by Matt Clarke with research assistance by Ann Foster

Millions of people have submitted oral cheek (buccal) swab samples to companies like 23andMe and Ancestry hoping to use their DNA to trace their ancestors and locate relatives in a process known as genetic genealogy. By comparing their DNA to that of other customers, the companies can determine whether, and to what degree, two customers are related. By comparing the DNA to that of known historic figures and their descendants, the companies can determine whether a customer has a famous ancestor. It is also possible to determine what geographic regions the customers’ ancestors came from and susceptibility to some diseases.

More recently, law enforcement has been using the information in the same genetic genealogy companies’ databases to establish the identity of unidentified human remains (“UHR”) and identify suspects using DNA collected at a crime scene. This “off-label” use of genetic genealogy, known as forensic genetic genealogy (“FGG”) or investigative generic genealogy, has been used to solve decades-old cold cases. However, FGG has raised a red flag about the privacy of information stored in massive databases by internet-based companies.

What Is DNA?

DNA is a complex molecule made up of chemical units known as nucleotides. Only four nucleotides—Adenine (A), Guanine (G), Cytosine (C), and Thyinine (T)—are used in constructing the molecule of DNA. The molecule consists of two long strands that are twisted in a spiral called a double helix, somewhat like a ladder twisted into a spiral. The nucleotides along the length of the strands are strongly bonded to one another but only weakly bonded to the nucleotides across from them in the other strand. Like in real life, the legs of the ladder are much stronger than the rungs. This arrangement allows an enzyme to open up (or unzip) the DNA ladder along its rungs, separating the strands.

The nucleotides will strongly bond to any other nucleotide that is next to it in the strand (leg of the ladder), but A will only establish a weak bond with T in the other strand (across the rung of the ladder). Likewise, G will only establish a weak bond with C. Thus, an unzipped strand of DNA that is awash in a soup of nucleotides will force those nucleotides to assume a specific conformation while building a complementary strand: a T for each place that an A appears on the unzipped strand; a G for a C; an A for a T; and a C for a G. This is the exact conformation of the other unzipped strand of DNA. Thus, the two unzipped DNA strands can produce two DNA strands that are identical to the original molecule and accomplish replication.

DNA contains the basic coding for life. The number of nucleotides along with their sequence make up the genome that is unique to a species. The human genome consists of 3.2 billion nucleotides contained within 46 molecules of DNA, each wrapped around a protein core in a configuration called a chromosome. Each person inherits 23 chromosomes from each parent with similar chromosomes ­associating into 23 pairs of chromosomes in most cells.

It took 10 years and $3.2 billion to map the human genome, an effort that was completed in 2003. Within five years, inexpensive genotyping chips capable of determining hundreds of thousands of Single Nucleotide Polymorphisms (“SNPs,” pronounced “snips’’) appeared on the market. The number of SNPs that genetic genealogy companies identify in their propriety tests are limited to one million due to cost considerations. Most identify around 650,000 SNPs, less than 1% of the validated human SNPs. They focus on the protein-coding regions of the chromosomes, parts responsible for the attributes that make one human being different from another such as hair color, eye color, skin tone, and many other differences that may not be readily visible.

Looking at SNPs is simply a way of focusing on the places where DNA tends to be different between different people. Since any of the four nucleotides can appear at those single points along the strand, it can take on many different appearances. That makes those locations— which might, for instance, determine the shape of an eye or a hairline or how the immune system recognizes something as belonging in the body—unique among people who are not identical twins.

Since our DNA is a fairly random mixture of the DNA belonging to our parents, we share a lot of similar SNPs with them and with anyone else we are closely related to. The more distant the relationship, the fewer SNPs we have in common.

First Law Enforcement Use of DNA

In the 1984, scientist Alec Jeffreys developed methods of using enzymes to cut DNA into fragments and gel electrophoresis to separate the fragments according to weight and electrical charge, yielding a unique DNA pattern somewhat similar to a bar code. It was often, and somewhat misleadingly, labeled a “DNA fingerprint.” That early method—restriction fragment length polymorphism (“RFLP”)—required large sample sizes and relatively uncontaminated samples, limiting its usefulness to law enforcement, which often deals with small contaminated samples collected from a crime scene. It could sometimes be used to find the perpetrator among a group of suspects, but it could not identify someone who was not already in the suspect pool.

Despite its limitations, the DNA fingerprinting method was soon used by police in the United Kingdom to identify the perpetrator of two rape-murders. However, it required police to request that the male population between 17 and 34 years of age in Narborough submit to “voluntary” DNA fingerprinting, so they could either identify the perpetrator outright or focus their attention on those who refused to be tested. Social pressure led over 4,500 men to cooperate.

The perpetrator had convinced a co-worker to provide a blood sample in his place. Police learned of the deception, and their investigation led to his arrest and conviction. The testing also cleared the former prime suspect whom police had badgered into giving a tepid (and false) confession.

It is questionable whether such a “DNA dragnet” could pass constitutional muster in the United States. Nonetheless, DNA fingerprinting using the RFLP method was used to identify suspects and gain convictions in many U.S. courts, becoming the “gold standard” for forensic evidence for a decade.

