A judge has approved a warrant allowing law enforcement to search the database of the genetic genealogy service GEDmatch, a landmark ruling that may have serious privacy implications.
DNA matches could provide the answers to criminal investigations gone cold; however, the question of whether the police should have access to the extremely sensitive DNA information of the masses in the quest for the few has raised a series of ethical and privacy complications.
Commenting on the ruling are the following security professionals:
This case can prove to be a double-edged sword. On one hand, having access to DNA data can be very beneficial, on the other hand, this does not bode well from a privacy perspective.
This is one of those issues which is not black or white, but rather should be considered from a risk perspective. Much like major tech companies such as Google, Microsoft, and others, companies should only release information upon receiving a valid legal request. In addition, publishing a transparency report detailing the number of law enforcement requests annually would also be beneficial.
Ultimately, this does become a decision for individuals who use such services. Whenever one gives up personal data, including DNA, the assumption should be made that the data can be accessed by law enforcement, if not today, then at some time in the future, and one should make the decision to use such services accordingly.
Genetic data is woefully under-protected by US privacy laws like HIPAA. HIPAA only applies to healthcare entities like hospitals, insurers, and pharmacies. GINA prevents discrimination based on genetic information but doesn't protect privacy. Ancestry, 23andMe, and GEDmatch aren't covered by HIPAA. The US needs a law like HIPAA to prevent all genetic databases from becoming police databases. People have a right to access health information related to their genealogy without fearing for their privacy and the privacy of their family members.
It might be reassuring for those using similar services in the UK to know that it would be highly unlikely that similar access would be granted here. Law enforcement must make a very strong case for the granting of warrants by the UK judiciary. In cases such as these they must be able to justify necessity and proportionality, and also satisfy the court that they have sufficient processes in place to manage and mitigate any collateral intrusion their investigations may cause. This means that, rather than gaining access to an entire database and being allowed to data-mine its contents at will, it is more likely that UK officers would have to identify the specific information they required and rely upon the host to provide it.