Why its implications are unclear
The genetic genealogy community has been in a tizzy since the disclosure by the New York Times on Tuesday that a Florida judge had issued a search warrant for the GEDmatch DNA database.
That warrant — disclosed by a police officer involved in the investigation at a law enforcement conference — overrode the privacy settings of GEDmatch users and opened information to police scrutiny even if the users had chosen not to allow police access to the data.1
The Legal Genealogist would love to be able to help folks understand just what this means for privacy for DNA data created for genealogical purposes, but there are just a few problems — and a quick Q&A will show just what they are.
Q. What crime was committed that gave rise to this investigation?
A. We don’t know.
Q. When did the crime occur?
A. We don’t know.
Q. What traditional police methods were used before turning to the private data of people who tested solely for genealogical research?
A. We don’t know.
Q. Had the police accessed the GEDmatch database before its users were allowed to choose whether to opt in or opt out?
A. We don’t know.
Q. What was the basis for the warrant issued by the Florida judge?
A. We don’t know.
Q. What facts were given to the judge to decide whether to issue the warrant?
A. We don’t know.
Q. Was the judge aware of the privacy settings of the users impacted?
A. We don’t know.
Q. Was the warrant specific, asking for information as to specific users? Or general, asking for access to all kits no matter what?
A. We don’t know.
Q. What exactly did the warrant require GEDmatch to disclose to the police?
A. We don’t know.
Q. Did the warrant extend to research kits, or only to kits that were public but opted out of police access?
A. We don’t know. (There was a hearsay report on a private mail list that research kits were not included, but no official confirmation by GEDmatch.2)
Q. How many opted-out kits were exposed as a result of the warrant?
A. We don’t know.
Q. Did GEDmatch make any effort to resist the scope of the warrant?
A. We don’t know for sure, but two facts suggest that it didn’t. First, the GEDmatch operators are very much in favor of police use of their database and have actively encouraged their users to allow it. Second, the police officer said the site complied with the warrant within 24 hours.
Q. Is this going to set a precedent, to open up all genealogical test data whenever one judge in one county of one state says so?
A. We don’t know. We know the police want access to all genealogical data — the detective who got the Florida warrant was chomping at the bit to get a chance to access the larger databases like Ancestry and 23andMe. But while GEDmatch data is clearly at risk because the site operators approve of police use of their customer data, and Family Tree DNA data likely at risk for the same reason, other testing platforms have clearly stated they will fight efforts to access their data. A public statement from Ancestry shortly after the Times article pledges to resist if possible: “Not only will we not share customer information with law enforcement unless compelled to by valid legal process, such as a court order or search warrant, we will also always advocate for our customers’ privacy and seek to narrow the scope of any compelled disclosure, or even eliminate it entirely.”3 MyHeritage’s chief executive officer Gilad Japhet has long taken the position that his company would: “…resist to the best of our ability. That means that anything that we can legally challenge or contest, we’ll do so to the max until we prevail or are forced by court to comply.”4 And the Times article quoted a spokesman for 23andMe, Christine Pai, as saying, “We never share customer data with law enforcement unless we receive a legally valid request such as a search warrant or written court order. Upon receipt of an inquiry from law enforcement, we use all practical legal measures to challenge such requests in order to protect our customers’ privacy.”5
So… until more information comes out… the reality is, we just don’t know.
We do know that the Fourth Amendment to the Constitution protects against unreasonable searches and seizures. That language is generally interpreted to mean that a court can issue a search warrant only when the police show probable cause to believe that evidence specific to a crime can be found in a specific location. Police are not allowed to fish for evidence — they can’t, for example, ask for a warrant to search every home in a town for evidence of a crime committed in that town. They have to show a specific reason why this home is likely to have evidence about that crime.
If the warrant application said “we already saw data about persons A and B, who have a relationship to C, our bad guy, and we want to see opted-out matches to A and B who also match C,” the warrant may well be within the proper scope of the Fourth Amendment. If the warrant application said “we already saw data about persons A and B, and we want to see all of A’s and B’s matches,” it may be stretching the limits of what’s allowed. And if the warrant application said “somebody in the database may possibly be related to C, our bad guy, so open the gates,” then the warrant likely was broader than the Constitution allows — and should have been challenged.
