Outing the unwitting
There’s an old adage that may date back — if internet sources are to be believed — as far as Roman times.
“It’s all fun and games until somebody gets hurt.”
That’s a lesson that the genealogical community may end up learning the hard way if we cannot convince certain players in the DNA testing world that there’s a big difference between opt-in and opt-out when it comes to informed consent — and if police and prosecutors don’t protect unwitting “genetic informants” in their unthinking quest to solve cold cases at all costs.
Because there are in fact personal and individual consequences to the person who tested his or her DNA purely for genealogical reasons, or even for mere curiosity as to ethnic origins, and whose results are then exposed to and used by police to investigate crime.
And those consequences can be something far far different than what we’re being sold — the whole “crowdsource justice” argument we’re hearing now, particularly from Family Tree DNA as it scrambles to defend its decision to allow law enforcement access to its matching database for crime scene kits.
This month, a Washington State woman learned that her identity as a distant relative of a man arrested for murder in Iowa had been disclosed in one of the search warrants issued in the case.1 She had uploaded her data to GEDmatch.com where it was used to identify the suspect.
Now in that particular case, at least so far, no-one close to the suspect has decided to take any action against the unwitting relative whose test was the key to identifying the suspect.
But let’s rewrite the story a little, shall we? Let’s say it’s one of us, sitting here reading this blog, and we wake up one morning to find that our DNA was used to identify a distant cousin as a cold-blooded killer. Congratulations, we’re told. We’ve helped crowdsource justice in that case.
And that distant cousin we never knew existed? Who now has our name and identifying information?
His name is Vito Corleone.
You do know who Vito Corleone was, don’t you? If not, you might want to see where you can access the Academy-award-winning 1972 film The Godfather and the 1974 Academy-award-winning sequel, The Godfather Part II. And pay particular attention to the revenge part…
Nobody but nobody can guarantee that this won’t happen, sooner or later. Some nut case in some branch of some family directly impacted by one of these cases is going to blame the unwitting genetic informant and go after that person — or that person’s loved ones — for helping identify the bad guy.
But hey… it’s just crowdsourcing justice, don’t you know?
This is all a good thing.
Give up your privacy, without being asked, and then — someday, for some person — maybe end up giving up your personal safety, or that of your loved ones.
Yes, indeedy — “It’s all fun and games until somebody gets hurt.”
Now there will be people out there who think the chances of this happening are small enough that they’re willing to take the risk. That’s absolutely their right. They can choose to accept any level of privacy loss, any level of personal risk, that they choose. Anyone has the right to make this decision and give informed consent to it.
But what about everybody else? All those people who tested and whose identities are now at risk of being disclosed as the unwitting informants in these cases — and who never affirmatively said yes to it?
Family Tree DNA has yet to accept that not saying “no I don’t want to run this risk” isn’t the same thing as saying “yes I’m willing to run this risk.”
It hasn’t yet learned just what informed consent is — and how a company can secure it from its customers.
Here’s a hint: telling customers that their data may very well be exposed to police investigators, and — now, we see — to the bad guys and their supporters as well, unless they opt-out of law enforcement matching is not informed consent.
Let’s look for a moment at the textbook definition of informed consent: “an agreement to do something or to allow something to happen, made with complete knowledge of all relevant facts, such as the risks involved or any available alternatives.”2
Agreement in this context can’t be passive. We never get informed consent from someone who doesn’t take some affirmative action to demonstrate agreement.
An example: you and I are attending a conference. We both want the aisle seat, second row, so we can see and hear the speaker. You got there first, and I come up to you and say, “If you don’t get out of that seat, I’m going to push you to the floor.” You ignore me.
Would anybody in the world seriously argue that I now have your informed consent to push you to the floor? Of course not. Your silence in the face of my demand is meaningless.
That’s exactly what an opt-out system is for law enforcement access to our DNA results. It’s demanding that we give up our privacy and potentially become that unwitting genetic informant unless we step forward and say no.
But we’re not agreeing to anything if we do nothing. We may not have received the notice. We may not understand the notice. The notice certainly doesn’t tell us our identities may well be disclosed to the bad guys, not just to the police, so we’re not being told about all the risks. Our silence in the face of that demand is meaningless.
Informed consent can never be secured when the form is “I’ll assume you’re fine with this unless you say no.” It can only be secured when the form is “You have to show me that you’re fine with this by saying yes.”
Opt-out is not informed consent.
And outing the unwitting, who’ve never given informed consent — “It’s all fun and games until somebody gets hurt.”
