Legal aspects of the GEDmatch warrant

If a DNA site tries to let the public in but keep the police out, can the police override that with a warrant?


The New York Times reports:

For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, and 23andMe, have long pledged to keep their users' genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.

Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users. Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy.

"That's a huge game-changer," said Erin Murphy, a law professor at New York University. "The company made a decision to keep law enforcement out, and that's been overridden by a court. It's a signal that no genetic information can be safe."

I ended up tweeting a long thread about the legal issues in the case, and I figured I would also blog those thoughts here.  So here's my Twitter thread, slightly modified for blog format.

First, it's worth pointing out that the facts are not yet fully known. A detective applied for and obtained a warrant, and the company did what the warrant said the company had to without challenging it. We don't have a copy of the warrant, and there has been no litigation about it.

Here's what we do know about the facts.  Almost million people have uploaded DNA profiles to GEDmatch to enable anyone to search the profiles. When the police started searching the database for law enforcement reasons, GEDmatch enacted a new policy: The police can't do the same searches that the public can.

Under the policy, if you or I want to search GEDmatch, we can. But if police officers want to search it, they have to tell GEDmatch that they are police officers.  GEDmatch then only lets the officers search the profiles of users that have affirmatively opted in to having their profiles searched by the police. It's sort of like a bar or restaurant putting up a sign saying that police aren't welcome. Anyone can enter except for the police, who have to declare they are the police and then can't go inside.

According to the story, a Florida detective wanted to search the same database as anyone else could.  Presumably he could have gone undercover and pretended he was not a detective, as on the Internet, no one know you're a cop.  Instead, the detective obtained a warrant requiring GEDmatch to "override the privacy settings" of GEDmatch and let him search like a civilian.

In July, [the detective] asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch's users and search the site's full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.

It's not clear from the story what "override the privacy settings" means. I would guess it just means that GEDmatch let the detective's police-marked accounts do what regular civilian accounts do. To continue the physical analogy, it's like a warrant allowing an officer to enter a bar or restaurant that has a "police not welcome" sign, to make sure that the officer wasn't committing a trespass by violating the policy indicated on the sign.

What to make of this as a legal matter? The Times story presents this as a radical new warrant, with ground-breaking implications. I am less sure.

First, it's not obvious to me that a warrant is needed. Granted, if an officer went undercover and did the full query, it would be a TOS violation. And ironically, Florida is in the 11th Circuit, the one federal circuit that has said (wrongly, I should add) that TOS violations also violate the Computer Fraud and Abuse Act (CFAA). But there's an express exception in the CFAA for law enforcement investigations, 18 U.S.C. 1030(f), so the CFAA probably couldn't limit such a query. Given that, it's not obvious to me that a warrant is needed under current law if the officer goes undercover and just signs up as a civilian and searches that way.

Here the officer obtained a warrant, of course. But was it legal, and if not, who could challenge it?  To be legal, the officer would need to show probable cause that there would be evidence of the crime picked up by the query, and to limit the search for that evidence. And it would need to describe with particularity the place to be searched, perhaps the GEDmatch database itself.

I would think that is doable under the Fourth Amendment. It may seem pretty broad to say that the entire database is the place to be searched, but I suspect that could be readily limited: The warrant should limit the place to be searched to the interface of GEDmatch that any member of the public sees and can access.  That way, it's clear from the warrant that all the warrant does is give the police the same access that all the rest of us have. Using the physical analogy, it just lets the officer enter the bar or restaurant so there is no trespass in light of the policy that police aren't welcome.

The net effect would be to impose a probable cause warrant requirement on accessing the public database, and to limit government queries to instances when the government can show probable cause to believe that there would be info relating to that one DNA profile.

In terms of who could challenge the warrant if it's invalid, I think GEDmatch could have challenged its part assisting with the warrant. But it didn't do that.  That's perhaps understandable as a legal matter, as I doubt that challenge would have gone so far given that the detective presumably could have executed the warrant without GEDmatch's assistance (by creating a civilian account and then searching).

The other way to challenge the warrant would have been on a motion to suppress if the search ends up being successful.   But that's unlikely to get very far for a number of reasons, most importantly standing. It's unlikely that the defendant's own DNA profile would be in the database.  And if it is, the defendant would have uploaded the DNA profile voluntarily for everyone to search, likely eliminating Fourth Amendment rights under the third party doctrine. A defendant could try to argue that the GEDmatch policy created a reasonable expectation of privacy because it allowed in all members of the public but excluded police, but that seems like an uphill battle.  And that's only standing: Once standing is established, the defendant would need to show not just that the warrant was invalid but that the violation was clear under the good faith exception, at least assuming it's in a jurisdiction that recognizes the good faith exception.

