Maryland and Montana have become the first U.S. states to pass laws that make it tougher for law enforcement to access DNA databases.
The new laws, which aim to safeguard the genetic privacy of millions of Americans, focus on consumer DNA databases, such as 23andMe, Ancestry, GEDmatch and FamilyTreeDNA, all of which let people upload their genetic information and use it to connect with distant relatives and trace their family tree. While these services are popular (23andMe has more than three million users, and GEDmatch more than one million), many are unaware that some of these platforms share genetic data with third parties, from the pharmaceutical industry and scientists to law enforcement agencies.
Using a technique known as forensic genetic genealogy searching (FGGS), law enforcement officers can upload DNA evidence found at a crime scene to find connections to possible suspects, the most famous example being the identification of the Golden State Killer in 2018. In that case, investigators uploaded to GEDmatch a DNA sample taken at the time of a 1980 murder linked to the serial killer and subsequently identified distant relatives of the suspect, a critical breakthrough that led to the arrest of Joseph James DeAngelo.
While law enforcement agencies have seen success in using consumer DNA databases to aid with criminal investigations, privacy advocates have long warned of the dangers of these platforms. Not only can these DNA profiles help trace distant ancestors, but the vast troves of genetic data they hold can divulge a person’s propensity for various diseases, predict addiction and drug response, and even be used by companies to create images of what they think a person looks like.
Ancestry and 23andMe have kept their genetic databases closed to law enforcement without a warrant; GEDmatch (which was acquired by a crime scene DNA company in December 2019) and FamilyTreeDNA have previously shared their databases with investigators.
To ensure the genetic privacy of the accused and their relatives, Maryland will, starting October 1, require law enforcement to get a judge's sign-off before using genetic genealogy, and will limit its use to serious crimes like murder, kidnapping and human trafficking. It also says that investigators can only use databases that explicitly tell users that their information could be used to investigate crimes.
In Montana, where the new rules are somewhat narrower, law enforcement would need a warrant before using a DNA database unless the users waived their rights to privacy.
The laws “demonstrate that people across the political spectrum find law enforcement use of consumer genetic data chilling, concerning and privacy-invasive,” said Natalie Ram, a law professor at the University of Maryland. “I hope to see more states embrace robust regulation of this law enforcement technique in the future.”
The introduction of these laws has also been roundly welcomed by privacy advocates, including the Electronic Frontier Foundation. Jennifer Lynch, surveillance litigation director at the EFF, described the restrictions as a “step in the right direction,” but called for more states — and the federal government — to crack down further on FGGS.
“Our genetic data is too sensitive and important to leave it up to the whims of private companies to protect it and the unbridled discretion of law enforcement to search it,” Lynch said.
“Companies like GEDmatch and FamilyTreeDNA have allowed and even encouraged law enforcement searches. Because of this, law enforcement officers are increasingly accessing these databases in criminal investigations across the country.”
A spokesperson for 23andMe told TechCrunch: "We fully support legislation that provides consumers with stronger privacy protections. In fact we are working on legislation in a number of states to increase consumer genetic privacy protections. Customer privacy and transparency are core principles that guide 23andMe’s approach to responding to legal requests and maintaining customer trust. We closely scrutinize all law enforcement and regulatory requests and we will only comply with court orders, subpoenas, search warrants or other requests that we determine are legally valid. To date we have not released any customer information to law enforcement."
Ancestry said it worked with lawmakers in Maryland to craft a law "that achieves their public policy goals while ensuring the privacy of our consumers."
"Protecting our customers’ privacy and being good stewards of their data is Ancestry’s highest priority and we do not voluntarily work with law enforcement. Ancestry will not share any information with law enforcement unless compelled to by valid legal process, such as a court order or search warrant," a company spokesperson said.
GEDmatch and FamilyTreeDNA, both of which opt users into law enforcement searches by default, told The New York Times that they have no plans to change their existing policies around user consent in response to the new regulation.
Updated with comment from Ancestry.