FamilyTreeDNA Agreement with FBI Creates Privacy Risks

|

Company’s Deal with Law Enforcement Surprises Consumers and Is Out-of-Step with Industry Norms and Best Practices 

By John Verdi and Carson Martinez

Last week, FamilyTreeDNA announced an agreement with the FBI to allow agents to test DNA samples from crime scenes, develop genetic profiles, and identify familial matches. This agreement marks the first time a prominent private company has agreed to voluntarily provide law enforcement with routine access to customers’ data. Genetic data, properly obtained and analyzed, can help law enforcement solve crimes and improve public safety. However, unfettered law enforcement access to genetic information on commercial services presents substantial privacy risks.

The FamilyTreeDNA agreement is outside industry norms and inconsistent with consumer expectations. FamilyTreeDNA should terminate the company’s agreement with the FBI and take steps to ensure that law enforcement does not access users’ data without appropriate legal process.

Leading genetic testing companies do not turn over consumer data to the government upon request. They require legal process such as a warrant before allowing law enforcement to access genetic data. Constitutional and statutory warrant requirements are longstanding mechanisms that support important values – they can help police solve crimes and protect individuals’ privacy. Warrants are issued based on evidence, typically target a specific individual, and allow a neutral judge to determine whether there is probable cause to suspect that a particular individual is linked to a crime. FBI genetic searches should be predicated on probable cause and conducted pursuant to appropriate process.

FamilyTreeDNA’s agreement is out of step with consumer expectations. Leading genetic testing companies understand that when users send in their DNA to learn more about their health or heritage, they do not expect their genetic data to become part of an FBI genetic lineup. FamilyTreeDNA users have not received a meaningful notice or opportunity to opt-in or opt-out of these searches. If this agreement remains in place and valid legal process is not obtained before access to genetic data is provided to the FBI, individuals may be erroneously swept up in investigations simply because their DNA was found near a crime scene or at a location where a victim or suspect lived or worked. Genetic profiles turned over to the FBI may also be covertly reused by the FBI on other commercial sites.

Furthermore, FamilyTreeDNA’s agreement conflicts with the Privacy Best Practices for Consumer Genetic Testing Services that FPF published last year. At the time, FamilyTreeDNA announced their support of the Best Practices as a clear articulation of how firms should protect consumers’ privacy. The Best Practices state that genetic data should not be disclosed to or made accessible to third parties, in particular to government agencies, except as required by law or with the separate express consent of the person concerned. The Best Practices also require that companies only process DNA samples and genetic data uploaded by the relevant individual, or with that individual’s permission. These are strong protections for sensitive genetic data.

The approach that the FBI would use to identify individuals by sending DNA samples from a crime scene to FamilyTreeDNA for testing and analysis would occur without a warrant. In light of the new agreement, FamilyTreeDNA has been removed as a supporter of the Best Practices.

Law enforcement should obtain a warrant before seeking disclosure of genetic data from companies, and companies should demand valid legal process before disclosing genetic data. Companies should only process DNA samples and genetic information uploaded with an individual’s permission. That way, genetic data can be used to identify suspects and victims – and consumer privacy can be respected.