
Law enforcement investigators seek out private DNA databases - pavel_lishin
http://www.sandiegouniontribune.com/news/2016/mar/26/law-enforcement-investigators-seek-out-private/all/
======
droithomme
It's important to understand in the ancestry.com case they didn't ask for
information about a specific individual. They provided a sparse sample with a
few markers and asked ancestry.com, without a warrant, to do a fuzzy cold hit
search of their entire database and provide them with information about any
individuals that had partial matches. Ancestry found one, and related this
existence, which was then speculated to be a possible relative. At that point
police got an actual warrant to enable getting the name of this remote match,
and ancestry.com provided it. The person was not even an ancestry.com
customer. He was a person that participated in a scientific study years ago,
the database results of which was later sold to by ancestry.com without his
notified consent.

There are massive statistical problems with this approach, without even having
to get to the obvious privacy problems.

~~~
jacquesm
This reminds me of:

[https://en.wikipedia.org/wiki/Brandon_Mayfield](https://en.wikipedia.org/wiki/Brandon_Mayfield)

~~~
colejohnson66
His case against the PATRIOT Act was tossed because he didn't have standing!?
Despite the fact that court documents (which _are_ permissible (unlike the
Snowden documents which probably aren't)) showed he _was_ specifically
targeted?

------
belorn
Sweden have a national DNA registry that, while optional, practical all
newborns are added to since 1975. The registry is purely intended for medicine
and research, and the few exceptions when law enforcement had requested a
sample, there have been outcry from both researchers and the public that such
use would start make parents denying the request and ruin the extremely
valuable resource that such registry create. Everyone loose when that trust is
lost, from the pain and misery that happens from untreated disease, to the
economical loss to society, to the loss of progress from a lack of research
data.

~~~
mtgx
This is exactly why the companies using this DNA data must fight the US
government all the way to the Supreme Court for any such request. Otherwise,
their businesses risk dying out before they even get a chance to take off,
because people won't trust them anymore if they just end up handing the data
over to the government.

~~~
jdavis703
Or you could get your DNA tested under a pseudonym with a prepaid card (if
enough people started doing this they might even offer an anonymous or
encryption option).

~~~
joering2
Been there done that. 23andme will not accept any prepaid/debit card and kit's
shipping address must match billing address. Full name is obviously required -
as I was told, for your own protection. Long story short, I withdrew.

~~~
robryk
How does this work with the option of shipping the kits as gifts to someone?

------
Paul-ish
> The Sorenson Molecular Genealogy Foundation was launched by billionaire Utah
> businessman James LeVoy Sorenson with the backing of the church. The
> foundation's goal was finding a "genetic blueprint" for humans, and it
> amassed more than 100,000 samples when Ancestry acquired the database in
> 2007.

It is discouraging that this data that was ostensibly collected for non
commercial purposes can be sold to Ancestry.

~~~
irixusr
That's why I never participate I anything data related.

I turned down a $100 best buy gift card in exchange for a 10 minute interview.
The guy wouldn't let me go because he couldn't understand why anyone would
turn down $100 for a 10 minute chat.

When I was forced to participate in a study in university I always lied in my
answers (how is forcing me to participate moral?)

Its _my_ data. I don't trust you, ill do my darnest to keep it from you or
feed you wrong info.

------
pavel_lishin
I'd love to check my DNA for potential diseases, and I'd like to know, for
instance, if I'm a descendant of Genghis Khan - but this article reinforces my
reluctance to send it in anywhere.

As I understand it, they refuse to do anonymous testing - they have good
reasons, some of which are completely focused on privacy. I'd love to have an
at-home kit, so I could check the contents of my DNA against a database of
known facts.

~~~
Paul-ish
> I'd love to have an at-home kit, so I could check the contents of my DNA
> against a database of known facts.

I think sequencing at home would be difficult. What we would need is for them
to sequence your DNA, then send that data to you, then destroy their copy of
the data. This would need to be enforced contractually. The problem is that if
you lose your copy of the data, it is gone. This has issues with usability.

If if they offered to keep your named detached from the sequence it wouldn't
do much. Your DNA probably has more bits of entropy than your first and last
name together.

~~~
abecedarius
Sequencing at home is done all the time by your own cells -- or anyway
replication is. There's no inherent reason it can't be done by small cheap
tools; we're just not there yet.

(Yes, privacy is why I never signed up with 23andme. I expected news like
this.)

