By: Katelyn N. Ringrose
Published: November 22, 2019
Introduction
***
In 2018, seventy-two-year-old Joseph DeAngelo was accused of committing over one-hundred burglaries, fifty rapes, and thirteen murders that took place throughout California from the mid-1970s to the mid-1980s.[2] DeAngelo has gone by many names during his time as California’s most prolific unidentified serial-rapist and murderer. However, the East Area Rapist, Visalia Ransacker, Original Night Stalker, and Golden State Killer all have one crucial thing in common—their DNA.
DeAngelo’s DNA, after being housed in a storage locker for decades, was uploaded to the Combined DNA Index System (CODIS) by local law enforcement in 2000.[3] The FBI designed CODIS to find direct matches, and the bureau enforces a strict criteria for familial searches, with most states disallowing familial matching from taking place on the site at all.[4] With no CODIS match for DeAngelo’s DNA, and genealogy websites offering endless possibilities for familial-based cold hits, in 2018, Sacramento law enforcement opted to upload the DNA they had sequenced to GEDmatch. GEDmatch is a third-party site developed to compare data obtained through consumer use of direct-to-consumer genetic testing companies like 23andMe and AnscestryDNA.[5]
The officers did not ask for, nor did they receive a court order, and the limits to the officers’ authority are unclear.[6] After DeAngelo’s DNA was matched to another DNA sequence belonging to a GEDmatch user, law enforcement directed their attention to male relatives of that individual.[7] After narrowing their sights on DeAngelo, as being of an appropriate age and having shared characteristics with the unidentified offender, law enforcement harvested an abandoned item of DeAngelo’s that contained his DNA. The officers matched his abandoned DNA to the DNA they had on file, unmasking DeAngelo one final time.[8]
DNA is the most personally identifying information (“PII”) possible. While other biometrics like facial and iris recognition are increasing in technological accuracy, and fingerprints hold a 98.6% match propensity, DNA, when tested at a high loci point, can yield a near-perfect match. Furthermore, the propensity of DNA as an identifier is almost unending, with its capacity to identify relatives: both living and dead. Some 26 million people have uploaded their DNA to direct-to-consumer genetic testing websites. Researchers conclude that it is nearly possible for every American to be identified through familial matching today, with more matches being accrued over time.[9] There has been increased pressure, especially since DeAngelo’s arrest, to utilize genetic testing sites to achieve cold hits, and there have been at least four cold murder cases and one recent rape case solved through similar efforts.[10] The capacity of DNA identification is vast, with admittedly numerous positive benefits, but the practice also holds incredibly harmful implications on privacy. Despite the possibility for abuse, direct-to-consumer (“DTC”) genetic-testing companies have been slow to adopt stringent privacy policies adopting best practices when it comes to protecting their consumer’s genetic information from law enforcement.[11]
This note surveys genetic testing companies and examines the current state and federal regulatory landscape, along with issues regarding law enforcement’s use of such sites, and the current need for enhanced oversight. In Part I, this note scrutinizes how law enforcement has become privy to genetic information from DTC sites, including so-called public genealogical databases, and whether such searches are constitutional. This note looks into the expectation of privacy Americans reasonably hold in their genetic material.[12] This note also questions whether third-parties, individuals who have voluntarily submitted their DNA, should have a differing expectation of privacy in their genetic material than fourth-parties, individuals whose DNA is only a familial match to that third-party consumer. In Part II, this note examines potential applications of Carpenter v. United States to the issue of genetic privacy, and looks to how district courts have been approaching third-party data collection over this past year.[13] HIPAA and GINA, federal laws governing medical data, as well as other medical regulatory mechanisms do not apply to the issue of commercial genetic data. In Part III, this note examines current DTC genetic-testing privacy agreements and finds areas where such policies may be strengthened. In Part IV, this note scrutinizes current law enforcement policies regarding the utilization of DTC websites. If law enforcement is operating in violation with current privacy policies, consumer safeguards need to be updated in order to provide greater protections. Finally, in Part V, this note concludes with a model privacy policy for DTC genetic testing companies, a model state law regarding genetic searches, as well as a model advisory memorandum for law enforcement. This note argues that Americans hold a reasonable expectation of privacy in their DNA, and law enforcement should seek a warrant[14] to gather information from DTC genetic-companies.[15] DTC companies should enhance their lax privacy policies in order to help protect their consumers from third-party intrusions and, what could be, the most invasive law enforcement scheme to date—genetic surveillance.