogy-database-leads-
to-michigan-mans-arrest-for-1988-florida-rapes/ [https://perma.cc/VB8A-ZYPC].
     53.    Id.
     54.    Id.
     55.    Chris Daniels, et al., DNA on Napkin Leads to Charges in 32-Year-Old Cold Case, USA
TODAY, (June 23, 2018, 3:00 PM), https://www.usatoday.com/story/news/nation-now/2018/06/23/dna-
napkin-leads-charges-32-year-old-cold-case/728082002/ [https://perma.cc/KLU5-KNUG].
     56.    Id.
     57.    Id.
     58.    Id.
     59.    Id.; see also Jay O’Brien, et al., Brazos County Sheriff Announces Suspect in Decades-Old
Murder of Virginia Freeman, KCENTV, (June 25, 2018, 9:42 PM CDT), https://www.kcentv.com/articl
e/news/brazos-county-sheriff-announces-suspect-in-decades-old-murder-of-virginia-freeman/499-5673
41120 [https://perma.cc/EAE3-PPN5] (describing how DNA analyzed for ancestry information
identified a suspect’s second cousins and great grandparents, leading authorities to the suspect).
     60.    ABC recently announced a new documentary series featuring Ms. Moore titled “The Genetic
Detective.” Jessica Pena, The Genetic Detective: ABC News Series Follows Investigative Genealogist,
TV SERIES FINALE, (April 14, 2020), https://tvseriesfinale.com/tv-show/the-genetic-detective-abc-news
-series-follows-investigative-genealogist/ [https://perma.cc/5NK6-TFJ9].
     61.    Antonio Regalado & Brian Alexander, The Citizen Scientist Who Finds Killers from Her
Couch, MIT TECH. REV., (June 22, 2018), https://www.technologyreview.com/s/611529/the-citizen-scie
ntist-who-finds-killers-from-her-couch/ [https://perma.cc/6JWX-94L7].
     62.    Id.
     63.    Id.

horrible crime decades in the past and had been a model citizen since.64
Moore struggled with the case, wondering, “[h]ow is that possible? How
could this person be capable of this?”65 She knew that his arrest would likely
destroy his family and business, and unsettle the community.66 And one may
wonder if society is at risk of harm from this suspect, and whether genetic
research causes more harm than good. However, Moore balances those
thoughts with her knowledge of “the unfairness that the person they
murdered is gone and this person has gone on to live a normal life.”67

                      III. PLEDGES TO PROTECT USER PRIVACY

A. Federal Privacy Regulations

    While there are federal and state laws regulating genetic testing and the
resulting data, it is unclear which of them apply to DTC genetic testing
services, and how, which leaves open the question of what privacy protection a
consumer can reasonably expect. 68 The Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”) and the privacy regulations
promulgated thereunder (the “Privacy Rule”), protect the use and disclosure
of individually identifiable health information.69 However, the DTC genetic
testing services do not qualify as covered entities under HIPAA, and
therefore are not required to comply with the Privacy Rule.70 The Genetic
Information Nondiscrimination Act of 2008 (“GINA”) limits the use and
disclosure of genetic information by employers and health insurers, but
again, does not explicitly apply to DTC genetic testing services. 71 That
leaves consumers with the burden of carefully reviewing the privacy
policies and terms of use of the DTC genetic testing services to learn the
scope of their right to privacy of the genetic information they have
voluntarily disclosed to such service.72 Even if consumers do read the terms

