Killer’s Code – Familial DNA Searches Through Third-Party Databases under Carpenter
A man terrorizes an entire state for years, raping and murdering innocent victims in the dead of night.[1] Investigators fail to find him, and he seemingly disappears for decades.[2] DNA evidence of the suspect obtained at a crime scene produces no viable leads when searched through existing government databases.[3] The killer is free and anonymous. But years after the crimes have been committed and the leads have all dried up, one of the killer’s relatives submits a sample of her DNA to a third-party DNA database to research her genealogy. Investigators, in a last-ditch effort, run the suspected killer’s genetic profile from the crime scene DNA sample through the third-party company’s DNA database, hoping to find at least a partial match.[4] The search does produce a partial match, indicating that one of the profiles in the third-party database is genetically related to the killer.[5] Investigators follow-up on this lead, determine the identity of the relative, and, using standard investigative techniques, uncover the identity of the suspected killer. After analyzing a DNA sample obtained from an object the suspect has discarded, investigators confirm an exact match to the crime scene sample.[6] They arrest the serial killer after over thirty years of searching.[7]
Now imagine a nearly identical scenario. A rapist murderer evades police detection for years.[8] DNA evidence of the suspected killer obtained from the crime scene produces no results when run through existing government databases.[9] As a last-ditch effort, investigators run the genetic profile through a third-party database primarily used for genealogical research.[10] They find a partial match, obtain a court order requiring the database to reveal the identity of the partial match, and then investigate that person’s relatives as potential suspects.[11] The police make an arrest, only this time they have arrested the wrong person.[12] After over a month in a jail cell, investigators finally determine that the suspect is not the killer.[13] Though his father’s DNA partially matched that of the killer’s DNA, this innocent suspect’s DNA did not produce a match.[14] Here, government investigators have used that same tool—partial match DNA searches through a third-party database—but have only succeeded in locking up an innocent man. This Note examines whether the government should be able to search such third-party databases, possibly invading a consumer’s privacy interest in their genetic information.
DNA contains highly sensitive information with the potential to expose intimate details about a person’s medical history and paternity.[15] The genetic information in DNA is also a highly precise identification tool, which is why it has become integral not only in criminal investigation, but also in private genealogical research.[16] Consumers freely convey their DNA and genetic information to sites like Ancestry.com and 23andMe—third-party databases—to learn more about themselves and their genealogical history.[17] At the same time, they are effectively conveying the shared genetic information of their close relatives, as every human shares a portion of their DNA with their relatives.[18]
The question of whether government investigators should be able to gain access to these third-party databases to help them solve crimes has become a very real concern in recent years.[19] Implicated in this question is the third-party doctrine exception to protections under the Fourth Amendment. The recent Supreme Court ruling in Carpenter v. United States has shed new light on the third-party doctrine.[20] This Note analyzes the implications of this decision and the impact it may have on genetic information conveyed to third-party databases and utilized as an investigative tool by the government. Part I provides background information related to the mechanics of traditional forensic DNA analysis, consumer-based uses of DNA analysis in genealogical services, and state investigator use of consumer-based DNA databases to conduct partial match searches in criminal investigations. Part I also provides a background into the current state of the Fourth Amendment and the third-party doctrine. Part II analyzes whether, under current precedents, Fourth Amendment protections should extend to genetic information voluntarily conveyed to third-party DNA databases. This Note concludes that the government should not be allowed to access third-party databases to conduct partial match searches, absent a warrant supported by probable cause. Part III proposes potential avenues that one might take to ensure consumer genetic information is protected from government intrusion.
Table of Contents
I. Background
A…. Forensic DNA
1…. Familial Searches
2…. Genetic Genealogy
B….The Fourth Amendment and a Person’s Privacy Interest in Their DNA
II. Analysis
A…. Property
B…. Reasonable Expectation of Privacy.
III. Proposal
Conclusion.
The average human being is composed of approximately 100 trillion cells.[21] Within the nucleus of each cell are twenty-three pairs of chromosomes—dense packets of deoxyribonucleic acid, or DNA.[22] DNA is a chemical substance containing informational code responsible for replicating the cell and constructing enzymes.[23] DNA can be thought of like a “genetic blueprint”—this informational code is passed from generation to generation, providing the building blocks for our individual genetic identity.[24] DNA itself is composed of four chemical nucleobases (A, T, C, G), which, when combined, are known as nucleotides.[25] Coding regions of the nucleotide sequences, known as genes, only make up five percent of human genomic DNA.[26] The remaining ninety-five percent of DNA, the non-coding regions, are where markers used for human identity testing can be found.[27]
The characterization of a gene’s variant form—termed allele—at a specific location (locus) along the genetic sequence is called a genotype.[28] A person’s various genotypes define characteristics such as hair and eye color.[29] The combination of genotypes for multiple loci make up a person’s DNA profile.[30] To identify a person based on their DNA profile, an analyst evaluates multiple loci for unique variability.[31] An analyst compares these variable regions in one sample against a different sample, seeking to either include or exclude the profile based on whether they match.[32] The number of loci examined and compared correlates to the confidence in connecting two matching DNA profiles; the more loci that match, the more likely the two samples came from the same individual.[33]
However, forensic DNA identification is slightly more complicated than that.[34] DNA is actually loaded with repeated sequences of various lengths.[35] For human identification purposes, the most important repeated units are microsatellite or short tandem repeats (STRs) because they are highly variable among individuals.[36] In the United States, the FBI has established twenty core loci of STRs for inclusion in the national DNA database known as Combined DNA Index System (CODIS).[37] When all twenty CODIS loci are tested, a match between two samples indicates a virtual certainty that the samples belong to the same individual.[38]
While a perfect match of all twenty core loci is nearly flawless in precise identification, a partial match may indicate that the two sampled individuals are related to each other.[39] Because half of an individual’s genetic information comes from their father and the other half comes from their mother, there is a significant probability that two people who share biological ties will also share a large number of alleles in common.[40] An analyst evaluating thirteen loci can obtain twenty-six discrete measurements—thirteen from the mother and thirteen from the father.[41] This genetic overlap makes possible a criminal investigator’s ability to conduct familial searches to identify a suspect based on a relatives’ DNA.[42]
The typical procedure for forensic identification in the criminal context proceeds in the following manner. Investigators at the crime scene collect biological evidence such as blood, semen, and saliva.[43] Investigators run the DNA profile through a database like CODIS or other databases at the state or local level to identify a match.[44] Once in the database, the sample “donor” may now be identified as a potential suspect whenever DNA evidence from a crime scene produces a match.[45] DNA identification or “fingerprinting” has been instrumental in aiding criminal investigators in hundreds of thousands of investigations in the United States alone.[46] With the method proven incredibly effective for criminal investigations, DNA fingerprinting quickly became an investigative tool in the United States.[47] While the utility of a broadly inclusive government database cannot be denied when investigators analyze DNA evidence for an exact match, the controversial partial match or familial search method leaves open highly debated constitutional questions about DNA testing’s place in the criminal justice system.[48]
The genetic overlap between relatives[49] can produce a partial match in the database search, when the source sample is run through the system populated by a close relative’s sample.[50] When an initial search through the database produces no exact match—because, for instance, the sample donor has never been arrested or convicted—investigators may attempt to potentially identify the source’s relatives in the database by performing a partial match familial search.[51]
Partial matches do not automatically indicate that the database matches are the sample source’s relatives, but, depending on the level of stringency and search threshold, the search could produce a number of potential leads.[52] Investigators may then follow up on these leads (potential source relatives), using other criteria such as age and location to rule out their relatives as the potential source of the sample collected from the crime scene.[53] What is so troubling to the many familial search critics is that a familial search often necessarily requires police to investigate these potential leads, most of whom are innocent suspects.[54] These individuals are effectively made suspects without any actual suspicion that they committed the crime.[55]
An “intentional familial search” occurs when investigators specifically intend to identify a partial match, usually after they exhausted the possibility of identifying an exact match.[56] While each jurisdiction may have differing laws and policies regarding whether to report unintentional partial matches, a few jurisdictions explicitly provide for intentional familial searches.[57] In 2008, California became the first state to make familial searches legal under certain circumstances.[58] The FBI states that familial searches are not currently conducted on the national level, nor are they performed by the National Disability Insurance Scheme (NDIS).[59] Therefore, almost all intentional familial searches performed by law enforcement are performed through a state database.[60]
California’s familial search policy has garnered high-profile success and continues to lead the way in the field.[61] Familial searches in California have aided investigators in solving two serial killer cold cases—the “Grim Sleeper”[62] and the “Golden State Killer.”[63] Despite these high-profile instances of success using familial searching, the investigative technique has many opponents. Among these various criticisms are the potential for discrimination (both general and race-based),[64] inaccuracy and inefficiency,[65] the societal interest in intact families,[66] democratic accountability concerns,[67] and—most significant to this Note—privacy concerns.[68]
However, these criticisms of familial searches apply to its use in criminal investigations. But familial searches are not limited to the criminal investigation. In fact, genetic profiling in general has much broader uses that are increasingly being embraced by general consumers.[69]
In recent years, popular companies like Ancestry and 23andMe have introduced genealogical research to the average consumer. Genealogy is “the study of family ancestral lines,” typically thought of as the practice of building a family tree.[70] Genetic genealogy is “the use of DNA testing in combination with traditional genealogical practices,” such as examining historical records.[71] The genealogical practice of identifying relatives using DNA data is quite similar to forensic DNA profiling in many respects, yet also has some key differences.[72] While CODIS only uses STR markers and forensic crime labs typically only profile STR markers,[73] 23andMe and Ancestry—the two leading genetic genealogy companies in the industry—use a genotyping technology that produces markers for single nucleotide polymorphisms (SNPs).[74] Therefore, the genetic data stored in these private databases is unlikely to be useful to law enforcement officers seeking to cross-reference with data in CODIS or with a sample genotyped with only STRs.[75] Of course, it is possible that investigators could have their crime labs genotype for SNPs, though this technique is more expensive, and the data is much more invasive, revealing personal information regarding appearance and health (such as predisposition to diseases).[76]
Companies like 23andMe and Ancestry have become increasingly popular in recent years and the direct-to-consumer DNA test kits make it easier than ever for consumers to learn more about their genetic ancestry.[77] Both companies have a similar process for submitting one’s DNA for analysis.[78] Once analyzed, the DNA profiles can tell customers more about their genetic makeup, providing ethnicity estimates, and identifying potential relatives who have matched DNA.[79] Both companies allow customers to download their “raw data”—the decoded results generated in the lab from a DNA sample—for use in independent research.[80] A customer may then upload his or her raw data to a free website like GEDmatch, a website that provides more powerful DNA and genealogical analysis tools for amateur and professional researchers and genealogists.[81]
Both Ancestry and 23andMe clearly express that customer privacy is of the utmost importance and have crafted detailed privacy statements.[82] Furthermore, both companies guarantee that the customers maintain ownership of their DNA and DNA data, and that they will not disclose a customer’s genetic information to a third-party without prior consent.[83] However, with regard to a request by law enforcement, both Ancestry and 23andMe state in their privacy policies that they will comply with valid legal process such as subpoenas and warrants.[84]
Since its founding, and as of October 15, 2019, 23andMe has only received seven law enforcement requests for user information.[85] The company successfully resisted all seven requests.[86] Ancestry’s 2017 Transparency Report indicates that the company received thirty-four valid law enforcement requests for user information and complied with thirty-one.[87] While Ancestry did not receive requests for genetic information nor did it disclose genetic information to law enforcement in 2017, Ancestry complied with a search warrant in 2014, which required the company to provide the identity of a customer based on a DNA sample that had previously been made public.[88] GEDmatch, given its transparent position on law enforcement use, has famously aided law enforcement in a criminal investigation.[89]
The most significant of these companies’ services is the genetic relative identification capabilities and the potential for law enforcement to use (or abuse) these tools in criminal investigations. While CODIS and other local level databases are vastly populated and have contributed to countless investigations, they still only scratch the surface of potential DNA profiles that could aid investigations.[90] When the investigative trail runs cold and familial searches through the government databases produce no viable leads, can investigators legally turn to these private databases for familial searches in criminal investigations?
