Who can access your DNA test kit data?

CLEVELAND – You want to find out where your ancestors came from but could find out you're related to a serial killer. As more people submit DNA samples for genetic testing, law enforcement is using that information to crack cases, raising questions about privacy protection.

U.S. Marshal for Northern Ohio Pete Elliott announced Thursday that DNA testing was key to determining the true identity of Robert Ivan Nichols, who took his own life in his Eastlake apartment in 2002.

Investigators realized he had been living under the alias of Joseph Newton Chandler III, a child from Oklahoma who, along with his parents, was killed in a car crash in 1945. The reason for the assumed identity remains unclear.

Genetic genealogists matched the man's DNA with the profiles of distant relatives who had submitted saliva samples to companies like 23andMe or Ancestry to learn about their genealogy.

The relatives then voluntarily uploaded their genetic profiles to the open source website GEDmatch, which links users with other relatives in its database to help build family trees.

The site is now being used by investigators searching for criminals and researchers seeking to identify John Does. It was used to track down the suspected Golden State killer this year.

“We had a number of matches. They were all what we would call third cousins, fourth cousins,” Margaret Press, a genetic genealogist with the DNA Doe Project, said of the Nichols case. “A DNA match is really an individual who has tested with a company like Ancestry and uploaded their DNA results to GEDmatch.”

Press and her colleagues spent hundreds of hours on the case and ultimately identified Nichols by building and connecting family trees.

While genetic testing can help catch criminals, it also raises privacy concerns. Law enforcement use of public ancestry databases and company use of user data are largely unregulated. Privacy protection rests in the hands of genetic testing companies, according to experts.

“I think that's the legal lollapalooza because people are going in, not with any thought about what's going to happen with my request for DNA, rather am I Swiss? Am I Italian? Am I from Uganda?” said Cleveland civil rights attorney and law professor Avery Friedman. “If you're trusting private sector to protect your privacy rights, that's a great big bowl of trouble.”

Ancestry and 23andMe each said they do not provide data to law enforcement unless required to by a court order. They also said they do not provide data to third parties, including insurers and employers, without explicit consent from their users.

“I would reiterate we haven't provided any data to law enforcement and that our policies prohibit us from working with law enforcement,” 23andMe Spokesperson Andy Kill said. “We don't share any personal information with outside parties. Customers do have the option to consent to participate in research. This consent is completely optional, and requires signing a separate document beyond our terms of service.”

Both companies provide transparency reports listing law enforcement requests for data. Ancestry’s most recent report indicates it provided user information in response to 31 of 34 “valid law enforcement requests” in 2017.

A spokesperson for Ancestry, which also includes a search option, provided a statement saying protecting customer privacy is a priority.

“Ancestry will not share any DNA data with law enforcement unless compelled to by valid legal process and will always seek to minimize the impact on our customers’ expectations of privacy,” the spokesperson said.

GEDmatch is free and open to the public, and its terms of service has been updated to note uploaded data can be used by law enforcement.

Friedman urged caution before handing over a sample of DNA, the road map of your most private information.

“Technology is way ahead of the law,” he said. “So, it seems to me it may be time for Congress or the state legislature to pass a law to protect personal privacy.”