    64.    Id.
    65.    Id.
    66.    Id.
    67.    Id.
    68.    Mary Fraker & Anne-Marie Mazza, Direct-to-Consumer Genetic Testing: Summary of a
Workshop, THE NAT’L ACADEMIES PRESS 1, 15, https://www.ncbi.nlm.nih.gov/books/NBK209643/pdf/
Bookshelf_NBK209643.pdf, (last visited Apr. 8, 2020).
    69.    Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104–191, 110 Stat.
1936 (45 C.F.R. pt. 160).
    70.    Id.; Fraker & Mazza, supra note 68, at 15.
    71.    Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110–233, 122 Stat. 881 (42
U.S.C.A. § 2000ff–1 (West 2012)); Fraker & Mazza, supra note 68, at 15.
    72.    See, e.g., 23andMe Privacy Statement, 23ANDME, (Jan. 1, 2020), https://www.23andme.com
/about/privacy/ [https://perma.cc/YSL8-PVKE]; 23andMe Terms of Service, 23ANDME, (Sep. 30, 2019),
https://www.23andme.com/about/tos/ [https://perma.cc/4BC8-PM4B]; see also Claire Abrahamson,
Guilt by Genetic Association: The Fourth Amendment and the Search of Private Genetic Databases by

of service, which often does not happen, they are subject to change at any
time at the whim of the database, meaning that any privacy rights a
consumer thought they had when they gave their data to the DTC genetic
testing service could be revoked at any time.73

B. Privacy Best Practices for Consumer Genetic Testing Services

   In response to user privacy concerns, some DTC genetic testing services
provide their consumers with transparency reports detailing the number of
law enforcement requests they received and answered.74 For example, in
2017, 23andMe received five requests but did not provide law enforcement
with any data, while Ancestry received thirty-four requests and provided
genetic information for thirty-one cases.75 Ancestry and 23andMe have also
pledged 76 to obtain their customers’ “separate express consent,” before
providing businesses and other third parties with individual genetic
information,77 but it should be noted that the companies are not promising
to withhold such data from law enforcement. Instead, the organizations are
promising to “attempt to notify” consumers when they can of law
enforcement requests.78 While this action has merit, there is no guarantee
that the companies will be fully able to take such steps if investigators obtain
gag orders, preventing the notification of consumers.79
   The other step that some DTC genetic testing services are taking is a
pledge to protect consumer privacy by agreeing to abide by the Privacy Best
Practices for Consumer Genetic Testing Services (the “Best Practices”),
voluntary privacy guidelines.80 The Best Practices were released on July 31,
2018, by Future of Privacy Forum, a Washington, D.C.-based think tank
that aids in the development of business practices that include privacy and

Law Enforcement, 87 FORDHAM L. REV. 1539, 1551–1554 (2019) (discussing the differences in privacy
policies and terms of service between DTC services).
    73.     Caroline Cakebread, You’re Not Alone, No One Reads Terms of Service Agreements,
BUSINESS INSIDER, (Nov. 15, 2017, 6:30 AM),
https://www.businessinsider.com/deloitte-study-91-percent-agree-terms-of-service-without-reading-2017-11
[https://perma.cc/8CK6-U7XX]; Logan Koepke,
“We Can Change These Terms at Anytime”: The Detritus of Terms of Service Agreements, MEDIUM,
(Jan. 18, 2015),
https://medium.com/@jlkoepke/we-can-change-these-terms-at-anytime-the-detritus-of-terms-of-service-agreements-712409e2d0f1.
    74.     James Vincent, 23andMe and Other DNA-Testing Firms Promise Not to Share Data Without
Consent, THE VERGE, (Aug. 1, 2018, 8:55 AM),
https://www.theverge.com/2018/8/1/17638680/genetic-data-privacy-consumer-rights-guidelines-23andme-ancestry
[https://perma.cc/UUX5-YXGK].
    75.     Id.
    76.     In accordance with the Best Practices established by the Future of Privacy Forum. Martinez,
supra note 40.
    77.     Id.
    78.     Romm & Harwell, supra note 44.
    79.     Id.
    80.     Martinez, supra note 40.