~~~
abecedarius
Added:
[https://en.wikipedia.org/wiki/Nanopore_sequencing](https://en.wikipedia.org/wiki/Nanopore_sequencing)
offers compact sequencers. Here's a handheld one:
[http://www.wired.com/2012/03/oxford-nanopore-sequencing-
usb/](http://www.wired.com/2012/03/oxford-nanopore-sequencing-usb/) There
can't be any physical barrier to high-quality readout by machines as small as
a cell, because our own cells do it. I only brought that up because,
ironically, I know more about cells than nanopore sequencing.

~~~
damurdock
We're still years off from sequencing at home for anyone other than dedicated
biohackers. The MinION is really cool, but it's very much an advanced
researcher's tool.

Honestly, if you're interested in having your genome sequenced/analyzed, I
would suggest contacting a local genetic counselor and asking if they can find
a sequencing core (or someone that does beadchips) that would agree to delete
your data after analysis. They would also be able to discuss your data and the
impact it has on your health with you, and provide referrals if more testing
or diagnosis is needed.

~~~
abecedarius
I figured that was probably the case; even optimistically, the Minion costs
around $1000. But the parent comment seemed rather too absolute in rejecting
sequencing at home, like it'd never happen. I'm going to wait a few years and
then reevaluate the choices.

------
woodman
This is another perfect example of how the whole "If you've got nothing to
hide..." thing is totally insane. This guy had nothing to hide, seven years
later the police show up.

~~~
rhizome
I wonder if it's possible for e.g. the Mormon Church to run a DNA program to
be able to protect the data and identities under the 1st Amendment, similar to
what the Catholic Church has done with pedophile records.

~~~
wldcordeiro
It would certainly help if the LDS Church was headquartered in its own
sovereign nation but I think it's trickier here in the US. Though it would
certainly make for an interesting test of freedom of religion if it ever came
down to it.

------
TuringNYC
This is where the Prosecutor's Fallacy is particularly dangerous
([https://en.wikipedia.org/wiki/Prosecutor%27s_fallacy](https://en.wikipedia.org/wiki/Prosecutor%27s_fallacy))

Someone intent on finding a suspect can try to find a convenient suspect.
Perform secondary sort on those who cannot afford a defense and/or persons of
color and you've got someone who is suddenly in a world of undeserved trouble.

------
X86BSD
And _this_ is why I will not do Ancestry DNA. As much as I want to do their
DNA program I just won't until we have some major strict privacy laws
regarding DNA. Once a third party has it, just like storing your data in the
cloud, who knows _where_ this DNA will wind up or for what purpose.

~~~
jacquesm
Even with privacy laws there is very little in terms of guarantees. Too many
ways in which data can be copied or read by those who should not have access.
For some data, it is simply better if it does not exist in an easily
accessible centralized pool at all.

------
blisterpeanuts
This isn't going to end well. The minute the general public becomes aware that
they're effectively handing their DNA over to the FBI and perhaps the NSA,
companies like Ancestry.com and 23andMe.com will be out of the DNA business. I
was thinking of registering my own DNA, but not any more. I'm not against law
enforcement at all, but I'm sure against this kind of back door attempt to
confiscate yet more of our private data.

~~~
Nutmog
The general public isn't worried about these problems. The general public is
the people who voted for giving those agencies their powers and letting them
keep them. Anyone who voted for Bush or Obama is someone who isn't worried
about giving their DNA to 23andMe.

------
kmfrk
I deleted my 23andMe profile for this reason. I've still got a .zip file of my
(relevant) DNA on my computer.

There's Promethease
([https://www.promethease.com](https://www.promethease.com)), if you want a
more open alternative. They're quite good.

~~~
jjawssd
> Implying your data is deleted from their servers

------
SCAQTony
Farcical comedy I know but imagine if one day you go on some sneezing rampage
due to allergies on some sidewalk 5 minutes before a horrible murder took
place and you're suddenly a suspect! At least that is my fear.

------
merpnderp
23AndMe says they will destroy your sample if you request and I would assume
you can ask that they destroy your data.

~~~
chaostheory
That is not really true. According to 23AndMe, by law the lab that processes
your saliva must keep your data for a minimum of two years. Moreover 23AndMe
keeps your data forever if it's involved in any of their studies (it's in
their TOC), which probably happens the second you submit anything to them. I
do not believe that 23AndMe actually deletes data.

~~~
merpnderp
Looks like they won't delete your DNA data, but they will delete any personal
information linking it to you. Fair enough.

[https://www.23andme.com/about/privacy/](https://www.23andme.com/about/privacy/)

~~~
dsmithatx
Do they still keep a database of all previous customers? If only 1% request a
deletion it would leave a fairly small group of people who requested the
deletion. Then via genetic markers you could probably match them back up
fairly easily with the right data.