The Beginnings of DNA Databases

In 1987, Jeffreys developed a DNA profile that could be derived from smaller samples than were required for a DNA fingerprint and could be coded as a series of numbers, making it possible to create DNA profile databases.

Over time, scientists developed methods to amplify small samples—the polymerase chain reaction (“PCR”)—and clean up contaminated and mixed samples to a degree, increasing the usefulness of DNA to law enforcement. However, several different commercial DNA laboratories had competing PCR-based systems looking at different parts of the human genome that were not necessarily compatible with one another.

CODIS Arrives

To increase the usefulness of DNA identification, it was necessary to standardize which parts of the DNA strand was being examined so that one lab’s results could be compared to that of another. Optimally, from a law-enforcement viewpoint, the government would collect the DNA profiles of everyone in the country and put it into a database that could be used to compare it to DNA from crime scenes and unidentified bodies. This is unlikely to happen in the U.S. due to privacy concerns and constitutional issues, but standardization of DNA profiles was clearly possible and only required that a national organization take the lead in setting standards.

In 1990, the FBI began a pilot software program, and in 1994, Congress authorized its implementation as the Combined DNA Index System (“CODIS”), a national database of standardized DNA profiles from people who have been arrested or convicted of crimes created by unifying the federal database with those of the states. 42 U.S.C. § 14132(a) (1994) (later transferred to 34 U.S.C. § 12592). Currently, CODIS contains the profiles of approximately 14.7 million convicted persons, 4.4 million arrestees, and 1.1 million forensic subjects. Despite its enormous size, CODIS cannot identify a person whose profile is not in its database of well under 10% of the U.S. adult population.

The DNA testing method used for CODIS profiles was PCR-amplified Short Tandem Repeat (“STR”) analysis. A CODIS profile was created using PCR and gel electrophoresis to examine 20 highly-variable STR locations (loci) in non-protein-coding sections of the DNA, yielding 40 datapoints.

The power of CODIS was limited by the small percentage of the population in the database. Further, CODIS profiles could not be used to identify persons genetically related to the donor of the unknown DNA sample from a crime scene or UHR unless the relationship was as close as a father and son. Further, the perpetrators of the type of crime most likely to leave DNA samples behind—sex offenses and murders—were also among the least likely to have previously been convicted of a crime and thus be in the CODIS database. What law enforcement wanted was a larger database and testing that could identify people genetically related to the donor of the unknown sample. Surprisingly, it was the private sector that would soon provide just that.

Beginnings of Forensic
Familial DNA Testing

Despite its limitations, the first forensic familial DNA search was accidentally conducted by British police on an STR database when a submitted sample from a decades-old cold case partially matched an STR profile in 2002. The profile on the database turned out to be that of the son of the perpetrator of multiple rapes.

Familial searches require different software from standard CODIS-matching searches. In 2008, California became the first state to implement familial DNA searching on its STR DNA databases. In 2010, Lonnie Franklin, Jr. was identified via a familial DNA search on a California government database as the “Grim Sleeper,” who was responsible for at least 10 murders of young women in Los Angeles. Franklin’s son’s DNA had recently been added to the database because of a weapons charge. The closeness of his DNA to that of the Grim Sleeper led police to initiate surveillance on his father. A discarded piece of pizza provided the sample necessary to prove he was the murderer and rapist who had eluded law enforcement for decades.

Genetic Genealogy Comes Along

With the advent of cheap genetic profiling, several companies sprang up with the goal of tracing ancestry (and possible risk of genetic disease) via direct-to-consumer (“DTC”) DNA profiling in which a customer submits an oral swab for SNP DNA profiling and placement of the DNA profile in the company’s database. 23andMe and Ancestry are the best-known genetic genealogy companies. Both maintain “closed” databases, only allowing profiles developed by the company on their database. While both also stated that they would never share the information they obtained from their customers’ samples with third-parties, other companies made no such promise. Further, recent events have shown both companies to be vulnerable to hacking and manipulation of their systems to gain access to, or the ability to infer, SNP profiles of customers.

GEDmatch is a type of non-DTC genetic genealogy company with an “open” database. Its customers get a DNA profile from a DTC company then upload it into the GEDmatch database without charge. GEDmatch algorithms allow comparisons of profiles developed by different companies, making it more likely that useful information is discovered.

FamilyTreeDNA is another company that is both DTC and has an open database. Customers can submit DNA buccal swabs to FamilyTreeDNA and have it develop a profile or upload a profile developed by another company.

The Genealogy Component of Genetic Genealogy

Whereas genetics is a relatively new science with the ability to profile DNA being newer still, genealogy itself is a centuries old discipline that evolved from “a sleepy, prim discipline of aristocratic origins” into a field primarily practiced by self-educated hobbyists who are interested in tracking down their own ancestors by building out a family tree. Perhaps the lack of professional genealogist can be explained by the requirements of traditional genealogy.

