Select Page

FTDNA database now wide open to law enforcement

The Legal Genealogist has long been one of the biggest fans of the DNA testing company, Family Tree DNA (FTDNA), part of the Gene by Gene companies of Houston, Texas.

A company established by genealogists for genealogists, and the only major DNA testing company today that offers YDNA and mitochondrial DNA testing for genealogy, FTDNA has long been my company of choice for personal and family DNA testing for genealogical research.

But a story that broke yesterday may have brought that enthusiasm to a screeching halt.

The story, first published in Buzzfeed, reported that FTDNA has quietly, without any advance warning to customers and without any notice being sent afterwards to customers, changed its terms of service to allow law enforcement agencies access to customers’ test results — and that such access has already taken place.1

I’ve done my own checking on this and — sigh — that’s pretty much an accurate report of what’s happened here.

And, as a result, it surely appears, the floodgates are now wide open to the police.

floodgates

The prior version of FTDNA’s terms of use stated that users were not permitted to use its services “for any law enforcement purposes, forensic examinations, criminal investigations, and/or similar purposes without the required legal documentation and written permission from FamilyTreeDNA.”2 In that context, “required legal documentation” appeared to mean an appropriate court order or subpoena, issued with appropriate judicial oversight, especially when read in conjunction with the FTDNA Privacy Statement’s promise that personal information would be disclosed only “if we believe it is reasonably necessary to … comply with a valid legal process (e.g., subpoenas, warrants)…”3

As of today — and as of some unspecified point in December 2018 — the terms of use allow law enforcement to use the FTDNA database to try to find matches for any “DNA Sample submitted or Genetic Information supplied (that) was obtained and authorized by law enforcement to either: (1) identify a perpetrator of a violent crime, as defined in 18 U.S. Code § (924)(e)(2)(B), against another individual, including sexual assault, rape, and homicide; or (2) identify the remains of a deceased individual.”4

There is no date on the page showing exactly when the terms of use changed; an email from FTDNA’s publicists states: “In May of 2018, in response to GDPR (note: the European Union’s General Data Protection Regulation), FTDNA changed its Terms of Service. Those changes included law enforcement use which was broadly defined. Customers were informed of the changes to the Terms of Service at that time. In December of 2018, that paragraph was amended to more narrowly focus those restrictions to define violent crimes.”5

In announcing the new law enforcement access to the FTDNA service, a press release from FTDNA acknowledged the changed terms of use and stated that:

After receiving inquiries from the FBI, (FTDNA founder and president Bennett) Greenspan found himself asking whether, as a trusted guardian of consumer DNA data and consumer privacy according to U.S. News and World Reports, FamilyTreeDNA in good conscience and without violating consumers’ trust could help the FBI identify the remains of deceased persons or perpetrators of violent crimes (as defined in 18 U.S. Code § (924) (e) (2) (B)), saving lives and preventing others from becoming victims?”

 

“We came to the conclusion,” says Greenspan, “that if law enforcement created accounts, with the same level of access to the database as the standard FamilyTreeDNA user, they would not be violating user privacy and confidentiality. In order for the FBI to obtain any additional information, they would have to provide a valid court-order such as a subpoena or search warrant.”

 

Working with law enforcement to process DNA samples from the scene of a violent crime or identifying an unknown victim does not change our policy never to sell or barter our customers’ private information with a third party. Our policy remains fully intact and in force.”

 

As specified in FamilyTreeDNA’s Terms of Service – law enforcement can only receive information not already accessible to the standard user by providing FamilyTreeDNA with valid legal process, such as a subpoena or a search warrant.6

And, the press release goes on, DNA samples generated in criminal investigations can be uploaded to “all public DNA databases, one of which belongs to FamilyTreeDNA, by law enforcement officials in their effort to build the suspect’s or deceased individual’s family tree.”7

FTDNA’s publicity team explains today that: “FTDNA has not given access to law enforcement that is not already available to any member of the public worldwide. We are still promising privacy, unless there is a match of some sort, and we are served with a valid court ordered subpoena or search warrant. What we are reporting is that law enforcement is uploading samples and will continue to do so. It does not effect us genealogists unless we are protecting killers or rapists in our families.” 8

Now… that sounds perfectly reasonable, doesn’t it? After all, since May 2018 GEDmatch.com has been allowing access to its DNA database to investigate cases of rape and murder,9 — and who can be against solving heinous cases of rape and murder, right?

There are just a few problems here.

1. Until that press release yesterday, and the explanations today, nobody but nobody who tested with FTDNA would have read those May terms of use as allowing law enforcement access to the FTDNA database without a warrant or other court order. Maybe we should have, but considering the changes were to comply with the GDPR, and the GDPR flatly prohibits processing of genetic data unless express consent is given for a specific purpose, it’s perfectly reasonable that we didn’t read the changes that way.