------
dekhn
I've placed my whole genome on PGP. Anybody is free to use it.
[https://my.pgp-hms.org/profile/hu80855C](https://my.pgp-
hms.org/profile/hu80855C)

~~~
damurdock
How was the process of signing up for the PGP? I've been interested in doing
it before, but wasn't sure if it would be a major hassle or more of an in-and-
out of the doctor thing.

Also I'm impressed at the amount of data, I expected a few VCF files, not a
~60GB BAM.

~~~
dekhn
I just uploaded the data files to pgp and signup was trivial.

I did illumination wgs and just visited random doc for the blood draw.

------
dominotw
There was story a while ago on HN about some guy putting his 23andme on github

[https://news.ycombinator.com/item?id=2211928](https://news.ycombinator.com/item?id=2211928)

------
awinter-py
If we improve the use case for anonymous medical care, I can live with 23andme
being a subpoena farm.

Much scarier that you can't get a lab test without leaving 3 data footprints
(insurer, lab, doctor's office).

------
microcolonel
Time to ask 23andme to destroy my sample, I'm disappointed but not surprised.
Not 23andme's fault though. Thankfully I had mine tested in the Canadian
facility rather than the U.S. one; so they can legally comply.

No doubt they can get my sequence anyway, maybe they already have it; but at
least I can say that they got it illegitimately.

------
nxzero
Appears the story linked to has a pretty limited amount of information, more
information maybe found here:

[https://www.genomeweb.com/applied-markets/ancestrycom-
shutte...](https://www.genomeweb.com/applied-markets/ancestrycom-shutters-
smgf-database-amid-murder-case-controversy)

~~~
jacquesm
At $95 I think I'll pass.

------
cm2187
This is why I refused to contribute to a medical study on a condition I had in
the past and that would have required me to provide some DNA sample. These
databases should not exist given the weak legal protection and the non
existent protection against hackers.

------
nsajko
The site was unusable (couldn't scroll) until I turned off Javascript.

------
Nutmog
There's a lot of negative reaction here. What's wrong with the police
searching DNA data to find a suspect? Is it:

A) They might do something statistically invalid like charging whoever
matches, even if somebody is bound to match just by chance. That didn't happen
here. Usry was only a suspect and interrogated then let go. If he did get
wrongly convicted, that means there's always at high risk of that for any
investigation even without DNA. If we don't trust our processes for protecting
against wrongful convictions, then we should try to fix those because they'll
already be being abused. If we don't want police to interrogate any suspects
who aren't already known to be guilty, then we might find they become a lot
less effective at solving crimes.

"... was interrogated for six hours and finally gave blood for a DNA sample.
For the next month, he remained under suspicion until his DNA was determined
not to match the samples taken from the crime scene."

That looks like a perfectly normal and acceptable way of investigating a
crime. It looks like the system working safely.

B) Police accessing personal data is wrong. How about phone tapping with a
warrant? How about searching a house with a warrant? Private surveillance
footage? Where do you draw the line and not allow them to investigate crimes?

C) People confuse it with secret anti-terrorist or antidisestablishmentarian
(I found a use for that word!) NSA investigations which don't follow the well
accepted warrant process.

D) Other.

~~~
Veratyr
I have a few problems:

\- 23AndMe/Ancestry shouldn't __have __a database of DNA - > identity
mappings.

\- Law enforcement shouldn't have the ability to compel surrender of data for
which someone can have a reasonable expectation of privacy (medical records,
private communications, journals etc.). Privacy trumps investigation for me.

\- Law enforcement shouldn't have any kind of "search" access to any private
DNA database. I could accept them getting information for an exact match but
including relatives and partial matches is too far.

~~~
Nutmog
I understand wanting to keep the police out of your private things. But we
already let them in when they have a warrant. Are you saying DNA is more
private than your house, computer, phone converations, etc? Or that all those
things should be off limits to police with a warrant?

Of course this is not the same as giving them free access to whatever they
want. Then I could understand people's worries. Individual policemen could use
it to harass people they don't like, or other abuses.

~~~
Veratyr
> Are you saying DNA is more private than your house, computer, phone
> converations, etc? Or that all those things should be off limits to police
> with a warrant?

I can live with the police gaining access to my house but my computer and
phone conversations are just as off limits to them as I want my DNA to be.
Every device I own that can store data is fully encrypted so the police have
no access to that regardless of their wishes. Same goes for most of my phone
conversations.

I draw the limits at two things: my body (DNA) and my mind (communications,
data).

