Are the Cops Using Our Genealogy Databases?

This post has been updated.

The genealogy world is ablaze with the revelation that our beloved GEDmatch was used to track down the Golden State Serial Killer. Despite universal approval of the outcome, some genealogists and ethicists are dismayed that this “off label” use of a nerdy genealogy website by law enforcement might have been a breach of privacy and might have unintended consequences for our field.

To address whether law enforcement could be using databases other than GEDmatch, I looked at the terms of service and privacy policies at each of the main testing companies. Here’s what I found and my (not-a-lawyer) interpretation of that information:

 

AncestryDNA

Law enforcement could not submit a crime-scene sample to AncestryDNA without violating the Terms and Conditions: “By using the DNA Services you also agree: …. Any saliva sample you provide is either your own or the saliva of a person for whom you are a parent or legal guardian”.

23andMe

The Terms of Service at 23andMe explicitly prohibit forensic uses: “you agree not to …. use any information received through the Services to attempt to identify other customers, to contact other customers (other than through features for contacting other users such as DNA Relatives offered pursuant to the Services), or for any forensic use” [emphasis mine].

 

MyHeritage

Likewise, MyHeritage recently updated their Terms and Conditions to say “using the DNA Services for law enforcement purposes, forensic examinations, criminal investigations and/or similar purposes, without a court order and without prior explicit written permission from MyHeritage, is strictly prohibited. It is our policy to resist law enforcement inquiries to protect the privacy of our customers.”

 

Living DNA

Living DNA does not currently offer relative matching (necessary for the kind of investigation that identified the Golden State Killer), but they plan to add it soon. Per their Terms & Conditions, law enforcement could not use forensic samples in their database: “You undertake, promise and agree as follows: …. That you are an individual, are aged over 18, and that the sample you provide will be your own sample, or the sample of a child in respect of whom you have legal entitlement to take a sample and to submit it for testing.”

 

Family Tree DNA

As of 25 May 2018, the Terms of Service for Family Tree DNA state “You agree to not use the Services for any law enforcement purposes, forensic examinations, criminal investigations, and/or similar purposes without the required legal documentation and written permission from FamilyTreeDNA” (Section 6.B.xiii). Under what conditions Family Tree DNA will give “written permission” is unclear.

 

Court Orders

Note that all of the companies could be required to release personal information (including real name, contact information, and genetic data) in response to a legal request from US law enforcement, such as a warrant or subpoena. Both AncestryDNA (in their Privacy Statement) and 23andMe (in their Terms of Service) say that they would notify the customer before complying with such a request, unless prohibited by law. FTDNA does not mention court orders at all in their Privacy Policy and Terms of Service. Both Living DNA and MyHeritage are foreign companies, so the subpoena process would be complicated by the need to go through international proceedings.

23andMe publishes a Transparency Report, updated quarterly, that says they have never released customer information in response to a government request. AncestryDNA’s Transparency Report states that they have responded to several government requests related to credit card fraud and identity theft; once, in 2014, have they complied with a search warrant to identify a person based on a DNA sample. That person’s DNA profile had been public in a database Ancestry.com had acquired. None of the other companies provide information on whether they have complied with government requests for customer DNA data.

 

This post was updated on 27 May 2018 to reflect the new Terms of Service at Family Tree DNA.

13 thoughts on “Are the Cops Using Our Genealogy Databases?”

  1. People who are focusing on the use of genealogy test sites and privacy need to calm down. If they want something to be upset about they need to watch the documentary movie, A Good American. Now that is scary. The long and short of it, if someone in law enforcement wants your DNA they have ways to get it and will use whatever means they can to track it.

      1. I agree 100%, I didn’t say they shouldn’t.

        DNA is currently in the spotlight and some people are outraged. No one stops to think that every time they use a debit or credit card someone is tracking everything they purchase, right down to the type of toilet paper they purchase, where, and how frequently.

        There is a TV series where DNA is used for cold case files. Thousands of DNA kits sit waiting to be tested because there is not enough funding. And then as you have shared, there are groups working to identify victims of crimes and that that DNA testing needs funding too. A worthy cause in my opinion.

        I am glad that an alleged rapist and killer has been apprehended using whatever means they could. Let’s see if laws have been violated and if the case sticks.

        I do not think police departments are going to have the manpower and funding they provided in this case to repeat efforts like this very often. My understanding is they followed the DNA from a 4th great-grandfather and had a team of almost 30 to do it. These people learned to follow the DNA AND follow other clues. They also had to follow names, dates and logical geographic locations. So that includes census records, probably public obituaries, and public trees. I haven’t read how long it took them from the the time they identified the MRCA. But let’s admit, it appears they did the job. The tools at GEDmatch did what they are designed to do. Find genetic family matches. But they had to use other public information as well to put the entire puzzle together. Including “odds” on the likely relationships as they progressed.

        It is not the fault of GEDmatch if people did not read disclaimers. If they have not read and understood and asked for clarification if they didn’t, then those people shouldn’t be crying foul now.

