A consumer purchases a home DNA kit for genealogy or health spits in a vial or swabs the inside of their cheeks and then ships their sample off to a lab for analysis. It’s really quite a simple proposition, isn’t it?
Not So Fast
Science and marketing have ruled the roost in recent years, as evidenced by the popularity of direct-to-consumer DNA tests. More than 26 million people have used in-home kits from companies like 23andMe, AncestryDNA, FamilyTreeDNA, and MyHeritage. After all, what could be more straightforward than paying a company to analyze the genetic material found in your cells, in hopes of learning about your origins or health outlook? Actually, plenty. “Maze of confusion” might be a better term for the current DNA landscape.
As it turns out, the law is gradually having its say about your DNA. Myriad legal issues have blown up like cumulonimbus clouds on a humid August day. Suddenly, a whole raft of complications muddies the consumer DNA picture. Terms like jurisprudence, forensics, police investigations, privacy, and property law are being mixed with genomes, alleles, and base pairs. The result has often been discombobulation and apprehension about where the legal questions will lead.
What are DNA testing legal implications? What are the issues and risks surrounding direct-to-consumer DNA kits and the databases that contain their information? Is DNA testing legal?
You might ask Michael Usry Jr., a Louisiana filmmaker. His father took a DNA test and submitted it to a public database that was later purchased by Ancestry.com. Police in Idaho Falls, Idaho, who were investigating a 1996 murder found the senior Usry’s DNA was a relatively close match to DNA left at the murder scene. Investigators started probing the Usry family tree and found that Michael Usry Jr. made films about violent homicides. Suddenly detectives from Idaho were at the filmmaker’s door in New Orleans. Usry was taken to a police interrogation room and grilled about details on the murder of Angie Dodge. He was astonished.
There was just one problem with this situation. When police got around to obtaining and testing Usry’s DNA, they found it was not a match to their crime scene. His father’s DNA in the Ancestry database matched 34 of 35 genetic markers from the crime scene DNA. Yet his son didn’t match, and he was eventually cleared. But not before his life was turned upside down and his name became permanently associated with the still-unsolved murder. It turns out the genetic marker match from Michael Usry Sr. wasn’t all that close. It’s possible, if not likely, that the killer has no ties at all to the Usry family tree. The filmmaker was left to ponder how he became accused of homicide based on someone else’s DNA that led police to a false accusation.
The Usry case is a prime example of the competing legal issues and interests surrounding the massive DNA databases maintained by Ancestry, 23andMe and a growing number of other consumer DNA companies. Customers’ privacy seems at growing risk from law enforcement agencies, insurance companies and who knows who else.
Many consumers don’t realize how emerging technologies like DNA analysis can be used against them, according to the University of California-Davis law professor Elizabeth Joh. “Do you realize, for example, that when you upload your DNA, you’re potentially becoming a genetic informant on the rest of your family?” Joh told The New Republic. “And then if that’s the case, what if you’re the person who didn’t personally upload the DNA, but you discover that your family member has done that?”
What once would have seemed part of a George Orwell novel is now a sobering reality. Constitutional law attorney and author John Whitehead of The Rutherford Institute is sounding the alarm over the risk that a consumer’s DNA could be accessed, stored and analyzed for purposes he or she did not authorize. That could have dire consequences, creating what Whitehead calls “a nation of suspects.”
“With the entire governmental system shifting into a pre-crime mode aimed at detecting and pursuing those who ‘might’ commit a crime before they have an inkling, let alone an opportunity to do so, it’s not so farfetched to imagine a scenario in which government agents … target potential criminals based on their genetic disposition to be a ‘troublemaker,’ or their relationship to past dissenters,” he wrote.
This white-hot debate is being stirred by almost daily headlines showing how police use commercial DNA databases to solve major cold-case crimes. The highest-profile example came with the 2018 arrest of James Joseph DeAngelo, a former police officer accused of being the “Golden State Killer.” He is alleged to have committed a dozen murders and 50 rapes in California between 1974 and 1986. Police took DNA extracted from a rape kit in one of those cases and uploaded it to the public DNA database GEDmatch. That search identified some distant relatives, whose information was used to construct a family tree. That led to DeAngelo. Police surreptitiously obtained his DNA from a door handle and a discarded facial tissue and matched it to the crime scene DNA.
While many laud the use of consumer DNA to solve crimes, privacy advocates worry about the potential abuses. Those who use home DNA kits must agree to detailed terms and conditions when setting up their online accounts. Those terms detail potentially thorny issues related to ownership of the DNA and who might be able to gain access to DNA samples. Most customers don’t read them, although the consequences of ignoring this boilerplate information could be life-altering. In one high-profile example, a DNA company is now allowing police access without a warrant or subpoena.