Cite/link to this post: Judy G. Russell, “Opt-out is not informed consent,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 31 Mar 2019).
SOURCES
- See “Distant relative learns her DNA led to arrest in Michelle Martinko slaying,” The (Cedar Rapids, Ia.) Gazette, posted 22 Mar 2019 (https://www.thegazette.com/ : accessed 30 Mar 2019). ↩
- Wex, Legal Information Institute, Cornell Law School (https://www.law.cornell.edu/wex : accessed 31 Mar 2019), “informed consent.” ↩
I agree that your scenario is possible but highly unlikely. In the first place, your scenario suggests that only one match id’d the killer and that is also very unlikely. Also, I think you may be unfairly singling out GEDMatch and FTDNA. Where I draw the line is if they use it for something less than violent crimes. For those people whose family have been the victims of a violent crime, I’m sure this seems a very small risk to take.
As long as you’re comfortable with this scenario, there’s no problem. You can agree to any risk — from 0.00001% probability to 99.9999% probability — for yourself. But none of us can agree to this for anyone else, and nobody can assume that someone has agreed because they haven’t said they don’t agree. Our sympathy for the families of victims doesn’t override the need to preserve the right of each individual to make a personal decision to accept this or not.
I agree with you 100%. One left over niggling concern: I’ve opted out. How do I know/verify my data is NO LONGER being used by law enforcement?? My trust level is very low in Ftdna right now.
I understand your concern, and can only refer you to FTDNA for an answer.
Judy, thank you once again for continuing to highlight the extensive issues involved here. And, I do mean extensive because it is not just for oneself that one is making the decision; one is exposing not only immediate family members but countless cousins who may or may not agree with the premise of allowing those not involved in family research to have access to this information. I wonder if those who are okay with law enforcement matching (LEM) have canvassed family members to get their opinions. I suspect that is not often done.
Having to actively opt out of LEM is clearly not okay and I continue to be dismayed at FTDNA leadership’s growing advocacy for the use of mainly hobbyists’ data for purposes other than originally intended. Changing course midway through is not acceptable. Since until recently, those who tested at FTDNA had done so for genealogy purposes, it should be assumed that they have not/not opted in to LEM – not the reverse. Any new testers should have the option to opt in (not have to opt out).
Judy raises very pertinent issues in that many users likely do not go back to the testing sites on a regular basis and may still, even now, be unaware of FTDNA’s ill-advised terms of service changes. Personally, I would not recommend FTDNA to anyone because of how poorly they have served their customer base.
There are still so many unanswered questions and issues still to be identified that we may not have even thought of yet. I wonder how long law enforcement keeps information they have obtained from these genealogy databases. Do they keep the information only for the span of the investigation of a particular case? How is the information then deleted? Are users whose information has been tapped by law enforcement or their proxies notified? Just a few questions that come to mind…
I do feel sympathy for the families of those who have gotten peace from the results of forensic genealogy. But, I do believe it’s a slippery slope to allow LEM without the proper protocols – search warrant, etc. And, I don’t believe the end justifies the means.
Despite my personal opinion of any individual who has been charged with a heinous crime, I strongly believe that individual is entitled to due process of law. I also strongly believe that the unwitting DNA donor(s) whose DNA helped locate a suspect is entitled to privacy and protection. I don’t think the Vito Corleone revenge idea is just a distant possibility, but more than likely a probability.
If an individual’s DNA is used by law enforcement after they have opted out because FtDNA allowed law enforcement access, what, if any, recourse would the individual have?
Is it required that the individual(s) who provided the matching DNA be revealed to the suspect and his/her attorneys? Would or could the court order such information sealed?
I would like to know how the court handles this type of personally identifiable information.
This information COULD be sealed and not disclosed. Identities of confidential informants (a legal term of art) are protected all the time unless there is a compelling need for disclosure than can’t be met by any less intrusive means. The problem is that the police and prosecutors aren’t treating DNA matches as confidential informants and not ensuring that their privacy is protected. But hey… we’re all crowdsourcing justice, so… (It makes me so angry that people’s rights to privacy are treated so cavalierly.)
And…would opting out close off looking for DNA matches for service men and women’s remains? Unidentified bodies?
I myself have a distant relative who was a serial killer and a close relative who has a criminal background. I don’t have any fears on their account as we are not of Italian or other families that may be prone to revenge as far as I know! I will take my chances because of the possible good my DNA could provide.
