Whose DNA is It Anyway? Legal Challenges that Arise from the Use of Genetic Genealogy in Criminal Investigations

By Kim Lo

Since 2018, law enforcement’s use of genetic genealogy to identify and apprehend suspects has been growing [2], especially in high-profile cases like the Golden State Killer case and the recent University of Idaho student murders. However, it is not without its critics.

Jennifer Lynch, the general counsel of the non-profit civil liberties group Electronic Frontier Foundation, is one of these critics. In a recent interview with CNN, she cautions that “[genetic genealogy] is still a very new investigative technique” that is far from perfect.[3] In addition to the possibility that it violates the 4th Amendment’s protection against unlawful searches and seizures, Lynch points out that “the public should have the ability to know more about how these sorts of searches are conducted so that we can ensure the police are not just willy-nilly collecting DNA from people and running them against consumer genetic genealogy databases.” She is hardly alone in her criticisms and concerns.

Genetic genealogy differs significantly from traditional criminal DNA searches[5], and the current state and federal laws are simply not enough to deal with the legal questions that are arising from its use. This post explores some of these concerns and explains why it is important for both federal and state governments to act on this issue sooner rather than later.

Genetic genealogy is “a practice that blends DNA analysis in the lab with genealogical research, such as tracing a person’s family tree[6].” The practice became popular in the last decade when commercial companies like 23andMe and Ancestry.com offered services where, for a fee, a customer could order a kit, submit a saliva sample for a DNA analysis, and then receive results that could tell a person about their ethnic and racial ancestry and how at risk they are for certain genetic health issues. Since these services first became available in 2007, millions of people have used them[7]. As of February 2024, it is estimated that one out of every five Americans has tried one of these services, and more than 14 million people have used 23andMe alone[8].

While 23andMe does not share customers’ data with law enforcement, customers are still free to upload their raw DNA files from it and other similar services to sites with less protection like GEDMatch[9]. GEDMatch is a free, open-source site that was started in 2010[10]. It takes the “raw DNA files that users upload and then compares them to the people who have already uploaded their name, email addresses and DNA data.[11]” GEDMatch then analyses the results and produces a list of family relatives who have also opted in to its service[12]. The list of relatives includes everyone from parents to fourth and fifth cousins[13]. In addition, the list includes their contact information[14]. From there, genealogists take those relatives’ names and search through publicly available databases for documents like birth certificates, obituaries and death certificates to build an even more extensive and detailed family tree.[15]

Although GEDMatch was originally intended for those seeking to learn more about their own family ancestry, law enforcement quickly realized that it could be a useful tool in helping to apprehend criminal suspects in cases with no known suspects but where DNA evidence was left behind at a crime scene[16]. The impact that GEDMatch has had on law enforcement cannot be overstated. Since 2018, the information available through GEDMatch has led to an additional thirty-nine cold case arrests and played a role in identifying at least twelve previously unidentified remains[17].

In the past, the protocol for when law enforcement found unknown DNA was to test it and then enter it into the FBI-maintained CODIS DNA database, where it was compared to the DNA of known criminal offenders[18]. However, when there was no match, as in the aforementioned Golden State Killer case, suspects often remained unknown indefinitely.

By contrast, investigators can now take that unknown DNA and partner with genetics companies like Parabon NanoLabs to turn it into a raw data file[19]. That raw data file can then be uploaded to GEDMatch, which in turn produces a list of extended family members who are related to the perpetrator[20]. That list can then allow investigators to narrow their search to those who may have been in contact with the victim and are potential suspects[21].

Usually, once the investigators have come up with that list of potential suspects, they then surveil them until they can obtain a discarded item that contains the suspect’s DNA, which is then collected and tested to see if it matches the DNA found at the crime scene[22]. If it matches, then a warrant is sought to obtain a sample directly from the suspect[23]. If the sample confirms the earlier match from the discarded item, then police will make an arrest[24]. One of the biggest advantages to law enforcement is that these open databases “expands the number of possible suspects to include people who have not previously committed a crime.”[25]

Expanding the number of possible suspects to include those who do not have criminal records is not the only way that genetic genealogy searches differ from traditional criminal DNA searches. DNA that is collected by law enforcement and entered into CODIS “is subject to state and federal statutes that govern exactly how, when, and from whom it can be collected[26].” DNA can only be collected from a suspect who has been arrested under a warrant obtained on probable cause. That collected DNA must be expunged if a person is ultimately never charged or convicted[27]. Furthermore, “even the labs that process DNA entered into CODIS are subject to federal regulations and licensing requirements[28].”

