Private DNA should stay out of the government’s hands

This op-ed was published in the Deseret News yesterday.

Utah lawmakers will be presented a simple question in January: should police officers be able to go on fishing expeditions in privately owned or crowd-sourced DNA databases?

At first blush, it might seem that this is a helpful new tool to close cold cases and identify suspects. After all, who doesn’t want to reveal a criminal’s identity in order to ensure justice is served?

Just last week, Clearfield police announced that they were able to identify a suspected rapist by taking a DNA sample they had and running it through a private company’s database to see if it was a match to anyone whose information happened to be listed there. Last year, police were able to identify who assaulted an elderly woman in Centerville using the same tactic with a crowd-sourced DNA database called GEDMatch.

DNA can solve cases such as these because of how it links us to other people; because we share so much DNA in common with all our relatives, the government can use a person’s family tree and a DNA sample they obtain in order to find their target. Many might be tempted to praise this process, but in reality it should give us pause.

Think of George Orwell’s dystopia where everyone is constantly watched. In an environment of mass surveillance, the government can solve crimes more easily; with access to whatever information it needs, it can ruthlessly punish those who violate the law. The real world isn’t far off from that fictional future, since police and prosecutors typically consider each new technological tool a welcome support for their job, incrementally adopting the very surveillance systems that in the aggregate can cause oppression.

But the ability to solve crimes in this manner comes at a cost, and if the pendulum swings too far in one direction, then it has moved away from privacy to our collective detriment.

Consider a parallel example: the government’s use of facial recognition. Lawmakers recently heard testimony from law enforcement justifying their use of our drivers license photos to perform facial recognition analysis to catch criminals, even though you and I never consented to our photos being used this way, nor have we been suspected of a crime. This technology’s defenders shared stories about the good it had done, yet notwithstanding these results lawmakers in committee were rightly upset that the government was engaged in fishing expeditions using information of innocent people. Expect to see this practice sharply curtailed in the upcoming legislative session.  

This outcry came despite the data—driver license photos—belonging to the government. The problem is much, much worse when it comes to private or crowd-sourced databases, including those which store our DNA information.

Imagine a police officer with a digital document whose owner he wished to identify, demanding that Dropbox scan its millions of files—belonging to its users, not to Dropbox—to reveal anyone who might have uploaded the file. Or what if a detective had an audio recording of a criminal, and asked Amazon to search for voice recording matches in its Alexa database. Maybe law enforcement could create a rendering of a suspected criminal and demand that Apple reveal anyone using FaceID who was a lookalike.

As horrendous as these examples are—clearly abusive of government power—they pale in comparison to DNA. Why? Because in the foregoing examples, all the company might reveal is the information a single person entrusted to a third party. But unlike with a voice, face, fingerprint, or other biometric information, our DNA inherently reveals not only our personal medical information and ethnic heritage, but connections to a family tree of relatives. It’s not just an identity match of a single individual—it’s a coerced genealogical disrobing of a person’s entire family.

That Clearfield case mentioned earlier? Dr. Rae-Venter, who processed the DNA, relied upon a company called FamilyTreeDNA who exposed its users’ private information to law enforcement to help find the lead. For this, the doctor praised their “corporate courage.” 

And yet because this company was unwilling to protect its customers’ (and their relatives’) essential privacy—a short-sighted act in our view, not a courageous one—FamilyTreeDNA was kicked out of a coalition of leading DNA companies that have championed best practices and industry standards, including customer privacy. 

These massive databases are an understandable temptation for law enforcement officials who want to engage in fishing expeditions in search of leads. All the same, they should be limited in being able to do so, just as the Utah Legislature has—in the name of privacy—limited law enforcement use of technologies like drones, cell phone tracking devices, license plate readers, body cameras, digital data snooping, and more.

Should police officers be able to go on fishing expeditions in DNA databases to solve crimes? We think the answer is a clear no, and look forward to making that case in the upcoming legislative session to persuade lawmakers to continue their protection of our privacy in light of new technological innovations.

Connor Boyack is president of Libertas Institute. Michael Melendez, a genealogy researcher, is Libertas Institute’s director of policy.