But we just don’t know… not yet.
Cite/link to this post: Judy G. Russell, “About that warrant…,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 10 Nov 2019).
SOURCES
- See Kashmir Hill and Heather Murphy, “Your DNA Profile is Private? A Florida Judge Just Said Otherwise,” The New York Times, posted 5 Nov 2019 (https://www.nytimes.com/ : accessed 10 Nov 2019). ↩
- Because the hearsay was reported on a private mail list, I am not comfortable citing to it, identifying the poster or quoting the post. ↩
- Eric Heath, “Your Privacy is our Top Priority,” Ancestry Blog, posted 8 Nov 2019 (https://blogs.ancestry.com/ : accessed 10 Nov 2019). ↩
- Gilad Japhet, email, 4 Feb 2019. ↩
- Hill and Murphy, “Your DNA Profile is Private? A Florida Judge Just Said Otherwise,” The New York Times. ↩
I have additional questions:
1-Are the law enforcement officers who use DNA in cases experts in interpretation of DNA results?
2-If not, whose expertise are they relying on?
3-Can law enforcement and/or outside DNA analysis firms be held liable for injury caused to innocent parties who did not consent to the use of their DNA for law enforcement purposes?
4-Since law enforcement and lawyers need a court order to obtain copies of a specific individual’s financial and medical records, what makes DNA not subject to the same criteria?
5-What protections are in place to prevent the personal use of DNA for a vendetta against an individual by law enforcement officers?
What is the position regarding DNA from individuals who are citizens of other countries?
The USA is a country of immigrants, and those seeking a link to the Old Country may have asked potential relatives back there to test their DNA and post the results to GEDMatch.
So if a 4th cousin in the Old Country has built a family tree to go with the DNA test, do they have any obligation to share that with Florida’s police and judiciary?
Extraterritoriality is unknown territory when it comes to this stuff.
Michael, Without knowing the precise circumstances of the search warrant it’s difficult to know whose data has been breached. However, if the newspaper reports are correct, then the Orlando police have potentially been given access to a full match list. I can’t see that there would be any way of geographically restricting access so that only matches in Florida or in the US are disclosed to the Florida police. I have written to the Florida police and the judge as the first stage of a GDPR complaint. I’ve no idea if a complaint would be taken on by the regulator and, even if it were, if the regulator would take any action but I thought it would be interesting to test the system as there are important principles at stake here. See my blog post here: https://cruwys.blogspot.com/2019/11/search-warrant-granted-for-access-to.html
6. Do users of the website have standing to contest a warrant? Or is that limited to the owners of the website?
Users would never know about it until after it was done unless notified by the website.
This is a fine line “we the people” walk! Do we allow our precious Constitution to be walked on to catch a bad guy? Never! The problem is “interpretation” and this, if pushed far enough will be decided by our Supreme Court. So, if we have lines crossed by law enforcement, who carries the banner?
Interesting analysis from a 4th amendment perspective at:
https://reason.com/2019/11/06/legal-aspects-of-the-gedmatch-warrant/
by Orin Kerr, the well known 4th expert. My interpretation of his points: If you can do it, then the cops can, too..
Key difference: when I access GEDmatch, I do it after paying the “price” of uploading my own DNA for genealogical purposes.
Interesting how several genealogists are excited about this. It has been used to catch the wrong people in the past. It can easily be abused as “the bad cop” to get people to confuse especially if it becomes common practice. Hey we matched your DNA so you better confess. Once you confess its over they do not even need the DNA anymore. It would destroy the DNA Genealogy / healthcare test market. It would make crime fighting too easy not to expand on it like the Reed technique. I think it would put a lot of innocent people in jail. Plus it may take up to 8 generations before current DNA in the system not to be useful.