By contrast, genetic genealogy databases like GEDMatch are privately maintained. There are no regulations that govern how these databases collect, handle, and share data[29]. They are also not covered under the Health Insurance Portability and Accountability Act (HIPAA), since HIPAA only applies to entities like healthcare providers and insurance companies[30]. There is no way of even guaranteeing that the DNA data files uploaded by users are actually their individual files other than the user’s word that that is the case.

Another fundamental way in which traditional criminal DNA searches differ from genetic genealogy searches has to do with the overall quality of the samples that each typically uses to get its respective results. While private companies are able to control for quantity and contamination, the samples used in forensic applications (especially those obtained from crime scenes) are often “degraded and contaminated samples[31].”

While the recommended amount of DNA for testing is typically 200 nanograms (ng) of genetic material, most forensic samples typically range between 0.1 ng and 1 ng[32]. As a result, using very small samples and multi-source samples for genetic genealogy searches may lead to serious errors or misidentifications[33]. While sibling matches may be able to withstand smaller samples, accuracy for second and third cousins falls significantly[34]. It is worth noting that in the cases of correctly identifying third cousins, even samples that were at the ideal of 200 ng were only accurate on average 74.6% of the time[35]. As a result, false positives can and do occur[36]. In addition to sample size, results are also affected by algorithmic parameters[37]. Therefore, without knowing the exact algorithms and parameters used to obtain the result, “it can be difficult to assess whether the results are reliable or are a product of manipulating bioinformatics[38].”

The Fourth Amendment protects against unwanted searches and seizures[39] and is seen as the major source of privacy law in the United States[40]. While some originally interpreted it mostly as an effort to protect places, “the Supreme Court shifted Fourth Amendment doctrine from a property tort-based approach in Boyd v. United States to a reasonable expectations analysis in the famous wiretapping case Katz v. United States[41].” In Katz, Justice Harlan defined a new standard for judging reasonable search and seizure: “. . . [T]here is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable’[42].”

The issue of what is reasonable is still a question of debate and is even more of a challenge in situations involving the use of genetic genealogy to apprehend suspects. The state successfully argued under California v. Greenwood, 486 U.S. 35 (1988) that the Fourth Amendment does not require a warrant to search DNA found on items that a suspect has discarded because the suspect abandoned their privacy interests in their DNA when they left it behind on those items.[43] Although Greenwood may not seem applicable in most cases involving the use of genetic genealogy, an argument could be made that when one decides to upload their DNA profile to a publicly shared database they lose their right to DNA data privacy. It must be noted that in the vast majority of these recent cases, including the Golden State Killer and the University of Idaho murders, the suspects did not actually upload their DNA themselves. Rather, relatives, many of whom probably were not even aware of the existence of said suspects, were the ones who did that. Likewise, the third-party doctrine, which holds that under the Fourth Amendment an individual loses a reasonable expectation of privacy when they volunteer information to a third party[44], would not appear to apply to these sorts of suspects either, since it is quite hard to argue that anyone “volunteers” their DNA data to a third party by virtue of being related to them.

Furthermore, there remains the question: What about the rights of those who did the actual uploading but never intended for their DNA data to be used for criminal procedures? Also, what about the commercial companies who wish to opt out as well? Examples abound of both users and commercial companies who specifically said that they did not want DNA data to be used for the purposes of criminal investigation only to have those preferences ignored. Even a 2018 interim policy issued by the Justice Department on the use of familial genealogical genetics (FGG) by federal agencies, which states that investigative agencies “shall identify themselves as law enforcement to services and enter and search FGG profiles only in those [genealogical genetic] services that provide explicit notice to their service users[45],” failed to offer protection in some situations. For instance, it has been reported that a loophole on the GEDMatch website allowed researchers to view “the profiles of individuals who had specifically opted out of the use of their data in law enforcement sources.”[46] In summer 2023, it was revealed that California’s Riverside County Regional Cold Case Team uploaded a victim’s DNA to the commercial site MyHeritage despite the fact that doing so is a direct violation of the company’s terms of service. It was further claimed that the Riverside County Regional Cold Case Team may have acted with cooperation from the FBI.[47] Lastly, there is also the question of those individuals and companies that are comfortable with DNA data being used for investigative purposes in cases involving serious offenses like murder or sexual assault but object to it being used in lesser crimes. As Electronic Frontier Foundation’s Jennifer Lynch said to CNN:

“There’s a tendency for judges, for the public, to say, ‘Oh, well, these crimes are so terrible that it justifies any kind of search to possibly identify the person,’” she said. “But what we have to realize is that these kinds of investigative techniques are not limited to cold cases and not limited to heinous felonies. They will be used in even minor crimes, and they can implicate people for crimes they didn’t commit.”[48]

Lynch’s statements about this being used for minor crimes are backed up by the data: In October 2019 it was announced that out of the ten requests made by law enforcement to access 23andMe’s database, “[t]he majority of the requests concerned credit card fraud.”[49]

As of this writing, there is no national standard for the use of genetic genealogy. Twelve states allow its use, while Montana and Maryland are the only two states that have explicit statutory limitations on the use of genetic genealogy and familial searches[50].