News media disclosed that FamilyTreeDNA gave the Federal Bureau of Investigation (FBI) access to its consumer DNA database without requiring a court order such as a search warrant. The news set off an earthquake across the internet. FamilyTreeDNA altered its terms and conditions in December 2018 without notifying customers. This potentially exposed the 1 million Family Tree DNA samples to law enforcement search — critics say without consent. Then came news that a third-party vendor that does work for law enforcement agencies was also given access to the FamilyTreeDNA database.
Too Eager to Help Police?
“So from a high-level agreement with the FBI, we’re now looking at any police department with some extra cash having the ability to submit a sample from any crime scene — not just rapes and murders but a wide variety of cases as long as the money is there — and pull information about all the persons who’ve tested who match those samples, out to the distant-cousin level,” said Judy G. Russell, who blogs as The Legal Genealogist. Russell said it is likely that information from tens of thousands of people is at risk of “being sucked into a criminal investigation — again, all without their informed consent.”
Russell and others believe FamilyTreeDNA needs to change this policy to be on an opt-in basis only. Otherwise, the only way to escape the searches of law enforcement and affiliated companies is to disable DNA matching. The matching feature, which allows customers to search for genetic relatives, is one of the primary reasons consumers purchase genealogy DNA kits. “It’s time, and beyond time, for the company to take corrective action and keep its promises to its customers to protect their privacy,” Russell wrote on her blog.
In a letter to customers, FamilyTreeDNA founder Bennett Greenspan said law enforcement agencies are able to set up regular accounts and upload DNA samples just like any other customer — as long as they notify the company that they are doing it. Information beyond what is available to the average customer would require a court order, he said.
Greenspan noted that the company has “received an incredible amount of support from those of you who believe this is an opportunity for honest, law-abiding citizens to help catch bad guys and bring closure to devastated families,” he wrote. That line went over like a lead balloon with many customers and critics. The Legal Genealogist’s Russell called Greenspan’s statement a “logical fallacy.”
“If you support handing over access to customer data to the police without advance notice and without judicial oversight, you’re an honest, law-abiding citizen,” Russell wrote. “The converse logical fallacy is that if you believe in personal privacy, support the rule of law and having a company that keeps its promise to its customers, you’re not an honest, law-abiding citizen.”
The Family Tree DNA kerfuffle prompted competitors to issue a string of statements, distancing themselves from any notion they would expose customer DNA data without a court order. AncestryDNA, 23andMe, MyHeritage and LivingDNA emphasized they would not share any customer information without consent unless compelled to do so by a “valid legal process.” The 23andMe statement went even further, saying the company would not voluntarily work with law enforcement and will “use all legal means to safeguard our customers’ data.”
A lawmaker in the U.S. state of Maryland has proposed banning the use of consumer DNA databases to identify potential suspects in criminal cases. Law enforcement in Maryland and many U.S. states already have the legal authority to collect DNA samples from people arrested for certain crimes. State criminal DNA databases are typically connected to the national CODIS database maintained by the FBI. But detectives are increasingly turning to public DNA databases such as GEDmatch and private consumer databases like FamilyTreeDNA to search for links to criminal suspects.
Police in California used the FamilyTreeDNA database to help crack the 1973 murder of 11-year-old Linda O’Keefe. Newport Beach Police ran a DNA sample from the crime scene through the FamilyTreeDNA database and got a hit indicating a man named James Alan Neal could be their killer. Police tracked Neal to Colorado and put him under surveillance. They followed him and were able to obtain DNA samples that police said match DNA left at the crime scene. Neal was charged in February 2019 with murder, kidnapping and lewd and lascivious acts. Police earlier sent DNA from the crime scene to Parabon NanoLabs, which used its SnapShot technology to develop estimates of the killer’s appearance. Those images bore a striking resemblance to Neal.
This new partnership of police and genealogy has helped solve dozens cold-case homicides, rapes and other violent crimes. Some say the practice should at least be monitored to prevent abuse. “Technology is outstripping our understanding of how it’s being used,” defense attorney Paul Applebaum told the Minneapolis Star-Tribune. “I don’t think people have thought through the legal and ethical implications.”
Health Care Risks from DNA?
Genealogy buffs aren’t the only ones reeling from legal questions raised by the use of direct-to-consumer DNA tests. A growing number of companies are selling health and wellness DNA kits that test for potential risk of disease, assess carrier status for a variety of illnesses, and look for traits such as being an early riser or having a distaste for cilantro. Some test kits purport to assign the numerical risk of developing serious diseases like lung cancer, breast cancer, and diabetes. It’s the kind of information that in the wrong hands could create lots of headaches for consumers.