ethical norms. 81 Companies agreeing to abide by the guidelines include
23andMe, Ancestry, Helix, MyHeritage, Habit, African Ancestry, and
Living DNA.82
   According to its introduction, “[t]he Best Practices provide a policy
framework for the collection, retention, sharing, and use of Genetic Data
generated by consumer genetic and personal genomic testing services,”83
recognizing that Genetic Data “warrants a high standard of privacy
protection”84 because:
   •    It may be used to identify predispositions, disease risk, and predict
future medical conditions;
   •    It may reveal information about the individual’s family members,
including future children;
   •    It may contain unexpected information or information of which the
full impact may not be understood at the time of collection; and
   •    It may have cultural significance for groups or individuals.85
   The Best Practices guide the DTC genetic testing services by
recommending that their privacy practices include: “Detailed transparency
about how Genetic Data is collected, used, shared, and retained including a
high-level summary of key privacy protections posted publicly and made
easily accessible to consumers;” “Separate express consent for transfer of
Genetic Data to third parties and for incompatible secondary uses;” and
“Valid legal process for the disclosure of Genetic Data to law enforcement
and transparency reporting on at least an annual basis.”86 Of course, these
are only guidelines, there is no enforcement mechanism, and not all genetic
databases, including GEDmatch and FamilyTreeDNA, agreed to comply.87
However, it is important to remember that DNA matches may only give
investigators a place to begin in the investigation. Building the family tree
that may lead to criminal suspects includes an examination of birth, death,

      81.    Privacy Best Practices for Consumer Genetic Testing Services, FUTURE OF PRIVACY FORUM,
(July 31, 2018),
https://fpf.org/wp-content/uploads/2018/07/Privacy-Best-Practices-for-Consumer-Genetic-Testing-Services-FINAL.pdf.
      82.    Id. at 1; Martinez, supra note 40 (noting that FamilyTreeDNA has been removed from the
list of supporters due to its conflicting deal with the Federal Bureau of Investigation). In that agreement,
FamilyTreeDNA agreed to periodically test investigation samples on a case by case basis. Kristen V.
Brown & Bloomberg, A Major DNA-Testing Company Is Sharing Some of Its Data with the FBI. Here’s
Where It Draws the Line, FORTUNE, (Feb. 1, 2019, 6:47 PM EST),
http://fortune.com/2019/02/01/genetic-testing-consumer-dna-familytreedna-fbi/.
      83.    Privacy Best Practices for Consumer Genetic Testing Services, supra note 81, at 1. The Best
Practices define Genetic Data as “Any data that, regardless of its format, concerns information about an
individual’s inherited or acquired genetic characteristics, including at least an individual’s Raw Data,
the Report of the Analyzed Data, and Self-Reported Health Data,” as each of those terms is defined
therein. Id. at 11.
      84.    Id. at 1.
      85.    Id.
      86.    Martinez, supra note 40.
      87.    Id.

and marriage certificates, as well as obituaries, many of which are publicly
available.88

C. FamilyTreeDNA Removed from List of Best Practices’ Participants

   FamilyTreeDNA is an early pioneer in genetic testing services 89 and
created a stir when it made an agreement with the FBI resulting in its
removal from the list of participants in the Best Practices. 90
FamilyTreeDNA confirmed in February 2019 that the company had
voluntarily agreed to test DNA samples for the FBI on a case by case basis.91
Results of such testing would allow law enforcement to view familial
matches to crime scene DNA samples.92 Not surprisingly, this initiative by
FamilyTreeDNA has many customers apprehensive about their genetic
privacy. 93 The company’s founder and chief executive officer, Bennet
Greenspan, has assured users that they will not provide the FBI with
“unfettered access” to their database.94 Greenspan’s assertion may prove to
be of little value, however, given that FamilyTreeDNA possesses a vast trove
of genetic data comprised of nearly two million records.95
   Due to FamilyTreeDNA’s agreement with the FBI, the amount of DNA
that law enforcement already had access to in GEDmatch more than
doubled. 96 However, since the announcement of their agreement,
FamilyTreeDNA has revealed that it has received “less than 10 samples”
from the FBI. 97 FamilyTreeDNA representatives have acknowledged,
though, that they have worked with both state and city law enforcement in
addition to the FBI in an attempt to resolve cold cases.98
   Since its initial agreement with the FBI, FamilyTreeDNA has revised its
terms of service, now requiring police to request permission to use the
database and restricting such use to “homicide, sexual assault, or child

