This is a very interesting issue with sending your DNA to sites like 23andme. This means that a police officer can get a warrant to submit a DNA sample to the site, and get back anyone who matches. (Or in this case, their relatives.)
The reason I think it's particularly interesting is that it passes one of the basic tests I have for whether something should be searchable by law enforcement: Do they have a target in mind and a warrant to search for that target? For PRISM and the other things that Snowden warned us about, the answer was no: the government was doing dragnet surveillance of all sorts of data warehouses to find people who fit a profile, without knowing who they're looking for ahead of time. With this, they have to have a DNA sample found at a crime scene, and they're using that combined with a warrant to do a targeted search for people with matching DNA. It just happens to be a website that people send their DNA to, rather than a police database.
So I'm actually inclined to say I think this is ok? But I'm not 100% sure how I feel yet.
EDIT: ok it looks like this was done not necessarily with a warrant, but with the officer just submitting the DNA as if they're a customer of the site. But actually my point still stands if they changed their technique to instead use a warrant and ask the site directly, not hiding that they were police officers... it's just that in this case they didn't even need to because it's so easy to just send others' DNA samples to these sites? It really seems like the lack of a warrant was a technicality here and could have easily gone the other way and still got to the same result.
You should feel upset and scared. Sites like 23andMe are just a small subset of genes and variations of them. The number of false positives due to this limit is significant. In whole database fishing searches by non-experts (ie, police) it will result in false positives every single time.
>In 2013, geneticist Michael Coble of the National Institute of Standards and Technology in Gaithersburg, Maryland, set up a hypothetical scenario in which a mix of DNA from several people had been found on a ski mask left at a crime scene after a series of robberies. Coble asked 108 labs across the country to determine whether a separate DNA sample, which he posited had come from a suspect in the robberies, was also part of the mix. Seventy-three of the labs got it wrong, saying the suspect's DNA was part of the mix when, in fact, it was not.
Police, judges and lawyers probably don't know the difference between a DNA test and a DNA test. People used to go to jail because they had the same blood type as the criminal.
Right, but the issues with using geneology-resolution DNA to match a specific individual are already understood---you yourself have highlighted them.
A defendant is one expert witness away from undermining a case that relies on that low of a resolution of matching alone. In this case, that data was only used as a pointer to suggest to police that deeper scrutiny of the identified suspect was warranted.
DNA-based evidence led to a lot of wrong convictions in the early stages but methods have improved significantly. No judge would send someone to jail because a sample at 23andme matches. But they could issue a warrant to allow a further DNA test of the suspect.
There is significant lag between false convictions and proof of innocence. So, it might seem like a huge improvement but it's far smaller difference than you might think.
If anything, I'd expect people to have more concern about the fact that the police in California are allowed to steal your stuff and grab DNA off of it than the risks from them being allowed to submit your DNA to a privately-owned database full of voluntary DNA submissions.
First off, if you discard something in the trash you no longer are laying a claim to it and giving it up for the trash handlers.
Secondly, it was established in California v. Greenwood that you don't have a privacy right to trash left out on the public curb for pickup; which obviously implies that you don't have a privacy right to trash placed in a public bin.
I dont think thats a good analogy. a better one is your neighbor discarded trash, and your trash is like your neighbors.
I personally think privacy laws need to be set up right away. I think it should be illegal, even in cases of national security, to infer something from your DNA from others, such as relatives without the use of a warrant.
you should not end up in what is effectively a police line up just because your brother submitted his dna to the public domain. people should not be able to use information about his dna, in any way imaginable to infer anything about you.
Why? That seems like a broad restriction that we don't apply to other things like "Your fingerprints partially match some prints at a crime scene" or "You drive the same car as a suspect." People can and do end up in a police lineup for being the same gender and living in the same apartment complex as a perpetrator; I think that's reasonable, because a lineup isn't a conviction.
There's a world of difference between evidence submittable at a trial and evidence making someone worthy of suspicion and further investigation. I agree the bar on the former should be high; the bar on the latter being low on average leads to faster perpetrator identification and a safer community.
our DNA is private. they should not be able to look at it without a warrant even if someone else slimier to you recklessly throws it in the public domain.
