The arrest of Joseph James DeAngelo as the suspected Golden State Killer has both thrilled and worried watchers. Bringing the Golden State Killer to justice is a victory for law enforcement and public safety. But with his identification through a publicly accessible genealogical DNA database, there are serious questions about who now is subject to genetic surveillance by the government, and not just by the online commercial services that sequence or store DNA data for genealogical research. These questions are all the more urgent as law enforcement investigators rush to implement similar tactics in other cases, like the search for the Zodiac Killer. As it turns out, millions more of us have our genetic information stored in a variety of genetic collections—including ones we may not even know about.
Lots of large collections of DNA-based information have been created for good reasons that have nothing to do with law enforcement. Cancer patients whose treatments depend on which specific genetic variations they possess and individuals seeking preconception genetic testing each have genetic data in their medical records. The advent of personalized medicine means that the scope of genetic data created and stored for health care purposes is also poised to grow rapidly in the near future. But we can only realize the benefits of precision medicine with the aid of large-scale genetic sequencing, yielding increasing volumes of genetic data in medical records. This information will frequently be stored with both the patient’s medical providers and the laboratory that performed the genetic sequencing.
Millions of other genetic samples are collected, sequenced, and used in scientific research. Right now, more than 500 million tissue samples are stored in hundreds of biobanks throughout the United States. If you have ever had blood drawn by a doctor, it is likely that the blood left over after testing for hemoglobin or cholesterol was “deidentified”—stripped of certain identifying information—and redirected to research. But it is not at all clear that genetic information can truly be deidentified. Researchers have repeatedly demonstrated that if someone wants to reidentify an “anonymous” genetic profile, it is not that hard to do.
And in any event, the scope and number of identifiable tissue samples—those easily traced to a specific individual—are also likely to grow. Under amendments to the Common Rule, which governs federally funded human-subjects research including genetic research, individuals need give only “broad consent”—consent to “unspecified future research”—for the storage and research use of their “identifiable private information and identifiable biospecimens.” That such consent may be obtained as a standard part of physician-office paperwork may lead many people to give broader permission than they realize.
At the moment, it’s unclear exactly whether, or under what circumstances, law enforcement can search these rapidly growing genetic resources. The Supreme Court has held that police generally do not need a warrant to access or examine data that an individual has voluntarily shared with a third party, like a physician, biobank, or direct-to-consumer genetics company.
Existing federal laws designed to protect medical or research data, meanwhile, are incomplete or uncertain. It is unclear, for instance, whether the HIPAA Privacy Rule, which governs the use and disclosure of identifiable health information, applies to biobanks or DNA databases. Nor is it clear that the genetic information that police use in their DNA identifications is “protected health information,” which is all that HIPAA protects. Indeed, the Supreme Court emphasized the non–health-related nature of forensic DNA analysis when it ruled that a warrant wasn’t necessary to collect a DNA sample from an individual arrested for, but not yet convicted of, a crime.
Genetic data used for scientific research purposes are eligible for arguably much stronger protection. Under a Certificate of Confidentiality, researchers may refuse to disclose identifiable, sensitive research data—even against a warrant. But while Certificates of Confidentiality now issue automatically for federally funded research, researchers whose work is supported by other sources of funding must seek out and apply for this protection.
The result of this patchwork of legal protections is that police are likely to try to access and search through the genetic data of millions of ordinary Americans—even those who have resisted the temptation to send a saliva sample or cheek swab to a company like 23andMe. And that means that it is likely that you and I will eventually fall within the reach of police DNA searching, if we haven’t already. In fact, as the Golden State Killer investigation shows, we may come under police suspicion through a database search even if our own DNA is not stored in any database, so long as at least one genetic relative’s DNA is.
Put simply, what amounts to a universal genetic database may soon be available for law enforcement searches. After all, police investigating the Golden State Killer case turned to familial searches in genealogical databases only after ordinary genetic searches and familial searches in the state’s own forensic database proved fruitless. In a future case, if investigators still cannot find a lead after searching these genealogical databases, why wouldn’t they try to search yet other genetic resources?
But these kinds of searches run counter to important principles of medical ethics and criminal justice. Effective health care and advances in research depend on maintaining public trust in the security and privacy of genetic data. Making clinical and research biobanks accessible to law enforcement searches radically alters the risk-benefit calculus that supports clinical and research endeavors. Indeed, strong protections against unwarranted government searches may be essential to ensure that citizen support for and participation in genetic research and their own health care continue.
More broadly, law enforcement searches in nonforensic databases undermine democratic norms. These searches amount to an end run around considered legislative judgments about who ought to be subject to perpetual genetic surveillance by the government. All 50 states have enacted laws that specify whose DNA police should be allowed to collect and put into a database of known persons, subject to routine search by law enforcement to solve new and old crimes alike. Although the scope of these authorized law enforcement DNA databases has expanded over time, no state has suggested, much less authorized, the collection and retention of DNA from ordinary citizens for investigative use. Searches in non–law enforcement databases subvert these legislative judgments by examining the genetic information of people who may have never had a run-in with law enforcement, much less been arrested or convicted of a crime. If investigators want that kind of access to DNA, at the very least they should have to convince the state legislature—and the public—that the benefits outweigh the costs to privacy.