Computers, Privacy & the Constitution
Introduction

For over three decades, authorities floundered in their search for the Golden State Killer, a man responsible for at least 13 murders, 50 rapes, and 120 burglaries. Their breakthrough in 2018 was the result of a DNA match—by uploading crime scene DNA to an online genealogy database, investigators were able to link the evidence to the killer’s great-great-great-grandparents and make an arrest. In addition to taking dangerous offenders off the streets and giving victims and their families peace of mind, DNA testing has been used to exonerate more than 200 wrongfully convicted people.

These anecdotes and statistics serve as compelling evidence in support of using online genealogy databases to solve crime. However, law enforcement’s use of commercial DNA databases brings with it a slew of serious privacy and constitutional concerns. The issues raised by this new investigative technology make clear that it is in desperate need of regulation.

History of DNA Collection

In 1987, police in Leicestershire, England became the first law enforcement officials to make an arrest on the basis of DNA evidence. After failing to solve the murders of two girls using traditional investigative methods, law enforcement officers employed the help of a local professor to test the DNA of over 4,000 men in the area, eventually leading to the identification, arrest, and conviction of the murderer.

Though the DNA dragnet in Leicestershire was ultimately successful, it was also a time-consuming and labor-intensive process. The event proved the potential of DNA evidence to revolutionize criminal investigation, but without a centralized collection of DNA samples, DNA evidence would be limited in its use. Congress sought to create such a collection with the DNA Identification Act of 1994, which authorized the FBI to create a national database of DNA collected from convicted offenders and crime scenes. Today, the FBI’s Combined DNA Index System (CODIS) contains more than six million DNA profiles.

As the FBI worked on compiling its own database, private companies began developing their own. In 2000, Family Tree DNA became the first company to offer genetic genealogy tests to the public. In the years since, the DNA testing industry has exploded; as of 2019, over 26 million people have submitted their DNA to commercial ancestry and health databases—a number expected to nearly quadruple by this year.

Law enforcement agencies quickly realized that they could expand their DNA comparisons beyond CODIS to include the commercial sector. In the same manner as the average consumer, investigators can send a crime scene DNA sample to commercial databases and receive a list of matches. They can then identify exact matches or narrow their suspect pool based on familial matches.

Privacy Concerns

The unique qualities of DNA and the genetic profiles generated by DNA databases present special privacy concerns. Though frequently compared by law enforcement to fingerprints, DNA profiles contain not only far more information than fingerprints, but also far more sensitive information. While both can serve to identify an individual, DNA profiles can reveal an individual’s medical conditions, physical and mental characteristics, heritage, and relatives.

Most importantly, DNA profiles expose this kind of sensitive data about the individual and their relatives. Thus, unlike with some other types of personal data, an individual who chooses to provide or is required to provide their DNA cannot do so without also providing the data of non-consenting relatives. GEDmatch, the database used by Golden State Killer investigators, has a user base of 0.5% of the U.S. adult population. Studies have suggested that once that number reaches 2%, more than 90% of people of European descent will be traceable using the database. This means that even if an individual and everyone in their immediate family refrains from using these services, they will still be detectable.

In the case of law enforcement officers uploading crime scene DNA evidence to online genealogy databases, the privacy rights of the suspect are inherently implicated. Without the suspect’s consent or knowledge, their entire genetic makeup is made available to a corporation and its customers. If the suspect is ultimately acquitted or never charged with a crime, removing their genetic material and genetic profile from these databases may present a challenge, especially if they never learn they were a suspect in the first place.

Constitutional Concerns

The Fourth Amendment protects citizens from unreasonable searches and seizures and mandates that warrants be supported by probable cause. Courts assess the application of Fourth Amendment protection using a two-part test, which asks (1) whether an individual has exhibited an actual (subjective) expectation of privacy and (2) whether the expectation is one that society is prepared to recognize as reasonable.

In Maryland v. King, the Supreme Court held that a Fourth Amendment search occurs when the government collects a DNA sample from an individual. However, under the third-party doctrine, an individual forfeits their subjective expectation of privacy when they voluntarily share their data with a third party. Because consumers voluntarily submit their DNA to commercial databases, law enforcement can presumably access their data without a warrant based on probable cause. Law enforcement officials can therefore obtain data without a warrant that would otherwise be subject to Fourth Amendment protections.

In King, the Supreme Court determined that although DNA collection by the government constitutes a search, arrested and convicted individuals have diminished expectations of privacy, rendering collection of their DNA reasonable. Suspects whose DNA is submitted by law enforcement to commercial databases have not been charged with a crime and are therefore presumed innocent. Until they are arrested, these individuals do not have diminished expectations of privacy and under the Fourth Amendment, have a right to be “secure in their persons, houses, papers, and effects.”

Conclusion

Currently, Utah is the only state to propose legislation which would require police to obtain a court order or warrant before accessing private genetic data stored with third parties. Given the privacy and constitutional interests at stake in law enforcement’s use of commercial DNA databases, individuals’ rights will be at risk so long as this area goes unregulated.

A very good first draft. The best route to improvement on the execution side is to add links to good-quality sources supporting the extensive factual propositions included here. If you found them in the course of preparation for writing the draft, they should be easy to add.

