by Matt Clarke

 

Millions of people have submitted oral cheek (buccal) swab samples to companies like 23andMe and Ancestry hoping to use their DNA to trace their ancestors and locate relatives in a process known as genetic genealogy. By comparing their DNA to that of other customers, the companies can determine whether, and to what degree, two customers are related. By comparing the DNA to that of known historic figures and their descendants, the companies can determine whether a customer has a famous ancestor. It is also possible to determine what geographic regions the customers’ ancestors came from and susceptibility to some diseases.

More recently, law enforcement has been using the information in the same genetic genealogy companies’ databases to establish the identity of unidentified human remains (“UHR”) and identify suspects using DNA collected at a crime scene. This “off-label” use of genetic genealogy, known as forensic genetic genealogy (“FGG”) or investigative generic genealogy, has been used to solve decades-old cold cases. FGG has also raised a red flag about the privacy of information stored in massive databases by internet-based companies

What Is DNA?

DNA is a complex molecule made up of chemical units known as nucleotides. Only four nucleotides – Adenine (“A”), Guanine (“G”), Cytosine (“C”), and Thyinine (“T”) – are used in constructing the molecule of DNA. The molecule consists of two long strands that are twisted in a spiral called a double helix, somewhat like a ladder twisted into a spiral. The nucleotides along the length of the strands are strongly bonded to one another but only weakly bonded to the nucleotides across from them in the other strand. Like in real life, the legs of the ladder are much stronger than the rungs. This arrangement allows an enzyme to open up (or unzip) the DNA ladder along its rungs, separating the strands.  

The nucleotides will strongly bond to any other nucleotide that is next to it in the strand (leg of the ladder), but A will only establish a weak bond with T in the other strand (across the rung of the ladder). Likewise, G will only establish a weak bond with C. Thus, an unzipped strand of DNA that is awash in a soup of nucleotides will force those nucleotides to assume a specific conformation while building a complementary strand: a T for each place that an A appears on the unzipped strand; a G for a C; an A for a T; and a C for a G. This is the exact conformation of the other unzipped strand of DNA. Thus, the two unzipped DNA strands can produce two DNA strands that are identical to the original molecule and accomplish replication.

DNA contains the basic coding for life. The number of nucleotides along with their sequence make up the genome that is unique to a species. The human genome consists of 3.2 billion nucleotides contained within 46 molecules of DNA, each wrapped around a protein core in a configuration called a chromosome. Each person inherits 23 chromosomes from each parent with similar chromosomes associating into 23 pairs of chromosomes in most cells.

It took 10 years and $3.2 billion to map the human genome, an effort that was completed in 2003. Within five years, inexpensive genotyping chips capable of determining hundreds of thousands of Single Nucleotide Polymorphisms (“SNPs,” pronounced “snips”) appeared on the market. The number of SNPs genetic genealogy companies identify in their propriety tests are limited to one million due to cost considerations. Most identify around 650,000 SNPs, less than 1% of the validated human SNPs. They focus on the protein-coding regions of the chromosomes, parts responsible for the attributes that make one human being different from another such as hair color, eye color, skin tone, and many other differences that may not be readily visible.

Looking at SNPs is simply a way of focusing on the places where DNA tends to be different between different people. Since any of the four nucleotides can appear at those single points along the strand, it can take on many polymorphic different appearances morphisms. That makes those locations, which might, for instance, determine the shape of an eye or a hairline or how the immune system recognizes something as belonging in the body, unique among people who are not identical twins.

Since our DNA is a fairly random mixture of the DNA belonging to our parents, we share a lot of similar SNPs with them and with anyone else we are closely related to. The more distant the relationship, the fewer SNPs we have in common.

First Law Enforcement Use of DNA

In 1984, scientist Alec Jeffreys developed methods of using enzymes to cut DNA into fragments and gel electroporsis to separate the fragments according to weight and electrical charge, yielding a unique DNA pattern somewhat similar to a bar code. It was often, and somewhat misleadingly, labeled a “DNA fingerprint.” That early method, restriction fragment length polymorphism (“RFLPJ”), required large sample sizes and relatively uncontaminated samples, limiting its usefulness to law enforcement, which often deals with small, contaminated samples collected from a crime scene. It could sometimes be used to find the perpetrator among a group of suspects, but it could not identify someone who was not already in the suspect pool.

Despite its limitations, the DNA fingerprinting method was soon used by police in the U.K. to identify the perpetrator of two rape-murders. However, it required police to request that the male population between 17 and 34 years of age in Narborough to submit to “voluntary” DNA fingerprinting, so they could either identify the perpetrator outright or focus their attention on those who refused to be tested. Social pressure led over 4,500 men to cooperate.

The perpetrator had convinced a co-worker to provide a blood sample in his place. Police learned of the deception, and their investigation led to his arrest and conviction. The testing also cleared the former prime suspect whom police had badgered into giving an impassioned false confession.

It is doubtful whether such a “DNA dragnet’’ could pass constitutional muster in the U.S. Nonetheless, DNA fingerprinting using the RFLP method was used to identify suspects and gain convictions in many U.S. courts, becoming the “gold standard” for forensic evidence for a decade.