Genealogists spend many hours poring over records that might mention ancestors of the target person. These traditionally include governments records such as birth and death certificates and marriage licenses as well as newspaper articles, obituaries, and school and church records. The advent of the Internet and search engines sped up the processing of those records while adding additional sources of information such as social media accounts. One can only speculate how the emergence of artificial intelligence will affect the future of genealogy.

However, the labor intensity of genealogy as it currently stands makes it an expensive undertaking, so doing it yourself is an attractive option. Hence, the skew toward hobbyist genealogists.

Law Enforcements Shocks Companies by Secretly Using FGG

In April 2018, California law enforcement submitted a DNA sample collected from the victim of a cold case rape/murder to GEDmatch and used the results to identify the Golden State Killer, a serial killer who committed 13 murders, at least 50 rapes, and over 100 burglaries in California between 1974 and 1986. The killer turned out to be retired police officer Joseph James DeAngelo, Jr., who pleaded guilty to the murders in exchange for a life sentence.

Law enforcement officials did not identify the submitted DNA profile as coming from a murder case or being in any way related to crime solving. They did not identify themselves as law enforcement to GEDmatch. This “off-label” use of FGG shocked the FGG companies that had repeatedly assured users that their privacy would be respected. Intense media attention about the Golden State Killer case put that claim in doubt. More importantly, none of the FGG companies had a policy regarding law enforcement use of their databases, overt or otherwise. However, the public’s response to finding a serial killer using FGG was overwhelmingly positive. New entries in the GEDmatch database surged.

In May 2019, GEDmatch modified its policies to allow law enforcement to use its database to identify perpetrators of sexual assaults and murders. Less than a year later, it violated that policy by allowing law enforcement to use its database in a case that involved neither sexual assault nor murder. This led the company to again modify its policy to permit law enforcement to use its database to solve other violent crimes, such as robbery and aggravated assault, provided they fell within the FBI’s definition of “violent crime.” It also allowed authorized organizations to use its database to identify human remains. This made GEDmatch the go-to FGG database for law enforcement.

The same month, GEDmatch instituted an opt-in for its users to allow law enforcement to use their DNA profile. The company set the default as “opt-out” for all current and new users, but between 75% and 80% of new users opted in (compared to less than 25% of prior users). Further, after all of the publicity GEDmatch received as a result of the Golden Gate Killer case, the number of new users uploading a DNA profile daily grew from 1,500 to 5,000.

In 2018, FamilyTreeDNA adopted a policy permitting law enforcement to use its database to identify violent criminals and human remains. It is the only major DTC company to do so. Although it has an opt-out option, FamilyTreeDNA set all user settings and default settings to opt-in, permitting law enforcement unfettered access to virtually its entire database.

The Contribution of
Citizen Scientists

Hobbyist or “citizen-scientist” genealogists have been crucial and necessary components to many cases using FGG, but the path to clearing a case has not always been smooth and not without false accusations. In one of the earliest cases in 2011, physicist and former NASA contractor Colleen Fitzpatrick worked with detectives in the state of Washington to help identify the killer of a high school girl using Y-DNA. Fitzpatrick concluded the killer was a descendent of Robert Fuller. That tip led police to suspect a neighbor and family friend who was eventually proven innocent.

In 2018, Idaho Falls detectives secured a warrant compelling Ancestry to allow access to its Sorenson database in an attempt to identify the person who raped and murdered 18-year-old Angie Dodge. They wanted to know the name of a man who had submitted his Y-DNA profile because it showed a close genetic relationship with DNA recovered from the crime scene. The disclosure led them to Michael Usry, who was then proven innocent using STR DNA profiling.

Ancestry closed its open Sorenson database because of the Usry incident and adopted a closed database model.

Even the much-celebrated case of the Golden State Killer was not without its hiccups. According to Barbara Rae-Venter, she had been pursuing genetic genealogy as a post-retirement hobby in March 2015 when Deputy Peter Headley contacted her. He wanted her to help with the identification of Lisa Jensen, a woman who had been abducted as a child and whose identity was then unknown. Solving the Jensen case led Headley and Rae-Venter to discover that whoever had abducted Jensen was a prolific serial killer.

The success in the Jensen case prompted Paul Holes, the lead criminal investigator in the Golden State Killer case, to ask Rae-Venter to work on the case. Rae-Venter’s only qualifications were that, since retiring from being a patent attorney, she had been assisting a newfound cousin with genealogy. She had also been volunteering as a “search angel” who uses DNA matches to help build family trees and solve genealogy issues.

Cynthia “CeCe” Moore is perhaps the most famous FGG genealogist. Moore began her career helping people use DTC genetic databases to solve maternity ward mix-ups, help adoptees and foundlings find birth parents, and identify unknown fathers. She is known for her “outside-the-box” thinking when tracking down genetic ancestors, earning her the nickname, “Miss Marple of Genealogy.”

In 2013, Moore established DNA Detectives, a group designed to bring together parentage seekers and those who could either solve their cases or train them to solve it themselves. It has more than 170,000 members on Facebook.