Finally, I realize that some readers may be upset that I am only discussing the legal questions raised by this fact pattern, instead of the many other issues it raises.  That's true, but it's the legal issues that seemed particularly interesting to me based on the story.  For my broader views about government queries of DNA databases, see my 2018 post, Tentative Thoughts on the Use of Genealogy Sites to Solve Crimes.


NEXT: Sandworm and the GRU's global intifada

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. I’m no Fourth Amendment lawyer, but it would seem like there might be a probable cause problem here.

    You need probable cause that the database contains evidence of the crime. If the only probable cause is “the database contains 20 million people, therefore we think that there might be a relative of the perpetrator in there”, that shouldn’t be sufficient. Maybe it is under the caselaw, but it shouldn’t be. I mean, the city of Los Angeles contains a few million houses. It is likely that if all of them are searched, evidence of X crime will be found. But that’s not probable cause to support a dragnet search.

    What should be the law is that if the cop has sufficient evidence to establish probable cause that one person’s, or some small group of person’s, specific genetic profile or profiles will yield evidence, fine, that’s sufficient for the search warrant. If you just want to search the whole database, no way.

    1. IMHO a better analogy would be using a specific keyword search for exact match on a database like Google, Facebook, etc. The one searching does not have access to the database nor its data; only the search results.

      1. The difference is Google and Facebook are not restricted databases and the cop doesn’t need a search warrant to bypass TOS and utilize them.

        We can discuss what cops can do without obtaining a search warrant, but if a search warrant is sought, “it’s probable that there is a needle somewhere in this haystack” should not be sufficient to show probable cause. You need to say “we have sufficient information to suspect that the needle will be in this much smaller portion of hay, so we need to search there rather than the full stack”.

        1. I agree with this. Recall all the nasty legal fights where men in a city voluntarily gave up DNA to help find a murderer. Then the police decided to keep the database.

          You aren’t giving up your DNA for rifling by the police in either situation. Yes, the warrant should ne denied. This is private medical info given up for your reason, and remains akin to private papers.

          You can’t go searching through a medical database of millions looking for potential one-armed assassins.

    2. I was wondering the exact same thing as Dilan. Of course a proper warrant would override the T&C of the website, just as it overrides one’s objection to a cop entering one’s house. But how could there be PC that there’s evidence of a crime in their database? I’d like to see the warrant application.

  2. It sounds as if the police officer received a search warrant to comb through some million or so anonymous (guessing) users of a private service looking for DNA evidence tying unknown suspects to every unsolved crime within the officer’s jurisdiction? And this all is probably totally legitimate? Do I hit the high notes here?

    1. Edit to: “tying unknown suspects to ANY unsolved crime”

  3. If the officer received permission to search as a civilian why would that “limit government queries to instances when the government can show probable cause to believe that there would be info relating to that one DNA profile.”

    Perhaps he was looking to identify people with specific genetic markers, based on DNA evidence of a crime?

    Anther question not mentioned is it legal to bar police from a location open to the general public? Aren’t they part of the public?

    1. It definitely should be legal. Cops are not a protected class, and turning private information over to a third party should not be considered a blanket consent to dragnets by nosy cops with no actual evidence that you have committed any crime. (I realize that is not the law now, but it should be the law.)

      As a public policy matter, it is pernicious to treat cops as if they are nothing more than private citizens. For instance, the fact that an ordinary person can take out a cell phone and record video on your street which captures images, through a window, of what you are doing in your house does not mean that cops should be able to stand in the street and record through your window. Cops have guns and arrest powers and, not to put a fine point on it, often have bullying, violent, racist personalities. They aren’t ordinary citizens, and we shouldn’t pretend they are.

      1. Yet that is where they get the nonsense of qualified immunity. They are “special”. They are uber-citizens. They need special status.

        As repugnant as it is for the government to go fishing, when everybody else can, what is left to hide? Suppose cheap dash cams get to the point where they also scan license plates and upload them to databases which everybody can search. What would be the point of saying cops cannot? They would anyway.

      2. I don’t think anyone has liberty to shoot photographs through windows into peoples’ houses. Maybe that differs a bit in various places. But I would be careful before relying on it.

        1. Stephen, there may be an intrusion upon seclusion claim if you point a camera at a window of a private residence and zoom in to capture private activity.

          But what I was referring to was incidentally seeing things through a window while you are filming something else. Let’s say you are taking pictures of your dog out on the street and in the background, you can see through someone’s window. That’s not actionable as an invasion of privacy. But it also doesn’t mean that police should be able to film through the window.

