Introduction
The development of public and commercial genomic databases for clinical, research, and recreational purposes has grown remarkably in the last decade. There has been an especially rapid evolution and increase in popularity of direct-to-consumer genetic genealogy companies, and the genomic sequencing field is thus saturated with private players. Commercial at-home (direct to consumer, or DTC) DNA test companies such 23andMe, Ancestry.com, and FamilyTreeDNA are among the largest of these, and the objectives of their databases are such that various types of genetic data are stored alongside pertinent personal information that can, directly or indirectly, identify data subjects relatively easily. This fact has been leveraged by law enforcement agencies to solve several cold cases, with attempts made to link crime-scene DNA with the DNA of a suspect or suspect’s relative as contained in a DTC genetic database. This is usually referred to as long range familial searching (LRFS), and, unfortunately, this technique has also made the retrieval of genomic information for unintended reasons by third parties feasible. This form of genetic genealogy has thus ushered in a new era of personal data interrogation that is relatively devoid of rules and regulations from both national and international perspectives, challenging genetic privacy in the face of the efforts of private players who generally more interested in profits than people’s wellbeing.
As the databases in question contain genetic information that may reveal vast quantities of both health and non-health related information about the individuals who provide their samples and their family members, many additional concerns and implications also arise. This paper thus briefly explores the basics of DNA technology, and how DNA technology is currently being used, as well as examining questions of consent and privacy, with particular focus on state and law enforcement authority access to genealogy databases such as GEDMatch and the implications of such access.
A general overview of DNA sequencing
As it includes all of the instructions that determine an individual’s genetic features, deoxyribonucleic acid, or DNA, serves as the genetic blueprint for human development. DNA is found in all of the cells of all living organisms with the exception of red blood cells, and DNA molecules are made up of twisted paired strands of protein that create a characteristic double-helix shape, known as a DNA sequence. Each strand is made up of four different bases: adenine, thymine, guanine, and cytosine (A, C, G, and T).
The sequence of A-T pairings and G-C pairings determines how a strand of DNA “reads” and, in turn, how the person carrying that DNA will develop. A full suite of human DNA, formed of billions of DNA pairings, makes up each human genome, and the process of establishing how the A, T, G, and C nucleotides are organised in a strand of DNA is known as DNA sequencing. The DNA of all human beings is virtually identical. Approximately 99.9% of the sequence is in the exact same order in every single person; however, certain places on the human DNA molecule that differ between individuals have now been identified. While there are billions of base pairs in the human genome, forensic DNA-typing tests thus look at only about 3,000 base pairs where there are known to be differences between people (Holder et al., 2013), making these sites the basis for genomic surveillance and genomic sequencing. Although the human genome also contains thousands of genomic markers, as the areas at which forensic analysts look are always found in the same spots on the same chromosomes, each specific location is called a locus. Further, only a small core set of loci are used in forensic DNA and human identity testing.
The most prevalent genetic marker found in humans used for such purposes is single nucleotide polymorphisms (SNPs). SNPs can help determine ancestry, and they are frequently employed to uncover genes involved in various disorders as well as in forensics testing.
Direct-to-consumer (DTC) genetic testing
There is now a slew of companies offering direct-to-consumer genetic testing services. These companies target a far broader market than traditional applications, which have previously been limited to paternity testing and medical genetic tests, such as Myriad’s BRAC Analysis, used to identify potential cancer patients (Myriad Genetics, 2022).
Companies such as 23andMe and Ancestry have now brought genetic tests to the masses, based on the work of the human genome project bolstered by advances in technology and the resulting decreases in the cost of whole-genome sequencing, as well as the potential for profit and consumer interest in self-mediated healthcare and genealogy. Instructions and equipment are provided in the form of testing kits that usually require consumers to collect saliva samples, which are then posted to the relevant DTC company for testing and analysis. These companies thus promise insights into a myriad of matters related to ancestry or disease risk. For example, 23andMe provides services pertaining to health predispositions, gene carrier status, physical traits, wellness markers, and ancestry, providing results in the form of reports that consumers can access online (23 and me, 2022). Such reporting is achieved by zeroing in on specific DNA markers or variants that might be related to person’s health risks or family history.
Unlike the DTC genetic genealogy services provided by companies such as 23andMe, Ancestry, and FamilyTreeDNA, genealogical databases such as GEDMatch, allow individual users to upload their genetic profiles into their databases to compare these with other user profiles, thus enabling individuals to find distant or long-lost relatives (GEDmatch, 2022). Users can upload DNA data files from various commercial at-home services such as 23AndMe to achieve such matching. GEDMatch is particularly well known in this field, through for rather unfortunate reasons.