Currently, the answer seems to be yes. Investigators have—at least twice—performed familial searches through private, consumer-populated databases to aid criminal investigations.[91] The most recent case is the April 2018 apprehension of a man suspected to be the “Golden State Killer,” a murderer who “rained down terror across the state of California” between 1974 and 1986.[92] Joseph James DeAngelo, a former police officer accused of committing more than fifty rapes and twelve murders, was identified and apprehended after law enforcement used GEDmatch to aid its decades-old cold case investigation.[93] While investigators have not revealed precisely how they identified DeAngelo, genetic genealogists speculate that investigators ran a familial search with crime scene DNA through GEDmatch to identify a relative.[94] Investigators then likely ruled out suspects from the pool of potential relatives using clues like age, sex, and place of residence to narrow the search down to DeAngelo.[95] They positively matched the DNA recovered from multiple crime scenes with DNA obtained from an item DeAngelo discarded, confirming that he was likely the Golden State Killer.[96]
In a similar vein, Idaho investigators in 2014 turned to similar methods to aid a cold case investigation.[97] Unlike California investigators’ success in the Golden State Killer case, Idaho investigators identified and investigated the wrong suspect, resulting in a nightmare scenario for Michael Usry—the innocent suspect.[98] In this case, investigators turned to a GEDmatch-like genetic genealogical private database called Sorenson Database in an attempt to solve the 1996 murder of an Idaho Falls teenager named Angie Dodge.[99] Like the Golden State case, investigators used DNA collected from the crime scene and performed a familial search through the publicly searchable Sorenson Database, meaning they did not need a warrant or court order.[100] The search resulted in forty-one potential familial matches, but one relative in the pool matched thirty-four of the thirty-five alleles tested.[101] However, investigators had only a DNA profile match, but not a name associated with that profile.[102] Sorenson Database was owned by Ancestry, so investigators obtained a court order, which required Ancestry to reveal the “protected” name associated with the profile and other relevant user information.[103] This led investigators to conclude that Michael Usry’s father was a relative of the murderer.[104] Through traditional investigative means, law enforcement identified Michael Usry as their suspect and subsequently began to investigate him as the prime suspect.[105]
Usry was left waiting for thirty-three days before investigators determined he did not murder Angie Dodge.[106] It was only after police took a cheek swab DNA sample from Usry and tested it against the source sample from the crime scene that they realized they did not have a match.[107] As is the case sometimes, forensic DNA evidence can produce near-miss matches that implicate innocent people.[108] And both the Usry case and the Golden State Killer case have raised concerns about the lack of regulation surrounding investigators’ ability to perform a familial search through a publicly searchable, private consumer–populated database.[109]
These two notable instances of law enforcement accessing consumer genetic information—outside of a government database—present important questions about this new frontier of familial searching and its role in our criminal justice system.
When the state uses consumer genetic information in a criminal investigation in the manner discussed in Section I.A, it inevitably triggers property and privacy issues for both the consumer and the consumer’s genetic relatives. The government’s use of this DNA necessarily implicates the Fourth Amendment of the Constitution, which is designed to protect a citizen’s property and privacy interests against unreasonable government searches and seizures.[110] Today, courts sometimes must construe “persons, houses, papers, and effects” more broadly to protect from unreasonable search and seizure, the approximate modern digital equivalents to those discrete categories protected in the Constitution.[111]
The Fourth Amendment’s protection against unreasonable searches and seizures was originally closely tied to property law and common law trespass.[112] The doctrine’s focus was protection against the government physically intruding on a constitutionally protected area.[113] However, in the latter half of the twentieth century, the Supreme Court recognized that physical invasion of property rights is not the only means of Fourth Amendment violations.[114] In response to advancing technology and shifting societal impressions of privacy, the Court adopted the “reasonable expectation of privacy” test in Katz v. United States to determine whether the Fourth Amendment is applicable in certain instances.[115] The Court first asks whether the individual has exhibited a subjective expectation of privacy in the activity or information.[116] Next, the Court asks whether the individual’s expectation is “one that society is prepared to recognize as reasonable.”[117] If the individual has a legitimate subjective expectation of privacy and it is an objectively reasonable expectation, then the government must obtain a warrant supported by probable cause in order to invade that privacy interest.[118]
In Katz, the Supreme Court determined that private conversations conducted over a public telephone were entitled to protection under the Fourth Amendment, despite the fact that there was no property interest that was trespassed upon.[119] Thus, post-Katz, the Court has applied the reasonable expectation of privacy standard to determine whether certain acts or interests in areas accessible to the public should be entitled to Fourth Amendment protection.[120] However, Fourth Amendment protections become more complicated when a third-party is involved. Out of the Katz standard emerged the modern interpretation of the third-party doctrine, which provides that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.[121]
The Court has acknowledged that the decision in Katz neither narrowed the Fourth Amendment’s scope nor displaced or diminished the common law trespassory test.[122] Rather, Katz’s reasonable expectation of privacy standard augmented the scope of protection under the Fourth Amendment and at times enlarged those protections.[123] Trespass of property interests becomes the constitutional minimum, and a showing of a property interest violation creates a stronger case that an individual’s reasonable expectation of privacy has been invaded.[124]
The Fourth Amendment’s property law roots largely dictate how the Court has developed the third-party doctrine. The two building block cases in the third-party doctrine—United States v. Miller and Smith v. Maryland—illuminate the Court’s understanding of the Fourth Amendment’s connection to property law.[125] The Court in both cases determined that neither Smith nor Miller had legitimate expectations of privacy in either the bank records or telephone records at issue because they did not possess, own, or control the records.[126] Individuals “assume[] the risk” of disclosure when they voluntarily convey information to a third party, therefore they have no legitimate expectation of privacy.[127] Thus, ownership, control, and possession—key property concepts—are integral in determining whether individuals have surrendered their reasonable expectation of privacy when disclosing information to third parties.[128]
The Court in Smith and Miller looked not only to the individuals’ property interests, but also to the nature of the individuals’ activities for which protection was sought, to determine whether the individuals had a reasonable expectation of privacy.[129] Even though an individual seeking
Fourth Amendment protection may convey information to a third party under the assumption that it will be used only for a limited purpose, the Miller Court held that the individual has assumed the risk of government intrusion.[130] So while an individual may have had a subjective expectation of privacy in the contents of the bank records, that expectation is objectively not reasonable.[131]
Most recently, in 2018 the Court revisited the third-party doctrine by extending Fourth Amendment protection to digital cell-site data—information derived nearly continuously from cell phones and stored by third-party service carrier companies—in its five-to-four decision in Carpenter v. United States.[132] Prior to Carpenter, the Court had taken a fairly strict approach to applying the reasonable expectation of privacy standard to third-party doctrine cases. However, in recent years, the Court seems to have shied away from a broad application of the third-party doctrine, at least as it is applied to location tracking in the digital era. The Court has recognized that certain types of digital data held by third parties do not fit neatly into existing third-party doctrine precedent.[133]
The Carpenter majority determined that because of the unique role cell phones play in society and the way that information is collected through these devices, a person does not surrender all Fourth Amendment protections simply by possessing a phone that records their location.[134] The individual’s lack of ownership of the actual data was not dispositive.[135] The Court, in considering whether a person has a reasonable expectation of privacy in data that reveals their public movements, and which is held by a third party, gave significant weight to the vital role that certain technologies play in modern society and the vast amount of highly sensitive data that is “voluntarily” conveyed to third parties.[136] A person’s movements provide a window into highly intimate and private details of their life.[137] With modern technology like the cell phone, the government has the capability to compile a “detailed chronicle” of a person’s physical movements, going back several years.[138] For the Carpenter court, this capability proved too much of an intrusion into a person’s personal life—an intrusion that goes beyond society’s expectations of privacy.[139]
The Carpenter court notably considered historical understandings of privacy in determining whether a person, and society as a whole, has a reasonable expectation of privacy in an activity.[140] The majority determined that the essential purpose of the Fourth Amendment is to secure “the privacies of life against arbitrary power” and to “place obstacles in the way of a too permeating police surveillance.”[141] Against this backdrop, the majority weighed society’s expectation of privacy in the digital age against the government’s exercise of arbitrary power.[142] Where the Court found in Smith that the third-party doctrine applied to telephone numbers, the Carpenter court recognized that when Smith was decided, the concept of a cell phone which can track private details of a person’s life did not exist.[143] And where the Court in Jones determined that GPS tracking of a person’s movements was too much of a government intrusion into that person’s expectation of privacy, the Carpenter court held Fourth Amendment protection should cover the cell-site data at issue, despite its conveyance to a third party.[144] This data was too sensitive and too susceptible to abuse.[145] The majority concluded that an individual’s privacy interest in this sensitive information—the individual’s whereabouts, dating back as far as five years in the past—outweighed the fact that it had been disclosed to a third party.[146]
Applying post-Carpenter Fourth Amendment principles to genetic information that has been voluntarily (or involuntarily) submitted to private DNA databases and subsequently searched by state investigators, it is clear that some kind of constitutional line must be drawn.
Genetic information conveyed to third-party databases should be protected under the Fourth Amendment because, though it is conveyed to a third party, the individual still maintains a reasonable expectation of privacy in this highly sensitive information. The courts should show special solicitude for this discrete category of sensitive information because it necessarily implicates genetic relatives who have not voluntarily conveyed their genetic identity to the third party and because both consumer and relative retain a property interest in the information.[147] Fourth Amendment protection in this case means that state investigators would need to obtain a warrant supported by probable cause in order to conduct the “search” of the third-party database.
