For over three decades, authorities floundered in their search for the Golden State Killer (GSK), a man responsible for at least 13 murders, 50 rapes, and 120 burglaries. Their breakthrough in 2018 was the result of a DNA match—by uploading crime scene DNA to an online genealogy database, investigators were able to link the evidence to the killer’s great-great-great-grandparents and make an arrest. In addition to taking dangerous offenders off the streets and giving victims and their families peace of mind, DNA testing has been used to exonerate more than 350 wrongfully convicted people.

These anecdotes serve as compelling evidence in support of using commercial DNA databases (CDDs) to solve crime. However, law enforcement’s use of CDDs brings with it a slew of serious privacy concerns. The issues raised by this new investigative technology make clear that it is in desperate need of regulation.

History of DNA Collection

In 1987, police in Leicestershire, England became the first law enforcement officials to make an arrest on the basis of DNA evidence. After failing to solve the murders of two girls using traditional investigative methods, law enforcement officers employed the help of a local professor to test the DNA of over 4,000 men in the area, eventually leading to the identification, arrest, and conviction of the murderer.

Though the DNA dragnet in Leicestershire was ultimately successful, it was also a time-consuming and labor-intensive process. The event proved the potential of DNA evidence to revolutionize criminal investigation, but without a centralized collection of DNA samples, DNA evidence would be limited in its use. Congress sought to create such a collection with the DNA Identification Act of 1994, which authorized the FBI to create a national database of DNA collected from convicted offenders and crime scenes. Today, the FBI’s Combined DNA Index System (CODIS) contains more than 14 million DNA profiles.

As the FBI worked on compiling its own database, private companies began developing their own. In 2000, Family Tree DNA became the first company to offer genetic genealogy tests to the public. In the years since, the DNA testing industry has exploded; as of 2019, over 26 million people having submitted their DNA to commercial ancestry and health databases—a number expected to nearly quadruple by this year.

Law enforcement agencies quickly realized that they could expand their DNA comparisons beyond CODIS to include the commercial sector. In the same manner as the average consumer, investigators can send a crime scene DNA sample to CDDs and receive a list of matches. They can then identify exact matches or narrow their suspect pool based on familial matches.

Privacy Concerns

The unique qualities of DNA and the genetic profiles present special privacy concerns. Though frequently compared by law enforcement to fingerprints, DNA profiles contain not only far more information, but also far more sensitive information. While both can serve to identify an individual, DNA profiles can reveal an individual’s medical conditions, physical and mental characteristics, heritage, and relatives.

Most importantly, DNA profiles expose sensitive data about the individual and their relatives. Unlike with other types of personal data, an individual who chooses to provide or is required to provide their DNA cannot do so without also providing the data of non-consenting relatives. GEDmatch, the database used by GSK investigators, has a user base of 0.5% of the U.S. adult population. Once that number reaches 2%, more than 90% of people of European descent may be traceable using the database. Thus, even if an individual and everyone in their immediate family refrains from using these services, they will still be detectable.

In the case of law enforcement officers uploading crime scene DNA evidence to CDDs, the privacy rights of the suspect are inherently implicated. Without the suspect’s consent or knowledge, their entire genetic makeup is made available to a corporation and its customers. If the suspect is ultimately acquitted or never charged with a crime, removing their genetic material and data from these databases may present a challenge, especially if they never learn they were a suspect in the first place.

Legislative Solutions

Due to the substantial privacy interests at stake in law enforcement’s use of commercial DNA databases, individuals’ rights will be at risk so long as this area goes unregulated. In response to these concerns, lawmakers have proposed legislative protections regarding the use of CDDs in criminal investigations.

A Maryland bill would require the consent of the person from whom DNA was collected before law enforcement could conduct a CDD search. The bill would further limit searches to those intended to identify perpetrators of burglaries or crimes of violence and terminate searches which do not return a match within a third degree of relatedness. A Washington bill would require “valid legal process” before a CDD can disclose genetic data to law enforcement without a consumer’s express consent. The bill would also require CDDs to provide a process by which consumers can delete their genetic data and request the destruction of their DNA sample. A Utah bill would ban law enforcement searches of CDDs entirely.