Unbeknown to customers of popular genealogy services, much of their genetic data is accessible to law enforcement officers (LEOs) during the course of criminal investigations, even when the customers are not suspects or persons of interest. Like the major social media platforms, genealogy companies are becoming the eyes and ears of the state, and their customers are becoming unwitting dupes for another dragnet surveillance tool. But unlike social media, the information they are handing over compromises not just their own privacy but also the privacy of their relatives, regardless of whether those relatives have submitted DNA to genealogy services themselves.
The first warrant for a dragnet search of a commercial DNA database (GEDmatch), then containing the DNA of 1 million people, was issued by a judge in Orlando in 2018. Since then, few safeguards have been put in place to protect the privacy of people not under criminal investigation and the Sixth Amendment rights of criminal defendants, specifically the right to cross-examine the witnesses (and evidence) used to prosecute them. At least one man, a twin of a rape suspect, has been falsely arrested on the basis of a genealogical match. DAs also often falsely reclassify (i.e. lie about) their cases, from less serious property crimes to homicide and sexual assault, to meet search guidelines set by both commercial databases and the DOJ; they treat the uninformed customers in these databases as “confidential informants” and conceal the genealogical search, including the company they used, from the defense. Police have even gone so far as lying to the relatives and parents of suspects in order to incriminate those suspects with the relatives’ DNA, and at least one DA (Ventura County) has formed a public-private partnership with one of these genealogy services, FamilyTreeDNA, to cajole innocent customers into handing their DNA over to police.
While the largest genealogical companies, including Ancestry (23 million profiles), 23andMe (14 million profiles), and MyHeritage (7 million profiles), bar police queries absent a warrant, some of the smaller databases, such as FamilyTreeDNA and GEDmatch, which have a combined 1.8 million profiles, permit police queries without a warrant but let customers opt out of having their data available to police. Even when customers consciously choose to opt out of sharing their DNA data with police, forensic genealogists have found a loophole that lets them see those profiles anyway by manipulating search fields, without letting the company or the customers know that the DNA is being used in a criminal investigation. For GEDmatch in particular, the creation of the loophole started in 2019, when the company changed the default privacy option from opt in to opt out. When its database was hacked in 2020, all customer profiles were switched to opt in to LEO queries. Margaret Press, the founder of the DNA Doe Project (a forensic genealogy NGO that assists LEOs), admitted to The Intercept that they exploit a bug in the software that gives them access to all GEDmatch profiles.
We have always been committed to abide by the Terms of Service for the databases we used, and take our responsibility to our law enforcement and medical examiner partner agencies extremely seriously. In hindsight, it’s clear we failed to consider the critically important need for the public to be able to trust that their DNA data will only be shared and used with their permission and under the restrictions they choose. We should have reported these bugs to GEDmatch and stopped using the affected reports until the bugs were fixed. Instead, on that first day when we found that all of the profiles were set to opt-out, I discouraged our team from reporting them at all. I now know I was wrong and I regret my words and actions.
Even the larger databases that prohibit queries absent a warrant are not safe from dragnet surveillance. For instance, the FBI and the Riverside County Cold Case Team used the MyHeritage database, without a court order, to crack a case from 1996. Database owners will also sometimes arbitrarily make profiles available to police, without the informed consent of their customers, when they feel a specific case justifies it, as GEDmatch did for an assault in Utah.
The FBI’s CODIS comes a close second to Ancestry, with DNA profiles on 21.7 million Americans and growing at a rate of 90,000 samples per month. The FBI began compiling a DNA database in 1990 and by 1998 had combined samples from all 50 states into a national database called the Combined DNA Index System, allowing state, county and municipal LEOs across the country to query DNA from convicts and crime scenes across all 50 states. Police went from submitting only the DNA profiles of convicted sex offenders and violent felons, to including people simply arrested for, but not convicted of, any felony crime, which SCOTUS rubber-stamped in Maryland v. King, to, as of recently, including DNA from the relatives and parents of suspects whom police duped into submitting their DNA. Thus, in the span of one generation, CODIS went from collecting DNA profiles on sex offenders and violent felons to collecting them on all persons of interest, and in the phony war on terror we are all persons of interest. In a recent budget request, Director Christopher Wray asked Congress to expand the agency’s budget for DNA cataloging from $56.7 million to almost $110 million, as his agency plans to increase sample collection to 120,000 per month or 1.5 million per year, which will include US citizens, permanent residents and foreign nationals detained by CBP. Rapid DNA analysis that can be conducted in a matter of hours has allowed both LEOs and private genealogists to exponentially expand their databases in just the past five years. MyHeritage has predicted that the DNA of all 235 million white Americans could be identified from as few as 3 million profiles based on third-cousin matches (they have 7 million profiles total). The DNA profiles compiled by all private genealogy services and CODIS have made a national DNA database that can identify anyone of any background all but inevitable: a genetic panopticon that will make both your past and present trackable and traceable.