     88.    Tina Hesman Saey, What FamilyTreeDNA Sharing Genetic Data with Police Means for You,
SCIENCENEWS, (Feb. 6, 2019, 7:00 AM),
https://www.sciencenews.org/article/family-tree-dna-sharing-genetic-data-police-privacy;
How to Build a Family Tree: Tracing Your Ancestors, NAT’L GENEALOGICAL SOC’Y,
https://www.ngsgenealogy.org/free-resources/build-family-tree/ (last visited Apr. 8, 2020).
     89.    FAMILYTREEDNA, https://www.familytreedna.com (last visited Mar. 25, 2020) (noting that
the company was founded in 2000 and is a pioneer in the field).
     90.    See supra note 82.
     91.    Brown & Bloomberg, supra note 82.
     92.    Id.
     93.    See id.
     94.    Id.
     95.    Id.
     96.    Id.
     97.    Bloomberg, Major DNA Testing Company Is Sharing Genetic Data with the FBI, L.A. TIMES,
(Feb. 1, 2019, 2:55 PM),
https://www.latimes.com/business/la-fi-dna-fbi-familytreedna-20190201-story.html
[https://perma.cc/AQ9R-N444].
     98.    Id.

abduction.” 99 In addition, customers may now decide whether to allow
police to access their profiles, a major step forward in privacy. But since the
default setting is to opt in, customers must be vigilant about reading the
terms of service and carefully choosing to opt out if they are hesitant to be
genetic informants.100

                  IV. GEDMATCH RESTRICTS LAW ENFORCEMENT

   As it became aware of increasing consumer privacy concerns,
GEDmatch implemented rules restricting law enforcement searches to
major crimes.101 However, it bent those rules and allowed Utah police to
search for the perpetrator of a violent assault on an elderly woman.102 The
assailant turned out to be a seventeen-year-old great-nephew of someone
with a profile in the database.103 While the police made a compelling
argument that the perpetrator was a public risk,104 backlash from the public
led to another change in the terms of service of GEDmatch.105 On May
18, 2019, GEDmatch changed the terms to exclude law enforcement
searches unless members opt in by clicking a police-shield icon on the
GEDmatch website to allow authorities to see their profile.106 This change
is intended to protect consumers from becoming genetic informants.107
Overnight, the number of profiles available to law enforcement dropped

     99.     Terms of Service, § 5, FAMILYTREEDNA, https://www.familytreedna.com/legal/terms-of-service;
see also FamilyTreeDNA Law Enforcement Guide, FAMILYTREEDNA,
https://www.familytreedna.com/legal/law-enforcement-guide (last visited Feb. 10, 2020).
     100. FamilyTreeDNA Privacy Statement, § 5.E., FAMILYTREEDNA,
https://www.familytreedna.com/legal/privacy-statement (last visited Apr. 8, 2020).
     101. Peter Aldhous, This Genealogy Database Helped Solve Dozens of Crimes. But Its New
Privacy Rules Will Restrict Access by Cops, BUZZFEEDNEWS, (May 19, 2019, 3:41 PM ET),
https://www.buzzfeednews.com/article/peteraldhous/this-genealogy-database-helped-solve-dozens-of-crimes-but
[https://perma.cc/Y8ZU-ZFPP].
     102. Id.
     103. Peter Aldhous, The Arrest of a Teen on an Assault Charge Has Sparked New Privacy Fears
About DNA Sleuthing, BUZZFEEDNEWS, (May 14, 2019, 10:15 PM ET),
https://www.buzzfeednews.com/article/peteraldhous/genetic-genealogy-parabon-gedmatch-assault
[https://perma.cc/JZ5S-Y9MT].
     104. GEDmatch founder Curtis Rogers said, “‘[t]his case was as close to a homicide as you can
get’. . . ‘The victim was reportedly in great fear that he would return to end her life. It was a difficult
decision but I decided to allow [the] use of genetic genealogy in this one case and take full responsibility
for this decision.’” The suspect placed the 71-year-old organist in a chokehold, causing her to pass out
several times. Id.
     105. Schuppe, supra note 47; GEDmatch.Com Terms of Service and Privacy Policy, GEDMATCH,
(Dec. 9, 2019), https://www.gedmatch.com/tos.htm (noting that the crimes for which law enforcement
searches are allowed are limited to “murder, nonnegligent manslaughter, aggravated rape, robbery, or
aggravated assault”).
     106. Schuppe, supra note 47 (noting that while all users have not yet opted in, in a survey conducted
by Baylor College of Medicine, “91 percent of respondents favored law enforcement using consumer
DNA databases to solve violent crimes, and 46 percent for nonviolent crimes”).
     107. Id.