The Beginnings of DNA Databases

In 1987, Jeffreys developed a DNA profile that could be derived from smaller samples than were required for a DNA fingerprint and could be coded as a series of numbers, making it possible to create DNA profile databases.

Over time, scientists developed methods to amplify small samples, the polymerase chain reaction (“PCR”), and clean up contaminated and mixed samples to a degree, increasing the usefulness of DNA to law enforcement. However, several different commercial DNA laboratories had competing PCR-based systems looking at different parts of the human genome that were not necessarily compatible with one another.

CODIS Arrives

To increase the usefulness of DNA identification, it was necessary to standardize which parts of the DNA strand was being examined so that one lab’s results could be compared to that of another. Optimally for such purposes (but certainly not so for privacy and civil rights considerations), the government would collect the DNA profiles of everyone in the country and put them into a database that could be used to compare them to DNA from crime scenes and unidentified bodies. This is unlikely to happen in the U.S. due to privacy concerns constitutional safeguards, but standardization of DNA profiles is clearly possible and only requires that a national organization take the lead and set the standards.

In 1990, the FBI began a pilot software program that, in 1994, Congress authorized its implementation as the Combined DNA Index System (“CODIS”), a national database of standardized DNA profiles from people who have been arrested or convicted of crimes created by unifying the federal database with those of the states. 42 U.S.C. § 14132(a) (1994) (later transferred to 34 U.S.C. § 12592). Currently, CODIS contains the profiles of 14.7 million convicted persons, 4.4 million arrestees, and 1.1 million forensic subjects. However, despite its collection of millions of profiles, CODIS cannot identify a person whose profile is not in its database of well under 10% of the U.S. adult population.

The DNA testing method used for CODIS profiles was PCR-amplified Short Tandem Repeat (“STR”) analysis. A CODIS profile was created using PCR and gel electrophoresis to examine 20 highly-variable STR locations (“loci”) in non-protein-coding sections of the DNA, yielding 40 datapoints.

The effectiveness of CODIS was limited by the small percentage of the population in the database. Further, CODIS profiles could not be used to identify persons genetically related to the donor of the unknown DNA sample from a crime scene or UHR unless the relationship was as close as a father and son. Further, the perpetrators of the type of crime most likely to leave DNA samples behind – sex offenses and murders – were also among the least likely to have previously been convicted of a crime and thus be in the CODIS database. What was needed was a larger database and testing that could identify people genetically related to the donor of the unknown sample. Surprisingly, the private sector would soon provide just that.

Beginnings of Forensic Familial DNA Testing

Despite its limitations, the first forensic familial DNA search was accidentally conducted by British police on an STR database when a submitted sample from a decades-old cold case partially matched an STR profile in 2002. The profile on the database turned out to be that of the son of the perpetrator of multiple rapes.

Familial searches require different software from standard CODIS-matching searches. In 2008, California became the first state to implement familial DNA searching on its STR DNA databases. In 2010, Lonnie Franklin, Jr. was identified via a familial DNA search on a California government database as the “Grim Sleeper,” who was responsible for at least 10 murders of young women in Los Angeles. Franklin’s son’s DNA had recently been added to the database because of a weapons charge. The closeness of his DNA to that of the Grim Sleeper led police to initiate surveillance on his father. A discarded piece of pizza provided the sample necessary to prove he was the murder and rapist who had eluded law enforcement for decades.

Genetic Genealogy Comes Along

With the advent of cheap genetic profiling, several companies sprang up with the goal of tracing ancestry (and possible risk of genetic disease) via direct-to-consumer (“DTC”) DNA profiling in which a customer submits an oral swab for SNPs DNA profiling and placement of the DNA profile on the company’s database. 23andMe and Ancestry are the best-known genetic genealogy companies. Both maintain “closed” databases, only allowing profiles developed by the company on their respective database. While both also stated that they would never share the information they obtained from their customers’ samples with third-parties, other companies made no such promise. Further, recent events have shown both companies to be vulnerable to hacking and manipulation of their systems to gain access to, or the ability to infer, SNPs profiles of customers.

GEDmatch is a type of non-DTC genetic genealogy company with an “open” database. Its customers get a DNA profile from a DTC company then upload it into the GEDmatch database without charge. GEDmatch algorithms allow comparisons of profiles developed by different companies, making it more likely that useful information is discovered.

FamilyTreeDNA is another company that is both DTC and has an open database. Customers can submit DNA buccal swabs to FamilyTreeDNA and have them develop a profile or upload a profile developed by another company.

The Genealogy Component of Genetic Genealogy

Whereas genetics is a relatively new science with the ability to profile DNA being newer still, genealogy itself is a centuries-old study that evolved from “a sleepy, prim discipline of aristocratic origins” into a field primarily practiced by self-educated hobbyists who are interested in tracking down their own ancestors by building out a family tree. Perhaps the lack of professional genealogist can be explained by the requirement of traditional genealogy.