A “search” for the purposes of this Note refers to either of two potential scenarios under which an investigator would access consumer genetic information through a third-party database. In the first, investigators upload a crime scene sample or sample profile to a pay-walled third-party site (either by creating an account[148] or directly requesting that the database grant access). When the investigators obtain a partial match, they then request from the database more information about the match (depending on how anonymized the user has made their profile). This scenario is less likely, primarily because crime scene samples are typically incompatible with popular third-party database requirements and websites like 23andMe only accept saliva samples for analysis.[149] The second and more likely scenario is where investigators use a publicly available (open-source) third-party database like GEDmatch, obtain a partial match, and then request the database to “unmask” the anonymous user (again depending on how anonymized the user has made their profile). The “unmasking” process is essentially a subpoena-like request for documents.[150]
With consumer DNA data, the third-party doctrine problem is even more complicated because there is not only a third party consideration (the consumer DNA database company) but also a consideration for the consumer’s close genetic relatives’ privacy. Therefore, a case involving a claim by a consumer or their genetic relative would necessarily require the court to decide whether the third-party doctrine should apply. Given that a case like this has never been before the Supreme Court, there are two possible routes a plaintiff might take to argue that their genetic information conveyed to a third-party database should receive Fourth Amendment protection: that the plaintiff retains a property interest in the information and that the plaintiff has a reasonable expectation of privacy in the information. While the Fourth Amendment was initially based in property/trespass law and later analyzed under the reasonable expectation of privacy standard, a finding of a property interest can at the very least help a Fourth Amendment claim, as it can be evidence that the person invoking Fourth Amendment protections had a reasonable expectation of privacy in the interest sought to be searched.[151] There is a strong argument that consumers, and even their relatives, maintain a cognizable property interest in their shared genetic information. This alone may be sufficient to trigger Fourth Amendment protections. Yet, even if a court does not recognize a property interest (or does not find it sufficient), the court should recognize that the consumer and their relatives have a reasonable expectation of privacy in their shared genetic information, despite its conveyance to a third party, sufficient to trigger Fourth Amendment protections.
Genetic information contains the most sensitive details about a person’s very being and should be protected as an individual’s property under natural law.[152] The public at large, including courts, regulators, and legislatures, generally agree that individuals should have some measure of control over their genetic information.[153] This not only invokes the idea that individuals generally want to keep their genetic information private, but also that they find in their genetic information core property rights like “control.”[154] While the Constitution regulates the government’s collection of genetic material but not its subsequent analysis, the actual genetic information that is derived from such analysis should be treated differently.[155]
An individual’s desire to control their genetic identity is a key factor in finding a property interest in the genetic information. More specifically, individuals wish to have control over whether to exclude others from accessing their information—the right to exclude being one of the sticks in the “bundle of property rights.”[156] Citizens’ overall privacy concerns can be understood as an extension of their property interest in excluding who can know what about their genetic identity.[157] Several states have shown that they take individuals’ interest in their identifiable genetic information very seriously by passing legislation that declares that genetic information is the property of the individual from whom it derives.[158]
What complicates genetic information in property interest terms is that it is immutably and non-volitionally shared with close relatives.[159] An individual’s genetic information will always contain identifiable information about their close relatives. However, these individuals do not voluntarily share this information; it is simply a product of biology.[160] Thus, close relatives in theory have a shared property interest in their shared identifiable genetic information. One potential legal framework that may most evenly account for these individuals’ shared property interests is to look at DNA like property owned by the entirety.[161] Regardless of the technical legal framework, the basic science indicates that because individuals involuntarily share a portion of identifiable genetic information, they each have a legally cognizable property interest in the same genetic information.[162] This fact alone raises questions about how to apply the third-party doctrine to government search and seizure of shared genetic information.
When a person submits their genetic profile to a private database for genealogical purposes, they have effectively voluntarily disclosed this information to a third party. Further, they have disclosed their close relatives’ genetic information without those relatives’ consent.[163] This initial “consent” or “assumption of risk” in disclosing this information may trigger a finding that the Fourth Amendment does not protect this interest.[164]
Genetic information should fall into the “persons” category of the Fourth Amendment protections.[165] Genetic material is present in every cell in the human body; physical genetic material composes the very essence of the human body. The Court in Maryland v. King confirmed that a buccal swab of an arrestee’s cheek is a “search,” albeit permissible.[166] If the physical material is considered part of a “person,” the information found within that material, too, should be considered part of the “person.” Much like how an investigator rifling through a suspect’s pockets for information is a search of the “person,” an investigator rifling through that suspect’s genetic code for information is a search of the “person.” While the pockets are not literally attached to, and part of, the suspect’s body, genetic code may similarly be separated from the physical body but remains immutably connected to the suspect as his very identity.
Even if a court were to determine genetic information is not considered part of a “person” under the Fourth Amendment, at the very least it could be considered “papers” or “effects.”[167] Submission of genetic information to a third-party database is distinguishable from cases that have applied the traditional third-party doctrine.[168] Further, genetic information records are distinguishable from the Supreme Court’s understanding of “papers” and “effects” in third-party doctrine precedent.[169] Looking to Smith and Miller, it was highly relevant to the Court that neither of the individuals owned, possessed, or controlled the records and information.[170] Rather, the records were created, owned, and controlled by the third-party companies.[171] However, as recognized by several states and at least one circuit court, individuals retain a property interest in their genetic information.[172] Therefore, when a person submits their genetic information to a private third-party database for genealogical research, they should neither be deemed to have surrendered their property interest in that information, nor to have assumed the risk that the government will search their identifiable genetic information.[173]
Unlike the bank records or telephone records in Smith and Miller, the third-party company is not actually creating, controlling, or solely possessing the identifiable genetic information.[174] As stated in the Terms of Service and Privacy Policies of two major DNA databases, the consumer maintains some control and some exclusionary rights of their genetic information.[175] Consumers may delete[176] their information from the database at any point and may exclude others from knowing their identity by anonymizing[177] their information. While the consumer may concede a portion of their property interest to the company, in that they allow the company to profit from their genetic information, the consumer still has a legally cognizable property interest.[178] Finally, because the consumer can access their genetic information freely and can download the raw information at any time, the consumer and the company share possession of the genetic information (at least until the consumer elects to delete their profile from the database).[179] A consumer’s voluntary submission of their genetic information is more akin to a bailment,[180] in which they do not lose any property interest and in which their papers and effects are protected from unreasonable searches and seizures under the Fourth Amendment.[181] Such a bailment does not diminish the consumer’s property interest.[182] Genetic information uploaded to a third-party database should be treated nothing like the phone and bank records at issue in Smith and Miller. Any invocation of the third-party doctrine based on those leading precedents should fail.
Going one step further, it is literally impossible for a person to fully “give away” their genetic information, even in the bailment context.[183] Because DNA is immutably tied to a person’s being, surrendering a “copy” of that information does not mean that the genetic information is no longer part of that person. Therefore, when a consumer volunteers their genetic information to a third-party database, they have not really given anything away in the traditional sense. There is nothing stopping that consumer from using their genetic information again whenever and however they wish. The entity to which a consumer surrenders their DNA could never prevent that person from utilizing their DNA—it is the information that literally fuels that person’s life.
The other key distinguishing feature between third-party doctrine precedent and submission to private DNA databases is that the consumer’s many genetic relatives do not volunteer or consent to the submission of their shared genetic information. Therefore, even if the court were to determine that a consumer completely surrendered their property interest and expectation of privacy when they voluntarily submitted their genetic information to a third-party database, it could not be argued that the close relative voluntarily surrendered their property interest in their identifiable genetic information. Accordingly, it would be entirely unworkable to apply the third-party doctrine to genetic information submitted to private databases.[184]
While there is a strong indication that individuals retain a property interest in their genetic information and share that property interest with close relatives, the current Fourth Amendment standard post-Carpenter still remains the “reasonable expectation of privacy” standard. Even if the courts do not find a property interest in genetic information, they should find that a consumer at least has a reasonable expectation of privacy in that information. The Carpenter court has implicitly narrowed the application of the third-party doctrine.[185] The Court recognized the unique nature of cell phone tracking data, the ubiquity of cell phone use in modern society, and the intense privacy interests at stake.[186] Though cell phone consumers did not have a property interest in the tracking data records because they did not create, own, possess, or control such records, the Court refused to extend the third-party doctrine.[187] Under this precedent and a similar logic, the Court similarly should not extend the third-party doctrine to genetic information stored in third-party databases.[188]
In determining whether a person surrenders their reasonable expectation of privacy in their genetic information conveyed to third-party databases, the government should show special solicitude for such data because it contains highly sensitive identification information, perhaps even more sensitive than the location data protected in Jones and Carpenter.[189] For genetic information not only reveals a person’s identity and the identity of their close relatives, but it can also reveal intensely private medical details about that person and their relatives, and also potentially strained familial relationships.[190] The Court should consider the precise nature of the information sought to be protected and not rely solely on the fact that the information was shared with a third party in making its determination of whether to grant Fourth Amendment protection.[191] The Carpenter Court distinguished information in Smith and Miller from the cell-site data at issue, noting that in Smith the pen register revealed very little identifying information, and in Miller the bank records were not confidential but negotiable instruments.[192] Where the Court in Carpenter found that cell-site location information revealed too much sensitive identification information about the individual carrying the cell phone, when it comes to genetic information, the identification relates to multiple individuals.[193] Genetic information contains significantly more identifying information than the information in both Smith and Carpenter. Accordingly, the court should show at least as much solicitude for such information, if not more.
A person maintains a subjective expectation of privacy in the highly sensitive identifying details of their genetic information, even when they voluntarily convey this information to a third party. Consumers have the opportunity to provide as much or as little personal information to their accounts as they wish, limiting what their genetics matches can see.[194] However, the consumer could argue that to allow the government to have unfettered access to anonymized genetic information easily capable of de-anonymization (via subpoena-like “unmasking”[195]) would be to allow the government to identify anybody who has submitted genetic information to a database. This is a police power that is far too great to go unchecked.[196]
There is an even greater expectation of privacy in identifiable genetic information on the part of the genetic relative who has not voluntarily conveyed this information to a third party.[197] Individuals who have consciously decided not to submit their genetic information to third-party databases for genealogical research have that choice effectively negated by their relative’s decision to submit their own genetic information.[198] This intra-relative breach is only exacerbated by the government’s unfettered ability to then search these third-party databases to identify a suspect based on a partial match search. Whereas the individuals in Smith and Miller voluntarily submitted the information at issue (telephone numbers and bank records respectively) to the third parties, the close relative of the consumer that submits a DNA sample does not voluntarily consent to disclose his or her shared identifiable genetic information with that database.[199] In Carpenter, it was not squarely at issue whether the cell phone user voluntarily submits their location information via the passive cell-site location tracking. However, there exists a degree of implicit consumer consent.[200] With genetic information, there is no implicit consent by the consumer’s relative, due to the immutable and non-volitionally shared nature of DNA.[201] Therefore, the court could hardly determine that a consumer’s relative has consciously and voluntarily consented to surrender their reasonable expectation of privacy in their genetic information when the consumer has submitted a DNA sample.
