In recent years, websites such as 23andMe and Ancestry DNA have exploded in popularity, with a growing number of people submitting DNA samples in exchange for insights into their health or ancestry. According to MIT Technology Review, more than 26 million people had taken some form of at-home ancestry test as of February 2019.
Although the prospect of unlocking new insights into DNA data is exciting, the large volume of biometric data now being stored is creating privacy concerns on an unprecedented scale.
One company that has found itself at the heart of this issue is GEDMatch. Although the genomics database is designed to help “amateur and professional researchers and genealogists”, such as those trying to find family members, it has gained significant public attention over the past year due to its role in several criminal investigations.
Last year, law enforcement in California used GEDMatch in an attempt to uncover the identity of the Golden State Killer, who committed at least 13 murders and 50 rapes between 1974 and 1986. Investigators uploaded a DNA profile of the serial killer to GEDMatch and were then able to use it to find distant relatives, which helped them identify a suspect.
Since then, GEDMatch has been used to aid investigators in a number of cases, helping to identify suspects and leading to a conviction in 2018, when Roy Charles Waller was charged with 40 counts of rape after DNA evidence was matched with a relative registered on GEDMatch.
GEDMatch database used to solve crimes
Earlier this week, the New York Times reported that a state judge granted a search warrant to law enforcement in Florida, permitting them to search GEDMatch’s genetic database as part of an investigation into a serial rapist. While having access to the genetic profiles of thousands or even millions has the potential to identify suspects or shed new light on unsolved criminal cases, this landmark decision has cast serious doubt on the privacy of those whose data is stored within these databases.
Since May, the website has restricted law enforcement searches to users who have given permission for their genetic data to be searched in this way, and only for cases of “murder, nonnegligent manslaughter, aggravated rape, robbery or aggravated assault”. However, the new ruling grants access to all 1.3 million users, regardless of whether their permission has been obtained.
According to the New York Times, Ancestry.com and 23andMe, the largest companies in this area, have pledged to keep their data private, with 23andMe stating that it “has never turned over any customer data to law enforcement or any other government agency”. However, this landmark case casts doubt on their ability to bar officials from gaining access and has ignited a debate over the extent to which law enforcement should have access to private biometric databases.
“This case can prove to be a double-edged sword,” said Javvad Malik, security awareness advocate at cybersecurity firm KnowBe4. “On one hand, having access to DNA data can be very beneficial, on the other hand, this does not bode well from a privacy perspective.”
“This is one of those issues which does not sit as black or white, but rather considered from a risk perspective. Much like how major tech companies like Google, Microsoft, and others, companies should only release information upon receiving a valid legal request. In addition, publishing a transparency report detailing the number of law enforcement requests annually would also be beneficial.”
New insights from DNA
According to Science, for a database of 1.3m people, 60% of white Americans would have a third cousin or closer in this database, meaning millions can be connected to the DNA samples a company holds, even if they themselves have never provided a sample.
As the study of genetics advances, it may be possible to unlock new insights from DNA, such as predicting medical or mental health conditions. Although this holds huge potential in some ways, the potential for this data to be misused, or for it to be used to track individuals without their knowledge, is high and raises a myriad of ethical and privacy concerns.
Privacy advocates are now worried that the granting of search warrants for private DNA data could encourage other authorities to attempt to obtain the same permission, with the anonymity of those whose data is stored within these databases at risk.
Many are alarmed by the lack of robust privacy laws for genetic data. Paul Bischoff, privacy advocate at Comparitech.com, believes that more clarity is needed on the extent to which genetic data is protected by privacy laws, as well as on the collecting and storing of biometric data and who then has access to it.
New DNA laws needed
According to Wired, the US currently has a “patchwork of laws” that apply to genetic data, meaning that for individuals who have uploaded their data to a private website, it is almost impossible to guarantee that it will not be accessed by government authorities. Bischoff said:
“Genetic data is woefully under-protected by US privacy laws like HIPAA. HIPAA only applies to healthcare entities like hospitals, insurers, and pharmacies. GINA prevents discrimination based on genetic information but doesn’t protect privacy. Ancestry, 23andMe, and GEDmatch aren’t covered by HIPAA. The US needs a law like HIPAA to prevent all genetic databases from becoming police databases. People have a right to access health information related to their genealogy without fearing for their privacy and the privacy of their family members.”
The Future of Privacy Forum, a think tank and advocacy group, has released Privacy Best Practices for Consumer Genetic Testing Services, calling for clarity on how genetic data is stored and used and a ban on the sharing of genetic data with third parties including governments.
As the collection of genetic data becomes increasingly common, it is clear that the laws governing how such data is used and by whom are lagging behind the pace of technological development, with the role of the private companies in safeguarding it called into question.
Malik believes that, unless a robust privacy law protecting DNA data comes into place, users of websites such as GEDMatch should assume that their data may be accessed:
“Ultimately, this does become a decision for individuals who use such services. Whenever one gives up personal data including DNA, the assumption should be made that the data can be accessed by law enforcement, if not today, some time in the future. And make their decisions to use such services accordingly.”