Yes, opting out closes off that possibility, because FTDNA and GEDmatch set it up that way. It’s all-or-nothing. It doesn’t HAVE to be that way, and people could make different decisions for each use if the databases were set up differently. And your choice is a perfectly reasonable choice for you. Nobody disputes that each and every individual has an absolute right to say yes or no to any use of his or her DNA results. The problem is, nobody but nobody can make the decision for anyone else (and that includes FTDNA for its customers).
Thank you for this wonderful post, Judy! I am wondering if search warrants are generally open – in some way – to the public, or if this information was likely leaked. I find it really scary that the names of these matches are being shared. And, the issue with FTDNA and their choice to choose opt in as the default is definitely disturbing. (Also, in regards to Terry’s comment about your possibly unfairly signaling out GEDMatch and FTDNA, those are the two companies we know have been used in law enforcement cases, so those two companies ARE who the genetic genealogy community is discussing.)
Search warrant applications are routinely unsealed once the case has been indicted and an arrest made. That means they become part of the publicly-available record, sometimes even online. They can be sealed, or sealed in part, or information redacted — but only if police and prosecutors are alert to the dangers. And right now it’s “solve cases at all costs,” and “the end justifies the means,” and “you must have something to hide if you don’t like this” — so we’re all at risk.
The Martinko case highlights the need for a policy on sealing search warrants (or at least redacting some information when releasing information to the press). That was done in the Golden State Killer case: see bottom paragraph of page 49
http://www.documentcloud.org/documents/4492712-P-v-DeAngelo-Redacted-Search-Warrant-Final.html
I have not tried to research any other search warrants to see how they were handled, but off-hand, I don’t recall any similar cases.
None of these cases have gone to trial yet. I wouldn’t think investigative leads from genetic genealogy would necessarily need to be incorporated into the trial. The case would rest on the match between the crime scene evidence and the suspect after his DNA had been directly obtained.
The hitch, of course, is that policies are not always followed. It’s the Wild West out there right now, with too many people pushing too far too fast without protections in place. “Trust us, it’ll be okay” is simply not good enough. We know have proof positive that the fact that the genetic informant was protected in one case doesn’t mean every one will be protected.
I still think it’s worthwhile to establish best practices guidelines for treating the DNA relatives as confidential informants, with confidentiality extending to themselves.
Incidentally, the word “informant” doesn’t seem quite appropriate. To me it has a connotation of taking direct action, but I gather that’s not the legal sense?
I couldn’t agree more than we need best practices — but I think that needs to start by demanding informed consent to the use. We dilute that absolutely critical message by suggesting quick fixes for things that can’t really be fixed. Sure we can provide some cover to people whose DNA is used. But we’d do better not to use their DNA if they haven’t consented (or a judge hasn’t ordered it).
And if you read detailed accounts of the woman in Vancouver, WA whose Gedmatch data was used in the Iowa cold case arrest; she said she uploaded her data to the site long ago and forgot about it. So she never opted in to anything and only learned of the use of her info when matches on the site from Iowa contacted her.
I hope the comment suggesting only Italians seek revenge was joking; as I could tell some pretty gruesome tales of convicts I encountered in a state court system and the truly bizarre things they’ve had done to folks they suspected of ” dry snitching”, even if the target was not the actual snitch. Sorry to say, but lots of ppl are just nuts and not logical thinkers.
And now FTDNA is using Ed Smart to solicit uploads from other DNA test sites smacks of a revenue- boosting strategy than some morally- based dedication to crimesolving. And there will be ” mission creep” into using this for other crimes– the case of the MD burglar/ serial fondler solved by Parabon is almost on that line.
I no longer trust FTDNA and opted out of all matching on all of my family’s kits I manage and may soon have everything deleted, including my full mtDNA sequence. Too bad I didn’t know I was paying hundreds to inadvertently help law enforcement, in addition to the taxes I’ve paid for many decades.
Mission creep is a very very real concern — and terrifying in its implications across international borders and more.
Karen Stone: The Vancouver woman uploaded to GEDmatch in June 2018, after the new TOS were in place (May 20, 2018).
http://www.spokesman.com/stories/2019/mar/26/vancouver-womans-dna-leads-to-arrest-in-1979-iowa-/
The above article also mentions that her brother did not want to upload his data. That gets into a whole topic for discussion!
Unfortunately, the journalism on this topic tends be poorly done, since the articles I read claimed she uploaded her data ” awhile ago” ( her words, not mine); and the next time she “needs to read the fine print” ( again, her words, not mine. And I thought, based on the writing in these articles I read ( primarily from the paper in Iowa) that he brother was cautioning her about uploading her own data, not his. As someone who once worked as a journalist, the reporting around these issues often leaves me frustrated. I can’t count the number of times I read articles claiming you can upload data to 23andMe and AncestryDNA for these purposes, when this is not true.