2. Until that press release yesterday, nobody but nobody who tested with FTDNA would have considered the paid company service to be a “public DNA database.” The DNA-testing-company-owned-and-run databases have always been thought of as proprietary and private, and thus very different from non-commercial open-access databases or registered-user databases like GEDmatch. Defining company databases as “public DNA databases” is a game-changer in a fundamental way.

3. The information a standard user has access to can be fairly substantial information that can and typically does include a user’s full name, email address, and family tree data, and — depending on the type of test taken — matching autosomal segment data, YDNA haplogroup and markers and mitochondrial DNA haplogroup and characteristics. Much of that isn’t open to “any member of the public worldwide” but only to customers with customer log-in identifications. And, of course, a law enforcement agency isn’t a standard FamilyTreeDNA user, using the data for the same reasons as that standard user.

4. The definition of allowable law enforcement uses adopted by FTDNA is in no way limited to rape and murder. Using 18 U.S.C. §924(e)(2)(B) as a definition allows any law enforcement agency anywhere to use the database to investigate any “violent felony” — defined as “any crime punishable by imprisonment for a term exceeding one year, or any act of juvenile delinquency involving the use or carrying of a firearm, knife, or destructive device”. The definition reaches any crime involving “the use, attempted use, or threatened use of physical force against the person of another … or … conduct that presents a serious potential risk of physical injury to another.”10

In other words, law enforcement can use the FTDNA database to investigate just about any felony anywhere under any circumstances even if no-one was actually harmed. While the press release and other comments have spoken only about the FBI, and only highlight cases involving rape or murder, there’s no such limit in the terms of use whatsoever.

The floodgates have been opened to almost unlimited police use of data collected solely for genealogical purposes, without the informed consent of users, and without any realistic prospect of gaining informed consent, since so many FTDNA test-takers who were early adopters of this technology are now deceased. Users who are in a position to decide for themselves can only prevent this use of their data in the database by deleting their accounts or opting out of matching — which pretty much defeats the whole purpose of testing with FTDNA.

The Fourth Amendment, protecting people against unreasonable searches and seizures, has pretty much been written out of genealogical DNA testing now. No judge will ever be asked to review what the police intend to do with this information before they get access to it. With the way the court system works, it can’t even be challenged in a criminal case resulting from an identification using FTDNA data: a criminal has no reasonable expectation of privacy in DNA left at a crime scene; the defendant can’t raise the privacy rights of other FTDNA customers in their data; and those other customers have no voice (“standing” in the words of the law) to be heard in the criminal case.

Frankly, I’m flummoxed — downright gobsmacked. To say that this “does not effect us genealogists unless we are protecting killers or rapists in our families” is like saying we shouldn’t care about keeping police out of our houses unless we’re hiding evidence of crime there.

At one time here in America, we thought that privacy existed whether or not our homes, papers or effects might contain evidence the police might be interested in — and whether or not we might have crime suspects in our family trees … or in our DNA match lists.

Apparently, not any more.


Cite/link to this post: Judy G. Russell, “Opening the DNA floodgates,” The Legal Genealogist, posted 1 Feb 2019 (https://www.legalgenealogist.com/blog : accessed (date)).

SOURCES

  1. Salvador Hernandez, “One Of The Biggest At-Home DNA Testing Companies Is Working With The FBI,” Buzzfeed, posted 31 Jan 2019 (https://www.buzzfeednews.com/ : accessed 1 Feb 2019).
  2. December 2018 version, Paragraph 6(B)(xii), “Your Use of the Services: Requirements for Using the Services,” in “Terms of Service,” FamilyTreeDNA (https://www.familytreedna.com/ : accessed 1 Feb 2019).
  3. Paragraph 5D, “How FamilyTreeDNA shares your information: For Legal or Regulatory Process” in “FamilyTreeDNA Privacy Statement”, FamilyTreeDNA (https://www.familytreedna.com/legal/privacy-statement).
  4. Current version, Paragraph 6(B)(xii), “Your Use of the Services: Requirements for Using the Services,” in “Terms of Service,” FamilyTreeDNA (https://www.familytreedna.com/ : accessed 1 Feb 2019).
  5. Hapner Hart Media to Judy G. Russell, email, 1 Feb 2019.
  6. “Pioneers in Direct-to-Consumer DNA Test Kits Work with F.B.I. to Catch Killers,” FamilyTreeDNA Press Release via Harper Hart Media, 31 Jan 2019, received by email 1 Feb 2019.
  7. Ibid.
  8. Hapner Hart Media to Judy G. Russell, email, 1 Feb 2019.
  9. Terms of Service and Privacy Policy: Raw DNA Data Provided to GEDmatch,” revised 20 May 2018, GEDmatch (https://www.gedmatch.com/ : accessed 1 Feb 2019).
  10. See 18 U.S.C. 924.