Genealogists spend many hours poring over records that might mention ancestors of the target person. These traditionally include government records such as birth and death certificates, marriage licenses, newspaper articles and obituaries, and school and church records. The advent of the Internet and search engines sped up the processing of those records while adding additional sources of information such as social media accounts. One can only speculate how the emergence of artificial intelligence will affect the future of genealogy. However, the labor intensity of genealogy as it currently stands makes it an expensive undertaking and makes doing it yourself attractive. Hence, the skew toward hobbyist genealogists.

Law Enforcement Shocks Companies by Secretly Using FGG

In April 2018, California law enforcement submitted a DNA sample collected from the victim of a cold case rape/murder to GEDmatch and used the results to identify the Golden State Killer, a serial killer who committed 13 murders, at least 50 rapes, and over 100 burglaries in California between 1974 and 1986. The killer was identified as retired police officer Joseph James DeAngelo, Jr., who pleaded guilty to the murders in exchange for a life sentence.

The law enforcement officials did not identify the submitted DNA profile as coming from a murder case or being in any way related to crime solving. They did not identify themselves as law enforcement to GEDmatch. This “off-label” use of FGG shocked the FGG companies, which had repeatedly assured users that their privacy would be respected. Intense media attention about the Golden State Killer case put that claim in doubt. More importantly, none of the FGG companies had a policy regarding law enforcement use of their databases. However, the public’s response to finding a serial killer using FGG was overwhelmingly positive. New entries in the GEDmatch database surged.

In May 2019, GEDmatch modified its policies to allow law enforcement to use its database to identify perpetrators of sexual assaults and murders. Less than a year later, it violated that policy by allowing law enforcement to use its database in a case that was neither a sexual assault nor murder. This led the company to again modify its policy to permit law enforcement to use its database to solve other violent crimes, such as robbery and aggravated assault, provided they fell within the FBI’s definition of “violent crime.” It also allows authorized organizations to use its database to identify human remains. This has made GEDmatch the go-to FGG database for law enforcement.

In May 2019, GEDmatch instituted an opt-in for its users to allow law enforcement to use their DNA profile. The company set the default as “opt-out” for all current and new users, but between 75% and 80% of new users opted in (compared to less than 25% of prior users). Further, after all of the publicity GEDmatch received as a result of the Golden State Killer case, the number of new users uploading a DNA profile daily grew from 1,500 to 5,000.

In 2018, FamilyTreeDNA adopted a policy permitting law enforcement to use its database to identify violent criminals and human remains. It is the only major DTC company to do so. Although it has an opt-out option, FamilyTreeDNA set all user settings and default settings to opt-in, permitting law enforcement unfettered access to virtually its entire database.

The Contribution of Citizen Scientists

Hobbyist or “citizen-scientist” genealogists have been crucial and necessary components to many cases using FGG, but the path to clearing a case has not always been smooth. In one of the earliest cases, in 2011, physicist and former NASA contractor Colleen Fitzpatrick worked with detectives in Washington State to help identify the killer of a high school girl using Y-DNA. She concluded the killer was a descendent of Robert Fuller. That tip led police to suspect a neighbor and family friend who was eventually proven innocent.

In 2018, Idaho Falls detectives secured a warrant compelling Ancestry to allow access to its database in an attempt to identify the person who raped and murdered 18-year-old Angie Dodge. They wanted to know the name of a man who had submitted his Y-DNA profile because it showed a close genetic relationship with DNA recovered from the crime scene. The disclosure led them to Michael Usry, who was subsequently proven innocent using STR DNA profiling.

Ancestry closed its open database because of the Usry incident and adopted a closed database model.

Even the much-celebrated case of the Golden State Killer was not without its hiccups. According to Barbara Rae-Venter, she had been pursuing genetic genealogy as a postretirement hobby in March 2015, when Deputy Peter Headley contacted her. He wanted her to help with the identification of Lisa Jensen, a woman who had been abducted as a child and whose identity was then unknown. Solving the Jensen case led Headley and Rae-Venter to discover that whoever had abducted Jensen was a prolific serial killer.

The success in the Jensen case prompted Paul Holes, the lead criminal investigator in the Golden State Killer case, to ask Rae-Venter to work on the case. Rae-Venter’s only qualifications were that, since retiring from being a patent attorney, she had been assisting a newfound cousin with genealogy. She had also been volunteering as “search angel” who uses DNA matches to help build family trees and solve genealogy issues.

Cynthia “CeCe” Moore is perhaps the most famous FGG genealogist. Moore began her career helping people use DTC genetic databases to solve maternity ward mix-ups, help adoptees and foundlings find birth parents, and identify unknown fathers. She is known for her “outside-the-box” thinking when tracking down genetic ancestors, earning her the nickname, “Miss Marple of Genealogy.”

In 2013, Moore established DNA Detectives, a group designed to bring together parentage seekers and those who could either solve their cases or train them to solve it themselves. It has more than 170,000 members on Facebook.

For years, Moore was wary of applying her techniques to criminal cases. Then FGG was used to solve the Golden State Killer case. The story’s widespread exposure and overwhelmingly positive reception calmed her qualms about the database users’ consent and, within days, she was working on her first murder case.