The lack of legal precedent on the subject is one of the many reasons why the University of Idaho murder case is drawing so much attention, not just from the usual true crime reporters but also from legal reporters and scholars. While the judge has yet to set a date for the trial, it is likely the issue of genetic genealogy will come up before, during, and possibly even after the trial.

The few existing state and federal laws that we currently have are not enough when it comes to the regulation of genetic genealogy and its use in criminal investigations. Neither current laws nor past court rulings involving traditional DNA searches or reasonable expectations of privacy, which were established prior to the advent of genetic genealogy technology, are adequate to solve the challenges and questions that this new technology presents. Answering, or even attempting to answer, questions like who exactly owns and controls our DNA (arguably the most personal property we possess, yet something we constantly shed and leave behind wherever we go, and parts of which we share with others through no choice of our own) is not going to be an easy task. However, we cannot wait for the courts and the states to slowly assemble a patchwork of laws. Instead, what is needed is both state and federal legislation that will protect 4th Amendment rights even in a time when DNA, which was once locked in mystery, is increasingly becoming public information regardless of whether we provide consent or not.





Image Source: kjpargeter on Freeport.com

[1] Eric Levenson, It Started as a Hobby. Now They’re Using DNA to Help Cops Crack Cold Cases, CNN (Mar. 27, 2018, UPDATED 10:27 AM EDT), https://www.cnn.com/2018/08/03/health/dna-genealogy-cold-cases-trnd/index.html.

[2] Id.

[3] Eric Levenson, A Hearing in the Idaho Student Killings Case Focuses on Genetic Genealogy. Here’s Why that May be Important, CNN (Feb. 29, 2024, UPDATED 9:45 AM EST), https://www.cnn.com/2024/02/28/us/idaho-student-killings-genetic-genealogy/index.html.

[4] Id.

[5] Jennifer Lynch, Forensic Genetic Genealogy Searches: What Defense Attorneys & Policy Makers Need to Know, Electronic Frontier Foundation (Jul. 26, 2023), https://www.eff.org/wp/forensic-genetic-genealogy-searches-what-defense-attorneys-need-know#Regulation.

[6] Levenson, supra note 1.

[7] Alaina Demopoulos, ‘There are no serious safeguards’: Can 23andMe be Trusted with our DNA?, The Guardian (Feb. 17, 2024, 12:00 PM EST), https://www.theguardian.com/technology/2024/feb/17/23andme-dna-data-securityfinance#:~:text=Of%20course%2C%20most%2023andMe%20experiences,learning%20more%20about%20their.

[8] Id.

[9] Levenson, supra note 1.

[10] Id.

[11] Id.

[12] Levenson, supra note 1.

[13] Id.

[14] Id.

[15] Id.

[16] Levenson, supra note 3.

[17] Genevieve Carter, The Genetic Panopticon: Genetic Genealogy Searches and the Fourth Amendment, 18 NW. J. TECH. & INTELL. PROP. 311, 321 (2021).

[18] Levenson, supra note 1.

[19] Id.

[20] Id.

[21] Id.

[22] Levenson, supra note 1.

[23] Id.

[24] Id.

[25] Id.

[26] Lynch, supra note 5.

[27] Id.

[28] Id.

[29] Id.

[30] Genevieve Carter, The Genetic Panopticon: Genetic Genealogy Searches and the Fourth Amendment, 18 NW. J. TECH. & INTELL. PROP. 311, 317 (2021).

[31] Bicka Barlow & Kristen McCowan, Genetic Genealogy in the Legal System, 97 WIS. LAW. 14, 15 (2024).

[32] Id. at 16.

[33] Lynch, supra note 5.

[34] Barlow & McCowan, supra note 31, at 16.

[35] Id.

[36] Lynch, supra note 5.

[37] Barlow & McCowan, supra note 31, at 15.

[38] Id. at 16.

[39] U.S. Const. amend. IV.

[40] Carter, supra note 30, at 324.

[41] Id.

[42] Katz v. United States, 389 U.S. 347, 88 S. Ct. 507, 588 (1967).

[43] Lynch, supra note 5.

[44] Id.

[45] Id.

[46] Bicka Barlow & Kristen McCowan, Genetic Genealogy in the Legal System, 97 WIS. LAW. 14, 17 (2024).


[48] Levenson, supra note 3.

[49] Genevieve Carter, The Genetic Panopticon: Genetic Genealogy Searches and the Fourth Amendment, 18 NW. J. TECH. & INTELL. PROP. 311, 317 (2021).

[50] Lynch, supra note 5.

[51] Id.