Hacker News
Search warrant overrides 1M users’ choice not to share DNA with cops (arstechnica.com)
45 points by pseudolus 11 days ago | 20 comments

Major problem with a heavily underfunded, understaffed company: they simply don't have the resources to put up any kind of legal resistance to this type of judicial pressure.

Edit: Also incredibly relevant: https://news.ycombinator.com/item?id=21461957

>they simply don't have the resources to put up any kind of legal resistance to this type of judicial pressure

A very simple solution to this: don't keep the data once you've provided a service to the customer. Or anonymize it and scrub any association.

It's never a question of "we don't have the resources to protect your data". The conclusion should be, if you don't have the ability to protect your customers you don't get to harvest their information.

This is the only way things will change. Companies need to be put in the position where holding personal data is a major liability. And not GDPR type that relies on admins or politicians. It needs to be something that excites the trial lawyers approaching the level of mesothelioma.

Idk how we get there, whether it be through the courts, Congress, or some other way. I think getting rid of third party doctrine will do more towards this goal than most people realize, but it has to be in a way that treats any data acquired by government as if it were collected by the government, to 4th amendment levels of scrutiny.

But if things are going to change, major liability on government and private sector will have to be the result, unless we want eventual relapse.

Things like this are why tools like Ring doorbells or Alexa make me scared. Sure, nobody is normally paying attention to that data. But it's all just a subpoena/warrant away from being searched. If it's physically possible to look through a dataset, then there are legal pathways for the government to use that data.

>legal pathways

And barring that, they'll just suck it all up anyway in secret and claim immunity from oversight due to undefined national security reasons.

Especially since Amazon seems eager to give police et al. easy access. Up until now, the fact that most of this data even existed wasn't known to many government entities, let alone who to subpoena to get data.

Ring seems hell bent not only on promoting universal awareness of such data, but monopolizing the means of access.

I wonder how a bigger corp, like 23andMe, would handle this.

Interestingly, their transparency report[1] claims they've received 7 requests from law enforcement, and denied all of them... shows they're willing to put up somewhat of a fight at least.

[1] https://www.23andme.com/transparency-report/

It seems to me all these companies would benefit by pooling resources into an industry wide organization for defending against this sort of thing.

If case law is set by the little guy losing, it doesn't matter how much money 23andMe is throwing at their cases.

Wonder how common lying is in these situations.

I bet really common.

>GEDmatch hit the spotlight in 2018, when DNA data from its site led to the eventual arrest of a man suspected to be the "Golden State Killer," responsible for dozens of rapes and murders in California between 1976 and 1986.

This Golden State Killer case was the biggest public relations boon to police wanting access to this DNA. In general the public wants rapists and killers to be caught. I think the public thinks that if these people don't care enough about their privacy to send DNA samples to a private company (that is not a health care company), then they should not object if police use that information to catch killers and rapists.

Wasn't it actually a relative of his that submitted their DNA, not him?

Yes, it was a relative's DNA. So you have to not only submit your DNA, you have to talk all your kin out of submitting theirs. That includes sisters or brothers separated by adoption in early life.

The bigger question is: Do we want the Police, CIA, FBI, NSA, etc. to be able to have access and use that information however they want?

At this point, particularly as a matter of principle, I think it’s better to pull your DNA profile out of the system, and request that it be destroyed.

That may not be enough.

>Asked if there was evidence the database had already faced concerted attacks, scraping, or scanning, Rogers said, “I don’t want to get into it.”

>“Not that I am aware of,” he added. “I don’t know.”

>Rogers declined to comment on whether he’d been approached by national security officials about the site.

Good luck trying to destroy a digital record at this point.

Edit: Referenced: https://www.technologyreview.com/s/614642/dna-database-gedma...

He's already been busted lying about providing access when it was against policy. After being in the bad position of not having a policy for police requests, he set a policy then almost immediately broke it.

I think policy was only for a murder, and he personally approved access for a non-lethal stabbing, or something similar.

If you don't want your DNA searched in the GEDmatch database, then don't upload your DNA to GEDmatch.

You also have to ensure that none of your close relatives upload their DNA (very similar to yours) to the database either.

I've tried. So very hard. And I failed.

People, like my siblings and mother, see this as a game. They see no problem with giving a private company access to their most uniquely identifying information. They'd likely hand over their fingerprints and retina scans for a free photo of themselves doing it. My mother shreds every piece of mail but jumped on 23andMe without hesitation.

The world has become dumber and less concerned with personal information than some weird shared social experience. I'm not worried about the feds getting my data (ish) as much as I am about Bad Actors in the future. (I still very much want the government out of my business and personal life though.)

Easy to say, now that other kind folks have done the heavy lifting to find the problem and publish stories raising it and we've been lucky enough to stumble upon those stories. But, that of course is the problem. Awareness.

But, should it be a problem? Shouldn't we have a basic right to privacy?

We get sold on the need for police to catch "Murderers". But then it's "attempted murder". Later it's "attempted violent crimes" 1). Will anyone be surprised when it starts being used by debt collectors to harass you or your relatives?

How long after that before someone figures out how to use it to efficiently ID people with early dementia so they can target and swindle them?

1) https://www.theatlantic.com/science/archive/2019/10/genetic-...