Even where the consumer voluntarily conveys this information to a third party, they should not lose an objective expectation of privacy.[202] The consumer has a private interest in learning more about their genetic identity, family history, and the medical information their genetics reveal about their health.[203] Much like how cell phone use is indispensable to participation in modern society, and therefore the consumer has no choice but to surrender data to third-party companies, an individual’s interest in learning about their genetics limits the great majority of society to deal solely with third-party companies.[204] The average individual is incapable of collecting, analyzing, and sequencing their own genetic code; even if they were, genetic genealogical research by definition requires numerous multiple other genetic samples in a database.[205] A person who wishes to research their genetic code must convey that information to a third party with the capability to facilitate that research.[206] Though it is a stretch to say that the average individual has “no choice” but to give their DNA to a third party because it is as indispensable to modern life as a cell phone, genetic research provides incredible societal benefits that should be encouraged. The overall benefits to society from advancing technology and genetic research may someday make personal DNA analysis and genealogical study an indispensable part of the average person’s life.[207]
As previously argued, this conveyance can be compared to a bailment,[208] therefore the consumer does not surrender their expectation of privacy or their Fourth Amendment rights. The consumer discloses their genetic information for the limited purposes of analysis, personal medical research, and genealogical research in general. The consumer need not necessarily assume that their sensitive identifiable genetic information will be released to other people (or the government) for other purposes.[209]
As the Carpenter court recognized, the Fourth Amendment’s basic purpose to is protect the privacy and security of American citizens against arbitrary invasions of privacy by the government and to create obstacles in the way of a too permeating police power.[210] Allowing the government to search private DNA databases for partially matching genetic information is very much an arbitrary invasion of not only consumer privacy but also the consumer’s relatives’ privacy. This type of invasion “runs against everyone,” for everyone has genetic code and almost everyone has relatives.[211] Therefore, in theory, anyone is susceptible to government invasion of their identifiable genetic code.[212] The Carpenter court found critical that the pervasiveness of cell phone use opened up almost everyone in the country to historic location tracking.[213] The court should similarly find this incredibly broad ability to “search” the genetic information of a large portion of the population highly critical. Looking to the Framers’ purpose in crafting the Fourth Amendment,[214] it is hard to believe that they would consider the government’s ability to identify a significant portion of the population based solely on a drop of blood an exercise of police power that does not require constitutional protection.[215] Because this exercise of power would be relatively easy and cheap—as the police would have collected a DNA sample in the ordinary procedure at the crime scene, but the third-party company would have done the painstaking work of analyzing and compiling a vast database—it is particularly susceptible to abuse.[216] So whether voluntarily conveyed on the part of the consumer or involuntarily conveyed on the part of the relative, a court should determine that society has deemed reasonable an individual’s expectation of privacy in their identifiable genetic information. A court, therefore, should hold that such information is protected under the Fourth Amendment despite having been conveyed to a third party. The strong consumer interest in keeping their identifiable genetic information private outweighs the fact that the information was disclosed to a third party.[217] Further, this privacy interest should outweigh the government’s interest in solving crimes.
A court should conclude that Fourth Amendment protections extend to this unique type of data, regardless of third-party involvement, under either a property-based analysis, a privacy-based analysis, or both.[218]
There are two obvious paths that can be taken to ensure that American citizens’ privacy interest in their identifiable genetic information is not arbitrarily invaded by the government. The first is to wait for someone to bring a constitutional claim in federal court.[219] The second and more realistic path would be to lobby the state legislatures to pass laws that create limitations on law enforcement’s ability to perform partial match searches through third-party databases.[220] Some Justices agree that areas like this, where the governing legal standard is one of reasonableness, should be decided legislatively.[221]
Currently, investigative procedures utilizing DNA analysis are largely dictated by the executive branch.[222] These regulations are typically made at the state and local level.[223] Because investigative procedures are mostly left to the states, a federal law would not accomplish much in the way of governing local procedures.[224] Therefore, state and local legislatures should craft laws designed to protect consumers’ interest in their genetic information. Some states like California already have policies that enable state investigators to conduct partial match searches. While the California policy can be, and has been, used to grant the government access third-party databases, the state imposes a fairly comprehensive procedure before allowing a partial match search.[225] California’s policy is not a law passed by the state legislature, but rather a guiding rule/regulation imposed by the Attorney General in the executive branch.[226] Therefore, states should go a step further than California and pass actual statutes through their legislatures imposing as much protection for the third-party database consumers and their relatives as possible, including a court-ordered warrant requirement.[227] These laws should require a relatively high level of probable cause in order for investigators to obtain a court-ordered warrant to both “search” the third-party databases, and to request documents from the databases for the purpose of “unmasking” anonymous users.[228]
Some additional layers of protection are necessary, such as limiting this investigative technique to: (1) a discrete category of extreme crimes; (2) investigations into an active suspect that poses a high risk to public safety;[229] (3) minimize the “partial-ness” of the partial matches;[230] (4) minimize the intrusion into ancillary suspects’ lives that turn up in a partial match (i.e., the relatives); and (5) require a qualified panel to grant final approval. However, legislatures would be wise to give the panel some latitude to make discretionary decisions. The panel should sometimes be able to grant warrants in grey areas where not all the specific criteria are met but where a balancing of the public against the private interests weighs in favor of allowing the search. It may be too extreme to suggest that this incredibly effective investigative technique should never be used.
However, due to the nature of the interests at stake, there is a strong need for uniformity in the law. Considering the largest third-party database companies are Internet-based, and therefore are accessible to anyone anywhere in the country, consumers and their implicated relatives need a uniform level of protection, no matter where they live. For that reason, some sort of judicially-mandated constitutional underpinning may be necessary. States seeking to provide additional protection would be free to do so. For instance, states could pass laws imposing more rigorous requirements that go beyond a simple probable-cause supported search warrant, much like federal wiretap laws.[231] However, the states can act immediately by at least making an effort to pass laws that follow a model law—one similar to the California policy.
Another potential solution, in an area where federal regulation could achieve concrete results across the country, is to establish a mandatory heightened notice requirement imposed on all DNA database companies.[232] This is a measure that would hold the third-party database companies accountable to consumer interests. While this requirement would not necessarily protect the consumer’s relatives’ privacy interest in their shared genetic information, it would at least put the consumer on notice that they are effectively conveying a shared interest. This type of heightened notice guarantees a more informed consent on the part of the consumer,[233] which subsequently may be treated as an appropriate waiver of a reasonable expectation of privacy, at least as to the consumer.[234] A federal law of this nature, like an FDA labeling requirement,[235] would be binding on all third-party DNA database companies selling their services in the United States. Therefore, while the federal legislature cannot remedy this privacy issue as it relates to state and local practices, Congress could impose mandates designed to protect consumer privacy directly on the DNA companies.
Identifiable genetic information is shared immutably and involuntarily among close relatives. Both the consumer and the consumer’s relatives share a property interest in the details of their genetic information. When a consumer submits their DNA to a third-party company to analyze their genetic code, they have effectively conveyed their relatives’ genetic code without consent. Neither the consumer nor their relatives surrender their property and privacy rights in this information simply because the information has been conveyed to a third-party. Each individual has a reasonable expectation of privacy in their identifiable genetic information due to its highly sensitive nature. Therefore, the third-party doctrine should not apply to this type of data. Accordingly, in order for law enforcement to use a third-party DNA database as an investigative tool, investigators must acquire a warrant supported by probable cause. State and local governments should craft detailed laws that impose limits on how, in which scenarios, and with what level of reasonable suspicion law enforcement can obtain a warrant to gain access to third-party databases for use in investigations. Finally, the federal government should impose a heightened notice requirement on the third-party DNA database companies so as to ensure consumers are made aware of their rights.
† Articles Editor, Cardozo Law Review Volume 41. J.D. Candidate (May 2020), Benjamin N. Cardozo School of Law; B.A., University of Pittsburgh, 2014. I would like to thank the editors of Cardozo Law Review, past and present, for guiding this Note toward publication. Thank you to Professor Felix Wu for your guidance and thoughtful feedback on this Note. Finally, a special thank you to my family and friends for your support these past few years.
[1] Sarah Zhang, How a Genealogy Website Led to the Alleged Golden State Killer, Atlantic (Apr. 27, 2018) [hereinafter Zhang, Golden State Killer], https://www.theatlantic.com/science/archive/2018/04/golden-state-killer-east-area-rapist-dna-genealogy/559070 [https://perma.cc/AX4D-PT7Z].
[8] Cf. Brendan I. Koerner, Your Relative’s DNA Could Turn You into a Suspect, Wired (Oct. 13, 2015, 6:45 AM), https://www.wired.com/2015/10/familial-dna-evidence-turns-innocent-people-into-crime-suspects [https://perma.cc/TM49-H4NL].
[14] Id. “Two unrelated, randomly selected individuals will have, on average, 8.59 alleles in common. . . . [P]artial matching methods presently have a significant rate of false positives—supposed relatives who, upon further analysis, turn out not to be related.” Natalie Ram, DNA by the Entirety, 115 Colum. L. Rev. 873, 882–83 (2015).
[15] Ram, supra note 14, at 929.
[16] Erin Murphy, Relative Doubt: Familial Searches of DNA Databases, 109 Mich. L. Rev. 291, 295–300 (2010); Ram, supra note 14, at 929–30, 934–35.
[17] AncestryDNA—Frequently Asked Questions (United States), Ancestry [hereinafter Ancestry, Ancestry FAQ], https://www.ancestry.com/dna/en/legal/us/faq#about-1 [https://perma.cc/J7SS-EVF2]; About Us, 23andMe, https://mediacenter.23andme.com/company/about-us [https://perma.cc/XYH3-UABF].
[18] Ram, supra note 14, at 903–07.
[19] See Koerner, supra note 8; Zhang, Golden State Killer, supra note 1; see also Kristen V. Brown, Major DNA Testing Company Sharing Genetic Data with the FBI, Bloomberg, https://www.bloomberg.com/news/articles/2019-02-01/major-dna-testing-company-is-sharing-genetic-data-with-the-fbi [https://perma.cc/DS4W-FSKA] (last updated Feb. 1, 2019, 5:23 PM).
[20] Carpenter v. United States, 138 S. Ct. 2206 (2018).
