A judge said police can search the DNA of 1 million Americans without their consent. What’s next?

For the first time, a state judge has forced a public genealogy site, GEDmatch, to allow police to search its entire database of DNA profiles. A detective wanted to find distant relatives of a serial rapist in hopes that their family trees could help him home in on a suspect—even though most of the 1.3 million people who have shared their DNA data with the site haven’t agreed to such a search.

The search warrant, reported this week by The New York Times , raises the alarming possibility of similar police searches of giant direct-to-consumer DNA sites such as Ancestry.com and 23andMe that are now closed to everyone except company customers who willingly submit a saliva sample.

Since police tracked down the suspected Golden State Killer in April 2018 by uploading crime-scene DNA to GEDmatch, forensic genealogy has led to arrests in scores of cold criminal cases. But privacy concerns have arisen because users didn’t know their DNA data were being searched, and because relatives who never took a DNA test could come under suspicion. In May, GEDmatch restricted police searches to participants who had given consent, cutting the number of available DNA profiles to 185,000. Then in September, the U.S. Department of Justice (DOJ) eased some concerns by issuing a policy that limits searches by federal law enforcement agencies to violent crimes and DNA profiles with user consent.

The new search warrant, issued by a state judge in Florida in response to a detective’s request, disregards such privacy protections by compelling GEDmatch to open up its full database. Science Insider spoke with Natalie Ram, a law professor at the University of Maryland’s Carey School of Law in Baltimore, about the implications. This interview has been edited for clarity and brevity.

Q: Is this search warrant really a big deal?

A: Maybe. A lot turns on the specifics of the affidavit submitted to secure the warrant. If they said we did some preliminary work before the GEDmatch opt-in policy, so we knew that there were some relatives but we didn’t get enough information to aid our investigation, that would be less panic-inducing. Because it would mean that this is sort of a special circumstance.

But if it says, here’s this article in Science by Yaniv Erlich and colleagues indicating that if you have a database of 1.3 million people, 60% of Americans of European descent will have a third cousin or closer in this database, which makes them trackable, and the police say, “Let us in,” that is quite general. That statement is true for virtually every such American if we include the databases at the big companies.

To me, that is as if the police stop someone because the person was in a bad neighborhood, which the police would say made it more likely that they could be up to no good. Courts have said being in a bad neighborhood on its own is insufficient to support probable cause for a search or seizure. So, if that’s the only thing that warrant says, the warrant would be quite problematic in my view.

Q: GEDmatch is a tiny operation. But if 23andMe or Ancestry.com received such a search warrant, would you expect them to challenge it in court?

A: 23andme has said explicitly “If you bring us a warrant, we will fight you on it.” I suspect that their argument would be that merely saying there’s a statistical likelihood that there's a reasonably close relative in the database is not sufficiently individualized to constitute a valid warrant.

If one of these companies declines to comply with the warrant and challenges the basis of it, that may be the most direct route for evaluating whether and how these warrants can and must be worded in order to be valid.

Alternatively, if [the gene testing companies] provide the information, then it’s possible that someone who faces prosecution could raise a Fourth Amendment argument [against illegal searches], which would entail judicial consideration of that warrant.

But it’s complicated. It’s not clear whether the DNA company or a criminal defendant would have the right kind of interest in the DNA and privacy rights at issue to even be able to challenge the warrant effectively. (That is, it’s not clear either has “standing.”) So, we might discover that this is a situation in which, as a practical matter, there is no one who can effectively challenge this warrant. And that’s not a good place for the law to be.

Q: What will happen next?

A: If these kinds of warrants are issued frequently and receive widespread judicial blessing, then I think this is going to be a really big problem for all the DNA sites.

There are a couple of avenues for what could happen. No. 1, if there is a public outcry, that will incentivize database holders to demand more narrowly tailored warrants. Or to challenge the warrant.

No. 2, the antidote to freely issued warrants can be legislation like a bill I’ve been involved in in Maryland [that would ban forensic genealogy searches by state law enforcement agencies].

All of this underscores that regulation like the DOJ interim policy and legislation like the proposed Maryland bill may be the best way to impose enforceable limits on investigative genetic genealogy.

*Update, 8 November, 9:35 a.m.: 23andMe has posted a blog message stating that if the company receives a warrant like the one that allowed police to search GEDmatch, it will “use every legal remedy possible” to challenge the order, as it has successfully done for government requests for data on individual customers.