Imagine I could read your mind by reading someone else mind. are you ok with me having access to your private thoughts just because someone gave me access to their mind?
> Imagine I could read your mind by reading someone else mind. are you ok with me having access to your private thoughts just because someone gave me access to their mind?
Even if you and I were parent and child, I don't think there's a reasonable philosophy of ownership on which you could hinge the notion that I can't donate the DNA in my cells to a cause because the pattern of half of the (physically completely independent) DNA in your body has a relationship to my own.
I do think you're touching upon possibly an interesting wrinkle in the way our current philosophy of ownership treats data about groups vs. data about an individual. Similar lines of thought underpin the question of whether your friends are culpable for sending data about themselves to Cambridge Analytica if it allows CA to extrapolate information about you.
However, I currently know of no philosophy of ownership that makes the described scenario bad apart from the general "it's a dick move if you do it on purpose to screw someone else over" (but that hinges on the general category of "Don't screw people over on purpose," not on any concept of joint ownership of data).
To pull another analogy: imagine I had dated a rapist and although I didn't have enough evidence to get him convicted of a crime, I told all my friends he was dangerous and now they won't date him. Is this bad? Quite the opposite; it's the system that is already of necessity in place to protect people from bad actors that the legal system fails to handle.
It's the essence of who you are, your uniqueness against every other living thing on the planet.
I can see how psychologically compelling that idea is, even though I disagree.
What I mean is: should I be able to stop my identical twin from uploading his DNA to a genealogy site without my consent because we have identical DNA?
Legally, the answer is pretty much "no" right now, and I think it's morally also "no."
I agree that the use of a public genealogy database is problematic but the way in which the police obtained the genetic material is not.
Once a person discards any material as trash in a public space, it's fair game. The police didn't begin doing this sort of thing when DNA tests were invented.
Does anyone know which professions in the US that are government related that the DNA information is preserved? I would surprised if there are not positions which require it. Surely law enforcement is keeping the records on some convicts. Do they even need a warrant to obtain it?
what I am leading up to is I can easily see where it becomes a requirement for others and it might start off with police forces because of the high visibility of abuse issues. From there it is not a big leap to other high visibility groups to include military and eventually everyone gets lumped in for medical safety and such.
It isn't that we need to be scared of what 3rd party sites do, it is that we need to be ahead of the game and limit how government can gain and maintain this information
Each state has a DNA database and there is also and FBI DNA database.
In California, the police can add you to the database (forcibly if needed) if you are arrested for a felony, or if you have a felony record and are arrested for a misdemeanor.
Note that I used the word “arrested,” not “convicted.” SCOCal has ruled that a conviction is not needed. Just an arrest.
All of this came about through two different voter referenda.
I'm not sure it passes the “do they have a target in mind” test. If they had a particular suspect in mind and asked whether that suspect's DNA matched or not, that's one thing. If they indiscriminately look for arbitrary people with matching DNA, then it seems to fit the definition of a common statistical mistake that even has a Wikipedia article: https://en.wikipedia.org/wiki/Prosecutor%27s_fallacy
(Although again, if the match turns out to be a prior suspect rather than a random person, that's another story—see the “defense attorney's fallacy” lower on the page.)
> If they had a particular suspect in mind and asked whether that suspect's DNA matched or not
They do. The suspect is a "John Doe." But the suspect's DNA is the physical sample they have in the rape kit. IANAL, but it sounds like it should pass the criteria for targeted search.
Interesting point - I highly doubt the suspect was a "prior suspect". But in this case I believe investigators were able to find additional evidence after they matched the DNA. So in Bayesian terms, multiple updates (DNA match + location match + suspect appearance match + other physical evidence) were made to their prior.
Additionally, I think investigators tend to act more carefully in a high profile case than in a typical case, so I expect that they possess some additional conclusive evidence.
It doesn't matter if multiple updated positively confirm the suspect as the perpetrator when the first link in the chain (ill-gotten DNA match) is excluded by the court. This guy will walk.
Will he? I believe this novel use of a private DNA database is so novel that there may not be any governing case law on whether it's a violation of privacy.
The scanned individuals opted in for relative matching. The fact those people were relatives of John Doe is publicly-documented knowledge in birth records and not susceptible to a privacy challenge.