[21] John M. Butler, Forensic DNA Typing: Biology, Technology, and Genetics of STR Markers 17 (2d ed. 2005).
[25] Id. at 19. Because there are four possible nucleobases at each position and trillions of combinations are possible, “[h]umans have approximately three billion nucleotide positions in their genomic DNA.” Id. The sequence of these nucleotides is composed of “coding” and “non-coding” regions. Id. at 22.
[27] Id. While these regions are often referred to as “junk” DNA because they are not directly related to making proteins, there is evidence that scientists will continue to discover important uses among the “junk.” See id.; Murphy, supra note 16, at 315; Gabrielle A. Sulpizio, Your Body, Your DNA: Addressing the Constitutionality of Databanked DNA Under the Fourth Amendment, 10 Charleston L. Rev. 417, 435–36 (2016); Simon A. Cole, Double Helix Jeopardy, IEEE Spectrum (Aug. 1, 2007), https://spectrum.ieee.org/computing/software/double-helix-jeopardy [https://perma.cc/R2MP-MUBD].
[28] Butler, supra note 21, at 23.
[30] Id. at 23. Over 99.7% of human DNA is the same between people and only about 0.3% of DNA differs from person to person; this tiny fraction of our DNA makes us unique and identifiable. Id. at 26.
[33] Id. For a useful analogy comparing DNA searches to how the U.S. Postal Service delivers mail, see id. (U.S.P.S. delivers mail to a single individual out of over 300 million by using a state, city, zip code, street number, and name on an envelope.).
[34] This additional breakdown of the identification process is important for familial identification, which I will detail in-depth infra Section I.A.1.
[35] Butler, supra note 21, at 85.
[36] Id. Academic and commercial researchers have worked to identify specific STR markers for various uses, from human identification to disease gene location studies. Id. at 86, 94.
[37] Id. at 94. CODIS originally had thirteen core loci, but as of January 1, 2017, CODIS added seven additional core loci. See Frequently Asked Questions on CODIS and NDIS, FBI [hereinafter FBI, CODIS FAQ], https://www.fbi.gov/services/laboratory/biometric-analysis/codis/codis-and-ndis-fact-sheet [https://perma.cc/8TY5-WAP2].
[38] Butler, supra note 21, at 94–95 (“When all 13 CODIS core loci are tested, the average random match probability is rarer than one in a trillion among unrelated individuals.” (citation omitted)).
[39] Murphy, supra note 16, at 297–98.
[41] Id. A child and a parent will match at thirteen alleles, while siblings may on average share 16.7 alleles in common. Id. These figures reflect DNA profiling using the original thirteen CODIS core loci.
[42] Murphy, supra note 16, at 297–98.
[43] Butler, supra note 21, at 33–41. Analysts then isolate the DNA and put it in the proper format for characterization and typing. Id. at 33; Erin Murphy, The Art in the Science of DNA: A Layperson’s Guide to the Subjectivity Inherent in Forensic DNA Typing, 58 Emory L.J. 489, 496–99 (2008).
[44] Murphy, supra note 16, at 296. These government databases are populated by DNA profiles primarily collected from convicts and arrestees. Id. at 295–96. Upon arrest an individual may be compelled to submit a DNA sample. See generally Maryland v. King, 569 U.S. 435 (2013).
[45] Murphy, supra note 16, at 296–97.
[46] CODIS—NDIS Statistics, FBI, https://www.fbi.gov/services/laboratory/biometric-analysis/codis/ndis-statistics [https://perma.cc/VYE3-2HZN] (“As of September 2019, CODIS has produced over 485,063 hits assisting in more than 474,576 investigations.”). DNA identification has also contributed to the exoneration of at least 367 individuals to date. DNA Exonerations in the United States, Innocence Project, https://www.innocenceproject.org/dna-exonerations-in-the-united-states [https://perma.cc/QPJ8-EEFM]. In fact, the world’s first use of DNA fingerprinting in the criminal context led to both an exoneration and a conviction in a 1986 double murder in the United Kingdom. DNA Pioneer’s ‘Eureka’ Moment, BBC, http://news.bbc.co.uk/2/hi/programmes/newsnight/8245312.stm [https://perma.cc/3VX6-RMJF] (last updated Sept. 9, 2009).
[47] While DNA testing through state and local databases has been employed as early as 1989, it wasn’t until the passage of the DNA Identification Act of 1994 that “formalized the FBI’s authority to establish a National DNA Index System (NDIS) for law enforcement purposes.” Combined DNA Index System (CODIS), FBI [hereinafter FBI, CODIS Homepage], https://www.fbi.gov/services/laboratory/biometric-analysis/codis [https://perma.cc/MC8H-8NPD]; see also Michelle Hibbert, DNA Databanks: Law Enforcement’s Greatest Surveillance Tool?, 34 Wake Forest L. Rev. 767 (1999) (discussing Virginia’s passage of the first state laws in America that required certain offenders to submit DNA samples for inclusion in a DNA databank). The NDIS is considered one part of CODIS and contains DNA profiles contributed by federal, state, and local participating forensic laboratories. FBI, CODIS FAQ, supra note 37. Implemented in October 1998, “[a]ll 50 states, the District of Columbia, the federal government, the U.S. Army Criminal Investigation Laboratory, and Puerto Rico participate in NDIS.” Id. As previously mentioned, CODIS uses twenty core loci for STR DNA data submitted to NDIS. However, CODIS only requires, at a minimum, “at least 8 of the original CODIS Core Loci combined with a match rarity of at least one in ten million . . . for submission to and searching at NDIS” for forensic DNA profiles. Id.
[48] See generally Murphy, supra note 16.
[49] As previously discussed, humans share a significant portion of their DNA with their parents and siblings. Id. at 295.
[51] Id. at 297–98. To generate a partial match, investigators will typically run a moderate or low-stringency database search, one that returns matches in which the profile has at least one allele present but has additional alleles that the sample does not. Id.
[52] Id. If a database contains a relative, a search with the right parameters is eighty to ninety percent likely to produce a partial match that includes that relative. Id. Elaborating further on search parameters, Murphy explains that a search that requires a great deal of matching identification between the sample and the database profile sets a high standard for the match leads and will increase the likelihood that one of the leads will pan out. Id. at 299. However, such strict parameters will produce a small number of leads and thus may eliminate a lead that would have pointed toward the source. Id. On the other end of the spectrum, a low standard and less restrictive search will produce a larger suspect pool, but it will be more difficult to find a useful lead among the partial matches. Id. This is a trade-off that investigators face when running a database search. Id.
[53] Zhang, Golden State Killer, supra note 1.
[54] Murphy, supra note 16, at 299, 306.
[56] Id. at 300. An “inadvertent partial matching” occurs when investigators run a search intending to find an exact match but instead find a partial match due to the low-stringency search. Id. at 299 (internal quotations omitted).
[57] Id. at 302; States Using Familial Searches, DNA Forensics, http://www.dnaforensics.com/StatesAndFamilialSearches.aspx [https://perma.cc/V5EB-NRV7].
[58] Memorandum from Edmund G. Brown Jr., Attorney Gen., to All Cal. Law Enforcement Agencies & Dist. Att’ys Offices, DNA Partial Match (Crime Scene DNA Profile to Offender) Policy (2008) [hereinafter California Policy], http://www.dnaresource.com/documents/CAfamilialpolicy.pdf [https://perma.cc/W7HM-DPR4]; States Using Familial Searches, supra note 57. The California policy provides a detailed explanation of the procedures required to conduct a familial search. See California Policy, supra. In the years following, Colorado and New York have passed similar laws and implemented policies that grant investigators the authority to conduct familial searches. States Using Familial Searches, supra note 57. As many as twelve states have used familial searches in criminal cases. James Rainey, Familial DNA Puts Elusive Killers Behind Bars. But Only 12 States Use It., NBC News (Apr. 28, 2019, 6:00 AM), https://www.nbcnews.com/news/us-news/familial-dna-puts-elusive-killers-behind-bars-only-12-states-n869711 [https://perma.cc/28WD-KQ6X]. The CODIS website notes that Arkansas, California, Colorado, Florida, Michigan, Texas, Utah, Virginia, Wisconsin, and Wyoming currently perform familial searching at the state level. FBI, CODIS Homepage, supra note 47. Though these states may not have formal laws providing for familial searches, investigators in these states have nonetheless conducted familial searches.
[59] FBI, CODIS Homepage, supra note 47. Maryland is the only state with a statute categorically banning familial searching. Md. Code Ann. Pub. Safety § 2-506(d) (West 2009); FBI, CODIS Homepage, supra note 47. The District of Columbia has a similar ban. D.C. Code § 22-4151 (2019); FBI, CODIS Homepage, supra note 47.
[60] However, it is still possible for a state investigator using CODIS to identify a potential relative based on a partial match yielded through a low-stringency NDIS search. FBI, CODIS FAQ, supra note 37. While it is not recommended that an investigator perform a routine familial search through CODIS software, an unintentional partial match could still achieve similar results. Id. It should be noted that California and Colorado use specially designed software, not CODIS software, to perform familial searches of their state database. Id.
[61] See Zhang, Golden State Killer, supra note 1; Shelby Grad, How a Bite of Pizza Led to an Arrest in the Grim Sleeper Serial Killer Case, L.A. Times (Feb. 16, 2016), http://www.latimes.com/local/lanow/la-me-ln-bite-of-pizza-led-to-grim-sleeper-arrest-20160216-story.html [https://perma.cc/HKA8-ZXFH]; see also Murphy, supra note 16, at 293.
[62] Grad, supra note 61. A notable use of familial search resulted in the 2005 apprehension of the “BTK” killer in Kansas. Mark Hansen, How the Cops Caught BTK: Playing to a Serial Killer’s Ego Helped Crack the Case, A.B.A. J. (May 1, 2006, 12:01 AM), http://www.abajournal.com/magazine/article/how_the_cops_caught_btk/?icn=most_read [https://perma.cc/WMK6-83S6]. Interestingly, investigators positively identified Dennis Rader as the suspect after comparing crime scene DNA with a tissue sample from a pap smear performed on his daughter, which the prosecutors subpoenaed. Id.
[63] Zhang, Golden State Killer, supra note 1. It should be noted that the suspect in the “Golden State Killer” case has not yet been convicted.
[64] Murphy, supra note 16, at 305–09, 321–25.
[68] Id. at 313–19. Aside from privacy concerns, each of these criticisms are beyond the scope of this Note. For a more in-depth discussion of familial search criticisms, see generally Murphy, supra note 16.
[69] Antonio Regalado, 2017 Was the Year Consumer DNA Testing Blew Up, MIT Tech. Rev. (Feb. 12, 2018), https://www.technologyreview.com/s/610233/2017-was-the-year-consumer-dna-testing-blew-up [https://perma.cc/2KDD-DESC].