For years, Moore was wary of applying her techniques to criminal cases. Then FGG was used to solve the Golden State Killer case. The story’s widespread exposure and overwhelmingly positive reception eased her qualms about the database users’ consent, and within days, she was working on her first murder case.

Moore is known for the first FGG-based exoneration of an innocent man and the first jury conviction resulting from FGG. She was featured on 60 Minutes in October 2018. The segment focused on cold-case breakthroughs. This resulted in a deluge of requests for assistance.

Moore also co-founded the Investigative Genetic Genealogy Accreditation Board in an attempt to develop standards and bring some order into the unorganized and underregulated FGG field, which has been described as “the wild west” by FGG experts. Moore is personally involved in closing over 200 FGG cases and is currently the chief genealogist for Parabon Labs, a new type of FGG company that specializes in helping law enforcement identify suspects and UHRs using FGG.

What Are the Privacy Concerns?

The problem with unfettered access to genetic genealogy databases is that they contain a wealth of information about the profiled individuals, well beyond to whom they are related. The companies claim they can determine the propensity for certain medical conditions, personality traits, food preferences, athletic abilities, and other personal characteristics from their SNPs profiles. One company claims it can determine a person’s facial appearance, including “skin color, eye color, hair color, freckles, [geographic] ancestry and face shape.”

To conduct an FGG search, law enforcement must necessarily search the records of many individuals who are not involved in or even suspected of a crime. They may also be led to the wrong person, as was the case with Michael Usry. Even in the seminal case of the Golden State Killer, two other men were asked by police to submit DNA samples before the actual perpetrator was identified. Whether they were considered suspects by police or merely being used to attempt to eliminate branches of the family tree is disputed, but it is likely that they, like Usry, were quite nervous after having been approached by police and asked for a DNA sample in connection with a murder. It must have been a profound relief when, weeks later, the test results eliminated them as suspects.

In this vein, FGG searches come very close to the general search warrants prohibited by the Fourth Amendment to the U.S. Constitution. The U.S. Supreme Court has yet to rule on privacy concerns connected to FGG searches. The closest case to date is its approval of taking buccal swab DNA samples from persons arrested for or convicted of a crime for the purpose of entering a profile in CODIS. Maryland v. King, 569 U.S. 435 (2013).

King predated FGG by several years and differed in that it involved CODIS profiles, which contain only a tiny fraction of the information contained in SNPs profiles, and people arrested by police, not ordinary people participating in genetic genealogy. Even so, in a dissenting opinion, Justice Antonin Scalia rather presciently questioned the practice of taking DNA from arrestees for purposes other than identification in the crime they are charged with and creating a database of the DNA profiles derived from them.

“Perhaps the construction of such a genetic panopticon is wise. But I doubt that the proud men who wrote the charter of our liberties would have been so eager to open their mouths for royal inspection,” wrote Scalia, referencing the Utilitarianist John Stuart Mill’s 19th-century design for a prison in which guards could see into the isolated prisoners’ cells at all times that had to be abandoned because it drove the prisoners “quite mad.”

University of Maryland Carey School of Law professor Natalie Ram, who is an expert on genetic privacy, calls FGG “a giant fishing expedition that fails the particularity requirement of the Fourth Amendment: that law enforcement searches be targeted and based on reasonable individualized suspicion.” According to Ram, FGG “is fundamentally a search of all of us every time they do it.” The panopticon is currently synonymous with both an idea that sounds great but fails in its execution as well as a total lack of privacy. 

Corporations’ Protection of Customers’ Privacy

The largest DTC companies, 23andMe and Ancestry—which combined have 32 million profiles in their databases—have policies prohibiting law enforcement use of their databases without a court order. The problem with that is there may not be a way to determine whether a sample was submitted by law enforcement since both companies allow customers to use pseudonyms. This is exactly what happened in June 2021 when the Riverside Cold Case Homicide team identified the victim of a 1996 homicide using MyHeritage without a court order—an explicit violation of company policy requiring a court order for any law enforcement use of its database.

“The case presents an example of ‘noble cause bias’ in which the investigators seem to feel that their objective is so worthy that they can break the rules in place to protect others,” wrote veteran genetic genealogist and privacy advocate Leah Larkin.

23andMe has repeatedly been the target of successful computer hacks that exposed customer information. Also, 23andMe has recently come under economic pressure as the early adopter market for DTC genetic genealogy dried up, and despite corporate statements claiming it would never make customers’ DNA profiles available to third parties, it listed the possibility of selling the profiles among its assets. This emphasizes the fact that corporate policy is a poor substitute for constitutional protection when it comes to privacy. Corporate policies are subject to change at any time due to economic pressures, changes in corporate officers, or acquisition by another company. This is precisely what happened in January 2021 when GEDmatch changed its policy to opt in all of its profiles for UHR identification searches without notification to or input from its customers.

All of the companies maintaining databases claim that customers’ genetic data is not at risk of exposure because they do not provide law enforcement or anyone else raw SNP profile data. However, it was recently revealed that there were tools in the databases that allowed users to infer the SNP profile of the match being examined and a “loophole” in the GEDmatch software that allowed law enforcement to access and use the profiles of users who had opted out.