We know states are prohibited from storing biometrics (DNA, fingerprints) of law abiding people for law enforcement purposes. Then it follows they are prohibited to outsource the same to third parties.
Car registrations are required. You are allowed a choice of owning a vehicle knowing what it requires. Sample of your DNA and fingerprints is not a requirement when we are born.
Thus I find the comparison not adequate.
But it wasn’t the suspect’s DNA it was his relative’s. Deleting your own information would not be a sufficient privacy measure in this case. It’s increasingly statistically likely that someone you’re a relative of will be in a DNA database, it’s simply not tractable to ask all of them to remove their DNA. And what about when some of these people die, can I take down my late grandma’s DNA.
So to tune the analogy: "A white van was found at the scene. Police have reason to believe the van's owner wasn't driving that day and investigate the owner's son, who is also known to sometimes use that van. That investigation reveals much stronger evidence that the son is the perpetrator."
I see no issues with this chain of investigation. Some tools the police have access to you cannot personally opt out of. That's working as intended.
If I am European and I ask Facebook to remove my data, will they also remove pictures of me which are owned by my family? I doubt it, and that's also the problem with providing consent on these DNA databases - they don't require the consent of all of your relatives.
It's a really tricky question. I'm not at all enthused about the police having rights to collect and store all arrestees' DNA indefinitely for example. On the other hand, it's both commercially risky and wholly impractical to refuse access to the service to law enforcement. You can't have a networked society and expect the police not to use OSINT techniques.
If you're arrested or charged for a felony in California you're obliged to provide a sample, since 2009. I don't know about other jurisdictions. CA apparently has the largest database in the world.
Do you mean, will you incur any legal penalty for doing so, or just be violating their ToS? I don't believe so but haven't researched it in depth. It'd be tricky to sue because the right of publicity is generally treated as a property interest and you wouldn't necessarily be able to show any economic loss. I'm not an attorney though.
In practical terms, I'm sure it's against the ToS but really the service providers have no way of knowing unless the person has already submitted their DNA and your submission raises a red flag, thus cutting you off from the information you desire. This is interesting from a game-theoretic standpoint in that it might be more secure to give your information to every website and then be the designated owner, but it probably wouldn't shield you from law enforcement getting the same information via subpoena. It's an uphill argument to say that a general right of privacy weighs heavier than the unsolved cases of 10 murders and 50 rapes, a record which will probably be broken again in future.
I don't think DNA testing companies have much incentive to screen potential customers since each person can only submit DNA once without raising another red flag.
To be useful, they'd of course need a solution for verifying authenticity of the input data. Otherwise, it's just noise and we already have historical examples of that design failing (such as "informants" handing over people to the US as terror suspects).
Ignoring practical issues with obtaining the sample, I think a good lawyer could probably find a way to sue you for any damages that you caused. As for whether it's a criminal act, I think that it might be a form of assault, maybe.
I know it would violate certain state laws regarding biometric data, but the penalty for violating those laws appears to be civil by and large, not criminal.
> Ignoring practical issues with obtaining the sample
> As for whether it's a criminal act, I think that it might be a form of assault, maybe.
Are you suggesting that using their DNA without their consent is assault, or the taking of it from them? It'd be trivial to take it without contact with them, from e.g. a hair, or their toothbrush, particularly if you live with them.
23andme and ancestry.com use a process which needs more genetic material than is available from hair or toothbrushes. You have to get a fair amount of spit in a tube.
Couldn’t this be seen as identify theft? It is like saying. I am John Doe from Bakers Street except that a complete DNA sample would be even more conclusive (I.e. impossible to accidentally to use to hide one’s identity).
Yeah. I'm more wondering about the general case, though.
If I were an insurance company, what's to stop me from hiring investigators to go through customers' garbage to find their DNA, analyze it, and then take "appropriate" action?
Genealogy sites have no way of confirming the DNA submitted belongs to the person submitting it. Trash left on the street is considered abandoned property, so fair game for identity thieves and insurers alike. However, unless you know the person lives alone and has had no other guests between trash pickups, you can't be sure the garbage DNA is theirs. More likely an insurer might try to get a sample during a house visit or, stalking out the target at a cafe, or a hairdresser appointment, you name it. Life insurance companies can come to your house and get your EKG already, a swab would be easy.
