The Future

You have no control over your data, even your DNA

The arrest of the Golden State Killer has raised uncomfortable questions about information sharing by online genealogical databases.

The New York Times reported late yesterday that the “Golden State Killer,” responsible for at least 50 rapes and 12 murders during the 1970s and 80s, was identified as 72-year-old Joseph James DeAngelo and arrested shortly thereafter.

After decades of false leads and dead ends, what finally appears to have nailed him is GEDmatch—an online genetic database that allows users to display DNA information publicly, as reported by the Mercury News. In most cases, the information was acquired by the users from more mainstream services like 23andMe and reposted to GEDmatch, the News said. As reported by the Times, Sacramento County law enforcement got a tip that a distant relative of DeAngelo had genetic information stored in one of these databases. With access to that genetic information, law enforcement was able to use DNA evidence linking DeAngelo to his crimes.

While the arrest of DeAngelo makes the world a safer place, it also draws attention to the fact that in the case of genetic databases, complete, informed consent, particularly by people who aren’t using the service directly, is basically impossible.

Even if other genetic databases don't display genetic information publicly like GEDmatch, they share information with affiliates who could then give law enforcement access to that information—all in a manner that still technically abides by the terms laid out in a service’s privacy policy. But users, or even the genealogical services themselves, may not even know when information is shared in this way.

Genealogical services are legally required per the Health Insurance Portability and Accountability Act of 1996 to gain informed consent before sharing genetic information with researchers. However, even people paying for these services often don’t read these agreements in full. People who are just relatives of those people don’t see them at all. For the millions of people who have given their genetic information to private companies, this has major implications for how they or a family member could be implicated in a crime. Even if a person is guilty of the crime in question, this case blurs the lines between legal and illegal search and seizure.

And while giving up genetic information can clearly implicate a family member in a crime, it is also impossible for these companies to get informed consent from every person that could be impacted by a single donation.

In an email to The Outline, Steven Joffe, a professor of medical ethics and health policy at the University of Pennsylvania, said the process of getting informed consent from every possible party could also undermine a person’s sense that they are entitled to the company’s services.

“While consent is needed from individuals who use the services of genomics companies, it’s both impractical and unnecessary to seek consent from multiple family members,” Joffe said. “If you require that my family members consent, you may unfairly prevent me from accessing some service that I want. That’s not right.”

Consenting to donate your information for “scientific, statistical, and historical research,” as some privacy policies request, sounds great—but depending on which organizations are conducting this research, there could be huge variation in the usefulness of this sharing, and how safeguarded that information is. According to Jonathan Moreno, a professor of bioethics at the University of Pennsylvania, this is a huge concern.

“As to these genealogy companies, the public doesn't realize that they don't have total control over their genetic information,” Moreno said. “The companies are really in the business of collecting data, not giving you individualized information. The value is in the data, not the amount they charge you for largely inconclusive [health] information.”

The privacy policies of these services have clauses stating that they may share information with law enforcement, if required by a court order, subpoena, warrant, or a simple request for cooperation with law enforcement. However, a genealogical service with DeAngelo’s information may have cooperated with law enforcement indirectly.

The business models of genetic testing and database services involve profiting from exchanging genetic information (with informed consent from the user) with non-profit or commercial medical and health research organizations.

While discloses that it collaborates with the University of Utah, the American Society of Human Genetics, and the National Marrow Donor Program, other testing services don’t offer that information publicly. Users often have very little way of knowing exactly which organizations are using their information, and how those organizations are sharing that information.

There’s also precedent for tech companies providing information to law enforcement. Third party communication apps like Skype, or apps with geographical information like FourSquare or Yelp, could be used to get incriminating information without a person. If a phone doesn’t have, say, a password, this could all go down without the direct involvement of a smartphone company like Apple, which may have made the device. The company may not even be aware information stored on their was used in this context.

But alternatively, Apple may cooperate with a U.S. National Security Order that may involve handing over information about a user. Apple claims that in the second half of 2016, it received somewhere between 5,750 and 5,999 National Security Orders. Although Apple famously refused to provide the FBI with an iPhone backdoor in the wake of the San Bernardino shooting, there’s still ample room for them to cooperate with law enforcement.

Even though family members have stakes in how that information gets shared, they typically aren’t involved in the consent process. 23andMe’s privacy policy does state, “Where you are disclosing information about a family member, you should make sure that you have permission from the family member to do so.” However, like sharing photos of others on Facebook, getting this permission is not a requirement; it’s more of a courtesy than anything else.