Introduction

Lately, we have seen numerous cases that were unsolved for decades, where the use of forensic genealogy provided authorities with answers.

Checking people’s family trees based on characteristics from the DNA sample on file has given us a string of cases where a suspect has now been identified. The media started to pick up on these investigations with the arrest of the Golden State Killer.

Joseph James DeAngelo, Jr had not been on the police radar before. He was not named in any file, report, etc. Sacramento police found him by using genealogy websites that held genetic information from a relative, the Sacramento County District Attorney’s Office confirmed on April 26, 2018.

Police used DNA from one of the crime scenes and compared it to genetic online profiles in various commercial ancestry databases. First, they checked family trees, filtered people based on gender, race, age, etc., which resulted in a pool of possibilities. Then, they added surveillance, got DNA from a discarded item, compared that to the DNA from the crime scene, and found a match. This is of course, a simplified description of the entire process, but it gives you an idea how it works.

This method has been hailed as the solution for murder victim families and has been successfully applied in several cases. Some examples are:

Most people enter their DNA in commercial (non-governmental) genealogy websites to find lost relatives, check out their heritage, etc. Some have pleasant experiences finding family members in other parts of the country, but others discover less pleasant news such as not being blood-related at all. However, people didn’t know that their DNA might now be used by law enforcement to try and solve crimes. This is becoming an ethical dilemma.

Investigation limitations

Sometimes police have DNA from a crime scene, but they cannot find a match in CODIS, the FBI’s Combined DNA Index System. However, there might be a match in other online databases, such as those used for (commercial) genealogy. While samples can be entered in a federal database only once a year, there are no limits for online commercial databases.

The solution could be a partnership between old-fashioned investigative methods, such as canvassing and surveillance, aided by modern forensic technology, such as new DNA gathering methods, and by genealogy analysis using online databases. Authorities can build complete family trees with the results of DNA matching, and they can combine these with online information from obituaries (they always mention the family lines often with locations, schools, organizations, etc.), online court records, criminal records, credit scores, social media, etc.

To many people, this new partnership is not disturbing, as solving old cases is foremost on their minds. But to others, it is worrisome. They point to:

A: Privacy Issues

People who use commercial genealogy sites do so with a specific goal (see above) and their consent is based on that specific goal. Crime-solving, in general, was not their intention, when they gave their DNA to be entered into those databases.

When these sites came up, DNA matching was not as prominent a crime-fighting tool as it is now. In other words, user consent was based on limited expectations. Now the usage has been expanded, and the expansion was often not announced to each user.

Despite changes in the Terms of Services (TOS) of several such sites (adding clarifications, etc.), people claim that they cannot be retro-actively applied. All users should be allowed to opt out of new usage of their data when the TOS are changed.

Another privacy issue concerns users’ bloodlines. You entered your data online but in doing so, you entered online data about all your relatives without their knowledge and consent.

B: Possibility of Errors

Complex samples of combined DNA profiles and deteriorated DNA from less well-preserved samples can lead to incorrect matches or false positives and result in wrongful accusations or worse, convictions.

In this article, you can read that in the Golden State Killer case, police first got the wrong man. “By casting such a wide net, authorities risk compromising the privacy of anyone whose genetic data appears online, along with their relatives, experts say.”

To be under police suspicion may not be publicly visible or noticeable but what if being investigated by the authorities becomes publicly known? What if questions asked from an employer raise suspicions in the company? What if the wrong name keeps popping up in search engine results? The emotional damage, loss of trust in authority, tarnished reputation, etc. should not be brushed aside as ‘collateral damage.’

The authors bring up the crux that many wish would be fixed on the federal level: “We may be comfortable requiring individuals who engage in the personal genetic landscape to accept the risk that law enforcement will search their data. But those whose genetic identities are being shared online without their knowledge are not aware that they are participating in this landscape and so cannot be said to have accepted its risks. When the police reach through participants to identify their relatives, those relatives also are unknowing and therefore non-consenting.”

As pointed out before, DeAngelo was not on anyone’s radar, but because a wide net was casted authorities eventually zoomed in on him. Then, they investigated him following accepted practices, and built a case around him with a warrant.

The Fourth Amendment

“The District of Columbia and Maryland are the only two jurisdictions in the country with laws barring searches for familial DNA and partial match analysis, and Maryland was the first to ban searches for blood relatives statewide” according to Delegate Charles Sydnor. He wants to prohibit searches of consumer genealogical databases for the purpose of identifying an offender in connection with a crime through their biological relative’s DNA samples (House Bill 30).

