The direct-to-consumer genetic testing company 23andMe was widely discussed in the news recently after it announced it would resume providing health information to customers. Less widely reported was another important announcement: for what appears to be the first time, 23andMe has released a public report about the number of requests it has received from law enforcement seeking its customers’ genetic information. According to the Transparency Report, 23andMe has received four requests for user data from law enforcement, with five different affected users.
Although 23andMe has thus far successfully fought off all of the law enforcement requests for its users’ data, there has long been concern about the potential release of 23andMe’s customers’ information to law enforcement. The 23andMe Privacy Statement states, “23andMe will preserve and disclose any and all information to law enforcement agencies” when it believes it is required to do so. Even though 23andMe has not yet disclosed any of its users’ information, the day may soon come when it is required to do so. That disclosure could have significant impacts for not only users who consented to the use of their data, but for users’ families, who may be implicated through familial DNA searches.
Consider, for example, the case of Michael Usry, who fell under false suspicion for a murder he did not commit after police found his father’s DNA in a publicly searchable database. Mr. Usry’s father had donated a DNA sample through his Mormon church for the purposes of a genealogy project. Ancestry, which purchased the project, had made the information publicly searchable, and allowed police to comb through it using familial DNA searches to look for suspects. Although Ancestry no longer allows public searches of that data, its privacy policies contain similar statements to those found in 23andMe’s Privacy Statement about releasing customer information when complying with law enforcement orders. Under that policy, Ancestry did provide information about Mr. Usry’s father to the police under court order.
Ancestry has declined to comment on the specifics of cases in which it has disclosed information, saying only that, “we have cooperated with law enforcement and the courts to provide only the specific information requested” when asked about their disclosures. 23andMe has stated that, if required to disclose information, it will notify the affected customer – unless ordered not to do so.
Civil liberties organizations such as the Electronic Frontier Foundation have emphasized that private DNA databases such as those run by 23andMe and Ancestry pose particularly concerning threats to privacy and civil liberties. People should be aware of the potential for their data to be disclosed to law enforcement when they send in a cheek swab to find out about their ancestry or genetic traits. As 23andMe’s report and Ancestry’s experience with Mr. Usry’s case make clear, law enforcement agencies are already asking for access to private companies’ data. Unless a ban on law enforcement use of private genetic databases is put in place, it will be up to companies and customers to manage that risk for themselves.