Moore is known for the first FGG-based exoneration of an innocent man and the first jury conviction resulting from FGG. She was featured on 60 Minutes in October 2018. The segment focused on cold-case breakthroughs. This resulted in a deluge of requests for assistance.

Moore also co-founded the Investigative Genetic Genealogy Accreditation Board in an attempt to develop standards and bring some order into the unorganized and underregulated FGG field, which has been described as “the wild west” by FGG experts. Moore is personally involved in closing over 200 FGG cases and is currently the chief genealogist for Parabon Labs, a new type of FGG company that specializes in helping law enforcement identify suspects and UHRs using FGG.

What Are the Privacy Concerns?

The problem with unfettered access to genetic genealogy databases is that they contain a wealth of information about the profiled individuals, well beyond just their relatives. The companies claim they can determine the propensity for certain medical conditions, personality traits, food preferences, athletic abilities, and other personal characteristics from their SNPs profiles. One company claims it can determine a person’s facial appearance, including “skin color, eye color, hair color, freckles, [geographic] ancestry and face shape.”

To conduct an FGG search, law enforcement must necessarily search the records of many individuals who are not involved in crime. They may also be led to the wrong person, as was the case with Michael Usry. Even in the seminal case of the Golden State Killer, two other men were asked by police to submit DNA samples before the actual perpetrator was identified. Whether they were considered suspects by police or merely being used to attempt to eliminate branches of the family tree is disputed, but it is likely that they, like Usry, were quite nervous after having been approached by police and asked for a DNA sample in connection with a murder. It must have been a profound relief when, weeks later, the test results eliminated them as suspects.

In this vein, FGG searches come very close to the general search warrants prohibited by the Fourth Amendment to the U.S. Constitution. The U.S. Supreme Court has yet to rule on privacy concerns connected to FGG searches. The closest case to date was its approval of taking buccal swab DNA samples from persons arrested for or convicted of a crime for the purpose of a entering a profile in CODIS. Maryland v. King, 569 U.S. 435 (2013).

King predated FGG by several years and differed in that it involved CODIS profiles, which contain only a tiny fraction of the information contained in SNPs profiles, and people arrested by police, not ordinary people participating in genetic genealogy. Even so, in a dissenting opinion, Justice Scalia rather presciently questioned the practice of taking DNA from arrestees for purposes other than identification in the crime they were charged with and creating a database of the DNA profiles derived from them.

“Perhaps the construction of such a genetic panopticon is wise. But I doubt that the proud men who wrote the charter of our liberties would have been so eager to open their mouths for royal inspection,” wrote Scalia, referencing the Utilitarianist John Stewart Mill’s 19th-century design for a prison in which guards could see into the isolated prisoners’ cells at all times that had to be abandoned because it drove the prisoners “quite mad.” University of Maryland Carey School of Law professor Natalie Ram, who is an expert on genetic privacy, calls FGG “a giant fishing expedition that fails the particularity requirement of the Fourth Amendment: that law enforcement searches be targeted and based on reasonable individualized suspicion.” According to Ram, FGG “is fundamentally a search of all of us every time they do it.” The panopticon is currently synonymous with both an idea that sounds great but fails in its execution and also a total lack of privacy.

Privacy Concerns in Forensic Genetic Genealogy

The largest DTC companies, 23andMe and Ancestry – which combined have 32 million profiles in their databases – have policies prohibiting law enforcement use of their databases without a court order. The problem with that is there may not be a way to tell that a sample was submitted by law enforcement since both companies allow customers to use pseudonyms. This is exactly what happened in June 2021 when the Riverside Cold Case Homicide team identified the victim of a 1996 homicide using MyHeritage without a court order – an explicit violation of company policy requiring a court order for any law enforcement use of its database.  

“The case presents an example of ‘noble cause bias,’ in which the investigators seem to feel that their objective is so worthy that they can break the rules in place to protect others,” wrote veteran genetic genealogist and privacy advocate Leah Larkin.

23andMe has repeatedly been the target of successful computer hacks that exposed customer information. Also, 23andMe has recently come under economic pressure as the early adopter market for DTC genetic genealogy dried up, and despite corporate statements claiming it would never make customers’ DNA profiles available to third parties, it listed the possibility of selling the profiles among its assets. This emphasizes the fact that corporate policy is a poor substitute for constitutional protection when it comes to privacy. Corporate policies are subject to change at any time due to economic pressures, changes in corporate leadership, or acquisition by another company. This is exactly what happened when, in January 2021, GEDmatch changed its policy to opt in all of its profiles for UHR identification searches without notification to or input from its customers.

All of the companies maintaining databases claim that customers’ genetic data is not at risk of exposure because they do not provide law enforcement or anyone else raw SNPs profile data. However, it was recently revealed that there were tools in the databases that allowed users to infer the SNPs profile of the match being examined and a “loophole” in the GEDmatch software that allowed law enforcement to access and use the profiles of users who had opted out.