      3. Who are you kidding? Cops are definitely a protected class. Ask anyone in Cali-for-nia or New-Jork about who is allowed to carry standard capacity magazines and who is limited to 10 rounds or fewer. Make no mistake, in almost every state there are the few who are “more equal than others” and those few undoubtedly include cops.

  4. You don’t mention another possibility. From what I understand (I haven’t used any DNA sites) when a consumer loads their DNA data on the site it might find a list of possible relatives but doesn’t provide names. Instead you can communicate through a messaging service supported by the site. If this is the case going in as a normal user would require convincing the person who matched to communicate. I wonder if instead the police officer wants to bypass normal privacy and have the site provide the name of the match directly.

    1. Having used there is an opt-out that theoretically denies anyone from matching your profile, including yourself. That means you’re largely looking to see how deep your roots are in a global region and not at all interested in finding potential extant cousins.

      In short, if you’ve opted in to discovering if your granny was right about your 1/512 native american ancestry and opted out of finding out who are any genetic 4th cousins 7 times removed it strikes me as governmental over-reach. If you’ve opted in to finding out who you’re granny is so granny can find you – not so much.

  5. I simply don’t think people have any expectation of privacy once they upload personal details to Facebook, Apple, Google, or GEDmatch. People would like there to be one, but there isn’t, because a third party then owns and stores the data. And possession as they say is 9/10ths of the law (in this case, possession of the bytes of data).

    The only hope in my opinion for there to be a fig leaf of privacy would be if Congress were to establish that people have a personal (intellectual?) property interest in their own data, so that a company like GEDmatch would be forced to secure permission to search from each of the 1 million users, each time there was a warrant (“I give a license to use my property for x,y,z, but not for p,d,q”). It would be a very tiny leaf, at that. And even then, you cannot unring a bell, so if the database were hacked and law enforcement grabbed a copy… too bad, so sad.

    1. There is no intellectual property when facts are concerned. Contrary to the banks belief that your mother’s maiden name is a security measure it is also a matter of public record. Once you upload a “fact” in the form of a picture or anything else it’s a part of the public record.

      Short story – don’t upload facts to “fact” collection businesses. Full stop.

      1. No… I have likeness rights. I can certainly control how my likeness and personal attributes are used for commercial purposes. Mostly people envision those currently to be photos.

        But its not a stretch to extend those likeness rights over personal attributes to other personal attributes like DNA. GEDmatch is not a “public record” it’s a private database and GEDmatch is a for profit company last I checked.

        Now, the misuse here is not commercially exploitative in the sense that GEDmatch did not make money off the detectives’, there is a contract (terms of service) which probably waived rights. Still, it’s not a stretch to think people have a property (likeness) rights to their DNA, and it could be strengthened so that companies must seek explicit consent for certain uses.

        But generally I agree if your “likeness” (DNA) somehow becomes part of the “public” domain one loses control. But GEDmatch is not public.

    2. “I simply don’t think people have any expectation of privacy once they upload personal details to Facebook, Apple, Google, or GEDmatch. People would like there to be one, but there isn’t, because a third party then owns and stores the data.”

      You’re assuming the company owns the data. But do they? Or, more importantly, should they?

      1. What does the contract/terms of service say?

  6. There are good arguments both ways… on the one hand, if the police have access to these databases, they can match “unknown subject” DNA to known subject DNA, and make identification. Used well and wisely, this leads to more convictions of more criminals.

    On the other hand, privacy concerns might cause some people to avoid submitting genetic material to these databases… which costs the proprietors of the databases money due to lost would-be customers. They have a reason to avoid becoming police databases.

    There are a couple of possible fixes. One could be “opt-in”… if you allow your DNA information to be accessed by law-enforcement agencies, there’s no reason to block access to agencies.
    Another is to keep the searches in the hands of the company rather than law-enforcement,… and the agencies should pay for access, to balance what the company loses in customers concerned enough about privacy to avoid submitting DNA.

  7. This makes me think about my kid and his Instasnaptagram phone app that tells him where all of his friends are located at any given moment. “Your honor, we need to know where all of these people were located so we can rule all of them out as suspects, into perpetuity.”

  8. “It’s sort of like a bar or restaurant putting up a sign saying that police aren’t welcome” — bad analogy. Police officers are welcome to do searches in their capacity as private individuals, just not for their job. Right analogy is a bar saying police can’t enter in full uniform to intimidate people in the bar, or can’t do mass document checks in the bar, or can’t sweep all discarded glasses in the bar for patrons’ DNA.

    1. Police officers are welcome to do searches in their capacity as private individuals,

      I don’t know what this means, or why you think it’s true.

Please to post comments