A Critical Eye Toward Commercial DNA Database Criminal Procedures
After the Golden State Killer was arrested and sentenced in 2018, interest in investigative genetic genealogy spiked. A genetic genealogist broke the decades long cold case. She assisted law enforcement in identifying the serial killer from a remaining sample of DNA evidence, the commercial DNA database GEDmatch, and the painstaking process of family tree construction. Results from eye color prediction in GEDmatch and a health risk analyzer called Promethease suggested the killer would be blue eyed and prone to premature baldness. That profile led investigators to former police officer Joseph James DeAngelo. DeAngelo eventually pleaded guilty to thirteen murders and thirteen counts of kidnapping. He was sentenced to eleven consecutive life sentences without parole.
For some, this high-profile success story raised concerns about the privacy of genetic information. Several companies, including GEDmatch and FamilyTreeDNA, were voluntarily turning over user data to law enforcement. The legal background of the Fourth Amendment, particularly the third-party doctrine laid out in Smith v. Maryland (1979), plausibly implies that the companies could turn over data “voluntarily conveyed” to them to law enforcement without violating users’ rights. The uncertain legal landscape prompted scholars to call for new legislation for commercial DNA databases.
Several states have answered that call. In May 2021, Maryland and Montana passed historic laws regulating forensic genetic genealogical DNA searches. Utah’s legislature also addressed law enforcement DNA searches as part of a wider Genetic Information Privacy Act.
As political motivation for regulation has originated on both sides of the aisle—the Maryland Act was sponsored by Democrats while the primary sponsors of the Montana and Utah Acts were Republicans—many states could follow suit. Yet the enacted state laws vary widely, providing various models for future state legislatures to follow. The Montana and Utah legislation is broad and basic, setting minimal limits on DNA searches. The Maryland Act is incredibly specific, creating the potential for missteps in the details. Critics have flagged problems that suggest lawmakers should be careful of following either model exactly when crafting future legislation. While the Maryland Act is more protective than the Montana or Utah regulations, it may also prove problematic if applied verbatim in other states.
The Montana Act is simple: law enforcement is required to obtain a search warrant to search consumer DNA databases unless the person in question previously waived their privacy right. The Utah Genetic Information Privacy Act even more vaguely requires a “valid legal process” before a commercial DNA company discloses genetic data to law enforcement without a user’s express written consent.
The requirement of a search warrant likely accomplishes two goals. It should prevent companies with commercial databases from cooperating with law enforcement, and it should prevent law enforcement from simply creating profiles independently, absent such process.
Otherwise, it is unclear how much protection a warrant process would provide. The bar for probable cause is famously hard to pin down. The line is even less clear in the DNA context because there are so few test cases. Because law enforcement has typically worked with cooperative DNA companies and avoided seeking data from non-cooperative companies, there are few precedents indicating how judges evaluate probable cause in this unique context. At least one judge has granted a DNA search warrant. Judge Patricia Storwbridge of the Ninth Circuit Court of Florida approved a warrant to search GEDmatch in 2019. Most of the probable cause section of the warrant is redacted, shedding no light on this element.
Empirical studies indicate that judges generally require around a 44.5 percent probability of success to find probable cause and grant a warrant. This probability is lower than the projected success rates for many individuals on certain DNA databases. One study of GEDmatch found that for individuals of European ancestry, about 60 percent of searches were likely to identify a third cousin or closer familial match. These numbers suggest that for DNA obtained from a victim of an attacker, securing probable cause could approach mathematical certainty.
Requiring warrant process raises the bar from unregulated searches of commercial databases. But as databases grow, mathematical probabilities of finding a helpful familial match may make the hurdle of probable cause negligible.
The Maryland Act raises the bar higher. It mandates that law enforcement obtain judicial authorization before initiating a forensic genetic genealogical search. This authorization will only be given if the forensic sample satisfies a rigorous set of criteria: (1) the relevant crime must be an attempted or completed murder, rape, felony sex offense, or crime that presents a substantial and ongoing threat to public safety or national security; (2) only samples reasonably believed to belong to an unidentified suspected homicide victim or to a putative perpetrator collected from a location, person, or item connected to the crime may be tested; (3) law enforcement may only seek commercial DNA testing if state and national databases have been tested without success; and (4) reasonable investigative leads must have been attempted, unless the crime presents an ongoing threat to public safety or national security. As for the databases, the searches may only be conducted using commercial or publicly available databases that provide users notice of and seek consent for law enforcement use of their data.