The loophole came to light when Cairenn Binder, a genealogist who heads up the Investigative Genetic Genealogy Center’s certificate program, was involved in simulated trial testimony for a presentation by attorney and DNA expert Tiffany Roy called “In The Hot Seat.” The idea was to acclimate genealogists to giving trial testimony, and the single instruction Roy had given was “do not lie.”

Roy, playing the part of defense counsel during cross-examination, asked Binder if she was aware of a loophole in the GEDmatch software that allowed access to opted-out profiles. Binder not only “testified” that she was aware of the loophole but admitted having used it around a dozen times herself. The DNA Doe Project and even such FGG luminaries as Moore have also admitted to having used the loophole. Some even admitted covering up their use of the loophole.

“If we can’t trust these practitioners, we certainly cannot trust law enforcement. These investigations have serious consequences; they involve people who have never been suspected of a crime,” said Roy, who believes a search warrant should be required for an FGG search. “Anything less is a serious violation of privacy.”

Networked Privacy

Uploading your SNPs profile to a genetic genealogy database also uploads 50% of the DNA profile of your parents, siblings, and children and a lower percentage for more distant relatives. If only a few close relatives upload their profiles, your entire profile will be in the database, albeit distributed among the relatives’ profiles. This raises a question of whether you have any privacy rights or interests when a relative, especially a close relative, uploads their DNA profile.

Moore first ran into this question when she attended a genetics conference in 2012 and asked two Native American women who were on a panel whether they had taken a DTC test. “The women explained they wouldn’t take a test without consulting everybody else in the tribe, because they’d be making the decision for everybody,” said Moore.

It was an eye-opening moment for Moore, who had previously not considered the fact that people who were uploading their profiles to SNPs databases were effectively making the decision for other people to have their profiles in the database. This now applies to the entire country, Moore noted.

“It all happened under the radar, and it doesn’t really matter if you’re opposed: It’s a collective decision that’s already been made. A lot of what the privacy advocates have said I agree with. But 30 million people made that choice for everybody else.”

This represents what tech anthropologists call “networked privacy,” which really means lack of privacy as the term describes how you are exposed and your choices diminished or undone when others share things about you that you did not want to make public. Thus, the problem of privacy, or lack thereof, in FGG searches has become one that is as much a question of philosophy as it is one of law.

Law Enforcement Secrecy About Using FGG

As noted above, in a successful case involving a FGG search for a perpetrator, the last step is typically police obtaining a discarded item containing DNA that they use to confirm the perpetrator’s identity using a CODIS profile. It is well established that police can retrieve discarded items and test them without a warrant, California v. Greenwood, 486 U.S. 35 (1988), and the admissibility of CODIS profiles is well established, Maryland v. King, 569 U.S. 435 (2013). So, those aspects of the identification are rarely challenged.

The problem is that police usually start their narratives, and the documents which prosecutors turn over to the defense, with the successful CODIS search, omitting the use of FGG altogether. Thus, FGG has not been the subject of much in the way of court challenges, and little is known about how the investigations actually proceed.

“We don’t actually know how many people who have placed their data in these online databases are subject to forensic uses,” said Stephanie Malia Fullerton of the University of Washington School of Medicine’s Department of Bioethics. “We also don’t know how these partial genetic matches are used, and we can speculate about the possible harms, but we don’t know what exactly is involved or who is contacted.”

In a few cases, including the celebrated Golden State Killer case, it is known that police or the FGG company or genealogists working with them have approached people genetically related to the suspect and asked them to submit a DNA sample or, in some cases, even mailed a SNPs DNA sampling kit under the false pretense of being a gift from a relative. Police claim this is a part of narrowing down the genealogy search by eliminating branches of a family tree. However, due to the aforementioned secrecy, none of these methods have been subject to court scrutiny.

A recent court decision reinforced the secrecy surrounding law enforcement use of FGG. In Buzzfeed, Inc. v. United States Department of Justice, 2023 U.S. Dist. LEXIS 185893 (U.S.D.C. 2023), the court ruled that the U.S. Department of Justice could exempt much of the information requested by Buzzfeed relating to its communications and contracts with companies involved in FGG. The court concluded that the documents were exempted from FOIA disclosure because the information was “confidential,” and its release could cause harm to the company and might be used in future criminal prosecutions.

Court Challenges to FGG Searches

In one of the rare published cases involving a defendant challenging the use of a FGG search based on privacy, the Court of Appeals of Washington upheld the trial court’s denial of a criminal defendant’s motion to suppress FGG search results because the defendant, who was convicted of felony murder in connection with the 1993 rape and murder of a 12-year-old girl, had “no privacy interest in commonly held DNA that a relative voluntarily uploaded to a public database that openly allowed law enforcement access.” State v. Hartman, 534 P.3d 423 (Wash. App. 2023). The court also ruled that the defendant had no privacy interest in DNA abandoned at the crime scene.

