Maryland and Montana: First States to Pass Laws Restricting Access to Consumer Genealogy Databases by Law Enforcement
by Casey J. Bastian
In recent years, law enforcement has realized the enormous potential to solve crimes by using genetic genealogy databases. New laws in Maryland and Montana seek to reconcile the usefulness of genetic genealogy data and consumer privacy. Consumer companies like FamilyTree DNA, 23andMe, Ancestry, and GEDmatch store data submitted by millions of Americans. Leah Larkin is a genetic genealogist who operates a genetic consulting business in the San Francisco Bay area, who warns, “I don’t think people fully appreciate how much is in your genetic data.” Such profiles can reveal propensities for diseases or what you might look like, not just who your family members and distant relatives are.
The genetic profile data are comprised of over 500,000 single nucleotide polymorphisms (“SNPs”). These SNPs encompass the full spectrum of the human genome. Law enforcement has begun relying on SNPs-generated genetic data profiles to identify perpetrators and solve crimes. Investigators access this very private and sensitive data during a process known as forensic genetic genealogy searching (“FGGS”). FGGS is quickly becoming an all-too-common investigative practice. Some privacy advocates argue that FGGS violates the expectation of genetic privacy of those who use consumer genetic genealogy services.
Genetic profile companies like 23andMe and Ancestry do not allow law enforcement to access their immense databases without a warrant. Others, such as FamilyTree DNA and GEDmatch, willingly provide access. The customer must have consented to the access and is usually given a choice. However, the default user setting within these companies is to “opt-in”; very little specific information about what “opt-in” entails is provided or explained. University of Maryland law professor and privacy advocate, Natalie Ram, pushed for the new Maryland law.
As Ram noted, “We know well that most people do not read these kinds of forms closely. This is likely to generate unwitting inclusion rather than consent.”
Larkin believes that unfettered FGGS by law enforcement is “the equivalent of the government going through all of your medical records and all of your family records just to identify you.” Larkin’s position is well-founded. Investigators utilize the same powerful algorithms created by the genetic companies to compare existing genetic data with unidentified forensic samples to identify familial relationships. This has allowed for hundreds of “cold cases” to be solved, some decades old. FGGS has exonerated innocent people as well. Even the Defense Department uses the process to identify World War II soldiers. All are very noble pursuits.
However, simply because a technique may be useful for law enforcement, that usefulness should not allow a citizen’s expectation of privacy in their genetic data to be violated without specific justification. But that’s precisely what FGGS facilitates and encourages law enforcement to do with respect to millions of Americans having no connection to the crime being investigated. The new legal restrictions in Maryland and Montana will hopefully eliminate such privacy-violating fishing expeditions. Ram says that these laws “demonstrate that people across the political spectrum find law enforcement use of consumer genetic data chilling, concerning, and privacy-invasive.”
Maryland drafted a comprehensive 16-page statute that is quite broad and goes beyond FGGS. The law now requires judicial authorization of FGGS and can only be requested when law enforcement certifies that it has already checked government-run databases like CODIS. Investigators must first pursue other “reasonable investigative leads” that fail to identify a suspect. A FGGS may only be run on private genetic databases if law enforcement secures consent from any of the consumers whose profiles may be searched. An exception to FGGS prohibitions is that if the criminal act(s) present “a substantial and ongoing threat to public safety or national security” or are crimes such as rape, murder, or felony sexual offenses. In addition, the new law places strict limits on, and judicial oversight of, covert DNA collections, e.g., an officer grabbing trash to secretly collect DNA samples.
The Maryland law requires destruction of DNA samples when the investigation ends, licensing requirements for DNA sequencing labs, and criminal penalties, as well as a private right of action, for violations of the new law. Also, criminal defendants now have access to FGGS. “This bill strikes a balance between this very important technology to identify people that do the very worst things to our Marylanders, yet it balances that against the privacy concerns and the trust that we need from the public,” said John Fitzgerald who serves as chief of the Chevy Chase Village Police Department.
Montana’s law is only a scant two pages. It does incorporate some of the same restrictions as the Maryland law, but Montana also restricts warrantless searches of both government-run and consumer databases. Unfortunately, the law allows for an exception if the “consumer whose information is sought previously waived the consumer’s right to privacy,” which is the exact problem identified by Ram.
Sources: eff.org, nytimes.com
As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.
Already a subscriber? Login