Mar 16, 2016 - 23andMe and You

23andPrivacy: Your Data and Law Enforcement

By Kate Black and Zerina Curevac*

Since our founding a decade ago, 23andMe has only received requests from law enforcement for information regarding five of our more than 1.2 million customers.
In each of these cases, 23andMe successfully resisted the request and protected our customers’ data from release to law enforcement.
While receiving and responding to law enforcement requests is not a common occurrence at 23andMe like it might be at some large tech companies, customer privacy and trust are at the core of our approach to the issue.

We believe a key part of maintaining that trust is keeping customers informed and answering their questions about data security and privacy, so we’d like to take this opportunity to answer some of the most commonly asked questions from our customers.

Why would law enforcement be interested in my genetic data?

Law enforcement agencies are interested in genetic information because it may help identify individuals who are the focus of an investigation. The federal government manages the Combined DNA Index System (“CODIS”), a database comprised of the genetic information of convicted offenders and arrestees, collected by state and federal law enforcement agencies. Typically, law enforcement officers will collect DNA from an unknown suspect at a crime scene and compare it to CODIS to see if they can match it to a convicted offender or arrestee profile. If the unknown suspect matches an individual in CODIS, law enforcement can obtain the identity of the suspected perpetrator. If a search fails to return a match, law enforcement can run an additional search of CODIS called a “familial search.”

Unlike a routine database search, a familial search can potentially identify close biological relatives of the unknown profile obtained from crime scene evidence. By finding close relatives of an unknown suspect, law enforcement may be able to locate the unknown suspect and solve the crime. If no direct matches or familial matches are found in CODIS, law enforcement sometimes turn to privately owned databases in search of a match.

The Electronic Frontier Foundation reported on such a situation in May 2015, where police in Idaho tried to identify a suspect for a cold case murder using a publicly searchable Ancestry.com database. The public database allowed detectives to identify an unknown suspect because the suspect’s father had donated his DNA sample to the database years prior. Ultimately, the identified suspect was cleared as a false positive.

Is my 23andMe data likely to be useful to law enforcement or the government?

There are a number of technical and legal reasons that 23andMe data is highly unlikely to be useful to law enforcement, and we’d like to highlight a couple of the most important ones.

First, 23andMe’s tests are of little use to law enforcement or government because they cannot technically be matched against the information in CODIS or other governmental databases. 23andMe’s genealogy tests use a genotyping technology that produces markers for single nucleotide polymorphisms (SNPs), but law enforcement use a different kind of DNA test that uses markers known as short tandem repeats. This makes comparing the two very difficult. One way to think about the difference between the tests is that 23andMe’s test focuses on how you are like other people, while forensic tests focus on how you are different from other people.

If law enforcement presented a scenario in which SNP information was useful to a case, it’s still unlikely that it would be admitted into any legal proceedings for a number of reasons. One reason is a legal principle known as “chain of custody” which requires that a piece of evidence is what it claims to be, or that evidence collected can be reliably connected to a specific individual in order to use it in court. Genetic data collected by 23andMe fails to meet the chain of custody requirement.

Our service is offered online, and as a result, we can’t precisely authenticate an individual’s identity when they use our service. In other words, we don’t have any means to “reliably connect” any particular DNA sample to an individual.

We have been successful in communicating these, and other, limitations to law enforcement agents when they contact us. Once law enforcement officials see both the legal and technical limitations of attempting to use the data, they have backed off of their requests. As a result, 23andMe has not released any data to law enforcement to date. We will continue to vigorously protect the privacy and security of our customers’ data. Those protections for customers remain at the core of what we do.

What is 23andMe doing to protect my data?

Every company must decide how to respond if and when law enforcement officers request information about their customers. 23andMe unequivocally chooses to use all practical legal and administrative resources to resist requests from law enforcement, and we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access.

What are the limitations of 23andMe’s data protection efforts?

While we will continue to do everything in our power to protect our customers’ information, we also think it’s important to be transparent about our limitations. As stated in our Privacy Statement, we may ultimately be required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information. We can’t speculate on what future scenarios might give rise to such disclosures, but we will notify the affected individual(s) through the contact information they have provided to us in advance of any disclosure to law enforcement, unless doing so would violate the law or a court order.

How can I keep track of 23andMe’s releases to law enforcement?

We stay accountable and transparent to our customers via our Transparency Report, which details the law enforcement requests we have received and our responses.

Should you have any additional questions or concerns, please feel free to email us at privacy@23andMe.com.

* Kate Black is 23andMe’s Privacy Officer and Corporate Counsel, while Zerina Curevac is a 23andMe legal intern.