The states of California, Colorado, Texas, and Virginia allow the use of genealogy database searches leading to familial DNA matches but only after all other avenues have been exhausted.

Authorities say that when you upload your DNA (or give permission for it to be entered in an ancestry database) you have indicated to accept the TOS that may include the use of your data by law enforcement. “Because of this, there’s absolutely no expectation of privacy, according to the Maryland Chiefs of Police and Sheriffs’ Association.” Some compare it to an anonymous tip.

I think that most genetic service providers now warn their users that their DNA can potentially be used by third parties including law enforcement. But how many people really read the privacy rules and conditions, the terms of services, the fine print?

Consent

In the US Supreme Court’s recent decision in Carpenter v. U.S. (Supreme Court of the U.S. 22 June 2018. 138 S. Ct. 2206), it was held that “individuals have a legitimate expectation of privacy in historical cell phone information that bars police from accessing those data without a warrant. To the extent that police access to familial genetic data should depend on investigative purpose, however, the challenge is distinguishing those criminal circumstances that are sufficiently serious to justify access from those that are not.”

In other words, the government violates the Fourth Amendment by accessing historical records with the physical locations of cellphones without a search warrant. The question in Carpenter v. US was: “Does the warrantless search and seizure of cell phone records, which include the location and movements of cell phone users, violate the Fourth Amendment?”

The parts about changed expectations in the digital age and the level of intrusiveness are key elements of privacy. Consider the information on your mobile phone; most people would not just hand over a mobile phone, even if the case that police are investigating involves violent crime. Why? Privacy. Not just your own but also that of your contacts.

You may have pictures on your phone, text messages, etc. that form a personal communication between you and someone else. By handing over your phone you give law enforcement access to all that information without having first obtained the consent of your contact. Such a violation of privacy is not socially acceptable. We ask ourselves first “are police merely browsing for information or conducting an active search” and then we decide. This is the main concern behind the ethics issues of forensic genealogy.

Supporting Law Enforcement

The majority of people support police when they investigate violent crimes such as rape, murder, kidnapping, etc., especially when it involves the elderly or children. In those cases, people also support law enforcement’s use of commercial ancestry sites. However, this support drops when the crimes involved are non-violent such as car thefts, burglaries, vandalism, etc.

When people feel the purpose is justified and/or socially accepted, support grows. But that is exactly the worry of those who point to the House Bill. They point to privacy concerns. However, privacy isn’t the only concern. Erroneous use or interpretation of any kind of evidence is always a legal problem. Those who fear for wrongful convictions want to know if the purpose is justified and/or socially accepted. And if so, should there be federal regulations, or do we wish to leave this up to the States?

The perception of privacy and the consequences of violations, however small, need to be researched further.

Ethical behavior of companies

If we want forensic genealogy to succeed, we need to rethink the parameters of privacy and policy. Privacy laws for genetic and medical information currently do not cover genealogical DNA data that people upload voluntarily in commercial ancestry databases.

On Feb 4, 2019 the “president of FamilyTreeDNA, one of the country’s largest at-home genetic testing companies, has apologized to its users for failing to disclose that it was sharing DNA data with federal investigators working to solve violent crimes.”

Without informing its users, the company secretly opened up their database with more than two million profiles to the FBI. Again, we support the authorities in fighting crime, but FamilyTreeDNA was marketing themselves as “a leader of consumer privacy and a fierce protector of user data, refusing, unlike some of its competitors, to sell information to third parties,” so this violated their users’ trust.

Either the company should have asked their users for their consent, e.g. every account holder should have been contacted about changes in TOS, and asked to consent to those changes or, have their data removed. At the least the company should have alerted those users in the pool of profiles the FBI was checking. That would have been the appropriate procedure however, it would still have been too late for some users to opt out.

“While investigators have used open-source sites such as GEDmatch, which is free, to find DNA matches and possible relatives, the arrangement with FamilyTreeDNA includes the first known commercial site to provide some services without a subpoena or warrant.”

Changes in TOS without people’s consent or the right to opt out and have your DNA profile removed from the company’s databases should not be possible. What if it had not been the FBI but a commercial company? What if it had been an agreement with Facebook to allow them to use uploaded information to aid their quest to combine personal information from your wall with medical data? They made exactly that attempt last year.

“While the data shared would obscure personally identifiable information, such as the patient’s name, Facebook proposed using a common computer science technique called “hashing” to match individuals who existed in both sets. Facebook says the data would have been used only for research conducted by the medical community.”