>Trash left on the street is considered abandoned property.
I wouldn't be so sure of that interpretation. In most places that I've lived, you could be arrested for taking things out of the trash, whether in front of your house, or even if dumped on the side of the road.
> If I were an insurance company, what's to stop me from hiring investigators to go through customers' garbage to find their DNA, analyze it, and then take "appropriate" action?
Laws against discrimination, such as those for both genetic information and pre-existing conditions that already apply to health insurance in the US. Even if nothing stops you from getting the information, you are prohibited from using it.
If you were an insurance company, what's to stop you from hiring investigators to tail a customer and figure out how many times per week they stop at McDonald's for breakfast?
Weird bit about these types of sites they are quite strict about using your real name, but do not really check your ID (but leaves it to post office I guess).
On a fun side, I wonder what would happen if I submitted dogs or pigs saliva.
They would know, the DNA is different. There are animal DNA matching sites for breeders' use. Dog DNA is especially interesting because their genes are more 'slippery' than those of other species.
(answered my own question: mutation rate from generation to generation in dogs is higher on average than in primates. Mechanism is not clear; one hypothesis is that mammals have DNA error correction "machinery" in their cells that is less effective in the canine genome. It's also unclear whether this has any impact on the evolution of dogs in terms of them being somehow more malleable to selective breeding than other species).
I found it intriguing that the EU GDPR explicitly recognizes genetic data as something that it covers under PII - and thus you a have "right to request deletion" of your genomic data, I assume?
"GDPR, in contrast, explicitly recognizes the sensitive nature of genetic data collected in a variety of settings. In Article 9, an adjusted definition of special categories of personal data has been provided that includes genetic data and biometric data, among others." [1]
Which is fine, I suppose, but your relatives don't have to do delete theirs, and the similarity of their DNA to your DNA means that someone could back out, to a certain level of confidence, whether you might be a match based on DNA contributed by them, with the familial relationship obtained and substantiated from other sources (vital statistics, etc.).
This is not new -- I believe there have been at least a couple of arrests made as the result of a suspect's relatives contributing DNA in lieu of actually obtaining one from the suspect directly -- and provided there's consent from the relatives, I can't see much grounds from restraining someone from allowing their own DNA to be used to build a case against someone else. It becomes a bit murkier if you start compelling people to contribute DNA to build a case against a family member, but even there I can see parallels to other types of evidence and it's not a clear slam-dunk to me that it ought to be barred unless the familial relationship is one where testimony would normally be covered by marital confidence or other privilege.
Yep. I do understand re: this not being new - worked in a forensic genetics laboratory, and I tell my family what they give up and expose us to if they contribute to one of these db's.
So caveat emptor as always...but yep I had just wondered in general about "right to delete" with respect to genomic data.
What exactly do you tell them that they're giving up and expose your family to? Kind of an odd thing to mention in a thread about a case where a family member's DNA exposed a criminal.
The problem isn't deleting your DNA. The problem is you cannot delete your relative's DNA. Which is how I've read that they found him. Found a relative match from a 3rd-party, made sure he would have been in the area the years of the rapes, tailed him for a verification DNA sample, made arrest.
If this were to come before the CJEU[1], it would not be clear-cut at all. There was a landmark case where home CCTV was ruled inadmissible in a robbery by virtue of the fact that it included footage of a public road, and the thieves did not consent to the use of their personal data[2], i.e., the recording of their images in public using a home CCTV system.
And the definition of personal data extends to any data that can be linked to you. For example, if a server records a log entry with your name and IP, and the server also records log entries with just the IP, all of the log entries are considered personal data, even for dynamic IPs in some instances[3].
There are some exceptions around criminal justice and the protection of persons and property, however, I still wouldn't be surprised if this DNA evidence were ruled inadmissible in the EU.
Is the metadata that you requested deletion something police in Europe can subpoena?
It sure would seem awful suspicious if someone requested DNA deletion out of the blue. Not convictably-suspicious, but suspicious enough to warrant followup investigation. ;)
what is the difference here between a face photo and DNA? I don't really see any. Both are kind of information fingerprint of a person. If police have a photo of a suspect is it ok for them to use image search of FB/Google/etc.?
