California law enforcement announced last week that the arrest of the so-called Golden State Killer suspect, who police allege is responsible for a string of murders, rapes, and burglaries from the 1970s and 1980s. The most interesting revelation, however, was how the police finally solved this very cold case that had sat dormant for so long.
Police revealed that they inputted DNA evidence recovered from the crime scenes into a DNA database used by individuals who share their DNA information in order to build out family trees. Using this open-source database, police were able to connect the crime-scene DNA to a distant relative of the suspect who had used this DNA mapping service, ultimately narrowing down their search and leading them to focus on the suspect. Eventually, police obtained discarded DNA from the suspect (likely from his trash or the like), linking him to the DNA at the crime scene.
This use by law enforcement of a DNA database consisting of voluntarily-provided DNA samples is an eye-opener about the serious privacy risks of sharing such information. Generally, when law enforcement officers seek to obtain a DNA sample from an individual, they have to obtain a search warrant based on probable cause because they believe the individual is tied to a crime. But what happens when that individual has voluntarily shared his DNA profile with a third party, such as Ancestry.com, 23andme, or any number of these genealogy services? In all likelihood, that sharing of one’s DNA information may act as a waiver of any privacy claims in it.
The Supreme Court has long upheld the “third party doctrine,” which provides that there is no reasonable expectation of privacy in information shared with a third party. That includes your bank, with which you share your banking information, your wireless carrier, with which you share your call records, and even Google, with which you probably share your location history. The extent of the third party doctrine and how far it goes is still being considered by the courts. But the bottom line is this: if you choose to use a DNA testing service and provide a DNA sample voluntarily, you should probably first consider the privacy implications of doing so and carefully review the service’s privacy policies.