*This writing is a blog post. It is not a published IPTF Journal article.
Jordan Rose
In 2018, a breakthrough in a 40-year-old unsolved case involving a series of homicides, sexual assaults, and burglaries, known as the Golden State Killer case, shocked the public.[1] Law enforcement used an innovative, yet controversial, approach to identify the suspect.[2] Investigators uploaded an unidentified DNA sample from one of the original crime scenes to GEDMatch, an open-source genetic database specifically designed to provide consumers a method of identifying genetic relatives by uploading their DNA samples, rather than to help identify criminal suspects.[3] Over four months, genealogists helped reconstruct a family tree, leading to the identification of a fourth cousin.[4] Police ultimately arrested Joseph James DeAngelo by narrowing down suspects based on age, location, and physical descriptions.[5] Law enforcement confirmed DeAngelo’s identity during a secret surveillance operation, where his DNA was collected from a discarded tissue and swabbed from his car door.[6] While this method provided justice for victims, it raised significant legal and ethical concerns such as data protection and general privacy, especially given the rise of Direct-To-Consumer Genetic Testing (DTC-GT).[7]
DTC-GT companies such as 23andMe or AncestryDNA allow consumers to send in DNA samples and receive reports about their ancestry, health risks, and genetic traits.[8] The process of receiving a report is relatively simple: consumers swab the inside of their cheek, send the sample to the company, and receive an analysis.[9] DTC-GT companies then examine specific regions of DNA called single nucleotide polymorphisms (SNPs), which vary among individuals.[10] This analysis can reveal a person’s ancestry, disease susceptibility, and even physical traits.[11] Before these services existed, genetic testing was primarily available through healthcare providers and covered by health insurance, ensuring data protection under the Health Insurance Portability and Accountability Act (HIPAA).[12] However, unlike medical genetic testing, results from DTC-GT are not protected under HIPAA, leaving consumers vulnerable to data misuse.[13] Since their inception in the early 2000s, DTC-GT companies have surged in popularity, offering test kits for under $100 and bypassing traditional medical oversight.[14] This rapid expansion has outpaced regulation, giving rise to consumer privacy concerns.[15]
In May 2023, the Federal Trade Commission (FTC) took action against two DTC-GT companies, Vitagene and Genelink, for misleading consumers about data security.[16] Vitagene falsely assured customers that their genetic data was under “rock-solid security,” yet shared it with third parties, including supermarkets and supplement manufacturers.[17] Further, 277 consumers’ raw genetic data were stored on a publicly accessible cloud, linked to their names.[18] Similarly, Genelink exposed the genetic data, social security numbers, and banking information of approximately 30,000 consumers due to inadequate security practices.[19] These cases illustrate the risks of trusting private companies to safeguard highly sensitive genetic information.[20] The case of the Golden State Killer further exemplifies these concerns.[21] When law enforcement used the open-source platform GEDMatch, they searched DNA profiles submitted by consumers who were hoping to find their long-lost relatives and did not expect to aid criminal investigations.[22] At the time, GEDMatch’s privacy statement did not mention law enforcement use.[23] Only after DeAngelo’s arrest did the platform update its policy, explicitly stating that genetic data could be accessed by law enforcement.[24]
The Golden State Killer case is not unique: courts have recently upheld the use of genetic genealogy to solve crimes, as in State v. Hartman, where a Washington appellate court ruled that law enforcement’s use of GEDMatch to identify a suspect through a cousin’s DNA was valid.[25] The court reasoned that a suspect does not have a privacy interest in a relative’s decision to upload DNA to a public database.[26] As these databases expand, so does law enforcement’s ability to find suspects. Studies estimate that with as little as 2% of a population’s DNA uploaded, nearly all individuals can be linked to a third cousin.[27] In 2018, researchers found that a search for individuals of European descent could identify a match to a third cousin in 60% of cases, a percentage that has only increased since then as more consumers submit their DNA to testing services.[28]
DTC-GT companies have revolutionized personal genetics, making it easier than ever for consumers to learn about their ancestry and health. However, these benefits come at a cost, including potential misuse of sensitive genetic data by both corporations and law enforcement. Unlike medical records, which are protected under strict privacy laws, genetic data submitted to private companies lack robust legal safeguards. As these companies continue to grow, regulations must keep pace to ensure consumer protection. Transparency in data use, stronger security measures, and clear limits on law enforcement access are necessary to prevent future abuses. Without meaningful reforms, the privacy risks associated with genetic testing will only escalate, leaving consumers vulnerable in ways they never anticipated when they signed up to get their DNA analysis.
[1] See Ray A. Wickenheiser, Forensic Genealogy, Bioethics and the Golden State Killer Case, 4 Forensic Sci. Int.: Synergy 114, at 114–17 (2020) (discussing ethical implications of using forensic genealogy in criminal cases like the Golden State Killer).