The loophole came to light when Cairenn Binder, a genealogist who heads up the Investigative Genetic Genealogy Center’s certificate program, was involved in simulated trial testimony for a presentation by attorney and DNA expert Tiffany Roy called “In the Hot Seat.” The idea was to acclimate genealogists to giving trial testimony and the single instruction Roy had given was “do not lie.”

Roy, playing the part of defense counsel during cross-examination, asked Binder if she was aware of a loophole in the GEDmatch software that allowed access to opted-out profiles. Binder not only “testified” that she was aware of the loophole but admitted having used it around a dozen times herself. The DNA Doe Project and even such FGG luminaries as Moore have also admitted to having used the loophole. Some even admitted covering up their use of the loophole.

“If we can’t trust these practitioners, we certainly cannot trust law enforcement. These investigations have serious consequences; they involve people who have never been suspected of a crime,” said Roy who believes a search warrant should be required for an FGG search. “Anything less is a serious violation of privacy.”

Networked Privacy

Uploading your SNP profile to a genetic genealogy database also uploads 50% of the DNA profile of your parents, siblings, and children and a lower percentage for more distant relatives. If only a few close relatives upload their profiles, your entire profile will be in the database, albeit distributed among the relatives’ profiles. This raises the difficult question of whether you have any privacy rights or interests when a relative, especially a close relative, uploads their DNA profile.

Moore first ran into this concept when she attended a genetics conference in 2012 and asked two Native American women who were on a panel whether they had taken a DTC test. “The women explained that they wouldn’t take a test without consulting everybody else in the tribe, because they’d be making the decision for everybody,” said Moore.

It was an eye-opening moment for Moore, who had previously not considered the fact that people who were uploading their profiles to SNPs databases were effectively making the decision for other people to have their profiles in the database. This now applies to the entire country, Moore noted.

“It all happened under the radar, and it doesn’t really matter if you’re opposed: It’s a collective decision that’s already been made. A lot of what the privacy advocates have said I agree with. But 30 million people made that choice for everybody else.”

This represents what tech anthropologists call “networked privacy,” which really means lack of privacy as the term describes how you are exposed and your choices diminished or undone when others share things about you that you did not want to make public. Thus, the problem of privacy, or lack thereof, in FGG searches has become one that is as much a question of philosophy as it is one of law.

Law Enforcement Secrecy About Using FGG

As noted above, in a successful case involving an FGG search for a perpetrator, the last step is typically police obtaining a discarded item containing DNA that is used to confirm the perpetrator’s identity using a CODIS profile. It is well established that police can take discarded items and test them without a warrant, California v. Greenwood, 486 U.S. 35 (1988), and the admissibility of CODIS profiles is well established, Maryland v. King, 569 U.S. 435 (2013). Thus, those aspects of an identification are rarely challenged.

The problem is that police usually start their narratives, and the documents which prosecutors turn over to the defense, with the successful CODIS search, omitting the use of FGG altogether. Consequently, FGG has not been the subject of much in the way of court challenges, and little is known about how investigations actually proceed.

“We don’t actually know how many people who have placed their data in these online databases are subject to forensic uses,” said Stephanie Malia Fullerton of the University of Washington School of Medicine’s Department of Bioethics. “We also don’t know how these partial genetic matches are used, and we can speculate about the possible harms, but we don’t know what exactly is involved or who is contacted.”

In a few cases, including the celebrated Golden State Killer case, it is known that police or the FGG company or genealogists working with them approached people genetically related to the suspect and asked them to submit a DNA sample or in some instances even mailed an SNP DNA sampling kit under the false pretense of being a gift from a relative. Police claim this is a part of narrowing down the genealogy search by eliminating branches of a family tree. However, due to the aforementioned secrecy, none of these methods have been subject to court scrutiny.

A recent court decision reinforced the secrecy surrounding law enforcement use of FGG. In Buzzfeed, Inc. v. United States Department of Justice, 2023 U.S. Dist. LEXIS 185893 (D.D.C. 2023), the Court ruled that the U.S. Department of Justice could exempt much of the information requested by Buzzfeed relating to its communications and contracts with companies involved in FGG. The Court held that the documents were exempted from FOIA disclosure because the information was “confidential” and its release could cause harm to the company and might be used in future criminal prosecutions.

Court Challenges to FGG Searches

In one of the rare published cases involving a defendant challenging the use of a FGG search based on privacy, the Court of Appeals of Washington upheld the trial court’s denial of a criminal defendant’s motion to suppress FGG search results because the defendant, who was convicted of felony murder in connection with the 1993 rape and murder of a 12-year-old girl, had “no privacy interest in commonly held DNA that a relative voluntarily uploaded to a public database that openly allowed law enforcement access”—GEDmatch accessed via Parabon NanLabs. State v. Hartman, 534 P.3d 423 (Wash. Ct. App. 2023). The Court also ruled that the defendant had no privacy interest in DNA abandoned at the crime scene.