Substantively, I think the best route to improvement is to concentrate less on the Fourth Amendment, which simply does not provide relevant protection for the privacy of genetic information held by third parties, given its limitation to criminal prosecution situations and the absence of need for the direct introduction of genetic evidence once the persons of interest identified by genetic searching have been investigated and other evidence gathered by other means. More attention to the legislative possibilities would therefore be helpful.


Introduction

For over three decades, authorities floundered in their search for the Golden State Killer (GSK), a man responsible for at least 13 murders, 50 rapes, and 120 burglaries. Their breakthrough in 2018 was the result of a DNA match—by uploading crime scene DNA to an online genealogy database, investigators were able to link the evidence to the killer’s great-great-great-grandparents and make an arrest. In addition to taking dangerous offenders off the streets and giving victims and their families peace of mind, DNA testing has been used to exonerate more than 350 wrongfully convicted people.

These anecdotes serve as compelling evidence in support of using commercial DNA databases (CDDs) to solve crime. However, law enforcement’s use of CDDs brings with it a slew of serious privacy concerns. The issues raised by this new investigative technology make clear that it is in desperate need of regulation.

History of DNA Collection

In 1987, police in Leicestershire, England became the first law enforcement officials to make an arrest on the basis of DNA evidence. After failing to solve the murders of two girls using traditional investigative methods, law enforcement officers employed the help of a local professor to test the DNA of over 4,000 men in the area, eventually leading to the identification, arrest, and conviction of the murderer.

Though the DNA dragnet in Leicestershire was ultimately successful, it was also a time-consuming and labor-intensive process. The event proved the potential of DNA evidence to revolutionize criminal investigation, but without a centralized collection of DNA samples, DNA evidence would be limited in its use. Congress sought to create such a collection with the DNA Identification Act of 1994, which authorized the FBI to create a national database of DNA collected from convicted offenders and crime scenes. Today, the FBI’s Combined DNA Index System (CODIS) contains more than 14 million DNA profiles.

As the FBI worked on compiling its own database, private companies began developing their own. In 2000, Family Tree DNA became the first company to offer genetic genealogy tests to the public. In the years since, the DNA testing industry has exploded; as of 2019, over 26 million people have submitted their DNA to commercial ancestry and health databases—a number expected to nearly quadruple by this year.

Law enforcement agencies quickly realized that they could expand their DNA comparisons beyond CODIS to include the commercial sector. In the same manner as the average consumer, investigators can send a crime scene DNA sample to CDDs and receive a list of matches. They can then identify exact matches or narrow their suspect pool based on familial matches.

Privacy Concerns

The unique qualities of DNA and genetic profiles present special privacy concerns. Though frequently compared by law enforcement to fingerprints, DNA profiles contain not only far more information, but also far more sensitive information. While both can serve to identify an individual, DNA profiles can reveal an individual’s medical conditions, physical and mental characteristics, heritage, and relatives.

Most importantly, DNA profiles expose sensitive data about the individual and their relatives. Unlike with other types of personal data, an individual who chooses to provide or is required to provide their DNA cannot do so without also providing the data of non-consenting relatives. GEDmatch, the database used by GSK investigators, has a user base of 0.5% of the U.S. adult population. Once that number reaches 2%, more than 90% of people of European descent may be traceable using the database. Thus, even if an individual and everyone in their immediate family refrains from using these services, they will still be detectable.

In the case of law enforcement officers uploading crime scene DNA evidence to CDDs, the privacy rights of the suspect are inherently implicated. Without the suspect’s consent or knowledge, their entire genetic makeup is made available to a corporation and its customers. If the suspect is ultimately acquitted or never charged with a crime, removing their genetic material and data from these databases may present a challenge, especially if they never learn they were a suspect in the first place.

Legislative Solutions

Due to the substantial privacy interests at stake in law enforcement’s use of commercial DNA databases, individuals’ rights will be at risk so long as this area goes unregulated. In response to these concerns, lawmakers have proposed legislative protections regarding the use of CDDs in criminal investigations.

A Maryland bill would require the consent of the person from whom DNA was collected before law enforcement could conduct a CDD search. The bill would further limit searches to those intended to identify perpetrators of burglaries or crimes of violence and terminate searches which do not return a match within a third degree of relatedness. A Washington bill would require “valid legal process” before a CDD can disclose genetic data to law enforcement without a consumer’s express consent. The bill would also require CDDs to provide a process by which consumers can delete their genetic data and request the destruction of their DNA sample. A Utah bill would ban law enforcement searches of CDDs entirely.

None of these proposals have been enacted, but they provide a blueprint of the different ways in which this area can be regulated. Given the growing use of these databases by law enforcement, a complete ban of these searches seems unlikely to be adopted. Maryland’s consent and relatedness requirements would eliminate the use of CDD searches in cases like GSK and would therefore be similarly difficult to enact.

However, limiting searches of commercial databases to investigations involving violent crime would help balance the interests of law enforcement and private individuals. Requiring a court order before law enforcement can search CDDs would provide much-needed oversight. Requiring databases to provide processes by which suspects can delete their genetic data and have their DNA samples destroyed would help protect the suspects’ privacy interests. Though these proposed regulations cannot completely address the privacy issues at stake in law enforcement’s use of CDDs, they can serve as a meaningful step in the right direction.

r5 - 02 May 2021 - 21:20:09 - SamSmart
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.