In 2008, the United States Congress passed the Genetic Information Nondiscrimination Act (GINA), which prohibits employers and health insurance companies from discriminating against people based on genetics. Those provisions were lauded by consumer advocates, but the GINA law has a loophole — it doesn’t apply to companies that sell life, disability, and long-term-care insurance. So a consumer who finds out through an at-home DNA test that she has, for example, the BRCA1 gene mutation (associated with higher risk for breast cancer), could be denied coverage for that very reason.
Insurers can’t require an applicant to take a DNA test, but they expect consumers to cooperate and honestly report medical and DNA test results — or face rejection of coverage. Consumer advocates want the law amended to prohibit discrimination in the purchase of life, long-term care and disability insurance. But with strong pushback from the insurance industry, such a change will be an uphill fight. “It’s an industry that is hundreds of years old,” Mark Rothstein, founding director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, told Fast Company magazine. “They make a lot of money doing things the way they’ve always done it.”
Writing in The New England Journal of Medicine, Thomas May, Ph.D., said the nondiscrimination law has “serious limitations,” including its exemption of employers of 15 or fewer people, and its requirement that victims of genetic discrimination prove that their information was misused. “This flawed mechanism, though well-intentioned, is hardly adequate to balance complex competing interests that might arise in DNA testing,” May wrote.
Direct-to-consumer DNA tests raise a number of other issues:
Limited information — People who take DNA health tests might make major medical decisions or reach false conclusions based on the limited information the tests provide. This is why many doctors strongly advise patients to consult a physician or genetic counselor before drawing any conclusions based on DNA health tests.
Chain of custody — Companies that market consumer DNA tests largely rely on a person’s honesty when they send in a DNA sample or upload raw DNA files for analysis. It is not difficult to send in someone else’s DNA and then have access to their information. “Do genetic testing organizations have a duty to verify the ownership of genetic samples?” asked May in the New England Journal of Medicine. “Our current regulatory approach to privacy in direct-to-consumer (DTC) genealogy testing has permitted the creation of a Wild West environment, in which companies send vials to consumers, who return DNA samples by mail.”
Unlike clinic-based medical tests, consumer DNA tests are not subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA), which has strict requirements for privacy in storage and access to health records. May said HIPAA-type protections would cripple the consumer DNA industry, but some kind of protection should be possible. “Although there is no way to guarantee privacy, surely there are ways to mitigate risk,” he said.
Adoptees and DNA — The technology made available by consumer DNA tests has been a huge boost to adoptees searching for information on their birth parents and other blood relatives. Home DNA kits are “one of the most powerful tools available today to identify and locate family members in unknown parentage cases,” writes Russell of The Legal Genealogist. “Where the paper trail runs out, DNA is often the only tool that has any hope of shining a light on the path.”
The promise of DNA matches with adoptees’ blood relatives is a stark contrast with adoption records laws in many places. In the U.S., changes have been made in recent decades to give adoptees access to more information from previously sealed files. However, most states that allow this still have restrictions, such as not giving out identifying information on the parents. Other countries such as the United Kingdom, give adoptees access to birth records but allow birth parents to specify they don’t want contact with children given up for adoption. Ultimately, adoptee successes with DNA testing could serve as pressure to loosen adoption records laws.
Security vs. Privacy — The clash between the public good and personal privacy has become a daily battle in the era of DNA databases. As we’ve already see, government access to commercial DNA databases raises concerns about overreach and encroachment on liberties. Police are increasingly collecting DNA samples from people who are merely arrested, a move that could make DNA as ubiquitous as the fingerprint or the mug shot. Giving governments or third parties access to such deeply personal information will continue to generate controversy and spawn lawsuits.
The late U.S. Supreme Court Justice Antonin Scalia put it this way in a court case over police DNA collection during arrests: “Solving unsolved crimes is a noble objective, but it occupies a lower place in the American pantheon of noble objectives than the protection of our people from suspicionless law-enforcement searches,” he wrote in his dissent in Maryland vs. King. The looser standards employed to justify taking more DNA samples by government authority might solve more crimes, he said, but it risks creating a “genetic panopticon.”
“I doubt that the proud men who wrote the charter of our liberties would have been so eager to open their mouths for royal inspection,” Scalia wrote.
The legal wrangling has only begun when it comes to DNA and who controls the right to use its cell-deep information. The meteoric rise of direct-to-consumer DNA kits could soon lead to a ballooning of court cases and legislative acts that attempt to settle the issues. Who would have thought such a legal fuss could come from a little tube of spittle?