The Golden State Killer investigation
There is often a broad cross-over between the unregulated use of data and ethical dilemmas. One such case occurred when GEDMatch, an open-source genealogy website that compares autosomal DNA data files from other testing companies with its own database gained significant attention in April 2018 after the website was used by law enforcement officials to crack a cold case by identifying a suspect from the Golden State Killer case in California who had been, in an ironic twist, a police officer.
Police in the area developed the killer’s DNA profile based on preserved samples and ran the profile through the CODIS system (FBI, n.d.), a DNA database maintained and used by the FBI specifically for such purposes without getting any hits. They then turned to commercial genetic databases meant for different purposes, however, and data from GEDMatch was eventually used to narrow down the search for the suspect and eventually identify the culprit.
Users of the site who had innocently shared their DNA result with the hope of being matched with unknown relatives were not, however, informed that GEDMatch was being used in this way, and the police did not even notify those whose DNA was analysed specifically to determine the identity of the killer. Further, although GEDMatch later revised and tightened its policies regarding access by police authorities, requiring users to “opt-in” to such use in May 2019 , a Florida judge later bypassed these restrictions and granted a warrant to police investigating another homicide, to allow them access to the full database
In December 2019, GEDMatch was acquired by Verogen, Inc., a for-profit sequencing company dedicated to forensic applications, and the new version of the existing site thus came to focus on solving crimes based DNA profiles already hosted on the GEDMatch platform, which numbered in excess of 1.2 million at that time (The Crime Report, 2019).
There were three significant issues raised by the Golden State Killer investigation., privacy, and law enforcement access versus informed consent. These, taken together, paint a stark picture of a society that might be sleepwalking into a world otherwise seen only in dystopian fiction, most famously George Orwell’s masterpiece, 1984. Modern society is often presented as characterised by individualism; individual rights might thus be assumed to be thriving, privacy chief among them, and privacy and access go hand in hand. A sense of privacy may relate to who has access to individuals’ data, whether with regard to thoughts, appearance, behaviour and, particularly in the information age, both intimate and public information (Ebeling, 2016). Some authors define privacy solely in terms of access, however. for instance, writes that “privacy is the condition in which others are deprived of access to you”.
Such definitions mean that it is extremely hard to obtain complete privacy, however. When discussing the modern concept of privacy, it is also thus important to consider the individual’s interactions with the rest of society. Despite the fact that one requires the other in order to exist, these two “factions” may be seen as being in constant tension, and debate about access thus turns on the issue of finding a balance between the private interest and the public good. The concept of consent is also embroiled in this discussion of personal rights and consent, particularly with regard to the generation, use, and disclosure of personal data that is part and parcel of any true concept of privacy (Ebeling, 2016). The question of law enforcement or governmental access to commercial genealogy databases thus inherently problematic.
A major concern is that such access, left uncontrolled, both invades privacy and, by extension, threatens autonomy and liberty by creating or at least promoting the creation of involuntary and de facto rather than de jure forensic genetic databases. The Federal government in the USA already has its own official genomic databases, including the Federal NDIS and CODIS databases maintained by the FBI, which are dedicated to forensic use (FBI, n.d.). The databases mainly contain DNA profiles from convicted offenders who, in theory, have limited their own privacy rights by their actions. The use of DNA in forensic science also differs to an extent from the DNA data maintained for genetic genealogy purposes in that they lack information such as coding for eye colour or potential predisposition toward genetically inherited diseases. Open-source genetics databases and DTC genealogy databases, on the other hand, contain DNA data from presumptively innocent individuals who with an interest in their genealogy at a much broader level.
Companies that provide direct-to-consumer testing are also under-regulated more generally, which means that most of them provide inadequate consent options and privacy protection. A review by Skeva et al. (2020) that examined 22 websites and companies that provide genetic genealogy services, examining their policies regarding access to clients’ genealogy data for law enforcement purposes, discovered that all of the companies and databases involved stated in their privacy statements that they would share users’ personal information to comply with the law and thus comply with any requests from government bodies supported by relevant documentation, such as the issuance of a court warrant or a subpoena. That investigation also discovered that such law enforcement access provisions were written in a broad way that meant that they claimed leeway to release information well beyond that strictly required by such law, however. Kitchin (2014) further noted that states and authorities routinely circumvent multiple privacy laws for the purposes of security and intelligence-gathering, and that these poor standards both encourage and allow unlawful practice among law enforcers. A detective could thus register as a user under an alias on a genealogy website such as GENmatch and search for a DNA profile obtained by whatever means without ever disclosing their identity as an investigator, causing consumer data to be used for an unintended purpose without consent. This has been somewhat changed by an interim policy issued by the US Department of Justice on “Forensic Genetic Genealogical DNA Analysis and Searching”, as this recently issued guidance discussed the use of genealogical databases for forensics in more detail, stating that law enforcement officers should always identify themselves when submitting samples, and that they should not do so under an alias (The United States Department of Justice, 2019).