from over one million to zero.108 While the number of accessible profiles
has grown slowly to 181,000 since then, it could be years before law
enforcement has access to a million or more records, leaving cold cases
unsolved. 109 Law enforcement officials and private investigative genetic
genealogy companies acknowledge the privacy concerns but hope the
public will permit their profiles to be accessed by law enforcement. 110
Rogers, from GEDmatch, has sent his members emails, trying to persuade
them to opt in to aid law enforcement in solving crimes, going so far as to
include a link to a video message from a Golden State Killer victim’s
family.111 If consumers do choose to opt in, at least they will knowingly
make the choice, rather than finding out later that they were unwittingly
genetic informants.

                                         CONCLUSION

    The DNA testing services industry has been informally deemed a “Wild
West” of genetic information.112 Because this area of consumer services is
still relatively new, laws protecting consumers’ data are still developing.
Despite developments such as the Privacy Best Practices for Consumer
Genetic Testing Services113 and terms of service restricting law enforcement
access, there are still many gray areas in the industry concerning which
types of genetic data sharing are permissible and which may violate privacy
rights. One of the biggest challenges facing those who are arguing for
privacy in their genetic testing results is the fact that they voluntarily gave
their DNA sample to the DTC genetic testing service subject to terms of
service that can be changed by the service at any time, resulting in the loss
of control over the testing results.114 “[O]ur DNA, just like our posts on
social media or our location data, is at the mercy of user agreements none
of us have any control over or even bother to read.”115 As consumers, we

     108. Id.
     109. Id.
     110. Id.
     111. Rogers said in his emails, “‘Many of these families have suffered for decades. They need
your support.’ . . . ‘We hope you will encourage others who have been genealogically DNA tested to
also add their information. We believe it is the caring thing to do.’” Id.
     112. Stuart Leavenworth, DNA Testing Is Like the ‘Wild West’; Should It Be More Tightly
Regulated?, IMPACT2020, (May 16, 2019, 1:32 PM),
https://www.mcclatchydc.com/news/nation-world/article212256094.html
[https://perma.cc/KFE3-GTAS] (quoting New York University law professor
Erin Murphy who said “[t]here is a wild-west aspect to all of this”).
     113. Martinez, supra note 40.
     114. Stuart Leavenworth, Ancestry Wants Your Spit, Your DNA and Your Trust. Should You Give
Them All Three?, MCCLATCHYDC, (Aug. 15, 2018, 4:02 PM),
https://www.mcclatchydc.com/news/nation-world/article210692689.html
[https://perma.cc/2EG3-99N7] (noting that AncestryDNA has a
reputation for changing its terms of service, most notably when they ended MyFamily.com, a social
networking site, that resulted in the loss of posted family photos for more than 1.5 million members).
     115. Regalado, supra note 1.

are trusting operators of privately run DTC genetic testing services to
balance individual privacy rights with the benefit of catching suspects, and
manage the structure of their terms of service accordingly. Debbie Kennett,
a genealogist and honorary research associate at University College London,
said, “They are reacting on the fly, making up the rules as they go along.”116
While these private services may not be the best choice to make decisions
about our genetic privacy, as rapidly as technology and investigative
techniques are changing, we have no immediate alternative.

   116.   Aldhous, supra note 101.