In State v. Boretree, 2021 Ohio App. LEXIS 2828 (2021), the Court upheld the trial court’s denial of a general challenge to the admissibility of an FGG search performed by AdvanceDNA under contract with police that was used to identify him as the perpetrator of a 1993 attempted murder in connection with kidnapping and rape. However, the conviction was later reversed by the Supreme Court of Ohio on statute of limitations grounds. State v. Bortree, 212 N.E.3d 874 (Ohio 2022).

In an interesting and related civil case, Leslie v. City of New York, 2023 U.S. Dist. LEXIS 49775 (S.D.N.Y. 2023), residents of New York City are challenging, on Fourth Amendment grounds, the NYPD’s warrantless practice of covertly collecting DNA from a person’s discarded trash, using it to obtain a CODIS or FGG profile, then storing that profile on the city’s database for years regardless of whether a person is charged with (or suspected of) committing a crime. The targeted person could, for instance, merely be suspected of being a gang member or associated with a gang. If successful, this lawsuit may chart a path for challenging similar DNA collection in criminal cases. The initial cases make it seem unlikely that courts will require warrants for FGG searches. But the higher courts have yet to weigh in on the matter.

What Standard to Use?

A major question in future court decisions regarding privacy and FGG searches will be what the appropriate standard is. The courts will likely use one of two existing standards in analyzing FGG privacy interests. The first is the “reasonable expectation of privacy” standard set forth in Katz v. United States, 389 U.S. 347 (1967). In deciding whether a telephone booth could be bugged without a search warrant, the Katz Court determined that to have a legitimate Fourth Amendment claim, a person must have “an actual (subjective) expectation of privacy” that “society is prepared to recognize as reasonable,” like one has when using a public phone booth. This “reasonable expectation of privacy” test replaced the previous determination of whether the intrusion constituted a physical “trespass” and became the standard for analysis of Fourth Amendment issues for the next 34 years.

Technology forced the Supreme Court to re-examine Katz’s declaration that the Fourth Amendment protects people, not places, when faced with police using thermal imaging to detect relative amounts of heat within a house. The Court in Kyllo v. United States, 533 U.S. 27 (2001), held that the imaging constituted an intrusion into a constitutionally-protected space—the home.

In United States v. Jones, 565 U.S. 400 (2012), the Supreme Court clarified that “the Katz reasonable-expectation-of-privacy test had been added to, not substituted for, the common-law trespassory test” when it held that placing a GPS tracking device on a car constituted a Fourth Amendment search in that it was a physical trespass upon Jones’ property.

Since Jones, the reasonable expectation of privacy test from Katz has been applied to collection of cellphone location and cell-site location information. Carpenter v. United States, 138 U.S. 2206 (2018). It seems likely that, since there is no physical intrusion involved in an FGG search, courts will apply Katz to privacy-based challenges to FGG searches. That seems to be what the Hartman Court did without specifically stating it. However, Hartman’s SNP profile revealed that he was bald and likely was bipolar or had a substance abuse disorder, sensitive medical information in which it could be argued one has a reasonable expectation of privacy. Only time will tell whether such an approach will be successful.

How Defense Attorneys Can Challenge FGG Searches

Besides the aforementioned privacy issues, defense attorneys can challenge FGG searches on a number of issues. One of which is the lack of certification of genealogists and the lack of validation of both their methods and the scientific methods used in FGG. Therefore, a defense attorney contemplating a challenge to how FGG was used in a specific case must use the tools of discovery to determine who played what role in the FGG investigation and what methods were used as well as any validation studies that have been performed to determine the accuracy and limitations of those methods.

It is also important to determine whether the samples used were degraded or mixtures, both of which can increase the likelihood of lab errors. Further, mixtures can implicate another suspect. Therefore, it is important to determine how many profiles were generated by the sample.

The similarity of two SNPs profiles is measured in centimorgans (“cMs”), a measure of how likely it is for a longer DNA segment to be passed on to a descendent intact. The closer the relationship, the longer segments are shared. Parents, children, and siblings typically share 2,000–36,000 cMs of a person’s DNA. First cousins only share 425–1,100, but that is also in the range shared by grandparents/children, great-grandparents/children, half-siblings, and great uncles/aunts. Thus, it is essential that defense attorneys discover the cMs of each profile used to trace the alleged family tree of a suspect profile and the logic used to assign an identity to the profile based on the cMs.

Other Complicating Factors
for FGG Searches

The very sensitivity of DNA collection may be its worst enemy. As shown in the Amanda Knox case, small amounts of DNA can be easily transferred to another person (brush transfer) and from that person to an object never touched by the DNA donor (secondary transfer), leading to a wrongful conviction. Something similar happened in Germany when a contaminated cotton swab had police erroneously looking for a murderer in the Romani (“gypsy”) community for two years.

Researchers seeking better ways to track sea turtles discovered human DNA in all kinds of unexpected places—creek water, snow, honey, and even floating around in the air in “surprising” levels. The DNA was of high enough quality to derive CODIS or SNPs profiles. Further, DNA testing has already been in use to monitor disease levels in wastewater, and the identifiable DNA of 40 different humans were found on a dog’s head fur. Consequently, there are many potential sources of DNA contamination in everyone’s environment.