[70] Genealogy, Merriam-Webster, https://www.merriam-webster.com/dictionary/genealogy [https://perma.cc/24T9-5XPS]; Ellen Hinkley, What Is Genetic Genealogy?, dnatestingchoice.com (Feb. 28, 2017), https://dnatestingchoice.com/en-us/news/2017-02-28-what-is-genetic-genealogy [https://perma.cc/GTR9-9U5H].
[71] Hinkley, supra note 70; Genetic Genealogy, Int’l Soc’y Genetic Genealogy Wiki, https://isogg.org/wiki/Genetic_genealogy [https://perma.cc/6ADV-QHA3].
[72] FBI, CODIS Homepage, supra note 47.
[74] Kate Black & Zerina Curevac, 23andPrivacy: Your Data and Law Enforcement, 23andMe: Blog (Mar. 16, 2016), https://blog.23andme.com/23andme-and-you/23andprivacy-your-data-law-enforcement [https://perma.cc/RTZ9-6CH7]; Ancestry, Ancestry FAQ, supra note 17. Ancestry’s test surveys a customer’s entire genome at over 700,000 locations. Id.
[75] Black & Curevac, supra note 74.
[76] Sarah Zhang, How a Tiny Website Became the Police’s Go-To Genealogy Database, Atlantic (June 1, 2018) [hereinafter Zhang, GEDmatch], https://www.theatlantic.com/science/archive/2018/06/gedmatch-police-genealogy-database/561695 [https://perma.cc/2VJ9-VWMT]; see also Sarah Zhang, The Genomic Revolution Reaches the City Crime Lab, Atlantic (Sept. 22, 2017) [hereinafter Zhang, Genomic Revolution], https://www.theatlantic.com/science/archive/2017/09/next-generation-dna-sequencing-forensics/540603 [https://perma.cc/AU8E-RMPA] (explaining that forensic labs do not actually know the sequence of the STRs they test, but instead simply count the repeats at certain loci to identify the source’s unique genetic pattern). According to Zhang, forensic labs could soon use DNA sequencer technology to analyze ancestry, hair color, and eye color. Zhang, Genomic Revolution, supra. Presumably, these labs will also be capable of locating SNP markers, thus making it logistically easier for investigators to search genealogy databases.
[77] Ancestry.com has over ten million people in its DNA network and 23andMe has more than five million customers. Company Facts, Ancestry, https://www.ancestry.com/corporate/about-ancestry/company-facts [https://perma.cc/ANC2-7394]; About Us, 23andMe, https://mediacenter.23andme.com/company/about-us [https://perma.cc/87UW-6JQL]. By way of comparison, NDIS boasts a database containing over thirteen million offender profiles, over three million arrestee profiles, and over 900,000 “forensic profiles” for a total of over seventeen million individual profiles. CODIS—NDIS Statistics, supra note 46. One can only guess that the private databases like Ancestry and 23andMe will continue to grow.
[78] Customers can purchase the DNA kits online or at local retailers like CVS. Where to Buy 23andMe DNA Test Kit?, 23andMe, https://customercare.23andme.com/hc/en-us/articles/115014501108-Where-Can-I-Buy-a-23andMe-Kit [https://perma.cc/Z98J-JZNU]. Once they have the kit, customers will register the product on the company’s website and provide their sample—a simple process that involves spitting saliva into the collection tube, sealing the sample kit, and placing it in a mailbox. Providing Saliva Sample for DNA Test Kit, 23andMe, https://customercare.23andme.com/hc/en-us/articles/202904530-Providing-your-saliva-sample [https://perma.cc/L8ML-ZWBG]; Activating Your AncestryDNA Test, Ancestry, https://www.ancestry.com/dna/activate/instructions [https://perma.cc/G3MW-XKAU]. The company receives the sample, analyzes the DNA, and then provides the customer a URL link to access their online results. How It Works, 23andMe, https://www.23andme.com/howitworks [https://perma.cc/4AUF-DY74]; DNA, Ancestry, https://www.ancestry.com/dna [https://perma.cc/NUU5-4PYZ].
[79] Health + Ancestry Service, 23andMe [hereinafter 23andMe, Health + Ancestry], https://www.23andme.com/dna-health-ancestry [https://perma.cc/R4HA-FS2A]; Ancestry, Ancestry FAQ, supra note 17. AncestryDNA targets family history from a few hundred to one thousand years ago, including information about a customer’s geographic origins across 350 regions worldwide. Id.; DNA, Ancestry, supra note 78. 23andMe can tell customers more about their paternal and maternal ancestors from more than a thousand years ago, pulling data from over 150 regions worldwide. 23andMe, Health + Ancestry, supra. 23andMe offers additional services including genetic health risks, wellness reports, carrier status, and information regarding specific genetic traits like whether a customer is genetically predisposed to have a unibrow. Id. Both Ancestry and 23andMe allow customers to opt-in to participate in valuable genetic research. See Research, 23andMe [hereinafter 23andMe, Research], https://www.23andme.com/research [https://perma.cc/Y3LC-45H8]; AncestryDNA Research Project, Ancestry [hereinafter Ancestry, Research Project], https://support.ancestry.com/s/article/AncestryDNA-Research-Project [https://perma.cc/5ZMK-TSSY].
[80] Accessing Your Raw Genetic Data, 23andMe, https://customercare.23andme.com/hc/en-us/articles/212196868-Accessing-and-Downloading-Your-Raw-Data [https://perma.cc/MJ96-5G4M]; Ancestry, Ancestry FAQ, supra note 17.
[81] GEDmatch, https://www.gedmatch.com/login1.php [https://perma.cc/5PYT-L8TE]. Because GEDmatch does not analyze DNA samples, but rather, provides tools to analyze raw data already collected from forensic lab analysis, it has proved to be a tantalizing and useful investigative tool. See Zhang, GEDmatch, supra note 76. Consumers may use a website like GEDmatch to improve and refine their genealogy research, which offers, among other useful features, the ability to match with users who have tested with different services. Zhang, Golden State Killer, supra note 1.
[82] Privacy, 23andMe [hereinafter 23andMe, Privacy], https://www.23andme.com/about/privacy [https://perma.cc/5TLQ-4DBK] (last updated Sept. 30, 2019); Your Privacy, Ancestry [hereinafter Ancestry, Privacy], https://www.ancestry.com/cs/legal/privacystatement [https://perma.cc/D28M-CX2S] (last updated July 25, 2019).
[83] Terms of Service, 23andMe [hereinafter 23andMe, ToS], https://www.23andme.com/about/tos [https://perma.cc/Y872-297T] (last updated Sept. 30, 2019); Ancestry Terms and Conditions, Ancestry [hereinafter Ancestry, ToS], https://www.ancestry.com/cs/legal/termsandconditions [https://perma.cc/7YBG-CZBM] (last updated July 25, 2019); Ancestry, Privacy, supra note 82. However, both companies’ policies state that customers waive their property rights with regard to research or commercial products that may be developed with their genetic information, meaning customers will not receive compensation for any such research or commercial products. 23andMe, ToS, supra; Ancestry, ToS, supra. It is worth noting that 23andMe’s guarantee of data ownership is less explicit than Ancestry’s guarantee. 23andMe, ToS, supra (“Any Genetic Information derived from your saliva remains your information, subject to rights we retain as set forth in these TOS.”).
[84] 23andMe, Privacy, supra note 82; Ancestry, Privacy, supra note 82. Because GEDmatch is a free, open-access system, its Terms of Service and Privacy Policy warns users that they are unable to guarantee that the website will be used solely for its intended use as a genealogical research tool. GEDmatch.com Terms of Service and Privacy Policy, GEDmatch [hereinafter GEDmatch, ToS], https://www.gedmatch.com/tos.htm [https://perma.cc/GFM4-5B7Q] (last updated May 18, 2019). The policy states, “some of these possible uses of Raw Data, personal information, and/or Genealogy Data by any registered user of GEDmatch include . . . [f]amilial searching by third parties such as law enforcement agencies to identify the perpetrator of a crime, or to identify remains.” Id.
[85] Transparency Report, 23andMe, https://www.23andme.com/transparency-report [https://perma.cc/TJP6-KELM] (last updated Oct. 15, 2019); Black & Curevac, supra note 74.
[86] Black & Curevac, supra note 74 (“23andMe unequivocally chooses to use all practical legal and administrative resources to resist requests from law enforcement, and we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access. . . . [23andMe] will notify the affected individual(s) . . . in advance of any disclosure to law enforcement, unless doing so would violate the law or a court order.”).
[87] Ancestry 2017 Transparency Report, Ancestry, https://www.ancestry.com/cs/transparency-2017 [https://perma.cc/2D8Q-VLMN]. However, the instances in which they complied were related to investigations involving credit card misuse and identity theft, not violent crimes. Id.
[88] Ancestry 2015 Transparency Report, Ancestry, https://www.ancestry.com/cs/transparency-2015 [https://perma.cc/2Z4Z-VGPR]; Koerner, supra note 8.
[89] Zhang, Golden State Killer, supra note 1.
[91] Koerner, supra note 8; Zhang, Golden State Killer, supra note 1.
[92] Megan Molteni, The Creepy Genetics Behind the Golden State Killer Case, Wired (Apr. 27, 2018, 2:00 PM), https://www.wired.com/story/detectives-cracked-the-golden-state-killer-case-using-genetics [https://perma.cc/P7AT-L665].
[93] Molteni, supra note 92; Avi Selk, All We Know About Joseph DeAngelo, the Golden State Killer Suspect Who Became a Suburban Grandfather, Wash. Post (Apr. 26, 2018, 6:09 PM), https://www.washingtonpost.com/news/post-nation/wp/2018/04/26/joseph-deangelo-golden-state-killer-suspect-was-normal-grandpa-according-to-teen [https://perma.cc/65ME-NCY7]; Zhang, Golden State Killer, supra note 1.
[94] Molteni, supra note 92; Zhang, Golden State Killer, supra note 1. The articles state that “investigators wouldn’t break any laws in accessing a publicly available database like GEDmatch,” Molteni, supra note 92, and that this type of investigative technique is “wholly unregulated.” Zhang, Golden State Killer, supra note 1. Investigators have not indicated how they generated a profile that would be compatible with the raw data on GEDmatch, however, California’s progressive approach to forensic DNA analysis likely made it possible. Molteni, supra note 92; Zhang, Golden State Killer, supra note 1. “The California Department of Justice . . . began validating DNA-sequencing tools about two years ago and plans to complete the process within the next year.” Zhang, Genomic Revolution, supra note 76.
[95] Molteni, supra note 92; Zhang, Golden State Killer, supra note 1.
