Today, researchers published a paper detailing how governments can use public genetic databases to identify criminal suspects. These activities raise real questions about when it’s appropriate for law enforcement to analyze genetic information, and how best to protect individuals whose genetic data has been analyzed as part of a commercial service, but who are not accused of a crime.
FPF recently published Privacy Best Practices for Consumer Genetic Testing Services. The document includes strong protections for genetic data, particularly with regard to government access: law enforcement should obtain a warrant before seeking the disclosure of genetic data from companies; firms should demand valid legal process before disclosing genetic data and publish annual transparency reports. If government representatives are deviating from this approach, lawmakers or courts should impose clear, common-sense restrictions.
The sort of law enforcement search described in the paper would not be permitted by the FPF Best Practices. The search involves uploading genetic information discovered at crime scenes to an online database to identify an individual or an individual’s relatives. We require that companies only process genetic information uploaded with an individual’s permission; a crime scene upload necessarily occurs without the unknown subject’s permission. Further, leading companies require legal process before they will disclose genetic information to the government and have vigorously pushed back against law enforcement access to genetic data, many times declining to provide data in response to what they determined to be inappropriate requests. It is hard to imagine judges issuing warrants for the sort of general searches contemplated in the paper.
It’s worth noting that the public database at the center of the current discussion – GEDMatch – explicitly tells users that their genetic data will be shared with others without granular consent and subject to government access without a warrant. GEDMatch’s policies conflict with FPF’s Best Practices and are out of step with leading companies, which restrict this kind of access. GEDMatch’s practices are also different in another key way: the service permits users to upload digital genetic profiles. Prominent companies do not typically provide for such uploads, making crime scene genetic data less susceptible to matching without valid legal process.
There are clear benefits of using genetic data to help consumers better understand their health and ancestry. Genetic data, properly obtained and analyzed, can also help law enforcement solve crimes and improve public safety. However, unfettered law enforcement access to genetic information on commercial services would present substantial privacy risks. FPF’s Best Practices articulate a framework that can prevent many of these risks while preserving the public safety value of limited, narrow genetic searches predicated on probable cause and conducted pursuant to appropriate process. As we move forward, it is worth considering additional measures, including restrictions on government activities, technical safeguards, or other steps, that could bolster trust and safety.