In State v. Boretree, 2021 Ohio App. LEXIS 2828, the court upheld the trial court’s denial of a general challenge to the admissibility of a FGG search performed by AdvanceDNA under contract with police that was used to identify him as the perpetrator of a 1993 attempted murder in connection with kidnapping and rape. However, the conviction was later reversed by the Supreme Court of Ohio on statute of limitations grounds. State v. Bortree, 212 N.E.3d 874 (Ohio 2022).

In an interesting and related civil case, Leslie v. City of New York, 2023 U.S. Dist. LEXIS 49775 (S.D.N.Y. 2023), residents of New York City are challenging, on Fourth Amendment grounds, the NYPD’s warrantless practice of covertly collecting DNA from a person’s discarded trash, using it to obtain a CODIS or FGG profile, then maintaining that profile on the city’s database for years regardless of whether a person is charged with (or even suspected of) committing a crime. The targeted person could, for instance, merely be suspected of being a gang member or associated with a gang. If successful, this lawsuit may chart a path for challenging similar DNA collection in criminal cases.

The initial cases make it seem unlikely that courts will require warrants for FGG searches. But the higher courts have yet to weigh in on the matter.

What Standard to Use?

A major question in future court decisions regarding privacy and FGG searches will be what the appropriate standard is. The courts will likely use one of two existing standards in analyzing FGG privacy interests. The first is the “reasonable expectation of privacy” standard of Katz v. United States, 389 U.S. 347 (1967). In deciding whether a telephone booth could be bugged without a search warrant, the Katz Court determined that, to have a legitimate Fourth Amendment claim, a person must have “an actual (subjective) expectation of privacy” that “society is prepared to recognize as reasonable [objective],” such as one has when using a phone booth. This “reasonable expectation of privacy” test was thought to replace the previous test based on whether the intrusion was a common-law “trespass” and became the standard for analysis of Fourth Amendment issues for the next 34 years.

Technology forced the Court to re-examine Katz’s declaration that the Fourth Amendment protected people, not places, when faced with police using thermal imaging to detect relative amounts of heat within a house. The Court in Kylo v. United States, 533 U.S. 27 (2001), held that the imaging constituted an intrusion into a constitutionally-protected space, the home.

Then, in a case that took many legal experts by surprise, in United States v. Jones, 565 U.S. 400 (2012), the Court clarified that “the Katz reasonable-expectation-of-privacy test had been added to, not substituted for, the common-law trespassory test” when it held that placing a GPS tacking device on a car was a search in that it was a trespass upon Jones’ property. Thus, challenged police conduct must pass both the Katz and Jones tests in order to be constitutional.

Since Jones, the Katz test has been applied to a collection of cellphone location and cell-site location information. See Carpenter v. United States, 585 U.S. 296 (2018). It seems likely that, since there is no physical intrusion upon constitutionally protected places involved in a FGG search, the Katz test will be applied to a privacy-based challenge to FGG searches. That seems to be what the Hartman Court did without specifically stating it. However, Hartman’s SNPs profile revealed that he was bald and likely had bipolar or substance abuse disorder, which constitutes sensitive medical information for which it could be argued one has a reasonable expectation of privacy. Only time will tell whether such an approach will be successful.

How Defense Attorneys Can Challenge FGG Searches

Besides the aforementioned privacy issues, defense attorneys could challenge FGG searches on a number of issues. One of which is the lack of certification of genealogists and the lack of validation of both their methods and the scientific methods used in FGG. Therefore, a defense attorney contemplating a challenge to how FGG was used in a specific case must use the tools of discovery to determine who played what role in the FGG investigation and what methods were used as well as any validation studies that have been performed to determine the accuracy and limitations of those methods.

It is also important to determine whether the samples used were degraded or mixtures, both of which can increase the likelihood of lab errors. Further, mixtures can implicate another suspect. Thus, it is important to determine how many profiles were generated by the sample.

The similarity of two SNPs profiles is measured in centiMorgans (“cMs”), a measure of how likely it is for a longer DNA segment to be passed on to a descendent intact. The closer the relationship, the longer segments are shared. Parents, children, and siblings typically share 2,000 to 3,600 cMs of their DNA. First cousins share only 425 to 1,100, but that is also in the range shared by grandparents/children, great-grandparents/children, half-siblings, and great uncles/aunts. Therefore, it is essential that defense attorneys discover the cMs of each profile used to trace the alleged family tree of a suspect profile and the logic used to assign an identity to the profile based on the cMs.

Other Complicating Factors for FGG Searches

The very sensitivity of DNA collection may yet be its worst enemy. As shown in the Amanda Knox case, small amounts of DNA can be easily transferred to another person (brush transfer) and from that person to an object never touched by the DNA donor (secondary transfer), leading to a wrongful conviction. Something similar happened in Germany when a contaminated cotton swab had police erroneously looking for a murderer in the Romani (“Gypsy”) community for two years.

Scientists seeking better ways to track sea turtles discovered human DNA in all kinds of unexpected places – creek water, snow, honey, and even floating around in the air in “surprising” levels. The DNA was of high enough quality to derive CODIS or SNPs profiles. Further, DNA testing has already been in use to monitor disease levels in waste water, and the identifiable DNA of 40 different humans were found on a dog’s head fur. Thus, there are many potential sources of DNA contamination in everyone’s daily environment.