The DNA testing market is already cooling off. It’s been happening since the Golden State Killer story broke
We use dna testing for purposes of understanding who we are & not to have our Constitutional rights stomped on. The rule of law sets us apart from other societies. Law enforcement agency risks an entire case being overturned on an appeal. Is justice served for the victims of crimes then?
23andMe also has a blog post with their full statement about law enforcement access and privacy. See https://blog.23andme.com/news/our-stance-on-protecting-customers-data/
Quoting from the blog: “”If the warrant application said “we already saw data about persons A and B, who have a relationship to C, our bad guy, and we want to see opted-out matches to A and B who also match C,” the warrant may well be within the proper scope of the Fourth Amendment.”
If that is constitutional, then every LE search will ultimately lead to a warrant to access the opted-out kits. Say I’m an LE genealogist and I use the opted-in database like I’m supposed to. I’ll get some matches, even if they’re awful. And then I can write in a warrant ““we already saw data about persons A and B, who have a relationship to C, our bad guy …”
Basically, there is no opt out. Ever.
This is all so troubling. I’ve been concerned since I first read the article days ago and am debating about withdrawing all my family’s DNA results.
Judy, have you any idea of the international implications? I’m Australian. Could a member of the Australian police force apply to a judge in Australia for a search warrant for the GEDmatch database?
Has this successful application set a legal precedent which will make it easier for further successful applications in the future?
If law enforcement has now found a way around access restrictions on the (relatively) smaller GEDmatch database, how long will it be before they try for the big players like Ancestry?
Finally – a big thank you for following this issue. Also for so meticulously citing your sources, such as the link to the actual New York Times article in this post. Much appreciated.
The extraterritorial impacts of this (across state or national borders) are entirely unclear. In general, when a court in one country issues an order impacting a person or business in another country, it’s necessary to get the courts of the second country to assist. In this case, however, we have what is in effect an international entity — GEDmatch — and we just don’t know how easy it might be to (a) secure a warrant outside of the US and (b) compel compliance by operators located in the US.
You are not the only one. I am not on GEDMATCH but I am on FTDNA. Ancestry I feel will be safest place because Genealogy is a huge part of the mormon faith. As I learned about my dutch ancestors. They burned there own historical records to prevent the NAZI from finding Jews during WWII. I not done it because once I do that info would just be lost and I think it would be a real shame. Some of that data already can not be replaced. I want to preserve it for future generations but not at the costs of innocent lives.
Just to clarify: Ancestry is not owned or operated by the Church of Jesus Christ of Latter-day Saints.
Never mind going after criminals, and never mind the errors that the gendarmes can (and in all likelihood, will) make; what concerns me more is the insurance industry’s potential abuses, from declining to write insurance policies and all the way down the slippery slope of dictating to the hospitals they effectively control the medical treatments to be administered and withheld on a patient-by-patient basis.
Someone was able to get a redacted version of the GEDmatch search warrant and they’ve shared it on Twitter. You can access it here:
https://twitter.com/rot13x2/status/1194325134653435904
I would be interested to hear Judy’s thoughts.
Thanks for sharing Debbie. So it’s clear from reading the search warrant that their main argument is that because other, non LE users can see all DNA matches they (the law enforcement) should get the same level of access.
For GEDmatch owners not even making an effort to protect the constitutional rights of their American users (not even talking about violating other countries privacy and data protection laws) speaks volume.
There is a reason why those people haven’t opted-in.
The search warrant clearly describes that even CeCe’s company estimates the chances to identify the suspect as “medium”, based on the fact that only 2 DNA tests with > 300 cM were found (2nd cousins or further).
This indeed comes very close to what was described here in the blog. Just because a crime happened in a street, it doesn’t allow the police to search every single house. Nor would any judge issue such a search warrant.
So it’s beyond me why this Florida judge wasn’t capable to see how this violates the 4th amendment.
This is what happens when a law enforcement officer gets too ambitious.
Like someone else wrote, who will protect GEDmatch users in a couple of years when your ethnicity becomes one that is targeted, for whatever reasons (for genocide or any other form of discrimination)?