The researchers who have been seeking to further explore the origin and content of human DNA in the environment (referred to as eDNA) have run into the roadblock of ethics panels rejecting research proposals based on medical and scientific ethics. Ironically, law enforcement operates under no such constraints.

“There’s an imbalance in almost all systems of the world between what law enforcement is allowed to do, versus publicly funded research, versus private companies,” observed University of Vienna professor Barbara Prainsack, who studies the regulation of DNA technology in medicine and forensics.

“It’s a total wild west, a free for all,” said New York University School of Law professor Erin Murphy, who specializes in the use of new technologies in the criminal legal system. “The understanding is that police can sort of do whatever they want unless it is explicitly prohibited.”

What to Expect in the Future

Police estimate there are over 200,000 unsolved major criminal cases involving DNA evidence in the U.S. The enormous power of FGG to solve even decades-old cases makes it unlikely that the courts will subject it to any meaningful restraints. It is possible that a search warrant will be required, but such a requirement is unlikely to come from the courts. Instead, it is more likely that legislative bodies will enact regulations concerning FGG searches. Two have already done so.

Montana requires that a search warrant be issued before performing any kind of DNA database search. Mont. Code 44-6-104 (2021). Maryland’s regulations are more comprehensive, requiring judicial authorization for FGG searches and for covert DNA collection, limiting the types of crimes FGG searches may be used to investigate, and requiring law enforcement to first pursue all reasonable leads and use government DNA databases before seeking FGG authorization. Md. Code Crim, Proc. § 17-101 (2022).

The U.S. Department of Justice (“DOJ”) has also issued interim rules limiting FGG searches to violent crimes and prohibiting FGG results from being the sole basis for an arrest. However, the rules have not been finalized or formalized and only apply to federal agencies and other agencies that receive federal funding. Unsurprisingly, the FBI has already ignored the DOJ interim rules in at least one case.

FGG searches may also be affected by questions regarding the “informed consent” being given by customers to use their SNP profiles for law enforcement purposes. Bioethicists have noted that few people actually change default settings or read the terms of service, although they become binding under the DTC companies’ so-called “wrap contracts” (basically, if you use the service, you are accepting the terms of service).

There is support for the bioethicists’ claim. When GEDmatch changed all users’ settings to opt out of law enforcement use but allowed them to change the setting to opt in, fewer than one in five did so. Yet, three out of four new GEDmatch users, whose default setting is opt-in, keep the setting at opt-in. Perhaps this is why the European Union General Data Protection Regulation required FamilyTreeDNA to change its default to opt-out for its European users. The default for U.S. users remains opt-in.

State legislatures will be the most likely source of privacy protection with respect to FGG searches in the future. Hopefully, Maryland’s clearly-written and comprehensive statute will serve as a template for similar statutes in other states. Congress could enact similar legislation. This is unlikely to happen in the near future given its near-inability to pass meaningful legislation due to the strong partisan divide in Congress.

Examples of Cases Cleared and Bodies Identified Using FGG

The power of FGG is hard to overstate given the astonishing and growing number of cases cleared using the method. Some notable cases include the use of FGG to match DNA found on the button of a knife sheath at the scene of a quadruple murder to the father of the person charged with the murders. The victims, all students at the University of Idaho, were murdered during the night at an off-campus house in late 2022. Police had no suspects until FGG identified the DNA from the knife sheath. They covertly took items from Bryan Kohberger’s father’s trash and confirmed the FGG results using CODIS-style testing.

Critics contend police had enough evidence from other sources to arrest Kohberger without using FGG. Kohberger is one of the few criminal defendants to find out about police use of FGG in his case prior to trial. He is contesting its use in what may be a precedent-setting case.

In what may have been the first use of FGG to identify UHRs, on April 10, 2018, about two weeks before the announcement that the Golden State Killer had been identified, GEDmatch was used to identify the body of a young woman who had been found strangled and beaten along a roadside in Miami, Ohio, on April 28, 1981. She had formerly been known only as “Buckskin Girl” because of a buckskin poncho she had been wearing.

In 2022, FGG was used to solve the sexual assaults of two Rhode Island girls, ages 11 and 13, in 1987. The FGG investigation began in 2019, following the publicity of the Golden Gate Killer case. It led to the arrest of Frank Thies, 66, of Terre Haute, Indiana. He was charged with one count of first-degree sexual assault and two counts of first-degree child molestation.

In October 2021, FGG accomplished the identification of the body of a woman found raped and strangled near a Woodlawn, Maryland, cemetery in 1976. Previously known as “Woodlawn Jane,” she is now known to be Margaret Fetterolf, who was 16 and a serial runaway when she was murdered. The identification became possible after Fetterolf’s cousin, Shannon McAdoo, a hobby genealogist, uploaded her SNPs profile to an open genetic genealogy database.

In an unusual twist, the victim of a 1987 rape in Dallas read about FGG in 2021 and contacted cold case detectives and prosecutors in Dallas, urging them to use it to solve her case. A previous run on CODIS did not identify the perpetrator but did show that the same man had committed three other rapes in Dallas and two in Shreveport. The 2021 FGG search would reveal more.

