This piece was originally published by The Washington Post.
When DNA evidence led to the arrest of Joseph James DeAngelo in the Golden State Killer case last month, there was considerable relief and celebration among investigators, survivors, and the public-at-large. But as the public learned the details of the investigation — that investigators had uploaded a detailed genetic profile created from crime-scene DNA to a public genealogical database to find matches to relatives — companies such as 23andMe and Ancestry.com were quick to announce that they hadn’t been involved.
Testing DNA holds immense promise: It can help us identify and ultimately treat health risks, teach us about our origins and even reunite families. But those benefits are only possible because our DNA holds deeply sensitive information about us — and about our relatives. In submitting our DNA for testing, we give away data that exposes not only our own physical- and mental-health characteristics but also those of our parents, our grandparents and, as in DeAngelo’s case, our third cousins — not to mention relatives who haven’t been born yet.
This sort of “networked privacy” isn’t unique to genetic material. It emerges any time we share information with others, including all the photographs shared online in which we’re often unwitting extras. It could also be infringed through social media relationships, as we saw for the tens of millions of Facebook users who recently had their information exposed to Cambridge Analytica because of choices only tens of thousands made.
We should be able to access the benefits of technological advances without giving up our rights.
For starters, private companies have an important role to play in safeguarding sensitive information. 23andMe already has a commendable policy explaining that its results cannot be considered “proof in a legal context” because the company lacks “the means to reliably connect any particular DNA sample or account to an individual.” The company also bars law enforcement from submitting samples from incarcerated people or those charged with a crime for testing.
But 23andMe and similar companies such as Ancestry.com also state that they will comply with “valid legal process” seeking consumer information. It is not clear from the companies’ terms of service whether that applies only to usernames, photos, and credit-card information, or if it extends to genetic material as well. All of these companies should make clear that the genetic material they collect from users is not available to serve as legal proof and that law enforcement cannot use their services to test prisoners and arrested individuals or to conduct investigations. Otherwise, the public may have to choose between accessing the benefits of genetic science and maintaining its privacy rights.
Even if companies take these much-needed steps, the onus remains on government actors to protect our rights. We shouldn’t have to rely on changeable company policies to protect such private information.
Moreover, the privacy concerns raised by the Golden State Killer investigation don’t disappear just because GEDmatch, the genealogical database investigators reportedly used, was a public site. In fact, investigators’ decision to upload a detailed genetic profile generated from crime-scene DNA to a public website likely violated the alleged perpetrator’s privacy rights. Even if DeAngelo is found guilty of the crimes he is accused of, penalties for such crimes do not typically entail releasing a person’s entire genetic makeup. People may not be so troubled by such an intrusion when it comes to a serial killer, but imagine the implications of using this technique for shoplifters or trespassers.
The lines we draw for this case may well provide a roadmap for investigations of crimes in the future. And the techniques used here are likely only the tip of the iceberg when it comes to what investigators will soon have the technological power to do.
Now is the time for legislators, the courts and law enforcement to ensure that the benefits of genetic-science technology don’t come at the cost of our privacy rights. And our legal system should also recognize that just because information isn’t secret doesn’t mean that people don’t have an interest in controlling who can see it.
Blockbuster investigations, as gratifying as they are, shouldn’t obscure the very real dangers of government access to sensitive information.