Resources

A rape victim whose DNA from her sexual assault case was used by San Francisco police to arrest her in an unrelated property crime on Monday filed a lawsuit against the city. During a search of a San Francisco Police Department crime lab database, the woman’s DNA was tied to a burglary in late 2021. Her DNA had been collected and stored in the system as part of a 2016 domestic violence and sexual assault case, then-District Attorney Chesa Boudin said in February in a shocking revelation that raised privacy concerns. “This is government overreach of the highest order, using the most unique and personal thing we have — our genetic code — without our knowledge to try and connect us to crime,” the woman’s attorney, Adante Pointer, said in a statement.

The revelation prompted a national outcry from advocates, law enforcement, legal experts and lawmakers. Advocates said the practice could affect victims’ willingness to come forward to law enforcement authorities. Federal law already prohibits the inclusion of victims’ DNA in the national Combined DNA Index System. There is no corresponding law in California to prohibit local law enforcement databases from retaining victims’ profiles and searching them years later for entirely different purposes.

Boudin said the report was found among hundreds of pages of evidence against a woman who had been recently charged with a felony property crime. After learning the source of the DNA evidence, Boudin dropped the felony property crime charges against the woman. The police department’s crime lab stopped the practice shortly after receiving a complaint from the district attorney’s office and formally changed its operating procedure to prevent the misuse of DNA collected from sexual assault victims, Police Chief Bill Scott said. Scott said at a police commission meeting in March that he had discovered 17 crime victim profiles, 11 of them from rape kits, that were matched as potential suspects using a crime victims database during unrelated investigations. Scott said he believes the only person arrested was the woman who filed the lawsuit Monday.

One DNA-matching company has decided it’s going to corner an under-served market: US law enforcement. FamilyTreeDNA — last seen here opening up its database to the FBI without informing its users first — is actively pitching its services to law enforcement.

FamilyTreeDNA sounds like it’s finally going to seek consent from its customers, but only after having abused their trust once and under the assumption they’re all going to play ball. While some DNA companies like 23andMe are insisting on at least a subpoena before handing over access to DNA database search results, other companies are staying quiet about law enforcement access or specifically targeting law enforcement agencies with ads promising to help them work through their cold case files.

Consent is great, but it’s never going to be complete consent, no matter how FamilyTreeDNA shapes the argument. As Elizabeth Joh points out at Slate, there’s a whole lot of people involved who will never be asked for their consent once a customer agrees to allow DNA-matching sites to hand over their samples to law enforcement.

[W]hen you volunteer your DNA sample, you’re volunteering your genetic family tree, without having asked your parents, siblings, cousins, and distant cousins if they agree. That upends the usual way we think about providing information to law enforcement. You can’t give the police lawful consent to search your third cousin’s house, even if your third cousin (who you may never have met) is suspected of having been involved in a serious crime. Why are we allowing a distant relative to grant police permission to your DNA?

There’s no informed consent happening here. Customers are being treated as data points law enforcement can peruse at its leisure. A customer who agrees to be a good citizen (by clicking OK on a submission box on a private company’s website) may learn later their sample was used to lock up a close relative. Some people will be fine with this outcome. Others may regret being the critical piece of evidence used to incarcerate one of their relatives.

Whatever the case is, very few companies are being upfront about the effects of opening up database access to law enforcement. FamilyTreeDNA is using a crime victim’s parent and the founder’s Team Blue sympathies to hustle its customers towards compliance. Users who don’t like this turn of events will likely find it far more difficult to remove their DNA from FamilyTreeDNA’s database than simply hold their nose and become an willing part of this partnership.

In the past couple of years, genetic-testing companies like Ancestry and 23andMe have become popular for finding out family history and DNA information. More than 12 million Americans have sent in their DNA to be analyzed to companies like 23andMe and AncestryDNA. The spit-in-tube DNA you send in is anonymized and used for genetic drug research and both sites have been selling the data to third-party companies, like P&G Beauty and Pepto-Bismol, and universities, like The University of Chicago, for some time. In fact, just last week major pharmaceutical giant, GlaxoSmithKline, announced a $300 million deal with 23andMe. The deal entails that they can use the data to analyze the stored sample, investigate new drugs to develop and genetic data for how patients are selected for clinical trials. Both 23andMe and Ancestry said that they will not share genetic information freely, without a court order, but people are welcome to share the information online themselves sometimes in order to find lost relatives or biological parents.

Last month DNA-based investigations also led to the arrest of the suspected murderer of two vacationers in 1987, and helped identify a suicide cold case from 2001. Emboldened by that breakthrough, a number of private investigators are spearheading a call for amateur genealogists to help solve other cold cases by contributing their own genetic information to the same public database. They say a larger array of genetic information would widen the pool to find criminals who have eluded capture. The idea is to get people to transfer profiles compiled by commercial genealogy sites such as Ancestry.com and 23andMe onto the smaller, public open-source database created in 2010, called GEDmatch. The commercial sites require authorities to obtain search warrants for the information; the public site does not.