To me it’s that the evidence didn’t come from the suspect. It’s like being able to recognise me from a photo of a relative on FB - I don’t like the idea of that. I don’t know why, but I don’t.
What's the difference between this case and the fact the unabomber was caught because his brother and sister-in-law recognized his writings?
What's the difference between this case and if the cops post a photo of a suspect and someone says "looks kinda like my co-worker, maybe a close relative" and that co-worker says "oh, that's my brother, we look alike, people mistake us for each other all the time." And then the DNA matches the brother.
That the relatives gave evidence unknowingly and that the DNA service was used quite differently to what it was designed for. A terrible person was caught in a clever, but sleazy way.
The police used GEDMatch which is openly available and it says explicitly it's used for "researcher" and warns users that their genetic information is available to the public and they can't control what the public does with it.
People "unknowingly" give evidence to the police all the time. That's like complaining the police used information that someone blogged about to solve a crime.
The issue as I understand it, is with the broadness of the search, and that the data in question is personal and private. The search did not query for a particular subject. As an analogy, if the police thought the suspect had diabetes, would they be able to subpoena a hospital to list all the diabetics, then consider them all potential perpetrators?
If the officer submitted the DNA as if they were a customer of the site, I wonder how they complied with the company's sample collection process. You usually have to submit a generous amount of saliva or cheek swabs.
There are sites that don't require a sample, but instead you upload the raw data from a site where you did submit a sample. Gedmatch is one such site. One could construct a file in a compatible format containing DNA data obtained from your own laboratory, upload to gedmatch, and analyse matches. This is how "ancient DNA" samples are uploaded to gedmatch to see how you match against thousand year old human DNA samples.
Could they make a fake saliva sample that has the same consistency as real saliva and whatever other characteristics that the analysis equipment depends on, but contains no DNA (or take a real saliva sample from someone and strip out the DNA), and then but the DNA they want to test into this fake saliva and submit that?
Is this too different from looking up a person's name in Google or Facebook search boxes? In all three scenarios Police are taking advantage of publicly available information written/published by you or about you by others. Police can inspect openly viewable property without a warrant as well. They did not find the killer's DNA in a web site, but blood relatives provided enough triangulation to hone in on a person and get their "abandoned DNA" (maybe cup, cigarette, bloody nose napkin in the trash).
The difference is your name isn't plastered on every object you come in contact with. Your name isn't transferred to other people who come in contact with the same objects as you. Your name doesn't end up in other locations that have nothing to do with you.
The idea I could get arrested because my cousin coughed on a doorknob is terrifying. Everyone has that black sheep in their family. Why should I get harassed by the police every time they or someone they know commits a crime?
Your name is transferred to other relatives (your spouse, children, parents), and it does end up in press, documents, reports, yellow-page type sites, and other locations you haven't touched. Depending on your level of celebrity, it can also get plastered in news and projects you do not come in contact with. In this case though, they narrowed down a suspect, but did not bother him until they had two pieces of abandoned DNA that directly matched the killer. This is not the first time a black sheep has been found, by the DNA of relatives wealthy enough to afford a $100 test (now probably cheaper). The moment they mentioned he has a daughter and granddaughter when they announced the capture yesterday, I knew they probably triangulated him by a relative's DNA. The article today proved it.
That's not what I'm talking about. Your DNA can end up under the fingernails of a murder victim with no connection to you. Your name cannot. There was a Wired article about this the other day:
That's more of an issue with DNA evidence interpretation than a fundamental difference between different types of identifiable information. Your information can definitely end up in a crime scene that you have nothing to do with. If we use the name example, it's happened before as well [1].
> seems like the lack of a warrant was a technicality here
Seriously? That's all it takes for you to accept the police doesn't need a warrant? That the warrant is "just a technicality"?
If that were true, we wouldn't need judges to approve warrants. Police has and will abuse their powers without the judge being a filter for their actions. That should never change.
I think that's a non-charitable way of reading what I said. Although I was certainly unclear.
What I mean is, the interesting issue to me is whether it's OK for law enforcement to send a DNA sample and compel ancestry/genomic sites to respond with any matches, even if they do have a warrant. So I misspoke saying it's a technicality, what I really mean is that the issue is interesting to me even if a warrant were provided.
