The reason I think it's particularly interesting is that it passes one of the basic tests I have for whether something should be searchable by law enforcement: Do they have a target in mind and a warrant to search for that target? For PRISM and the other things that Snowden warned us about, the answer was no: the government was doing dragnet surveillance of all sorts of data warehouses to find people who fit a profile, without knowing who they're looking for ahead of time. With this, they have to have a DNA sample found at a crime scene, and they're using that combined with a warrant to do a targeted search for people with matching DNA. It just happens to be a website that people send their DNA to, rather than a police database.
So I'm actually inclined to say I think this is ok? But I'm not 100% sure how I feel yet.
EDIT: ok it looks like this was done not necessarily with a warrant, but with the officer just submitting the DNA as if they're a customer of the site. But actually my point still stands if they changed their technique to instead use a warrant and ask the site directly, not hiding that they were police officers... it's just that in this case they didn't even need to because it's so easy to just send others' DNA samples to these sites? It really seems like the lack of a warrant was a technicality here and could have easily gone the other way and still got to the same result.
And also contributing is the increased sensitivity of the DNA amplification methods and lax procedures at most labs. See http://www.sciencemag.org/news/2016/03/forensics-gone-wrong-...
>In 2013, geneticist Michael Coble of the National Institute of Standards and Technology in Gaithersburg, Maryland, set up a hypothetical scenario in which a mix of DNA from several people had been found on a ski mask left at a crime scene after a series of robberies. Coble asked 108 labs across the country to determine whether a separate DNA sample, which he posited had come from a suspect in the robberies, was also part of the mix. Seventy-three of the labs got it wrong, saying the suspect's DNA was part of the mix when, in fact, it was not.
A defendant is one expert witness away from undermining a case that relies on that low of a resolution of matching alone. In this case, that data was only used as a pointer to suggest to police that deeper scrutiny of the identified suspect was warranted.
and an uninformed 'jury of your peers' away from a false conviction..
To see how things were actually done, RTFA.
It's not stealing.
First off, if you discard something in the trash you no longer are laying a claim to it and giving it up for the trash handlers.
Secondly, it was established in California v. Greenwood that you don't have a privacy right to trash left out on the public curb for pickup; which obviously implies that you don't have a privacy right to trash placed in a public bin.
I personally think privacy laws need to be set up right away. I think it should be illegal, even in cases of national security, to infer something from your DNA from others, such as relatives without the use of a warrant.
You should not end up in what is effectively a police line up just because your brother submitted his DNA to the public domain. People should not be able to use information about his DNA, in any way imaginable to infer anything about you.
There's a world of difference between evidence submittable at a trial and evidence making someone worthy of suspicion and further investigation. I agree the bar on the former should be high; the bar on the latter being low on average leads to faster perpetrator identification and a safer community.
Imagine I could read your mind by reading someone else's mind. Are you ok with me having access to your private thoughts just because someone gave me access to their mind?
Even if you and I were parent and child, I don't think there's a reasonable philosophy of ownership on which you could hinge the notion that I can't donate the DNA in my cells to a cause because the pattern of half of the (physically completely independent) DNA in your body has a relationship to my own.
I do think you're touching upon possibly an interesting wrinkle in the way our current philosophy of ownership treats data about groups vs. data about an individual. Similar lines of thought underpin the question of whether your friends are culpable for sending data about themselves to Cambridge Analytica if it allows CA to extrapolate information about you.
However, I currently know of no philosophy of ownership that makes the described scenario bad apart from the general "it's a dick move if you do it on purpose to screw someone else over" (but that hinges on the general category of "Don't screw people over on purpose," not on any concept of joint ownership of data).
To pull another analogy: imagine I had dated a rapist and although I didn't have enough evidence to get him convicted of a crime, I told all my friends he was dangerous and now they won't date him. Is this bad? Quite the opposite; it's the system that is already of necessity in place to protect people from bad actors that the legal system fails to handle.
How does one even come to such a conclusion?
Legally, the answer is pretty much "no" right now, and I think it's morally also "no."
Once a person discards any material as trash in a public space, it's fair game. The police didn't begin doing this sort of thing when DNA tests were invented.
I just used both methods listed to request account closure and deletion of all my data.
I suggest people do the same.
What I am leading up to is I can easily see where it becomes a requirement for others and it might start off with police forces because of the high visibility of abuse issues. From there it is not a big leap to other high visibility groups to include military and eventually everyone gets lumped in for medical safety and such.
It isn't that we need to be scared of what 3rd party sites do, it is that we need to be ahead of the game and limit how government can gain and maintain this information.
In California, the police can add you to the database (forcibly if needed) if you are arrested for a felony, or if you have a felony record and are arrested for a misdemeanor.
Note that I used the word “arrested,” not “convicted.” SCOCal has ruled that a conviction is not needed. Just an arrest.
All of this came about through two different voter referenda.
(Although again, if the match turns out to be a prior suspect rather than a random person, that's another story—see the “defense attorney's fallacy” lower on the page.)
They do. The suspect is a "John Doe." But the suspect's DNA is the physical sample they have in the rape kit. IANAL, but it sounds like it should pass the criteria for targeted search.
Additionally, I think investigators tend to act more carefully in a high profile case than in a typical case, so I expect that they possess some additional conclusive evidence.
The scanned individuals opted in for relative matching. The fact those people were relatives of John Doe is publicly-documented knowledge in birth records and not susceptible to a privacy challenge.
Let's assume that instead of DNA evidence, they had a photo of a white van at the scene of the crime.
In that case it would be obvious that the police would search databases for people who own that model of car.
If police would need to have a specific suspect in mind before they start investigations, how would they ever be able to investigate anything?
With GDPR, you should be able to force 23andme to delete your DNA information after you received the results. That's if you're European at least.
I see no issues with this chain of investigation. Some tools the police have access to you cannot personally opt out of. That's working as intended.
In practical terms, I'm sure it's against the ToS but really the service providers have no way of knowing unless the person has already submitted their DNA and your submission raises a red flag, thus cutting you off from the information you desire. This is interesting from a game-theoretic standpoint in that it might be more secure to give your information to every website and then be the designated owner, but it probably wouldn't shield you from law enforcement getting the same information via subpoena. It's an uphill argument to say that a general right of privacy weighs heavier than the unsolved cases of 10 murders and 50 rapes, a record which will probably be broken again in future.
I don't think DNA testing companies have much incentive to screen potential customers since each person can only submit DNA once without raising another red flag.
Or simply Facebook. Imagine the improvement in advertising accuracy if it could use your DNA as a unique key in its database. Match
I know it would violate certain state laws regarding biometric data, but the penalty for violating those laws appears to be civil by and large, not criminal.
> As for whether it's a criminal act, I think that it might be a form of assault, maybe.
Are you suggesting that using their DNA without their consent is assault, or the taking of it from them? It'd be trivial to take it without contact with them, from e.g. a hair, or their toothbrush, particularly if you live with them.
If I were an insurance company, what's to stop me from hiring investigators to go through customers' garbage to find their DNA, analyze it, and then take "appropriate" action?
I wouldn't be so sure of that interpretation. In most places that I've lived, you could be arrested for taking things out of the trash, whether in front of your house, or even if dumped on the side of the road.
That being said, you can't trespass to obtain the trash.
Laws against discrimination, such as those for both genetic information and pre-existing conditions that already apply to health insurance in the US. Even if nothing stops you from getting the information, you are prohibited from using it.
On a fun side, I wonder what would happen if I submitted a dog's or pig's saliva.
"GDPR, in contrast, explicitly recognizes the sensitive nature of genetic data collected in a variety of settings. In Article 9, an adjusted definition of special categories of personal data has been provided that includes genetic data and biometric data, among others." 
 - https://www.nature.com/articles/s41431-017-0045-7
This is not new -- I believe there have been at least a couple of arrests made as the result of a suspect's relatives contributing DNA in lieu of actually obtaining one from the suspect directly -- and provided there's consent from the relatives, I can't see much grounds for restraining someone from allowing their own DNA to be used to build a case against someone else. It becomes a bit murkier if you start compelling people to contribute DNA to build a case against a family member, but even there I can see parallels to other types of evidence and it's not a clear slam-dunk to me that it ought to be barred unless the familial relationship is one where testimony would normally be covered by marital confidence or other privilege.
So caveat emptor as always...but yep I had just wondered in general about "right to delete" with respect to genomic data.
And the definition of personal data extends to any data that can be linked to you. For example, if a server records a log entry with your name and IP, and the server also records log entries with just the IP, all of the log entries are considered personal data, even for dynamic IPs in some instances.
There are some exceptions around criminal justice and the protection of persons and property, however, I still wouldn't be surprised if this DNA evidence were ruled inadmissible in the EU.
 Court of Justice of the European Union
It sure would seem awful suspicious if someone requested DNA deletion out of the blue. Not convictably-suspicious, but suspicious enough to warrant followup investigation. ;)
It still might. He's yet to be tried. He's yet to be convicted. It's going to be interesting / crazy to see how the ACLU reacts to this.
Also, in a way, this situation reminds me of the recent FB snafu. That is, access to your friends was granted by you (or me), not them.
The point being, personal privacy isn't so personal anymore.
What's the difference between this case and if the cops post a photo of a suspect and someone says "looks kinda like my co-worker, maybe a close relative" and that co-worker says "oh, that's my brother, we look alike, people mistake us for each other all the time." And then the DNA matches the brother.
People "unknowingly" give evidence to the police all the time. That's like complaining the police used information that someone blogged about to solve a crime.
The idea I could get arrested because my cousin coughed on a doorknob is terrifying. Everyone has that black sheep in their family. Why should I get harassed by the police every time they or someone they know commits a crime?
Seriously? That's all it takes for you to accept the police don't need a warrant? That the warrant is "just a technicality"?
If that were true, we wouldn't need judges to approve warrants. Police have and will abuse their powers without the judge being a filter for their actions. That should never change.
What I mean is, the interesting issue to me is whether it's OK for law enforcement to send a DNA sample and compel ancestry/genomic sites to respond with any matches, even if they do have a warrant. So I misspoke saying it's a technicality, what I really mean is that the issue is interesting to me even if a warrant were provided.
IIRC The Wire had an accurate description of its use as an interrogation tool (note I did not say investigative tool).
The other two examples are true. Across the Atlantic polygraphs are regarded as a comedy technology and breathalyser tests are sufficient grounds only for arrest and an actual blood test.
Something along the lines of if only 0.01 percent of the world's population can match a DNA sequence found that still leaves us with a million matches where I just made up both those numbers.
Careful, your bias is showing..
This is why a strong prior, developed through traditional policework, is necessary to increase the reliability of DNA results - most results obtained through database trawling will be false - and these will be numerous if the database is large enough. It is also part of the reason why exonerations are more robust than identifications.
This particular case may not suffer from these statistical problems, but they are worth keeping in mind, as it sets a precedent.
That isn't bias but rather an understanding of burden of proof. If you think it is, then you are very fundamentally misinformed about how our society functions.
Perhaps that’s the real privacy issue... anyone can find a piece of hair on the sidewalk, send it to a genealogy website, and identify who it might belong to and/or any relatives.
I wonder how they submitted the DNA.
Searching for relatives in such sites CAN be a privacy issue, but I don't see how your particular example works exactly.
What motivation exactly would have anyone that found a piece of hair, on the sidewalk or elsewhere, to know people with DNA from/similar to that hair's?
I don't know if it's that easy, but something like this may become possible.
Sure, but following you would be much easier.
Why go through all the trouble (AND leave an online trace)?
Maybe in the future leaked DNA sequence databases will be available, downloadable, and searchable by criminals without a third party. If so, this would actually be less likely to create evidence than following them.
*Unless there are other marriages between your mom's and dad's families
Not with the police, but they let people who find a related DNA to find them (this is a feature of these websites). Once the police have your DNA, they can find your relatives. You can't control whether your relatives are opted in to this feature or not.
It’s the same problem we saw with Cambridge Analytica. Incidental data shared by our friends can reveal information about ourselves when analyzed in bulk or supplemented with additional data.
We should think really carefully about this! My uncle’s right to check out who his long lost cousins are could put my genetic information in the hands of a potential employer, insurer, or government. That could be really bad.
This is similar to the Facebook scenario, where it’s not just your privacy you are trading away for whatever benefit, but those of people related or near you.
Btw, I live in Eastern Europe so I'm talking about stuff I've experienced here, maybe in the States or in Western Europe this behavior changed a long time ago and not only recently.
Why should you have a right to block the latter from happening? It's not your own personal information.
I think the debatable point is consent: I don't think anyone ever consented to their DNA being able to be used to incriminate them or anyone else without their express consent.
I'm actually stunned, I don't yet have an opinion on how this should be handled.
I predict that someone in the near future will be saddled with the unenviable task of arguing against the precedent set by this arrest. Good luck to that poor soul.
And given that people shed skin cells and hair regularly, that can be called abandoned property.
Being in a location at a certain place and time could be trivial to determine, no matter how careful you are.
I have a bad feeling this precedent won't be upturned.
Sure, if you have a Judge sign off on a search warrant, I have no problem with individuals being searched. But that petition to the court better be public and upon a sworn affidavit upon probable cause.
This case sure doesn't sound like that - instead it sounds like $geneticcorp was providing all analysis to law enforcement by default. Then again, the companies can just claim that's their "free speech" or some such garbage.
Well, that would determine that your DNA was there, but as we saw in that case discussed here earlier this week, it is a lot easier than most people realize for your DNA to get transferred to things or people who then transfer it to a crime scene, where it can be discovered and thought to be from the criminal.
I spent a while thinking about what one could do to defend against the risk that one's DNA might be falsely found at a crime scene for a crime that occurred when you are home alone. I couldn't think of a good way to prove you were home, but you don't need that. You just need evidence sufficient to raise reasonable doubt.
I came up with two ideas, one that you can do yourself, and one that would involve a startup that provides an alibi service. Not sure if anyone actually needs anything like this yet, but it is an interesting problem to think about.
(I live alone, and my office switched to work at home a few months ago. I can now easily go several days where the only people who see me are fast food workers, gas station attendants, and others in retail. Even at the fast food place I visit several times a week, where they remember me sufficiently to say "the usual?" when I walk in, and make the right thing if I say "yes", I doubt that if they were asked if I was there on a particular morning they would not be able to remember. All they could say is I come in 3 or 4 times a week but they wouldn't know which were the days I did not come in...so if somehow I was tied to a crime, I would probably have a very hard time establishing that I was not there).
First the self-hosted version. This is based on the old classic method that people, such as kidnappers, would sometimes use to prove that a hostage was still alive as of a particular date: send a photograph of the hostage holding a major newspaper from that date.
Set up a camera in your home that periodically takes a photo (or maybe a short video) of you standing next to a couple of monitors. One of the monitors displays current prices for several major stocks on exchanges around the world, and exchange rates on several currency exchanges around the world. The other shows several major news sites. After the photo is taken it is hashed and timestamped using a trusted timestamp service (or if you want to do it simpler, just Tweet the hash).
If you ever need to raise doubt about a claim that you were somewhere at a time you claim you were at home, you offer the photo or videos taken near that time. The timestamp for the hash establishes an upper limit for the time that the photo was made. The prices on the stocks and currencies and the headlines on the news sites should allow establishing a lower limit on when it was made. That gives you evidence that you were home between those times.
Could this be faked? Yes. You could take a photo made earlier next to blank monitors, and then around the time you are committing the crime ssh home and make the system take a photo of the monitors displaying the price and news data, and then Photoshop that into the earlier photo, and upload it.
But if your system is set up to work honestly, I think it would be good enough for reasonable doubt, unless the prosecutor can offer actual evidence that you DID hack it rather than just speculating that you MIGHT have done so.
The startup version, offering an alibi as a service, would just need you to have a webcam and microphone at home. With this service, you periodically initiate a video chat with the service, which it records. You should do the chat from a place where the background is easily recognized and unique. During the chat, the service gives you a random number of 6 digits. You speak the digits, while simultaneously holding up a number of fingers corresponding to those digits. The service saves the video and the random number. Maybe also hold up your phone with it using a GPS or mapping app showing your location.
In fact, the alibi service could probably make the whole client side a smartphone app. Use the smartphone front facing camera instead of a webcam. The app can use the phone GPS to record the location.
If you are worried about privacy issues over the videos of you being uploaded to the alibi service, there could be an option to store everything (video, GPS location) locally or on whatever secure cloud storage you use for your own videos and photos, with just a hash uploaded to the alibi server.
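The self-hosted scheme described in the comment above, reduced to its verification step, as an added example that is not part of the original comment. The HMAC-based `issue_token` is a stand-in for a real trusted timestamp service, the on-screen values are assumed to be transcribed from the photo by a person, and `TSA_KEY`, `PUBLIC_FEED` and all sample values are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Stand-in for a trusted timestamp authority (TSA). A real service signs with
# its own private key; this HMAC key is a constructed placeholder so the
# example runs offline.
TSA_KEY = b"constructed-demo-key"

# Constructed public record: when each on-screen snapshot first became public.
PUBLIC_FEED = {
    "ACME=101.25;EURUSD=1.2211;headline=Example headline A":
        datetime(2018, 4, 27, 14, 0, tzinfo=timezone.utc),
    "ACME=101.90;EURUSD=1.2203;headline=Example headline B":
        datetime(2018, 4, 27, 14, 5, tzinfo=timezone.utc),
}


def photo_digest(photo: bytes) -> str:
    """Only this digest has to leave the home; the photo can stay local."""
    return hashlib.sha256(photo).hexdigest()


def _mac(digest: str, stamped_at: datetime) -> str:
    """Bind a digest to a point in time under the stand-in TSA key."""
    msg = f"{digest}|{stamped_at.isoformat()}".encode()
    return hmac.new(TSA_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(digest: str, stamped_at: datetime) -> dict:
    """What the stand-in TSA returns: the digest bound to the TSA's clock."""
    return {"digest": digest, "stamped_at": stamped_at,
            "mac": _mac(digest, stamped_at)}


def alibi_window(photo: bytes, token: dict, on_screen: str):
    """Return (earliest, latest) times at which the photo can have been made.

    latest   = TSA time: the digest existed by then, so the photo did too.
    earliest = publication time of the data visible on the monitors, which
               cannot have been photographed before it was published.
    Raises ValueError if any link in the chain fails.
    """
    expected = _mac(token["digest"], token["stamped_at"])
    if not hmac.compare_digest(token["mac"], expected):
        raise ValueError("timestamp token was not issued by the TSA")
    if not hmac.compare_digest(token["digest"], photo_digest(photo)):
        raise ValueError("photo does not match the timestamped digest")
    if on_screen not in PUBLIC_FEED:
        raise ValueError("on-screen data not found in the public record")
    earliest, latest = PUBLIC_FEED[on_screen], token["stamped_at"]
    if earliest > latest:
        raise ValueError("data was published after the timestamp")
    return earliest, latest


if __name__ == "__main__":
    photo = b"constructed photo bytes"  # placeholder for the camera output
    stamped = datetime(2018, 4, 27, 14, 3, tzinfo=timezone.utc)
    token = issue_token(photo_digest(photo), stamped)
    shown = "ACME=101.25;EURUSD=1.2211;headline=Example headline A"
    lo, hi = alibi_window(photo, token, shown)
    print(f"photo was made between {lo.isoformat()} and {hi.isoformat()}")
```
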
If anyone (a) submits their DNA to such a site, and (b) looks at profiles of people with similar DNA to his found by the site (that is, what the police did in this case according to the comment above) then it doesn't matter if they "consent" or not, they should expect that others can do the exact same thing, and be shown matches to their DNA.
Doesn't that weird you out? The right not to incriminate your family feels breached.
That's not a thing. It's innocent until proven guilty; it's legally impossible to gather evidence because they're guilty to use against them. Hell, innocent people's fingerprints can be, and often are, collected at crime scenes. The police can use innocent people's prints to establish a timeline or figure out what their role was.
How many people have been that scared?
This entire "you share lots of info (DNA) with your relatives, thus they can screw you with it" is a pretty new issue. I doubt we understand the full ramifications, yet, and thus I'd prefer caution instead of the government giving others a green light to screw me in ways I cannot even imagine, yet.
Nevertheless hopefully ancestry etc would have sensible policies to protect people’s privacy unless a court order is involved.
I have a cousin who found out, in his 50s, after his mother and father had passed away, that he was not related to anybody in our family. It crushed him.
This guy gave his parents the gift of divorce.
The guy has a PhD but writes like a BuzzFeed writer.
It sounds like they submitted DNA from GSK crime scenes to a number of genealogical sites and got back one or more familial matches. From that match or matches, they were able to backtrack to a specific suspect.
Once the suspect was identified, they were able to surreptitiously obtain the suspect's DNA, then they directly tested that DNA against GSK DNA samples, and were able to confirm the match.
It hasn't been stated directly, but it seems like there is plenty of still-usable DNA from GSK crime scene evidence, even though it will now be 30+ years old.
It should be regarded as another tool in the toolbox, not the be-all and end-all of criminal forensic investigation.
Humans are an odd bunch.
Just as there was a state proposition (sponsored by the relatives of one of this killer's victims) to expand DNA-testing of criminal suspects, a future policy change could send investigators into those filing cabinets, if the blood DNA isn't too degraded, to do a broad genetic dragnet for criminal suspects (or their relatives).
Since proposition 69 (2004), and recently upheld by the California Supreme Court, California is taking and holding indefinitely DNA for everyone arrested for a felony, even if they're never charged or convicted:
So they already get 'free look' (no warrant required) at the DNA of anyone alive, via an arrest, even if the charges are ultimately unsupportable. Do you expect a stronger protection would apply against stored records?
Further, the newborn blood spots are already in government custody. There's no essential requirement for any private 3rd party to produce them, against the holder's wishes. Why wouldn't a detective/prosecutor, perhaps emboldened by public opinion or some new Prop-69-like policy, consider these blood spots 'abandoned' DNA, just like that acquired from this 'Golden State Killer' suspect after surveillance but without a specific warrant?
Is it unlikely that law enforcement would ever get a 'warrant to modern-sequence-all-the-spots', to solve some particularly heinous crime, then retain the data indefinitely, as they already do for other incidental collections? Sure, that sounds to me like a 'general warrant' that should be prohibited by the 4th amendment. But government keeps seeking – and often winning in court! – ever-broader database warrants. (See for example https://www.washingtonpost.com/news/monkey-cage/wp/2016/06/1...)
Even the ~80 yes/no genetic disorders automatically tested for, and thus possibly kept in a digital database afterwards, might be enough 'bits' to narrowly pick a few suspects, or uniquely identify a single suspect, in some cases. Would the CA DOJ need a warrant to have a friend at the CA DPH run a SQL query on a database that may already be online?
Can you find any statement from the California Department of Public Health that they would only release blood spot data to law enforcement with a warrant?
But that's so discouraged, and the normal process is so automatic and hectic, that it's very rare. Few even realize the blood-spot permanent-collection is happening.
There was a proposed bill in 2015 to require signed consent before the collection, but it was defeated. See very end of:
Much as you can opt out of the Second Amendment protection of firearm ownership by moving out of the US.
Officers turning off the oven weren't just doing a favor to the killer, but to the whole community.
He either was dumb a BS excuse to see if they will let him (perhaps to run for it), or was legitimately worried to have his house burned down.
As for the officers, they either sincerely meant it, or find it a cool phrase to say, conveying "you have other things to worry about now".
I've seen remarkably similar exchanges on tons of arrests in series like Law And Order.
He will get sued and lose the house likely.
The suspect would not want their house to catch fire and police officers have a moral duty to prevent fires in their jurisdiction if they are made aware of a fire hazard they can easily mitigate.
You should also be aware that the National Research Council has done a study on "forensic science" where DNA was the only barely reliable measurement in the entire field.
These are methods the US Justice Department/Police/Judges/Prosecutors routinely use to destroy innocent lives and trick juries. It's not hard to see how people become skeptical.
I'm not saying this is the case with the capture of the Golden State Killer, but it's not hard to see how the public lost its trust in these institutions we hold to be accountable and make choices.
This will potentially cause people to be less willing to use sites like this, and this could have long-term negative public health impact. Plus, it hurts the commercial businesses.
(My DNA is on record with DOD for personnel recovery purposes, as are most military/contractor personnel of the past 15 years or so, but I'm not sure how the actual database works. I suspect in reality it means China, Russia, Israel, and any other competent infosec adversary also has a full copy of this database.)
This long article that someone on Twitter sent me is interesting: https://medium.com/matter/23-and-you-66e87553d22c
(One could, I suppose, make an argument that the police, for purely selfish reasons, would want as many people as possible to use these sites so would keep mum on this methodology, but that's assuming police act as a coherent unit or organization and are not themselves individuals and citizens with their own red-lines for creepiness).
IANAL, but even without the expert witness, defense should be able to throw enough doubt for a criminal case defense with a line of questioning that begins "If the DNA matched to person Q in the DNA database and not to my client, why is person Q not the one being charged with this crime?" Defense can then move from there to the observation that the match to a relative in the database merely narrows the field of subjects to a whole family tree of relatives of the matched individual.
(Note that in this case, the police used the genealogy matches as a tool to focus suspect list, not as primary evidence in a murder trial. That's more in the realm of "Looking for everyone in town who buys that brand of cigar" than in the realm of "Your dad's DNA got you sent to prison!!!").
The race was yours to win. You were the observer in power, never observed. An initial setback came on September 10, 1984, in a lab at the University of Leicester, when the geneticist Alec Jeffreys developed the first DNA profile. Another came in 1989, when Tim Berners-Lee wrote a proposal for the World Wide Web. People who weren’t even aware of you or your crimes began devising algorithms that could help find you. In 1998, Larry Page and Sergey Brin incorporated their company, Google. Boxes holding your police reports were hauled out, scanned, digitized, and shared. The world hummed with connectivity and speed. Smartphones. Optical-text-recognition technology. Customizable interactive maps. Familial DNA.
I’ve seen photos of the waffle-stomper boot impressions you left in the dirt beneath a teen-age girl’s bedroom on July 17, 1976, in Carmichael, a crude relic from a time when voyeurs had no choice but to physically plant themselves in front of windows. You excelled at the stealth sidle. But your heyday prowess has no value anymore. Your skill set has been phased out. The tables have been turned. Virtual windows are opening all around you. You, the master watcher, are an aging, lumbering target in their crosshairs.
A ski mask won’t help you now.
The killer left behind 800 megabytes of information at the crime scene in the 1970s. A present day genealogy website had another 800 MB uploaded from a family member. Algorithms found a match.