[96] Molteni, supra note 92; Zhang, Golden State Killer, supra note 1. It is true that DeAngelo has not yet been convicted, but clearly there is a significant amount of probative DNA evidence that links him to the crimes. Investigators resorted to this DNA search after numerous traditional searches through state databases returned no matches. Molteni, supra note 92; Zhang, Golden State Killer, supra note 1.
[99] Id.; Jennifer Lynch, How Private DNA Data Led Idaho Cops on a Wild Goose Chase and Linked an Innocent Man to a 20-Year-Old Murder Case, Electronic Frontier Found. (May 1, 2015), https://www.eff.org/deeplinks/2015/05/how-private-dna-data-led-idaho-cops-wild-goose-chase-and-linked-innocent-man-20 [https://perma.cc/SW8H-84P8].
[100] Koerner, supra note 8; Lynch, supra note 99.
[101] Koerner, supra note 8; Lynch, supra note 99.
[102] Koerner, supra note 8; Lynch, supra note 99.
[103] Koerner, supra note 8; Lynch, supra note 99.
[104] Koerner, supra note 8; Lynch, supra note 99.
[105] Koerner, supra note 8; Lynch, supra note 99.
[106] Koerner, supra note 8; Lynch, supra note 99.
[107] Koerner, supra note 8; Lynch, supra note 99.
[108] Murphy, supra note 16, at 299–300, 328–29.
[109] Molteni, supra note 92; Zhang, Golden State Killer, supra note 1.
[110] U.S. Const. amend. IV (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no [w]arrants shall issue, but upon probable cause, supported by [o]ath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”).
[111] See, e.g., United States v. Jones, 565 U.S. 400 (2012). For example, in the last five years the Court has extended Fourth Amendment protections to digital information stored on cell phones and in the cloud. Riley v. California, 573 U.S. 373 (2014).
[112] Carpenter v. United States, 138 S. Ct. 2206, 2213 (2018); Jones, 565 U.S. at 405 (stating that the reference to “persons, houses, papers, and effects” in the Fourth Amendment would be superfluous if it was meant to focus solely on personal privacy).
[113] Carpenter, 138 S. Ct. at 2213 (citing Jones, 565 U.S. at 400, 405, 406 & n.3).
[114] Id.; Jones, 565 U.S. at 405; Katz v. United States, 389 U.S. 347, 351 (1967) (“[T]he Fourth Amendment protects people, not places.”).
[115] Katz, 389 U.S. 347 (holding that electronic surveillance can constitute a search, even when no property interest is invaded). Justice Harlan first articulated the reasonable expectation of privacy standard in his concurrence in Katz. Id. at 360–61 (Harlan, J., concurring). The Court in Katz recognized that a purely property/trespassory-based standard for Fourth Amendment protection would be inadequate to protect certain privacy interests in the modern world, which triggered the shift to a privacy interest analysis. Id. at 351–53 (majority opinion) (“[T]he Fourth Amendment protects people, not places.”); see also Carpenter, 138 S. Ct. at 2213; Jones, 565 U.S. at 414 (Sotomayor, J., concurring).
[116] Smith v. Maryland, 442 U.S. 735, 740 (1979) (citing Katz, 389 U.S. 347).
[117] Id. (internal quotation marks omitted).
[118] Id.; Carpenter, 138 S. Ct. at 2221.
[119] Katz, 389 U.S. 347. The Court found significant the “vital role” that the public telephone had come to play at that time, acknowledging that what one seeks to preserve as private, even in public areas, may be entitled to constitutional protection under the Fourth Amendment. Id. at 351–52.
[120] Carpenter, 138 S. Ct. 2206; Jones, 565 U.S. 400.
[121] See Carpenter, 138 S. Ct. 2206; Smith, 442 U.S. 735 (holding that the installation and use of a pen register to log an individual’s phone calls was not a “search” under the Fourth Amendment); United States v. Miller, 425 U.S. 435 (1975) (holding there is no legitimate expectation of privacy in the bank records at issue, therefore the records are not protected under the Fourth Amendment).
[122] Jones, 565 U.S. at 408; id. at 414 (Sotomayor, J., concurring).
[123] Id. at 414 (Sotomayor, J., concurring).
[124] Id. at 411; id. at 414 (Sotomayor, J., concurring). While the Court sometimes focuses more on the “property interest” aspect of Fourth Amendment protections, in the recent Carpenter v. United States decision the Court focused on the plaintiff’s “privacy interest,” holding that Carpenter had a reasonable expectation of privacy in the record of his physical movements. Carpenter, 138 S. Ct. at 2208–11.
[125] Smith, 442 U.S. 735; Miller, 425 U.S. 435.
[126] Smith, 442 U.S. at 743 (“This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”); Miller, 425 U.S. at 440; see also Carpenter, 138 S. Ct. at 2226–27 (Kennedy, J., dissenting) (“Miller and Smith hold that individuals lack any protected Fourth Amendment interests in records that are possessed, owned, and controlled only by a third party.” (emphasis added)).
[127] Smith, 442 U.S. at 744. For Justice Kennedy in the recent Carpenter decision, there must be a requisite connection between the individual and the property interest for the individual to be able to assert Fourth Amendment interests in the property. Carpenter, 138 S. Ct. at 2227 (Kennedy, J., dissenting). And for Justice Thomas, also dissenting, the issue in Carpenter was who actually owned the records. Id. at 2235 (Thomas, J., dissenting).
[128] The Carpenter majority parts with dissenters Justice Kennedy and Justice Thomas in its determination that disclosure or conveyance of information to a third party does not automatically mean an individual has surrendered their expectation of privacy. Justice Kennedy and Justice Thomas determined that the cell-site records in Carpenter were not different from other kinds of bank records handed over to a third party and never actually belonged to Carpenter. Carpenter, 138 S. Ct. at 2224, 2227–28 (Kennedy, J., dissenting); id. at 2241–42 (Thomas, J., dissenting) (“[I]ndividuals do not have Fourth Amendment rights in someone else’s property.”).
[129] Smith, 442 U.S. at 741–45; Miller, 425 U.S. at 442–45. The Miller Court, in examining the nature of the particular bank documents (financial statements and deposit slips) sought to be protected, determined that the individual had no legitimate expectation of privacy in their contents because they were not confidential communications but negotiable instruments to be used in commercial transactions. Miller, 425 U.S. at 442. The Court noted that a depositor assumes the risk that the information he reveals to the bank will be conveyed by that person to the government. Id. It was significant to the Court that the documents contained “only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.” Id. Further, the Court noted that Congress assumed a lack of any legitimate expectation of privacy in enacting the Bank Secrecy Act, the purpose of which was “to require records to be maintained because they ‘have a high degree of usefulness in criminal, tax, and regulatory investigations and proceedings.’” Id. at 442–43 (quoting 12 U.S.C. § 1829b(a)(1) (2012)).
[130] Miller, 425 U.S. at 443.
[131] The Smith Court similarly held that even if a person has a subjective expectation that the numbers they dial will be kept private, that “expectation is not ‘one that society is prepared to recognize as “reasonable,”’” because that person voluntarily conveyed the information to a third party and thus assumed the risk that the company would reveal that information to the police. Smith, 442 U.S. at 743–45 (quoting Katz v. United States, 389 U.S. 347, 361 (1967)). “[P]etitioner voluntarily conveyed numerical information to the telephone company and ‘exposed’ that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed.” Id. at 744 (emphasis added).
[132] Carpenter, 138 S. Ct. 2206.
[133] Carpenter, 138 S. Ct. at 2214–15; United States v. Jones, 565 U.S. 400, 417 (2012) (Sotomayor, J., concurring). Justice Sotomayor, in her Jones concurrence, pushes back against a strict application of the third-party doctrine in the digital age. Id. It seems clear that much of her reasoning regarding the need to protect highly sensitive personal information revealed in digital data derived from ubiquitous technologies can be found in the Carpenter majority opinion. See id.; Carpenter, 138 S. Ct. at 2219–20. Justice Sotomayor argued:
More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.
Jones, 565 U.S. at 417 (Sotomayor, J., concurring) (citations omitted).
[134] Carpenter, 138 S. Ct. at 2217–18.
[135] Id. Justice Kennedy concedes that Miller and Smith have limitations and may not apply when the government obtains “modern-day equivalents of an individual’s own ‘papers’ or ‘effects,’ even when held those papers or effects are held by a third party.” Id. at 2230 (Kennedy, J., dissenting). Justice Gorsuch, in his Carpenter dissent, implies that the Court may have understood this conveyance of digital data to the third party to be an involuntary bailment. Id. at 2270 (Gorsuch, J., dissenting) (“At least some of this Court’s decisions have already suggested that use of technology is functionally compelled by the demands of modern life, and in that way the fact that we store data with third parties may amount to a sort of involuntary bailment too.”). “A bailment is the ‘delivery of personal property by one person (the bailor) to another (the bailee) who holds the property for a certain purpose,’” where the bailor does not surrender ownership and the bailee owes a legal duty to keep the item. Id. at 2268–69 (emphasis removed) (citing Black’s Law Dictionary 169 (10th ed. 2014)).
[136] Carpenter, 138 S. Ct. at 2219–20.
[137] Id.; Jones, 565 U.S. at 415 (Sotomayor, J., concurring) (“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”). And just because a person ventures into the public sphere does not mean they surrender all Fourth Amendment protection. Carpenter, 138 S. Ct. at 2217.
[138] Carpenter, 138 S. Ct. at 2217–18, 2220.
[139] Id. One important factor was that technology like cell phones has come to play a vital role in society. Id. at 2220. “[C]ell phones and the services they provide are ‘such a pervasive and insistent part of daily life’ that carrying one is indispensable to participation in modern society.” Id. (quoting Riley v. California, 573 U.S. 373, 385 (2014)). The majority seems to have considered, as Justice Sotomayor alludes to in her Jones concurrence, the apparent “tradeoff” of privacy for the convenience offered by modern technologies and determined the “tradeoff” is not absolute. Jones, 565 U.S. at 417–18 (Sotomayor, J., concurring) (internal citation omitted) (quoting Jones, 565 U.S. at 427 (Alito, J., concurring)) (“[S]ome people may find the ‘tradeoff’ of privacy for convenience ‘worthwhile,’ or come to accept this ‘diminution of privacy’ as ‘inevitable,’ and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the government of a list of every Web site they had visited in the last week, or month, or year.”); see Carpenter, 138 S. Ct. at 2217. Rather, the Court makes clear that at least within the special area of location tracking data, a person does not discard their expectation of privacy simply by using these nearly indispensable technologies. Id. at 2217–18.