“I got an email from a woman telling me about this incredible case about an unsolved serial rapist in Dallas,” said Dallas County cold case prosecutor Leighton D’Antoni, who took the case to the FBI to run an FGG profile. “We identified our suspect within 24 hours.” An STR profile from discarded trash confirmed that David Thomas Hawkins committed the rapes.

New Hampshire investigators began an FGG investigation of the 1981 murder of Laura Kempton, 23. They soon publicly identified the perpetrator as Ronnie James Lee, who died of acute cocaine intoxication at the age of 45 in 2005.

Ozark, Alabama, police worked with Parabon NanLabs to identify the man who killed two 17-year-old girls in 1999. In 2019, they arrested Coley McCraney, a truck-driving preacher who had lived a crime-free life since then.

The Sheriff’s Department in Douglas County, Colorado, was able to clear the 1980 abduction, rape, and murder of 21-year-old Helene Pruszynski using FGG. The break came when a distant cousin of suspect James Clayton put her 23andMe profile on GEDmatch after reading about the Golden State Killer case.

A cursory search on LEXIS legal news yields some recent FGG cases:

According to the October 5, 2023, Palm Coast Observer, Othram used FGG to identify as Roberta “Bobbie” Lynn Weber the body of a woman found murdered in Daytona Beach, Florida, in 1990.

The October 6, 2023, Cincinnati Enquirer reported that FGG was used to identify Robert Stewart who was then indicted for the February 2003 murder of Herman Brown, 46.

According to an episode of 48 Hours aired on CBS, on November 18, 2023, FGG was used to identify Patrick Nicholas as the killer of Sarah Yarborough, 16, in King County, Washington, on December 13, 1991.

The December 7, 2023, Orlando Sentinel reported that the body of Eileen Trooper, who was 41 when she was murdered in South Florida in 1998, was identified using FGG. It also showed her to have been a victim of Florida serial killer Lucious Boyd, who currently resides on the state’s death row.

On January 8, 2024, The Miami Herald reported that FGG showed William Taylor, who died on May 19, 2022, to have been the perpetrator in the May 15, 1982, stabbing murder of Kevin McBride, 47.

The January 15, 2024, Galaxy Gazette reported that Othram had used FGG to identify the skeletal remains found in September 2022 as a five-year-old boy who had been missing since 2003, Logan Bowman.

UPI.com reported on January 24, 2024, that the last unidentified remains of the “Green River Killer,” Gary Ridgeway, had been identified by Othram using FGG. Tammie Liles was a 16-year-old Seattle prostitute when she became one of Ridgeway’s 49 known victims.

On January 31, 2024, according to the Independent, FGG resulted in the identification of Kevin Konther, who was 58 when he was sentenced in February 2023. Konther was arrested in 2019 along with his twin, whom be tried to frame for the rape of a 9-year-old girl in 1995 and a 32-year-old woman in 1998.

On February 2, 2024, the Lansing State Journal reported that FGG had been used to identify Douglas Laming, 70, as the person who raped and murdered Karen Umphrey in 1980. It reported that Othram and its DNA Solves database—which was started by the husband-and-wife team of David and Kristen Mittelman in 2018 with the express goal of assisting law enforcement—was used to close the case.

On February 21, 2024, the Madison (Indiana) Courier reported that the body of a pregnant woman discovered in May 1992 in a flooded Fort Wayne basement had been identified as Tabetha Ann Murlin using FGG. The identification was simplified by the presence of the profiles of her father, late mother, and two aunts in the database.

Conclusion

Those examples, taken from a few months of media reports, show the speed at which FGG is being used to close cold cases and put a name to UHRs. In 2022, Swedish police used FGG to identify the perpetrator of a double homicide, a first such use in the EU. Police in the Philippines are using FGG to identify the fathers of underage sex workers’ babies showing the spread of FGG around the world. This spread can be expected to continue.

It may also drastically expand in the U.S. if other universities follow the lead of the University of North Texas Health Science Center’s Center for Human Identification Laboratory. The laboratory will soon be fully accredited to perform forensic genealogy and law enforcement agencies will be able to use that resource without cost. This effectively eliminates the biggest constraint on law enforcement’s use of FGG—its high cost.

Even without universities providing free FGG, we can expect the use of the method to increase as law enforcement agencies become accustomed to it and increasing rely upon it. We can also expect that police will favor using it in more and different kinds of cases unless prevented from doing so by laws or court rulings. After all, it is much easier to turn the investigative work over to the scientists, technicians, and genealogists than to do it yourself.  

Sources: nytimes.com, familytreemagazine.com, nib.gov, academic.oup.com, science.org, reuters.com, crime-scene-investigator.net, hudsonalpha.org, theintercept.com, eff.org, sagepub.com, apnews.com, northeastern.edu, washingtonpost.com, wfaa.com, abcnews.com, al.com, uncovered.com, llalive.com

Subscribe today

Already a subscriber? Login