The scientists who have been seeking to further explore the origin and content of human DNA in the environment (“eDNA”) have run into the roadblock of ethics panels rejecting research proposals based on medical and scientific ethics. Ironically, law enforcement operates under no such constraints.

“There’s an imbalance in almost all systems of the world between what law enforcement is allowed to do, versus publicly funded research, versus private companies,” said University of Vienna professor Barbara Prainsack, who studies the regulation of DNA technology in medicine and forensics.

“It’s a total wild west, a free for all,” said New York University School of Law professor Erin Murphy, who specializes in the use of new technologies in the criminal legal system. “The understanding is police can sort of do whatever they want unless it is explicitly prohibited.”

What to Expect in the Future

Police estimate there are over 200,000 unsolved major criminal cases involving DNA evidence in the U.S. The enormous power of FGG to solve even decades-old cases makes it unlikely that the courts will subject it to any meaningful restraints. It is possible that a search warrant will be required, but such a requirement is unlikely to come from the courts. Instead, it is more likely that legislative bodies enact regulations concerning FGG searches. Two have already done so.

Montana requires that a search warrant be issued before performing any kind of DNA database search. Mont. Code 44-6-104 (2021). Maryland’s regulations are more comprehensive, requiring judicial authorization for FGG searches and for covert DNA collection, limiting the types of crimes FGG searches may be used to investigate, and requiring law enforcement to first pursue all reasonable leads and use government DNA databases before seeking FGG authorization. Md. Code Crim, Proc. § 17-101 (2022).

The U.S. Department of Justice has also issued interim rules limiting FGG searches to violent crimes and prohibiting FGG results from being the sole basis for an arrest. However, the rules have not been finalized or formalized and only apply to federal agencies and other agencies that receive federal funding. Also, the FBI has already ignored the DOJ interim rules in at least one case.

FGG searches may also be affected by questions regarding the “informed consent” being given by customers to use their SNPs profiles for law enforcement purposes. Bioethicists have noted that few people actually change default settings or read the terms of service, although they become binding under the DTC companies’ so-called “wrap contracts” (basically, if you use the service, you are accepting the terms of service).

There is support for the bioethicists’ claim. When GEDmatch changed all users’ settings to opt-out of law enforcement use but allowed them to change the setting to opt-in, fewer than one in five did so. Yet, three out of four new GEDmatch users, whose default setting is opt-in, keep the setting at opt-in. Perhaps this is why the EU General Data Protection Regulation required FamilyTreeDNA to change its default to opt-out for its European users. The default for U.S. users remains opt-in.

State legislatures will be the most likely source of privacy protection with respect to FGG searches in the future. Hopefully, Maryland’s clearly written and comprehensive statute will serve as a template for similar statutes in other states. Congress could enact similar legislation. This is unlikely to happen in the near future given its near inability to pass meaningful legislation due to the strong partisan divide in Congress.

Examples of Cases Cleared and Bodies Identified Using FGG

The power of FGG is hard to overstate given the astonishing and growing number of cases cleared using the method. Some notable cases include the use of FGG to match DNA found on the button of a knife sheath at the scene of a quadruple murder to the father of the person charged with the murders. The victims, all students at the University of Idaho, were murdered during the night at an off-campus house in late 2022. Police had no suspects until FGG identified the DNA from the knife sheath. They covertly took items from Bryan Kohlberger’s father’s trash and confirmed the FGG results using CODIS-style testing.

Critics say police had enough evidence from other sources to arrest Kohlberger without using FGG. Kohlberger is one of the few criminal defendants to find out about police use of FGG prior to trial. He is contesting its use in what may be a precedent-setting case.

In what may have been the first use of FGG to identify UHRs, on April 10, 2018, about two weeks before the announcement that the Golden State Killer had been identified, GEDmatch was used to identify the body of a young woman who had been found strangled and beaten along a roadside in Miami, Ohio, on April 28, 1981. She had formerly been known only as “Buckskin Girl” because of a buckskin poncho she had been wearing.

In 2022, FGG was used to solve the sexual assaults of two Rhode Island girls, ages 11 and 13, in 1987. The FGG investigation began in 2019, following the publicity of the Golden State Killer case. It led to the arrest of Frank Thies, 66, of Terre Haute, Indiana. He was charged with one count of first-degree sexual assault and two counts of first-degree child molestation.

In October 2021, FGG accomplished the identification of the body of a woman found raped and strangled near a Woodlawn, Maryland, cemetery in 1976. Previously known as “Woodlawn Jane,” she is now known to be Margaret Fetterolf, who was 16 and a serial runaway when she was murdered. The identification became possible after Fetterolf’s cousin, Shannon McAdoo, a hobby genealogist, uploaded her SNPs profile to an open genetic genealogy database.

In an unusual twist, the victim of a 1987 rape in Dallas read about FGG in 2021 and contacted cold case detectives and prosecutors in Dallas, urging them to use it to solve her case. A previous search on CODIS did not identify the perpetrator but did show that the same man had committed three other rapes in Dallas and two in Shreveport. The 2021 FGG search would reveal more.

