DNA databases: biology stripped bare
Net Results: Should private DNA profiles be available to third parties for crime inquiries?
DNA molecule: DNA not only provides identifying detail about a person but reveals medical and genetic data. And not just about that individual, but about close and even distant relatives. Photograph: Steven Hunt
Last week, a judge in a Sacramento, California, court read out the first of eight murder charges to suspect Joseph James DeAngelo as he sat shackled to a wheelchair.
The 72 year old is alleged to be the infamous Golden State Killer. Using DNA samples and a genealogy database, investigators tracked him down and took him into custody more than four decades after the first assaults were committed in the mid-1970s.
I remember them. At the time, my family lived in the nearby quiet university town of Davis, and these crimes terrified the region.
Fast forward to two weeks ago. I was visiting my mother in California and, trying to relocate some information on her great-great-great-grandfather, I did a search on a genealogy website and was startled to find that someone distantly related to me had uploaded his DNA profile to the site. I hadn’t realised genealogy sites now had this “feature”.
My first thought was, what were people thinking? How secure were those highly revealing profiles? What happens to them when the companies holding them are sold or close down? Are there legal protections on what may be done with them?
Hardly a week later, all these issues and far more have been highlighted by the DeAngelo case, in which a dogged investigator matched a pristine DNA sample from the killer, held for years in a freezer in Ventura county, with DNA markers taken from objects discarded by DeAngelo.
However it is the route by which they were connected that is both ingenious and alarming. In a tale worthy of detective fiction, investigators uploaded a fake profile with the Ventura DNA profile to a genealogy open database and began to painstakingly piece together family trees from a resulting distant familial match.
Eventually they focused on DeAngelo.
If he is indeed convicted, then an individual responsible for a horrific chain of violent crimes will end his days in prison.
But the method used? It uncomfortably displays the arguments on either side of a privacy versus security debate in the relatively new area of DNA identification, arguments which have not been properly considered anywhere.
Should DNA profiles created for private purposes be available to third parties? This question may seem to have a simple answer. If Mary goes to one of the many companies that will produce a personal DNA profile, and uploads the results to a genealogy website, surely that is her choice?
Well, it’s more complicated.
DeAngelo was tracked by using the data from a DNA profile uploaded by one distantly related individual to an open genealogy database that anyone can access. No warrant was used.
Yet as the EU’s Article 29 working group of data protection authorities recognised back in a 2003 working document on biometrics (https://iti.ms/2FB69ve), DNA is a unique and unusual form of identification deserving of special legal protections.
DNA not only provides identifying detail about a person but reveals medical and genetic data. And not just about that individual, but about close and even distant relatives.
Exploiting those characteristics led investigators to DeAngelo. And society might well decide that such uses of DNA are warranted and advantageous. But we must also consider the potential for misuse and abuse, too.
I don’t believe the risk of law enforcement misappropriation is necessarily the main worry here. Instead, it is the potential of corporate or state misuse.
DeAngelo, we are told, was identified via a rare marker in his DNA, also carried by the distant relative. We tend to think of such a capability in isolation, used in this one instance towards an acceptable outcome.
Yet we are only in the infancy of data collection, mining and analysis. And DNA is extraordinarily revealing – and is only going to become more so as markers are better understood. Plus, like other biometric data, it constitutes an irrevocable link to an individual.
But unlike other biometrics, it also provides revealing links to thousands of other related individuals; even to an entire ethnic group.
Such markers may reveal a genetic predisposition towards cancer, or early onset dementia. Mining that data and linking it to family trees and thus, individuals, might interest insurance companies, or state health bodies, or – as ever – advertisers. Or? Who knows?
And the ability of a third-party potentially to reveal such information about me, about you, without us having any say, by providing their DNA profile for some personal purpose? Consider how furious so many have been on the basis of their Facebook profile data going to Cambridge Analytica via some Facebook friend deciding to do a quiz.
Facebook profile data is revealing enough. But DNA is you, fully, irrevocably, exposed. And whatever it displays about you right now, is trivial compared to what we will be able to read into it in the future.
That’s why this case isn’t just about a solitary law enforcement outcome, but about all of us doing an unintended, genetic full monty.