As for my own Animus toward the Gedmatch situation, I was offline for nearly a year due to illness and other personal difficulties; so I guess I was one of those “hermit’s” who are supposedly the ” only people” who didn’t know that the site was being accessed by law enforcement. This whole ” you should have known” argument seems disingenuous to me; and has totally destroyed my faith in the ppl who became the face of this supposed “hobby”.
Regardless of my own comfort level and thoughts on such participation, I am surprised that a company with a global customer base can do this. I spent my career in a large multinational organization. For health care related contracts, we always operated on the principle that according to laws in many European countries, one must opt in for consent – failure to opt out is not considered consent (exactly what you are saying). Assuming that this company has customers also in Europe, I wonder how they are able to do this and remain within those laws. Or perhaps they do operate differently there…..
FTDNA did remove all EU kits from law enforcement matching, so any EU kit from the past has to opt in. But it has taken the position for the future that opting in to matching at all means opting in to every kind of matching, including law enforcement matching, so all customers — EU or not — will have to opt out in the future.
Wouldn’t FTDNA be LIABLE if an innocent person is harmed due to FTDNA allowing that person’s DNA to be used by the authorities and then the suspect hurts the donor of the DNA? Can smell a multi-million dollar lawsuit and I am beginning to wonder if it will happen sooner rather than later.
Judy, thank you for staying on this.
I completely lost one kit I had paid for at FTDNA when the owner found out what was going on. A second kit I paid for allowed me to upload their info to My Heritage, after Gilad Japhet stated so adamantly that he would not allow his site to be used in this way. Two more are ‘thinking about it.’
For my own kit, I opted out of LE matching once they started their big advertising push. I see no reason why I should reward them financially (by contributing to the size of their ‘donor pool’) for their poor customer treatment.
Frankly… I will likely simply delete my kit there soon. I’m not sure I want a continued relationship with such a company.
I have been waiting all week to see what you would write.
I write a blog for a genealogy group and skipped mentioning one of FTDNA’s sales after its actions were revealed. (No we are not an affiliate.) I just didn’t feel good about the actions of the owner/company. After the ability to opt-out was added, I decided to mention the most recent savings BUT I included a reminder and caution clearly stating what has been happening and that a person’s disagreement may not necessarily be about the use of DNA to solve cases but with the privacy issues and the Fourth Amendment rights of citizens of the United States of America.
Then I heard of his/the company’s new marketing test plans. That just floored me. While discussing another unrelated topic, a congresswoman recently said something like we have one mouth … And two ears to hear both sides when we shut our one mouth. (I don’t know if she was quoting someone.) I think he/the company still isn’t hearing the other side.
Family Tree DNA was founded to offer DNA analysis to individuals for a genealogical purpose. Not to crowd source justice as you put it. An Opt-In physical choice (meaning everyone is set to opt-out by default not just EU customers) is the right way. The wrong way is the Opt-Out physical choice which those who haven’t heard of the issue or are dead can not do.
Here’s an idea for him/FTDNA. He/It already has a few divisions with specific, separate DNA purposes so instead of trampling on its FTDNA customers’ privacy/Fourth Amendment rights and endangering the FTDNA division to EU law, how about setting up another separate division that is specifically designed to help law enforcement. So individuals who are clearly informed prior to uploading their OWN DNA data for free that the purpose of this particular division/website is to help law enforcement. And Law Enforcement and their third-parties are the one’s that pay for access/submissions with tools similar to FTDNA to compare DNA matches. And that it is clear to those administrating kits for others at other sites, that they can only submit those administered kits with the informed permission (for this specific purpose) of the actual spit owner tested. And no one’s test from FTDNA is automatically entered onto that separate division/website. It has to be a physical choice of the individual — the person whose spit it is.
Yes, it will take time to build a match pool for the new division/website. But if he/it is so sure about crowd sourced justice it shouldn’t take that long to build a consenting DNA pool of potential matches. BUT they’re still going to have to figure out the terms to protect those that submit their DNA to help law enforcement from any potential exposure that may potentially cause them harm if the tester’s name is revealed and the person charged learns of it.
And he/FTDNA can remove law enforcement access to FTDNA and return it to its original genealogy purpose. Then FTDNA’s statement they don’t sell our DNA data to third-parties will mean something again.
That would be the perfect solution, yes.
While one of the more egregious instances, this kind of corporate shapeshifting is widespread. Do you think that one potential solution is a legislated requirement that the terms of service in force at the time an individual makes an account must remain in force for the life of the account? When the Greenspans, Zuckerbergs, etc. modify the terms to suit their latest whim, existing customers would be protected, and new customers would know what they were getting into.