[2] See id. (assessing the use of an open-source genetic database not designed to help identify criminal suspects).
[3] See id. (explaining how investigators narrowed their search using genetic databases and concerns this type of unintended use raises).
[4] See Christi J. Guerrini, Should Police Have Access to Genetic Genealogy Databases? Capturing the Golden State Killer and Other Criminals Using a Controversial New Forensic Technique, 9 Harv. L. Rev. F. 1 (2019) (discussing implications of police access to genetic genealogy databases).
[5] See id. (providing legal basis for law enforcement’s access to genetic genealogy databases).
[6] See id. (identifying steps taken to confirm DeAngelo’s identity as the Golden State Killer).
[7] See Guerrini, supra note 4 (convicting the suspect of high-profile series of crimes through a novel method taking advantage of relatively new DTC-GT services).
[8] See Healthcare Provider Direct-to-Consumer Genetic Testing FAQ, Nat’l Hum. Genome Res. Inst. (last visited Oct. 16, 2024), https://www.genome.gov/For-Health-Professionals/Provider-Genomics-Education-Resources/Healthcare-Provider-Direct-to-Consumer-Genetic-Testing-FAQ (addressing questions and considerations for healthcare providers regarding DTC-GT).
[9] See Bermseok Oh, Direct-to-Consumer Genetic Testing: Advantages and Pitfalls, 10 Frontiers in Pediatrics 1 (2019), https://pmc.ncbi.nlm.nih.gov/articles/PMC6808639/ (discussing benefits and challenges of DTC-GT).
[10] See Daryl Lovell, Biology Professor Breaks Down Science Behind Ancestry Heritage Tests, Syracuse Univ. News (Feb. 15, 2021), https://news.syr.edu/blog/2021/02/15/biology-professor-breaks-down-science-behind-ancestry-heritage-tests/ (explaining the science underlying ancestry and heritage testing).
[11] State v. Westrom, 6 N.W.3d 145, 151–53 (Minn. 2024) (holding that a police analysis of fingerprints from a discarded napkin did not constitute a search under Minnesota law).
[12] See 45 C.F.R. § 160 (2024) (outlining privacy standards for individually identifiable health information).
[13] See Ethan Wold, The Double Helix Dilemma: Navigating Privacy Pitfalls in Direct-to-Consumer Genetic Testing, 24 Minn. J. L. Sci. & Tech. 123 (2023), https://mjlst.lib.umn.edu/2023/11/07/the-double-helix-dilemma-navigating-privacy-pitfalls-in-direct-to-consumer-genetic-testing/ (examining privacy implications of DTC-GT under HIPAA and the Genetic Information Nondiscrimination Act).
[14] See Robert S. Green, The Need for Genetic Testing and Family History in Clinical Practice, 93 Mayo Clinic Proc. 1281 (2018), https://www.mayoclinicproceedings.org/article/S0025-6196(17)30772-3/fulltext (emphasizing the importance of genetic testing and family history in medical and regulatory contexts).
[15] See Ellia Jillson, The DNA of Privacy and the Privacy of DNA, Fed. Trade Comm’n (Jan. 24, 2024), https://www.ftc.gov/business-guidance/blog/2024/01/dna-privacy-privacy-dna (discussing the lack of regulation protecting consumers from privacy concerns in the increasingly popular field of DTC-GT).
[16] Id.
[17] Press Release, Fed. Trade Comm’n, FTC Says Genetic Testing Company 1Health Failed to Protect Privacy and Security of DNA Data, Unfairly Changed Customers’ Consent (June 14, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-says-genetic-testing-company-1health-failed-protect-privacy-security-dna-data-unfairly-changed.
[18] Id.
[19] See Press Release, Fed. Trade Comm’n, Companies Pitching Genetically Customized Nutritional Supplements Will Drop Misleading Disease Claims (Jan. 30, 2014) (discussing the action against Genelink for their mishandling of consumer data) https://www.ftc.gov/news-events/news/press-releases/2014/01/companies-pitching-genetically-customized-nutritional-supplements-will-drop-misleading-disease.
[20] Jillson, supra note 15.
[21] See Guerrini, supra note 4 (discussing law enforcement’s use of a DTC-GT’s database to identify the suspect in a crime).
[22] Guerrini, supra note 4.
[23] Id.
[24] Id.
[25] 27 Wn. App. 2d 952, 979 (Wash. Ct. App. 2023) (holding that defendant did not have a valid privacy interest in the shared DNA segments uploaded to GEDMatch by his cousin).
[26] Id.
[27] See id. (suggesting that as DTC-GT becomes more popular, more people will upload their genetic data, making it easier for law enforcement to discover a genetic match).
[28] See id. (providing data regarding the usage of DTC-GT in 2018, which has increased in popularity since then).