“I got an email from a woman telling me about this incredible case about an unsolved serial rapist in Dallas,” said Dallas County cold case prosecutor Leighton D’Antoni, who took the case to the FBI to run a FGG profile. “We identified our suspect within 24 hours.” A STR profile from discarded trash confirmed that David Thomas Hawkins committed the rapes.

New Hampshire began a FGG investigation of the 1981 murder of Laura Kempton, 23. They soon publicly identified the perpetrator as Ronnie James Lee, who died of acute cocaine intoxication at the age of 45 in 2005.

Ozark, Alabama, police worked with Parabon Nanolabs to identify the man who killed two 17-year-old girls in 1999. In 2019, they arrested Coley Mccraney, a truck-driving preacher who had lived a crime-free life since then.

The Sheriff’s Department in Douglas County, Colorado, was able to clear the 1980 abduction, rape, and murder of 21-year-old Helene Pruszynski using FGG. The break came when a distant cousin of suspect James Clayton put her 23andMe profile on GEDmatch after reading about the Golden State Killer case.

A cursory search on LEXIS legal news yielded some recent FGG cases:

According to the October 5, 2023, Palm Coast Observer, FGG was used to identify Roberta “Bobbie” Lynn Weber as the body of a woman found murdered in Daytona Beach, Florida, in 1990.

The October 6, 2023, Cincinnati Enquirer reported that FGG was used to identify Robert Stewart who was then indicted for the February 2003 murder of Herman Brown, 46.

According to an episode of 48 Hours aired on CBS, on November 18, 2023, FGG was used to identify Patrick Nicholas as the killer of Sarah Yarborough, 16, in King County, Washington, on December 13, 1991.

The December 7, 2023, Orlando Sentinel reported that the body of Eileen Trooper, who was 41 when she was murdered in South Florida in 1998, was identified using FGG. It also showed her to have been a victim of Florida serial killer Lucious Boyd, who currently resides on the state’s death row.

The Miami Herald on January 8, 2024, reported that FGG showed William Taylor, who died on May 19, 2022, to have been the perpetrator in the May 15, 1982, stabbing murder of Kevin McBride, 47.

The January 15, 2024, Galaxy Gazette reported that Othram, Inc. used FGG to identify the skeletal remains found in September 2022 as a five-year-old boy who had been missing since 2003 named Logan Bowman.

UPI.com reported on January 24, 2024, that the last unidentified remains of the “Green River Killer,” Gary Ridgeway, had been identified by Orthram, Inc. using FGG. Tammie Liles was a 16-year-old Seattle prostitute when she became one of Ridgeway’s 49 known victims.

On January 31, 2024, Noticais Finaciers reported that FGG resulted in the identification of Kevin Konther, who was 58 when he was sentenced in February 2023. Konther was arrested in 2019 along with his twin, whom be tried to frame-for the rape of a 9-year-old girl in 1995 and a 32-year-old woman in 1998.

The February 2, 2024, Lansing State Journal reported that FGG had been used to identify Douglas Laming, 70, as the person who raped and murdered Karen Umphrey in 1980. It reported that Othram, Inc. and its DNA Solves database – which were started by the husband-and-wife team of David and Kristen Mittelman in 2018 with the explicit goal of assisting law enforcement – were used to close the case.  

On February 21, 2024, the Madison Courier inIndiana reported that the body of a pregnant woman discovered in May 1992 in a flooded Fort Wayne basement had been identified as Tabetha Ann Muslin using FGG. The identification was simplified by the presence of the profiles of her father, late mother, and two aunts in the database.

Conclusion

Those examples, taken from a few months of media reports, show the speed at which FGG is being used to close cold cases and put a name to UHRs. In 2022, Swedish police used FGG to identify the perpetrator of a double homicide, a first such use in the EU. Police in the Philippines are using FGG to identify the fathers of underage sex workers’ babies, showing the spread of FGG around the world. This spread can be expected to continue.

It may also drastically expand in the U.S. if other universities follow the lead of the University of North Texas Health Science Center’s Center for Human Identification Laboratory. The laboratory will soon be fully accredited to perform forensic genealogy, and law enforcement agencies will be able to use that resource without cost. This effectively eliminates the biggest restraint on law enforcement’s use of FGG – its high cost.

Even without universities providing free FGG, we can expect the use of the method to increase as law enforcement agencies become accustomed to it. We can also expect that police will favor using it in more and different kinds of cases unless prevented from doing so be laws or court rulings. After all, it is much easier to turn the investigative work over to the scientists, technicians, and genealogist than to do it yourself.

 

Sources: nytimes.com, familytreemagazine.com, nib.gov, academic.oup.com, science.org, reuters.com, crime-scene-investigator.net, hudsonalpha.org, theintercept.com, eff.org, sagepub.com, apnews.com, northeastern.edu, washingtonpost.com, wfaa.com, abcnews.com, al.com, uncovered.com, llalive.com

Related legal cases