Do you really trust them to not identify people after the Cambridge Analytica scandal? Can we trust consumer-based companies not to sell highly sensitive data secretly without announcing a change to their TOS? No. “The issue of patient consent did not come up in the early discussions, one of the people said.” Facebook has been involved in many cases of research without their users’ consent.

Secret changes in TOS are in direct contrast to the purpose of making people agree with your TOS in the first place. And, you cannot agree with statements you do not know about.

Abandonment doctrine

Some bring up the abandonment doctrine that was part of the Golden State Killer case, “could DeAngelo have an expectation of privacy when he tossed away items that police picked up to find DNA?” The law says no. The abandonment doctrine means there is no expectation of privacy in abandoned materials.

When you toss your napkin after eating out, you abandon the napkin and the DNA you left on it. No expectation of privacy. Police may pick it up, test it, all without a warrant. Does this doctrine apply to DNA and ancestry websites? At this point the law says yes. However, many people disagree. If you give your DNA to a company for analysis in ancestry you do not abandon your DNA. You gave it for a specific purpose: ancestry.

Solutions

I think that forensic genealogy will be vigorously challenged in court. It needs to withstand the Daubert standard, i.e. prove that the method is in general accepted by the scientific community. That is where I see the first road block.

To find out whether something is accepted in general by the scientific community, that scientific community must have tested the method, researched the use, assessed that a method is sufficiently reliable, and test the method for the possibility of false positives. In other words, companies that use forensic genealogy to assist police in their investigations would have to open up their research to independent scientists.

The second road block is defining what category of crime we wish to solve by using forensic genealogy. As we saw earlier, most people support expanded investigation techniques in cases of violent crimes however, support drops when the crimes involved are non-violent such as car thefts, burglaries, vandalism, etc.

Conclusion

We want to apprehend all criminals who thought that they had gotten away with their crimes. But that doesn’t mean we should not have the discussion about the ethics of forensic genealogy and its application in police investigations.

As Del. Sydnor points out, when you enter your DNA in a database you expose your whole bloodline to a potential police investigation. I have seen people disagree with this. “You do not expose a whole family but only the ones with a DNA match.” But this is wrong.

Unless a criminal’s DNA is already in those commercial databases any result will always be a partial match. And that exposes many people related to the criminal to police investigations based on just a partial match. The reaction that if you didn’t do anything wrong you have nothing to fear is just an easy way to try to end the discussion.

As indicated before, mistakes are made and companies break their word. What we should aim for are guidelines to prevent abuse, expose sudden changes in TOS, safeguards to prevent wrongful arrests, and still support law enforcement while remaining within the scope of the Fourth Amendment.

This is new territory. As with email, we had to sort out the legal status of a digital message. The same needs to be done here. Supporting that research doesn’t mean that you do not want crimes solved. To the contrary, you do want those crimes solved but at the same time you wish to keep an eye on the power of the government, the ethical behavior of companies, the rights of every person, and the changing values in society. Absent federal regulations, it may be up to the courts to strike a fair balance.

**

In the series “Case of the Month” I usually highlight old unsolved cases. However, there are times that another topic related to cold cases must be discussed. This is one of them and it is posted earlier than I normally do. However, in light of the recent cases involving concerns with the application of forensic genealogy (think about the case of Theresa Bentaas) and the latest security breach with Facebook I thought it best to post earlier.

In the case of Theresa Bentaas, The Wired posted a concern expressed by Colleen Fitzpatrick, who cofounded the nonprofit DNA Doe Project with fellow genealogist Margaret Press. “Bentaas, who would have been 18 or 19 at the time of the incident and, according to an affidavit cited in the Argus Leader, too scared and ashamed to tell anyone about the pregnancy, is different. A Baby Doe case is a special category,” says Colleen Fitzpatrick. “It breaks apart this neat dichotomy between finding criminals who might still be dangerous and finding victims.” For Fitzpatrick the category of crime matters.

Even in the high-profile case of Michelle Martinko, concerns are expressed. From The Gazette, comes the quote below. It is from Brandy Jennings who lives in Vancouver, Washington. She had uploaded her DNA to GEDMatch to find out more about her family from father’s side. Through her DNA, the suspect in the Martinko murder, Jerry Burns, was found.

“The discovery, she said, has taught her to pay attention to the “fine print” before submitting something to a public site because she didn’t know law enforcement could access the DNA without her knowledge.” She uploaded her DNA for ancestry purposes and now finds out her DNA was used by law enforcement. She was not told about that. In the article she is relieved Burns got caught but she is clearly uneasy with the use of her DNA by authorities without her knowing that was possible.