Legal aspects of the GEDmatch warrant

If a DNA site tries to let the public in but keep the police out, can the police override that with a warrant?


The New York Times reports:

For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, and 23andMe, have long pledged to keep their users' genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.

Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users. Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy.

"That's a huge game-changer," said Erin Murphy, a law professor at New York University. "The company made a decision to keep law enforcement out, and that's been overridden by a court. It's a signal that no genetic information can be safe."

I ended up tweeting a long thread about the legal issues in the case, and I figured I would also blog those thoughts here.  So here's my Twitter thread, slightly modified for blog format.

First, it's worth pointing out that the facts are not yet fully known. A detective applied for and obtained a warrant, and the company did what the warrant said the company had to without challenging it. We don't have a copy of the warrant, and there has been no litigation about it.

Here's what we do know about the facts.  Almost million people have uploaded DNA profiles to GEDmatch to enable anyone to search the profiles. When the police started searching the database for law enforcement reasons, GEDmatch enacted a new policy: The police can't do the same searches that the public can.

Under the policy, if you or I want to search GEDmatch, we can. But if police officers want to search it, they have to tell GEDmatch that they are police officers.  GEDmatch then only lets the officers search the profiles of users that have affirmatively opted in to having their profiles searched by the police. It's sort of like a bar or restaurant putting up a sign saying that police aren't welcome. Anyone can enter except for the police, who have to declare they are the police and then can't go inside.

According to the story, a Florida detective wanted to search the same database as anyone else could.  Presumably he could have gone undercover and pretended he was not a detective, as on the Internet, no one knows you're a cop.  Instead, the detective obtained a warrant requiring GEDmatch to "override the privacy settings" of GEDmatch and let him search like a civilian.

In July, [the detective] asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch's users and search the site's full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.

It's not clear from the story what "override the privacy settings" means. I would guess it just means that GEDmatch let the detective's police-marked accounts do what regular civilian accounts do. To continue the physical analogy, it's like a warrant allowing an officer to enter a bar or restaurant that has a "police not welcome" sign, to make sure that the officer wasn't committing a trespass by violating the policy indicated on the sign.

What to make of this as a legal matter? The Times story presents this as a radical new warrant, with ground-breaking implications. I am less sure.

First, it's not obvious to me that a warrant is needed. Granted, if an officer went undercover and did the full query, it would be a TOS violation. And ironically, Florida is in the 11th Circuit, the one federal circuit that has said (wrongly, I should add) that TOS violations also violate the Computer Fraud and Abuse Act (CFAA). But there's an express exception in the CFAA for law enforcement investigations, 18 U.S.C. 1030(f), so the CFAA probably couldn't limit such a query. Given that, it's not obvious to me that a warrant is needed under current law if the officer goes undercover and just signs up as a civilian and searches that way.

Here the officer obtained a warrant, of course. But was it legal, and if not, who could challenge it?  To be legal, the officer would need to show probable cause that there would be evidence of the crime picked up by the query, and to limit the search for that evidence. And it would need to describe with particularity the place to be searched, perhaps the GEDmatch database itself.

I would think that is doable under the Fourth Amendment. It may seem pretty broad to say that the entire database is the place to be searched, but I suspect that could be readily limited: The warrant should limit the place to be searched to the interface of GEDmatch that any member of the public sees and can access.  That way, it's clear from the warrant that all the warrant does is give the police the same access that all the rest of us have. Using the physical analogy, it just lets the officer enter the bar or restaurant so there is no trespass in light of the policy that police aren't welcome.

The net effect would be to impose a probable cause warrant requirement on accessing the public database, and to limit government queries to instances when the government can show probable cause to believe that there would be info relating to that one DNA profile.

In terms of who could challenge the warrant if it's invalid, I think GEDmatch could have challenged its part assisting with the warrant. But it didn't do that.  That's perhaps understandable as a legal matter, as I doubt that challenge would have gone so far given that the detective presumably could have executed the warrant without GEDmatch's assistance (by creating a civilian account and then searching).

The other way to challenge the warrant would have been on a motion to suppress if the search ends up being successful.  But that's unlikely to get very far for a number of reasons, most importantly standing. It's unlikely that the defendant's own DNA profile would be in the database.  And if it is, the defendant would have uploaded the DNA profile voluntarily for everyone to search, likely eliminating Fourth Amendment rights under the third party doctrine. A defendant could try to argue that the GEDmatch policy created a reasonable expectation of privacy because it allowed in all members of the public but excluded police, but that seems like an uphill battle.  And that's only standing: Once standing is established, the defendant would need to show not just that the warrant was invalid but that the violation was clear under the good faith exception, at least assuming it's in a jurisdiction that recognizes the good faith exception.

Finally, I realize that some readers may be upset that I am only discussing the legal questions raised by this fact pattern, instead of the many other issues it raises.  That's true, but it's the legal issues that seemed particularly interesting to me based on the story.  For my broader views about government queries of DNA databases, see my 2018 post, Tentative Thoughts on the Use of Genealogy Sites to Solve Crimes.