The existing poor standards place consumers at risk of data breaches, however. While usernames and passwords, for example, can be easily be changed, DNA is both unique and inherent to each person; it thus fulfils the first four criteria of Clarke’s (1994) list of desirable characteristics for an effective human identification feature, which are universality of coverage (everyone should have one); uniqueness (each person should have only one, and no two people should have identical ones); permanence (they should not change, nor be changeable); and indispensability (they should be natural characteristics that cannot be removed). Exposure of such valuable information is thus extremely undesirable (Kitchin, 2014). The genome is, in particular, a treasure trove of medical information, and genome-wide association studies (GWAS) have been used to identify mutations associated with an increased risk of developing certain diseases (Speakman et al., 2018). Data from DTC genetic databases is thus inherently highly sensitive, and the fact that there is minimal regulation in this field frequently causes DTC companies, which are driven by the profit motive, to act in a manner that severely undermines consumer privacy or offers various opportunities for bad actors with regard to selling, sharing, or targeting such data. Valuable genetic profile data can be acquired through data breaches or even bought and then used for purposes such as insurance under-writing. This could lead to insurance companies charging certain individuals more for their premiums or even failing to approve insurance cover where they are marked as more predisposed to certain diseases. Pharmaceutical manufacturers could also leverage such information for marketing schemes, based on them knowing who to target when advertising their products or drugs.
While using genomic data for forensics can be useful, this method should thus be carefully controlled. Minimising the frequency with which such data can be used, as well as limiting both the purposes and storage of such data, will also go a long way towards increasing public trust and participation in those measures that absolutely require the collection of personal data in the interests of public wellbeing, whether with regard to public security or health. This reflects the need for balance between the areas of public concern and individual privacy. Privacy is in many places perceived as an aspect of liberty, and the prime threat to privacy is thus seen as government interference, with liberty defined mainly in contrast to state control. Normalising the use of commercialized genomic data at without proper frameworks of control would thus contribute to increased distrust in authority as well as actual by governments. when discussing computerisation, foresaw several extreme privacy implications: “The danger that the computer poses are to human autonomy. The more that is known about a person, the easier it is to control him” (Haggart, 2019). This also applies to genomic surveillance, with governments or authorities potentially using data technology to suppress dissent or opposition. DNA can be found in many places, both obvious ones such as actual samples of blood, semen, hair, skin cells, and saliva and residues on cigarette butts, beer bottles, and envelopes licked before being sealed (Holder et al., 2013). This powerful tool for identifying individuals attending opposition meetings or protests is thus a concern in the hands of unregulated authorities.
Establishing mechanisms of transparency, integrity, and accountability, and monitoring both the authorities and the guardians of highly sensitive data are thus necessary to earn public trust. This process could be accomplished by emplacing independent authorities to assess government institutions’ and commercial contractors’ privacy policies to ensure that they meet pre-determined requirements. The requisite culture and systems of consultation should then be emplaced to ensure that the public is educated and allowed to contribute to such undertakings.
Companies that specialise in genetic genealogy and thus hold genealogical databases should work to regain client trust by implementing explicit privacy policies that safeguard their rights. In terms of limiting secondary purposes or uses, an obvious step would be to prohibit SNP data being provided to price health, life, or disability insurance, as well as the emplacement of frameworks to detect such uses and to apply punitive action as required.
Genomic sequencing is not a flash in the pan; it is not only here to stay but also likely to change the world, with luck for the better; however, this will occur if and only if appropriate and well-structured ethical committees are emplaced to offer global oversight and to delineate any grey areas once and for all. Without this, these technologies are a ticking time bomb that may usher in a dystopian era. Skeva et al. (2020) noted that, despite the fact that many privacy laws ostensibly exist in the USA (HIPAA, GINA, the Affordable Care Act), none of these provides adequate protection against potential misuses of DNA data, and nor are the practices of consumer genomics companies covered by them (Molteni, 2019). Grey areas, such as the use of SNP data in research, should thus be regulated to permit continuance of development, as research into individual genomes may help both detect and treat common ailments such as heart disease and cancer more effectively. Keeping the public both informed and included in discussions surrounding such topics is thus essential, alongside ensuring that the appropriate rules and regulations are in place to protect personal data; such developments are likely to be crucial in creating resilient systems that both withstand the test of time and benefit the public.
