Cops Now Using Warrants To Gain Access To DNA Services' Entire Databases

from the one-affidavit-to-rule-them-all dept

Cops have discovered a new source of useful third-party records: DNA databases. Millions of people have voluntarily handed over personal information to a number of services in exchange for info on medical markers or distant family members.

Investigators are submitting DNA samples from cold cases in hopes of tracking down criminals who’ve managed to evade them for years. It has led to the closing of some cases, which is all agencies need to argue for continued access to DNA samples from millions of users.

Some DNA services are more protective of their customers’ privacy than others. Of course, privacy protections in this context generate quite a bit of friction. For DNA databases to be useful, users must allow others to access their DNA info and expect others to do the same thing. Identifying info can be withheld, and definitely should be if users aren’t interested in rebuilding a family tree. One company, however, has decided it’s an unofficial arm of the law enforcement community and has involuntarily deputized its users.

When cops submit DNA seeking matches, they don’t always identify themselves as law enforcement officers. Faux accounts are being used to gather matches with DNA services (and their users) unaware of the government’s intrusion. Once investigators have gathered some promising hits, they reveal themselves to issue subpoenas demanding identifying info on the search results.

Things are getting even more troubling in this new Constitutional gray area. Kashmir Hill and Heather Murphy of the New York Times report law enforcement is now using warrants to force DNA services to open up their entire databases for investigators to dig through.

For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, Ancestry.com and 23andMe, have long pledged to keep their users’ genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.

Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users.

Warrants are supposed to be targeted — seeking evidence from a location or a person clearly defined in the warrant application. When a warrant is used to allow full access to the personal info of one million users, there’s clearly no targeting. Investigators may have probable cause to believe they’ll find evidence of a crime by searching an entire DNA database, but all the probable cause in the world doesn’t allow officers to search a million people until they find the evidence they’re looking for. That’s what’s happening here.

The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They’ll be the next targets of questionable warrants if they haven’t already been hit with some.

In response to backlash following the first reports of officers anonymously submitting samples to obtain a list of suspects, DNA/genealogy companies tightened up their rules. Subpoenas now only net personal info of people who’ve opted into sharing their data with law enforcement. According to this report, only 185,000 of GEDmatch’s 1.3 million have made that choice. That didn’t sit well with this investigator, who decided he could talk a court into forcing the company to give him what he wanted.

In July, he asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective [Michael] Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.

There’s a real danger here. If there’s no pushback from companies and their users, law enforcement officers will be seeking the same access, effectively turning private DNA databases into law enforcement databases. On the flip side, if this does become the new normal for law enforcement, it runs the risk of burning its own source, so to speak.

Genetic genealogy experts said that until now, the law enforcement community had been deliberately cautious about approaching the consumer sites with court orders: If users get spooked and abandon the sites, they will become much less useful to investigators. Barbara Rae-Venter, a genetic genealogist who works with law enforcement, described the situation as “Don’t rock the boat.”

The boat is already rocking. Detective Fields has shown officers the way to get what they want when private companies decide they’re not just going to be field offices for government agencies. Multiple officers and detectives asked for a copy of his warrant following his talk, which means Fields’ Fourth Amendment experiment is going to become boilerplate. Customers and users who thought their personal info was shielded from law enforcement probing are now finding out these protections can be undermined by a warrant targeting anyone that matches a certain DNA profile.

Companies: 23andme, ancestry.com, gedmatch


Comments on “Cops Now Using Warrants To Gain Access To DNA Services' Entire Databases”

31 Comments
A. Gidari says:

DNA and warrants

You might find the DoJ Guidelines on DNA investigations useful here: https://www.justice.gov/olp/page/file/1204386/download

Searching a DNA database is about finding someone who may be related to a perpetrator, not about finding evidence of a crime. Serious question as to whether the 4thA protects distant cousins’ DNA or against compelling them to be a witness against current or future generations, and in fact, an unknowing witness b/c a match does not get notice that their sample has been examined or is related.

James Burkhardt (profile) says:

Re: DNA and warrants

Yes, it is true that your 4th amendment right doesn’t protect the genetic information of your distant cousin, but their 4th amendment right does. Assuming that the distant cousin has not committed the crime they matched your DNA to, this can negatively associate an innocent relative who may not even know you well or if at all. They may not be in your geographical region. I know there is a large contingent of my family in Michigan, but I haven’t seen them since I was like 3. If I had done an ancestry.com test and suddenly Detroit PD was trying to get a hold of me about a distant relation, I’d find my getting involved and becoming a person of interest in a criminal investigation a serious concern to the violation of my fourth amendment rights.

There are serious questions about how these searches are conducted, and what information is retained by law enforcement that is not in connection

Michael Grimes says:

Re: DNA and warrants

When you turn your information over to a private third party, you have given up the constitutional protections of privacy. Law enforcement routinely gets warrants for third party databases and aggregates the findings. Whether it is cell phone data, dna or any other kind of normally private data, once you give it to a third party, the bar is very low for law enforcement to access it.

I had warned the owner of gedmatch a month ago that this was going to happen, but he was in denial. He rolled immediately when given the warrant.

So, if you do not want law enforcement to get your information, do not provide it to third parties.