The Maryland Act was the product of a diverse working group of police, prosecutors, public defenders, members of the Innocence Project, and academics. The law establishes robust protections for informed consent about providing DNA, consequences for violations, and an annual public review of searches conducted.1 Some critics, however, have found flaws in this Act as well.
A particularly notable critic is Paul Holes. Holes is a retired investigator who was a key leader of the Golden State Killer investigative team. He has highlighted the significant scientific limitations on the use of DNA evidence—illustrated by the Golden State investigation itself.
Because DNA testing technology developed significantly over the course of the investigation, Holes had used up much of the mystery offender’s DNA. Even after reaching out to other agencies that might have had access to more samples, many did not have sufficient DNA or had samples that were too contaminated with victims’ DNA for proper testing. A lucky break came from a pathologist who had collected two kits from a Golden State Killer sexual assault and had given only one to law enforcement, reserving the other in the coroner’s office, where it remained until Holes’s inquiry.
In light of these practical limitations, the aspect of the Maryland Act that other states should carefully consider before adopting is the mandate that the DNA first be “entered into the statewide DNA data base system and the national DNA data base system, and [have] failed to identify a known individual.” “In essence, the statute could potentially cause me to kill my case,” Holes said of the Maryland law. Even in the case of the Golden State Killer, who had dozens of victims and DNA collection opportunities, obtaining the requisite quantity and quality of DNA was difficult. Add in complicating factors like contamination, degradation, and limited collection and the amount of available DNA may be reduced even further. A 2021 study conducted in the United Kingdom estimated that only 2.4 percent of crimes produced DNA: 63.5 percent of homicides and 7.8 percent of rapes. An even lower percent of crimes had DNA linked to case outcomes—8.4 percent of homicides and only 0.6 percent of rapes.
These practical limitations are even more troubling given the vast differences between the DNA populations contained in commercial databases and those in the government databases that the Act mandates law enforcement search first. In 2020, scholars evaluated data disclosed by seven states to estimate that, despite composing only 13 percent of the U.S. population, Black people contribute 34 percent of samples to public databases.
This racial overrepresentation is particularly significant because of the controversial means by which these “contributions” can be made. In Maryland v. King (2012), the Supreme Court held that states could collect DNA evidence from arrestees, not just convicted offenders.
The Supreme Court has also given law enforcement expansive power to make arrests. In Atwater v. City of Lago Vista (2001), the Court determined that “[i]f an officer has probable cause to believe that an individual has committed even a very minor criminal offense in his presence,” including a traffic misdemeanor punishable only by a fine, “he may, without violating the Fourth Amendment, arrest the offender.” Current FBI statistics report the national DNA database contains 4.4 million arrestee profiles and 14.7 million offender profiles. In combination with evidence that Black Americans are arrested at a rate double their share of the population, the application of Fourth Amendment case law may exacerbate the existing racial tilt of these public DNA databases.
Given Fourth Amendment case law and disparate enforcement, other states that pattern legislation on the Maryland Act might end up requiring law enforcement to first use disproportionately Black state databases instead of disproportionately white commercial databases. Because of the fragility and frequently low quantities of DNA, this requirement could risk expending evidence on an unlikely database before searching a statistically more likely database. The DNA samples of white offenders could be used up while searching disproportionately Black state databases. States must be sensitive to potential biases lingering in their own databases before instituting a similar requirement.
The recent developments in commercial DNA database regulation offer an example of Justice Brandeis’s “laboratories of democracy.” As with any good scientific process, future state laboratories need to evaluate the existing regulations critically. While the rigor of Maryland’s law has many benefits over the minimal standards imposed by Montana and Utah, future legislators should avoid uncritically copying the regulation. Specifically, the practical scientific limits of DNA, the racial tilts of some databases, and concerns about the ease of arrest under Fourth Amendment doctrine combine to caution against requiring the use of certain databases. State regulation of commercial DNA databases must consider the potential implications of this provision.
- 1See Natalie Ram, Erin E. Murphy & Sonia M. Suter, Regulating Forensic Genetic Genealogy, 373 Sci. 1444, 1446 (2021).