As consumer genomics databases continue to grow rapidly, there are also increased opportunities to identify individuals suspected of having committed serious crimes. However, issues such as the current lack of oversight and the absence of specific legislation to safeguard this nascent industry from various threats are concerning, particularly as the general public has been generally excluded from the process. It remains to be seen how regulatory solutions can be fashioned to best protect individuals’ privacy rights and allow industry development, as well as how the public will respond to such moves.
References
23 and me (2022). Your personal health experience starts with meaningful information from your DNA. 23andMe, Inc. [online] Available from: https://www.23andme.com/ [Accessed 11 January 2022]
Clarke, R. (1994). Human Identification in Information Systems: Management Challenges and Public Policy Issues, Information Technology & People, 7(4), pp. 6–37. doi: 10.1108/09593849410076799/FULL/XML.
Ebeling, M. F. E. (2016) Healthcare and big data: Digital specters and phantom objects. Healthcare and Big Data: Digital Specters and Phantom Objects. New York: Palgrave Macmillan. doi: 10.1057/978-1-137-50221-6.
FBI (n.d.) Frequently Asked Questions on CODIS and NDIS. [online] Available from: https://www.fbi.gov/services/laboratory/biometric-analysis/codis/codis-and-ndis-fact-sheet [Accessed 24 December 2021].
GEDmatch (2022). Comprehensive solutions for genetic genealogy and family tree research. [online] Available from: https://www.gedmatch.com/ [Accessed 11 January 2022].
Holder, E.H., Leary, M.L., and Laub, J.H. (2013). DNA for the Defense Bar. Washington, DC: U.S. Department of Justice.
Haggart, B. (2019) The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power , S. Zuboff (2018) , Journal of Digital Media & Policy. doi: 10.1386/jdmp.10.2.229_5.
Kitchin, R. (2014). The Data Revolution: Big Data, Open Data, Data Infrastructures & Their Consequences. London: Sage. doi: 10.4135/9781473909472.
Molteni, M. (2019). The US Urgently Needs New Genetic Privacy Laws, WIRED (online). Available from https://www.wired.com/story/the-us-urgently-needs-new-genetic-privacy-laws/ [Accessed 12 January 2022].
Myriad Genetics (2022). BRAC Analysis.[online]. Available from: https://myriad.com/products-services/hereditary-cancers/bracanalysis/ [Accessed 12 January 2022].
Reiman, J. H. (1995) ‘Driving to the Panopticon: A Philosophical Exploration of the Risks to Privacy Posed by the Highway Technology of the Future’, Santa Clara High Technology Law Journal, 11(1). Available from: https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1174&context=chtlj (Accessed: 23 January 2022).
Skeva, S., Larmuseau, M.H.D., and Shabani, M. (2020) Review of policies of companies and databases regarding access to customers’ genealogy data for law enforcement purposes, Personalized medicine, 17(2), pp. 141–153. doi: 10.2217/PME-2019-0100.
Speakman, J.R., Loos, R.J.F., O’Rahilly, S., Hirschhorn, J.N. and Allison, D.B. (2018). GWAS for BMI: a treasure trove of fundamental insights into the genetic basis of obesity. International journal of obesity, 42(8), pp.1524-1531. doi: 10.1038/s41366-018-0147-5.
The Crime Report (2019). GEDmatch Sold, Will Serve as ‘Molecular Witness’ for Police. [online]. Available from: https://thecrimereport.org/2019/12/10/gedmatch-sold-will-serve-as-molecular-witness-for-police/ (Accessed 24 December 2021).
The United States Department of Justice (2019) United States Department of Justice Interim Policy Forensic Genetic Genealogical DNA Analysis and Searching [online]. Available from https://www.justice.gov/olp/page/file/1204386/download. [Accessed 12 January 2022].
Kashmir, H. and Heather, M. (2019) Your DNA Profile is Private? A Florida Judge Just Said Otherwise – The New York Times [online]. Available from: https://www.nytimes.com/2019/11/05/business/dna-database-search-warrant.html (Accessed: 24 December 2021).
Schwartz, P. (1989) ‘The Computer in German and American Constitutional Law: Towards an American Right of Informational Self-Determination’, undefined, 37(4), p. 675. doi: 10.2307/840221
write