Maryland and Montana have become the first states to pass laws restricting the ways law enforcement can access DNA databases from private genetic genealogy companies such as AncestryDNA and 23andMe.
Maryland's law, passed on May 30, requires police to have court authorization before beginning an investigation using information from such companies. To get this authorization, they must have probable cause—and the crime being probed must be a murder, a rape, a felony sexual offense, or a "criminal act involving circumstances presenting a substantial and ongoing threat to public safety or national security."
Montana's similar but less robust law, passed on May 7, says the government "may not obtain DNA search results from a consumer DNA database" unless it has "a search warrant issued by a court on a finding of probable cause" or if the consumer whose information is sought waived their right to privacy.
As many as 26 million people have used genetic genealogy services. Police have secretly used DNA information from these companies without a warrant or subpoena.
Law enforcement agencies caught the Golden State Killer and more than a dozen other suspects by sending in DNA evidence from crime scenes under a fake profile, as though the investigator was an ordinary user. This process gives them a list of a suspect's genetic relations, possibly allowing police to triangulate their identity.
AncestryDNA and 23andMe both prohibit such investigations using an ordinary user profile. But other companies, such as FamilyTreeDNA and GEDmatch, have indicated that they allow police to use their databases, even without court approval. GEDmatch was the service used in the Golden State Killer case; after the murderer was captured, the company addressed the news with a banner at the top of its website. "Although we were not approached by law enforcement or anyone else about this case or about the DNA," it said, "it has always been GEDmatch's policy to inform users that the database could be used for other uses, as set forth in the Site Policy…. While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes."
Of all of the direct-to-consumer genetic genealogy companies, GEDmatch is the most amenable to law enforcement. And although it has one of the smaller databases, a 2018 study in Science found that if you are a white American—the most highly represented group in these databases—there's a 60 percent chance that your identity could be discovered using a search of your DNA on the site. All it takes is a third cousin who has uploaded his or her DNA to let law enforcement home in on who you are. And those chances have likely increased, as the database has grown since 2018.
The "language of the Fourth Amendment, which requires probable cause for every search and particularity for every warrant, precludes dragnet warrantless searches like these," argues Jennifer Lynch of the Electronic Frontier Foundation. "A technique's usefulness for law enforcement does not outweigh people's privacy interests in their genetic data."
As genetic genealogy websites become increasingly popular, DNA privacy becomes increasingly important. Let's hope other states follow Montana and Maryland's lead to keep the government's genetic snoops within their constitutional bounds.
This piece has been updated to reflect changes in which crimes are affected by Maryland's law.