Can the Fourth Amendment Save Us from the Coming Era of Pervasive Biometric Surveillance?

New technologies mean new crimesolving techniques—and new threats to privacy and liberty.


More and more, police have been using "biometric" technologies—facial recognition, DNA matching, forensic genetic genealogy, and other techniques that are supposed to discern and verify people's personal identities. As civil libertarians worry about such identification techniques' effects on our constitutional rights, the techniques themselves are improving, the databases are getting larger, and the technologies are starting to converge. (It will soon be possible to match faces to DNA found at crime scenes.) What limits do we need to put on how the police use these new powers?

Courts have ruled that the cops can compel arrestees to submit to fingerprinting and DNA cheek swabbing. These data are matched with profiles cataloged in growing biometric databases. The FBI's Integrated Automated Fingerprint Identification System contains fingerprint records from more than 70 million accused or convicted criminals, plus 31 million non-criminal fingerprint records such as those of federal employees. And the agency's National DNA Index contains nearly 14 million offender genetic profiles, 3.5 million arrestee profiles, and 1 million forensic profiles as of April 2019.

Forensic genetic genealogy is the latest way for police to use biometric information to identify persons of interest. Paragon Nanolabs, one of the leading commercial practitioners of this art, defines the field as a "combination of genetic analysis with traditional historical and genealogical research to study family history." It works by comparing a DNA sample from a crime scene with database of DNA from volunteer participants to determine whether the source of the sample has any relatives in the database and how closely related they are. Genealogists then cross-reference those data with traditional genealogical sources, such as census records, birth and death certificates, and so forth.

Forensic genetic genealogy first gained wide public attention last year, when California police used it to trace, identify, and arrest Joseph James DeAngelo. DeAngelo is alleged to be the so-called Golden State Killer, who committed a series of rapes and murders in the 1970s and 1980s. Since that case, police across the country have resorted to the technique to identify suspects in scores of once-moribund criminal cases.

Some 26 million Americans have taken direct-to-consumer genetic tests to find out more about our health and our ancestry. For example, 23andMe tells me that I have 1,216 genetic relatives, including two first cousins of whom I know nothing. Furthermore, I have posted my genetic test information in public where anyone can take a look. So any of my relatives tempted by a life of crime should really reconsider that path.

Police in the Golden State Killer case used genetic information made publicly available by users of the GEDmatch service. The cops collected DNA from crime scenes and submitted the genetic test results to GEDmatch, hoping to identify his distant relatives. Connecting the family trees pointed to DeAngelo as a suspect. Police then collected his DNA from discarded items, which were found to match the crime scene DNA.

In the wake of the Golden State Killer case, many of the genetic genealogy companies worried that clients would become reluctant to use their services and changed their police access policies. At GEDmatch, for example, users are now required to affirmatively opt in to let law enforcement see their genetic test results and relative matches.

No limits so far have been set on how, when, and where police may use forensic genetic genealogy. Jesse Bjerke, who is accused of rape in Virginia, has been identified as a suspect by means of forensic genetic genealogy. His attorneys argue that the DNA evidence should be thrown out because the police violated his privacy rights by surreptitiously collecting his DNA without a warrant. They argue that a warrant is required because Bjerke did not knowingly expose his DNA to public view.

In that case, police submitted DNA collected from two rapes to Parabon Nanolabs, which matched it to users of a genetic ancestry tracing site, who turned out to be Bjerke's cousins. Police then monitored Bjerke and eventually obtained his DNA from discarded beer cans and straws. This evidently matched DNA found at the crime scene. Among other things, Bjerke's attorneys argue that Bjerke did not knowingly expose his DNA to public view by leaving his DNA in public.

Many courts have ruled, citing cases involving photographs and fingerprints, that the Fourth Amendment does not give us a reasonable expectation that the police will not pick up any stray DNA that we happen to leave in public. Some scholars argue that loading suspect DNA into open-source public databases violates innocent relatives' right to privacy in their own genetic data. On the other hand, those relatives have already exposed their genetic test results by uploading them into public databases themselves. (A November 2018 study in Science calculated that so many white people have uploaded their DNA test results that soon 90 percent of Americans of European descent will be identifiable from DNA through genealogy sites.)

While we're working out that constitutional tangle, facial recognition is presenting us with yet another set of questions. This technology works by scanning photos or videos to create face prints based on the unique geometry of individuals' facial landmarks. The face prints are distilled to a mathematical formula that police then compare to a database of known faces. At a recent congressional hearing, the FBI acknowledged it has access to more than 640 million headshots. Courts have ruled that people in public can be photographed without their permission because they have no reasonable expectation of privacy.

In a recent New York Times op-ed, New York Police Commissioner James O'Neill argues that police use of facial recognition makes us safer. The technology, he notes, matches photos or videos collected at crime scenes with a database consisting solely of arrest photos.

Using face prints in that way does seem little different from using fingerprints to identify criminal suspects. But civil libertarians fear that the technology will not stop there. As the Chinese social credit scoring scheme shows, facial recognition technology can be deployed as a real-time mass surveillance system. Each of us leaves lots of DNA and fingerprints in our wakes, but those biometric data exhausts do not enable real-time surveillance. Such concerns have led some jurisdictions to ban police use of the technology for now.

Now genetic and facial recognition biometrics are beginning to converge. A new study in Nature Communications reports that a team of researchers is trying to combine genetic identification with facial recognition. Under this system, police who have a DNA crime sample that does not match any genetic database profiles would check it against a database of faces. Instead of going from DNA to face, researchers go from face to DNA: Special software measures each face and checks whether any is a possible outcome based on the crime-scene DNA sample left by an unknown person.

Parabon currently offers a converse service: DNA phenotyping that translates genetic information from an unknown individual's DNA sample into predictions of ancestry and physical appearance traits, such as skin color, hair color, eye color, freckling, and even face morphology. While not identifying specific individuals, this process can exclude suspects and provide additional leads. It is not too farfetched to imagine police feeding such DNA-derived faces into real-time facial recognition surveillance systems in hopes of identifying and apprehending suspects on the streets. In the future, eyewitness police sketches could be superseded by rapid DNA scans inputted into facial phenotyping algorithms.

Biometric identification contains an inherent tradeoff. Right now, police generally cannot compel you to identify yourself or show identification in public without a reasonable suspicion to believe you're involved in illegal activity. Adopting ever more effective and overlapping biometric identification technologies will amount to the moral equivalent of compelling citizens to carry ID cards and show them on demand to law enforcement agents. And while that's good to the extent that it's used to identify, catch, and gather evidence against rapists and killers, it can obviously be abused as well.

So what must be done? A bill in California would ban police use of realtime facial recognition technology; that seems a good first step. Although the court precedents for fingerprint evidence are not promising, legislatures should perhaps pass laws requiring police to obtain warrants to access other types of our biometric data exhaust, such as DNA in shed skin cells. In any case, when police use these biometric identification technologies, their actions must be made transparent and subject to audit by outside public interest groups.

Back in 2014, when the biggest civil libertarian concern was the revelation that federal spy agencies were secretly keeping track of our telephone conversations, the Privacy and Civil Liberties Oversight Board warned that this information could "be misused to harass, blackmail, or intimidate, or to single out for scrutiny particular individuals or groups." The "danger of abuse may seem remote," the board noted, but "given historical abuse of personal information by the government during the twentieth century, the risk is more than merely theoretical." That same warning applies at least as strongly to biometric policing.