        I think it is good to have discussions about these issues. I have always appreciated the power of collaboration.

  2. GEDmatch raw DNA upload utility –

    Please acknowledge that any sample you
    submit is either your DNA or the DNA of
    a person for whom you are a legal
    guardian or have obtained authorization
    to upload their DNA to GEDmatch:
    (You will not be able to make comparisons
    if you do not answer yes)

    So all companies have similar policies. The fact is, they were not complied with on this occasion, and may not have been on other occasions. For the other companies to appear ‘holier than thou’ is misleading. DNA may well have been uploaded to them as well, in contravention of their policies.

    Please do not make Gedmatch appear the ‘bad guy’.

    Margaret

    1. I’ll address your points individually:
      (1) No, the companies do not have similar policies. The Terms and/or Privacy Policies at AncestryDNA, 23andMe, MyHeritage, and Living DNA would all prevent law enforcement (or subcontractors/volunteers) from using their databases. Yes, LE could ignore the policies, but that would jeopardize the legal case once it got to court.

      (2) A fair argument could be made that law enforcement had “authorization” to upload the GSK’s DNA data to GEDmatch. I assume that’s the same logic being used by the DNA Doe Project when it uploads to GEDmatch. The upload is not the problem. A government search of 900,000 innocent people is the problem.

      (3) This post doesn’t even mention GEDmatch, so I don’t know why you think I’m making them out to be the bad guy. There is no bad guy here. The genealogy community needs to dispense with that line of thinking altogether. GEDmatch provides tools that we use and love. And law enforcement did good. No, not good … great … amazing! They captured a monster who deserves to rot. We need to find a way for nerds to do their genealogy and for law enforcement to keep us safe without exposing anyone to an unwanted search. The only fault I can find with GEDmatch is that their Site Policy leaves too much to the imagination of the reader. I can’t imagine that most people read it and thought immediately “Hey, I’m consenting to being part of a murder investigation!”

      1. After I posted, I reread the individual policies as quoted by your self, and agree with you, the only policy it is similar to, in this post at least, is ancestryDNA. I haven’t read the individual sites terms and conditions recently.

        “This post doesn’t even mention GEDmatch”

        I think you are incorrect there, you mention them twice.

        Your opening paragraph is –

        “The genealogy world is ablaze with the revelation that our beloved GEDmatch was used to track down the Golden State Serial Killer. Despite universal approval of the outcome, some genealogists and ethicists are dismayed that this “off label” use of a nerdy genealogy website by law enforcement might have been a breach of privacy and might have unintended consequences for our field.

        To address whether law enforcement could be using databases other than GEDmatch, I looked at the terms of service and privacy policies at each of the main testing companies. Here’s what I found and my (not-a-lawyer) interpretation of that information”

        “So I don’t know why you think I’m making them out to be the bad guy. There is no bad guy here.”

        I agree there is no ‘bad guy’, was merely saying that Gedmatch has similar policies to the others. There (presumably, I know nothing of US law) was nothing to prevent law enforcement officers in the past from uploading DNA to any of the sites that was not rightfully theirs to submit.

        If US law allows companies to legally prevent people from uploading the DNA of others, that still makes Gedmatch no different from the rest of the companies.

        Rightly or wrongly, I also do not consider myself to be a nerd or a geek for taking an interest​ in my family history.

        Not trying to be confrontational!!

        Regards Margaret

        1. I assume you meant that the only policy similar to GEDmatch’s is FTDNA’s (not AncestryDNA’s). The other four sites do not allow this usage of their databases. FTDNA and GEDmatch are the outliers.

          Okay, you got me: I used the word “GEDmatch” twice. Even so, the post isn’t even about them; it’s about the Terms and the Privacy Policies.

          Oh, and “nerd” and “geek” are compliments! Unlike when we were young, it’s cool to be smart and engaged now.

  3. Kudos to the Cops for being creative and circuitious in their investigation!!!

    There is more than one way to get from here to there.

    You go, Guys!

  4. Dear Leah,
    Thank you for your information about the privacy policies and your insightful comments to follow. It is essential we all know the truth about our exposure and potential protections regarding the DNA we provide and manage. I appreciate your continued efforts to uncover and enlighten the facts in this case.
    Sincerely,
    Patricia Ann Kellner

    1. You’re welcome. Thank you for highlighting that the goal is give people the information they need to make informed choices.

  5. I shared this somewhere else but felt compelled to comment similarly here-

    It is entirely appropriate for everyone to point out what you have, and share your concerns. We need to both personally and collectively understand and openly discuss the ramifications, as well as the inevitability of DNA testing, matching, and sharing along with a keen eye to technology that is yet to be invented or discovered. I personally agree that it is a double-edged sword that likely cuts deeper in one direction than the other.

    I must comment that my “User Manual on Living” attributes everyone having common DNA as far back as a bit before common calendars. My manual also recommends that we do unto others as we would have done unto us, and that the truth will set you free. fwiw.

    Having said that, it’s known that some who don’t necessarily use the same manual as I will go to extreme lengths to get what they want. Breath taker beware. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.