Some kind of limit on changes that are forced on people would be wonderful, but another problem we all have is trusting the legislatures to do the right thing rather than foul it up even more.
I wonder how many law enforcement and FTdna workers/owners have posted their own DNA results on Gedcom and FTdna sites? If they are sincere in believing that opting out amounts to shirking a civic responsibility, surely they would be the first in line to be tested and to post their results?
Interesting question… and one we’ll never know the answer to, of course.
After reading this and the comments as well as the comments on Facebook, I went to my FTDNA account and opted out of LE for all the kits I manage. But how do I do the same with GEDmatch and Genesis? Is there such an option? Or do I just have to delete all my kits from those sites? (I rarely use them anyway anymore and use MyHeritage and Ancestry since those sites are much more user-friendly these days.)
At GEDmatch and GEDmatch Genesis, you change your kit(s) to research kit(s). Below your list of kit(s) resources is a link that reads “EDIT or DELETE your DNA resource profiles.” Click on that and on the page headed Manage User Resources, click the Select radio button all the way in the right column of any kit you want to change, then click Edit at the bottom. On that page you can choose Public / Private / Research. The Research option keeps your kit from showing up on anyone else’s match list. On Genesis, click on the pencil to the right of the name for any kit, and the Public / Private / Research option is a radio button towards the bottom labeled New Public Access, and the options are yes (public), no (private) and research.
Thank you, Judy. I assume Research also means I don’t see matches to my kits either. What a shame that this has all been converted to uses that no one anticipated when posting their DNA.
No, it doesn’t mean that. You can still use most tools on your own kit but others won’t see you as a match.
OK, I just switched them over. It seems many kits must have been converted to research only because I am certainly showing far fewer matches. As I said, it’s a shame.
Am I interpreting your proposed opting solution right? You reply to a query:
“I assume Research also means I don’t see matches to my kits either… [Judy]..
No, it doesn’t mean that. You can still use most tools on your own kit but others won’t see you as a match.”
If that’s the case, and most everyone opted out as you seem to prefer, it would be a pretty empty data base and you wouldn’t find matches with anyone. Except those dumb enough not to opt out, of course, and who’d want to be related to them? 🙂
I don’t prefer either decision on behalf of anyone else. I only insist on informed consent. If this floats your boat, go for it. Opt in. 100% entirely your decision and your right. Just don’t force anyone else to do so, is all I ask.
OK. but my fundamental question remains – if everyone opted out, matching would go to zero, right? DNA testing would become meaningless except for the cocktail party ethnicity. Did you opt out?
At GEDmatch, my personal kit is not opted out. At FTDNA, it is.
I opted out on all my kits on both GEDmatch and FTDNA. I plan to rely on MyHeritage and Ancestry (I haven’t gotten much out of FTDNA or GEDmatch anyway). But I am curious, Judy—why opt out of FTDNA but not GEDmatch?
GEDmatch is a free service that I chose to use and where I can do quite a bit to protect my identity and my family’s identity. Family Tree DNA has way too much of my data — and it’s utterly out of my control there since the company has chosen to make my decisions for me.
I do use pseudonyms on GEDmatch, but still—my email is there with my full name. I guess I will see what I think I am missing. Thanks!
I haven’t yet taken all the steps I could, but consider using a throwaway free email account just for GEDmatch…
Judy, given what was just publicized today regarding GEDmatch – I am curious if you have a recommendation on a particular throwaway e-mail service to use with them (and FTDNA) that would *not* be traceable by LE. Exploring my options before making a decision whether or not to pull some kits out completely. Thanks!
If LE wants to find you badly enough, they will do so and there’s no such thing really as a completely untraceable email address. But you’ll have the best chance of remaining as unfindable as possible if you use something like GMail (not a recommendation, just something to look at) and DO NOT link it to another email or phone account and DO NOT log in without going through an anonymizer to hide the IP address of the log-in.
What does this mean, if courts can order any of these DNA companies to provide access to DNA data regardless of customers’ opt-in/opt-out choice?
Any court can order access to anything IF it finds (a) probable cause to believe a crime has been committed AND (b) probable cause to believe that specific items in a specific location will produce evidence of the crime, and sometimes even (c) probable cause to believe the evidence can’t be obtained in any other way. That’s what the Fourth Amendment to the Constitution guarantees: that a neutral and detached judge will make that decision, whether it’s as to evidence that may be in a database or evidence that might be in our homes.