Anonymous Coward says:

This is pretty timely (there’s a sale over at ancestry.com on their DNA service) and exactly why I haven’t availed myself of this service. I’m not a criminal, I’m not wanted by law enforcement anywhere for anything and I’m not likely to ever be so. But DNA, properly used, is the ultimate permanent identifier for individuals and I really don’t like the idea that I could be tracked without my consent. I’ll pass, thanks.

Anonymous Coward says:

Re: Re:

Just because you didn’t do it, doesn’t mean the police can’t find a way to make the DNA sample they have match your DNA. For that matter, the way police handle DNA, if you stay in a hotel room and a crime is committed in that room at a later time, they have a good chance of finding your DNA and arresting you. So keep that in mind.

Norahc (profile) says:

The Fourth Amendment is dead….Long live the Police State.

Law enforcement and the government don’t care that their actions may "spook users" into abandoning these websites. After all, look at the warnings that were issued over FOSTA/SESTA which were ignored, only to come back and bite them in the ass.

The ultimate goal is to weaken each right, by legislation or court precedent, one by one until there is nothing left to hinder law enforcement in any way.

btr1701 (profile) says:

Warrant

Customers and users who thought their personal info was shielded from law enforcement probing are now finding out these protections can be undermined by a warrant

Not sure who these terminally naïve people are who thought that they could submit data to a corporation and it would somehow be immune from a search warrant, should a court issue one. No company is immune from that.

Wyrm (profile) says:

A quick reminder on how DNA is not 100% reliable evidence should be mentioned somewhere. There are multiple cases of DNA "evidence" turning out to point to completely unrelated individuals.
Between cases where the DNA was deposited by the police or lab workers, or even the manufacturer of the DNA collection tools… cases where the DNA was too broken and/or limited in quantity for properly targeted matches… and lots of other problems.
DNA should only be used once you already have a suspect, and even then with great caution, and definitely not to find a suspect in the first place. (DNA matching tends to return enough false positives that it’s unreliable for this purpose.) But of course, that’s not the opinion of some law enforcement officers who need someone to pin a crime on more than the actual perpetrator.

Anonymous Coward says:

Sounds like a perfect opening for an overseas-based DNA company to enter the market, perhaps from Switzerland or someplace like that where the US government and police have no authority – they could use a promo blurb like "Unlike U.S.-based companies, we aren’t going to bend over to government and law enforcement demands. With us, your DNA and info aren’t going anywhere you don’t know about."

Professor Ronny says:

There's a real danger here

There’s a real danger here.

There is another danger and it is a danger to the DNA companies’ bottom line. While I have done nothing wrong, I don’t want my DNA searched by law enforcement so I’m simply not going to use a DNA service. If enough people make the same decision, their revenue will take a hit.

mephistophocles (profile) says:

Maybe an easy solution

This might be naive, but what if these companies complied with the cops’ request and provided the data – but in a format practically impossible to search?

I imagine the average cop IT dept probably ain’t exactly Deepmind, so this could possibly even be done without being too malicious. 1 million user database? Sure, we have it, in freetext with no headers and random spacing / delims / etc. In exactly 37 million text files and another 52 million PDFs. With random cutoffs and every file uses a unique carriage return.

I’m sure you can figure that out Mr Cop. Have fun searching.

Personanongrata says:

Judges, Jesters and Marsupials

The abuses of warrant power will only get bigger. GEDmatch is small. 23andMe has 10 million users. Ancestry.com has 15 million users. They’ll be the next targets of questionable warrants if they haven’t already been hit with some.

How does casting a gigantic fishing net (large enough to search tens of millions of innocent persons) while trolling for evidence meet the requirements called out in The US Bill of Rights 4th Amendment?

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

https://www.archives.gov/founding-docs/bill-of-rights-transcript

This is nothing short of an open ended police fishing expedition rubber stamped by Ninth Judicial Circuit Court of Florida marsupial court jester (ie judge) Patricia Strowbridge.

https://www.newworldencyclopedia.org/entry/Marsupial

Bruce C. says:

Isn't DNA encoding...

subject to expectation of privacy under HIPAA? Since your genome can contain markers for various health issues and predispositions, there is a medical privacy scope involved here.

Even without recent supreme court rulings that narrow the scope of the 3rd party doctrine, this warrant is shaky. Seems like another rubber-stamping by the judge without examining the particulars of the warrant. I hope the judge makes note of this article (or the NYT article) and is more diligent in the future.

Dyspeptic-Curmudgeon (profile) says:

Time for Ancestry.com to move the database to Switzerland

If (big IF) ancestry.com wants to avoid being sued, it is time for them to sell the database side of the business to a parallel entity based in say, Switzerland. So the testing can be carried out here, but the data resides elsewhere under the control of a completely different set of individuals. Which persons deal individually with the sample providing customers. Making the DNA testing portion merely a service.

If ancestry.com USA *holds* no data, it cannot respond to a warrant. And the Swiss corp will not either!

Dyspeptic-Curmudgeon (profile) says:

The warrant is likely defective

From my meager reading of US 4th Amendment law, I understood that a warrant can only be obtained where the place to be searched is expected to contain *evidence of a crime*. Seems to me that a DNA database almost by definition could not contain evidence of a crime. And there is no actual evidence that the suspected perpetrator’s DNA is contained in the database.
The warrant does not ask for Joe Perp’s DNA, it asks for matches to unknown Joe Perp’s DNA, some of whom are not Joe Perp.
Anyone know more about this aspect of 4thAM law??
