Maryland and Montana recently became the first states in the nation to pass laws limiting law enforcement's use of DNA databases to solve crimes. The strategy, sometimes called genetic genealogy, has been used to find dozens of people accused of violent crimes, including the Golden State Killer, but raises genetic privacy concerns.
The laws focus on consumer DNA databases, which let people upload their genetic information and use it to connect with relatives. Over the past few years, law enforcement officers have started using the databases to track down suspects: they can upload DNA found at a crime scene and use matches with relatives to narrow their pool of suspects, and in some cases find the alleged criminal.
Maryland legislation now requires law enforcement to get a judge's sign-off before using this technique, and limits it to crimes like murder, kidnapping, and human trafficking. It also says that investigators can only use databases that explicitly tell users that their information could be used to investigate crimes. In Montana, law enforcement would need a warrant before using a DNA database unless the users waived rights to privacy.
The laws are an important step toward more robust genetic privacy standards, Natalie Ram, a law professor at the University of Maryland, told The New York Times. After genetic genealogy was used to identify the Golden State Killer in 2018, experts and privacy advocates noted that people uploading their information to genetic databases may not know that it could be used for a criminal investigation. Any relatives of people who upload information could also be unwittingly swept up in that net. It’s not limited to immediate relatives, either: one study found that a database of around 1.3 million people could theoretically be used to identify around 60 percent of people with European ancestry in the United States.
In response to those concerns, the databases GEDmatch — the one used to identify the Golden State Killer — and FamilyTreeDNA changed their terms to only allow law enforcement to use data from users who opted into those searches. But the opt-in settings are on by default. In December 2019, GEDmatch was acquired by a crime scene DNA company, making the relationship with law enforcement more explicit and frustrating genealogists who didn’t want to see the service used for those purposes.
As it stands, the new genetic genealogy legislation in Maryland and Montana may not be enough of an incentive for companies like GEDmatch and FamilyTreeDNA to change their existing policies around user consent. The companies told The New York Times that they have no plans to make changes at this time. Other companies, like Ancestry and 23andMe, already ask for a warrant before police officers can search their databases.
Legislatures in Utah and Washington state have also proposed rules limiting the use of genetic genealogy: a Utah lawmaker introduced a bill in early 2020 banning the practice entirely, and Washington state legislators considered requiring law enforcement officers to get court orders to use genetic databases.