Wow, this whole comment thread is given up acceptance of ambulance-at-the-bottom-of-the-cliff thinking. The real solution would be to make the police accountable so you can trust them, then let them search however they like.
Which is the fundamental problem with data businesses. When you give your data to a 3rd party it is not possible within our legal system to restrict who has access to it.
could they even? They d have to send a letter to all the relatives of each of their customers that their partial genetic information is stored in their computers.
Given the fallibility of DNA testing they may as well be using a divining rod to declare someone a witch. This will be abused to falsely accuse innocent people. Lives will be ruined and the authorities will act like their hands are clean. 23andMe is not a forensics lab. Their techs have no incentive to avoid mistakes with cross contamination. This is just plain dumb.
In this case, sites like 23andMe were only used to generate leads on suspects. Two independent forensic DNA tests were used for evidence of guilt. I agree that DNA testing has flaws, but that's the purpose of the criminal trial. Defendants have due process rights to cross-examine the DNA testing process, present their own testimony, and provide exculpatory evidence.
I think you're confusing an investigation with a trial. This technique seems like a breakthrough for narrowing a list of suspects. But your claim that this would be used as evidence in a trial is unfounded and a bit silly. They have him. They have the DNA of the killer. They can perform their own testing without relying on any online DNA test results at all.
Because the public is ignorant of the problems with it and the judiciary likes tools that can win easy convictions. Breathalyzers don't actually measure blood alcohol and there is no credible way they can estimate it to three significant digits but courts allow them too. Polygraphs are pure bullshit but the examiner's word that someone is "lying" is taken as sacrosanct evidence in court.
The other two examples are true. Across the Atlantic polygraphs are regarded as a comedy technology and breathalyser tests are sufficient grounds only for arrest and an actual blood test.
I'm pretty sure most all jurisdictions allow you to request a blood test in lieu of a breathalyser. I assumed it was common knowledge polygraphs were junk, but at least Wikipedia says they're in common use in the U.S. but are considered controversial. I knew polygraphs were banned as a prerequisite for jobs in many areas and that many government jobs had them as part of the interview, but figured it was more of a stress test or hazing. I do think the bar for expert testimony and scientific evidence could use a lot of improvement in the U.S.
I don't know if this is the commenter's intent but isn't there a potential false positive issue with DNA testing?
Something along the lines of if only 0.01 percent of the world's population can match a DNA sequence found that still leaves us with a million matches where I just made up both those numbers.
This 'bias' is not necessarily inappropriate because of the inherent asymmetries of DNA evidence - it is statistically more powerful for exoneration than conviction. This is because of the False Positive Problem (similar to the Birthday Problem in probability): if the actual incidence of a phenomenon is lower than the false positive rate of the test, a positive result is likely erroneous even on a highly accurate test.
This is why a strong prior, developed through traditional policework, is necessary to increase the reliability of DNA results - most results obtained through database trawling will be false - and these will be numerous if the database is large enough. It is also part of the reason why exonerations are more robust than identifications.
This particular case may not suffer from these statistical problems, but they are worth keeping in mind, as it sets a precedent.
That isn't bias but rather an understanding of burden of proof. If you think it is, then you are very fundamentally misinformed about how our society functions.
The reason I think it's particularly interesting is that it passes one of the basic tests I have for whether something should be searchable by law enforcement: Do they have a target in mind and a warrant to search for that target? For PRISM and the other things that Snowden warned us about, the answer was no: the government was doing dragnet surveillance of all sorts of data warehouses to find people who fit a profile, without knowing who they're looking for ahead of time. With this, they have to have a DNA sample found at a crime scene, and they're using that combined with a warrant to do a targeted search for people with matching DNA. It just happens to be a website that people send their DNA to, rather than a police database.
So I'm actually inclined to say I think this is ok? But I'm not 100% sure how I feel yet.
EDIT: ok it looks like this was done not necessarily with a warrant, but with the officer just submitting the DNA as if they're a customer of the site. But actually my point still stands if they changed their technique to instead use a warrant and ask the site directly, not hiding that they were police officers... it's just that in this case they didn't even need to because it's so easy to just send others' DNA samples to these sites? It really seems like the lack of a warrant was a technicality here and could have easily gone the other way and still got to the same result.