[140] Carpenter, 138 S. Ct. at 2213–14, 2216–17, 2219, 2224. The Court looked to what the Framers may have considered a government intrusion protected under the Fourth Amendment, but also considered how, between now and only fifty years ago, rapidly shifting technology has shaped society’s expectations of privacy. Id. “Although no single rubric definitively resolves which expectations of privacy are entitled to protection, the analysis is informed by historical understandings ‘of what was deemed an unreasonable search and seizure when [the Fourth Amendment] was adopted.’” Id. at 2213–14 (brackets in original) (quoting Carroll v. United States, 267 U.S. 132, 149 (1925)). While reference to the Framers’s intentions induces a more abstract analysis and tenuous analogies between modern day technology and their eighteenth century equivalents, the Court’s more reasoned analysis is the consideration of post-Katz Fourth Amendment precedent. Id. at 2216–19, 2222.
[141] Carpenter, 138 S. Ct. at 2214 (internal quotations omitted) (first quoting Boyd v. United States, 116 U.S. 616, 630 (1886); and then quoting United States v. Di Re, 332 U.S. 581, 595 (1948)).
[143] Id. at 2217 (“After all, when Smith was decided in 1979, few could have imagined a society in which a phone goes wherever its owner goes, conveying to the wireless carrier not just dialed digits, but a detailed and comprehensive record of the person’s movements.”). The Carpenter Court was also cognizant of the fact that technology changes rapidly, and while the cell-site technology may not be perfectly precise today, newer and better technologies will surely emerge. Id. at 2218–19 (quoting Kyllo v. United States, 533 U.S. 27, 36 (2001)) (“At any rate, the rule the Court adopts ‘must take account of more sophisticated systems that are already in use or in development.’”).
[144] Id. at 2218. The cell-site data received a higher degree of solicitude, due to the police’s ability to use this data to track any person’s past movements. Id. at 2218–19. “With access to CSLI, the Government can now travel back in time to retrace a person’s whereabouts . . . .” Id. at 2218. The Court explained that the location information is “continually logged for all of the 400 million devices in the United States” and the wireless carriers maintain records of the information for up to five years. Id. “[T]his newfound tracking capacity runs against everyone. Unlike with the GPS device in Jones, police need not even know in advance whether they want to follow a particular individual, or when.” Id. (emphasis added).
[145] Id. at 2223. “[T]his tool risks Government encroachment of the sort the Framers, ‘after consulting the lessons of history,’ drafted the Fourth Amendment to prevent.” Id. (quoting United States v. Di Re, 332 U.S. 581, 595 (1948)); see also United States v. Jones, 565 U.S. 400, 416 (2012) (Sotomayor, J., concurring) (“[T]he Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse.”).
[146] Carpenter, 138 S. Ct. at 2216–17, 2219–20; see also id. at 2231–32 (Kennedy, J., dissenting); id. at 2267 (Gorsuch, J., dissenting).
[147] The Carpenter majority seems to have used a balancing test in its application of the reasonable expectation of privacy, with respect to information conveyed to third parties. See id. at 2216–17, 2219–20; see also id. at 2231–32 (Kennedy, J., dissenting) (citations to majority opinion omitted) (“The Court appears, in my respectful view, to read Miller and Smith to establish a balancing test. For each ‘qualitatively different category’ of information, the Court suggests, the privacy interests at stake must be weighed against the fact that the information has been disclosed to a third party. When the privacy interests are weighty enough to ‘overcome’ the third-party disclosure, the Fourth Amendment’s protections apply.”); id. at 2267 (Gorsuch, J., dissenting) (emphasis in original) (citations to majority opinion omitted) (“The Court says courts now must conduct a second Katz-like balancing inquiry, asking whether the fact of disclosure to a third party outweighs privacy interests in the ‘category of information’ so disclosed.”). The majority’s conclusion that the third-party doctrine does not extend to this discrete category of information (cell-site location data) reflects the majority’s recognition of the information’s highly sensitive nature. The Carpenter decision has effectively modified the third-party doctrine analysis with the addition of this new balancing inquiry. Though the majority announced that the decision was to be narrow, it seems clear that the Carpenter decision will have a broad effect on various types of information that have been conveyed to third parties but are sought to be protected from unreasonable government search and seizure under the Fourth Amendment. See id. at 2220 (majority opinion); see also id. at 2233–34 (Kennedy, J., dissenting); id. at 2266–67 (Gorsuch, J., dissenting).
[148] This would likely be a violation of the Terms of Service. See 23andMe, ToS, supra note 83; Ancestry, ToS, supra note 83; GEDmatch, ToS, supra note 84.
[149] See Black & Curevac, supra note 74; Ancestry, Ancestry FAQ, supra note 17.
[150] It is not clear whether or not a subpoena is a “search” under the Fourth Amendment. See Carpenter, 138 S. Ct. at 2221–22; see also id. at 2228–29 (Kennedy, J., dissenting); id. at 2246–61 (Alito, J., dissenting). This Note assumes that subpoena-like requests for documents would be subject to Fourth Amendment protections. Id. at 2221–22 (explaining a subpoena will not insulate a search from Fourth Amendment protections where there is a legitimate expectation of privacy in the interest held by a third party). Further discussion on this topic is beyond the scope of this Note.
[151] A finding of a property interest is a fully independent basis for finding something to be a Fourth Amendment search, not just evidence of a reasonable expectation of privacy. However, the Court, from Katz to Carpenter, seems to indicate that whether the individual retains a property interest or not is not dispositive, so long as the reasonable expectation of privacy standard is met. Katz v. United States, 389 U.S. 347, 351–52 (1967); Carpenter, 138 S. Ct. at 2208–09; see also id. at 2227 (Kennedy, J., dissenting) (citing Rakas v. Illinois, 439 U.S. 128, 143 (1978)) (“Yet ‘property concepts’ are, nonetheless, fundamental ‘in determining the presence or absence of the privacy interests protected by that Amendment. This is so for at least two reasons. First, as a matter of settled expectations from the law of property, individuals often have greater expectations of privacy in things and places that belong to them, not to others. And second, the Fourth Amendment’s protections must remain tethered to the text of that Amendment, which [] protects only a person’s own ‘persons, houses, papers, and effects.’”); id. at 2268 (Gorsuch, J. dissenting) (citing Byrd v. United States, 138 S. Ct. 1518, 1526 (2018)) (“Katz only ‘supplements, rather than displaces the traditional property-based understanding of the Fourth Amendment.’”).
[152] Ram, supra note 14, at 929.
[155] Id. at 891–92 (“[L]awmaking institutions have recognized that people do have a cognizable legal interest in their identifiable genetic information.”).
[158] Id. At least one court has expressly treated intangible genetic information as property. Id. at 907 (referring to United States v. Kriesel, 720 F.3d 1137 (9th Cir. 2013)).
[160] Id. at 892, 903 (“An individual cannot simply sell or otherwise alienate her interest in her genetic information and thereby no longer be genetically similar to her close genetic relatives.”).
[162] “Voluntariness shapes the scope of many legal rights.” Id. at 904.
[163] Murphy, supra note 16, at 295.
[164] See Smith v. Maryland, 442 U.S. 735 (1979); United States v. Miller, 425 U.S. 435 (1976).
[166] Maryland v. King, 569 U.S. 435, 446 (2013).
[167] U.S. Const. amend. IV; see also Carpenter v. United States, 138 S. Ct. 2206, 2222 (2018) (“If the third-party doctrine does not apply to the ‘modern-day equivalents of an individual’s own “papers” or “effects,”’ then the clear implication is that the documents should receive full Fourth Amendment protection. We simply think that such protection should extend as well to a detailed log of a person’s movements over several years.”); id. at 2268, 2272 (Gorsuch, J., dissenting) (“[T]he fact that a third party has access to or possession of your papers and effects does not necessarily eliminate your interest in them. . . . Plainly, customers have substantial legal interests in this information, including at least some right to include, exclude, and control its use. Those interests might even rise to the level of a property right.”). The raw data file and the underlying information containing a consumer’s entire genetic makeup should be considered “papers” or “effects” in the same way that an individual’s personal diary would be considered their papers or effects.
[168] Smith, 442 U.S. at 743–45; Miller, 425 U.S. at 443.
[169] Carpenter, 138 S. Ct. at 2222; id. at 2269 (Gorsuch, J., dissenting); Smith, 442 U.S. 735; Miller, 425 U.S. 435.
[170] Carpenter, 138 S. Ct. at 2226–27 (Kennedy, J., dissenting); Miller, 425 U.S. at 440 (“On their face, the documents subpoenaed here are not respondent’s ‘private papers.’ Unlike the claimant in Boyd [sic], respondent can assert neither ownership nor possession.”).
[171] Carpenter, 138 S. Ct. at 2226–27 (Kennedy, J., dissenting).
[172] Ram, supra note 14, at 892. Further, at least one international supreme court has “grounded a claim of control over the genetic information of another on the shared nature of identifiable genetic information.” Id. at 900 (“In Guðmundsdóttir v. Iceland, the Icelandic Supreme Court determined that an individual exercising the right to opt out of a genetic database may require the exclusion not only of her own genetic sequence, but also that of her deceased father.”).
[174] Smith, 442 U.S. at 743–44; Miller, 425 U.S. 435; see also 23andMe, Privacy, supra note 82; Ancestry, Privacy, supra note 82; 23andMe, ToS, supra note 83; Ancestry, ToS, supra note 83.
[175] 23andMe, Privacy, supra note 82; Ancestry, Privacy, supra note 82; 23andMe, ToS, supra note 83; Ancestry, ToS, supra note 83.
[176] Erin Brodwin, How to Delete Your DNA Data from Genetics Companies like 23andMe and Ancestry, Bus. Insider (May 4, 2018, 8:37 AM), https://www.businessinsider.com/how-to-delete-dna-genetic-data-2018-5 [https://perma.cc/CE5C-376P]. While Ancestry allows users to delete their genetic information, it still requires users to call the company to discard their saliva sample. Id. 23andMe, on the other hand, seems to be less forthcoming about what they can and cannot do with a user’s genetic info and saliva sample. Id. Users are able to delete their profiles but the company states that it cannot delete a user’s raw genetic data in compliance with federal law. Kristen V. Brown, Deleting Your Online DNA Is Brutally Difficult, Bloomberg (June 15, 2018, 5:00 AM), https://www.bloomberg.com/news/articles/2018-06-15/deleting-your-online-dna-data-is-brutally-difficult [https://perma.cc/JA8V-4CMP]; What’s New in Your Account Settings?, 23andMe, https://customercare.23andme.com/hc/en-us/articles/360004944654-What-s-New-In-Your-Account-Settings [https://perma.cc/2XBU-H4SW]. This should not significantly diminish a consumer or their relatives’ property interest, as the consumer still retains a certain degree of control and possession.
[177] Can My DNA Be Genotyped Anonymously?, 23andMe, https://customercare.23andme.com/hc/en-us/articles/202907890-Can-I-be-genotyped-anonymously [https://perma.cc/B9J2-GZJ5]; Choosing Not to Be Listed as an AncestryDNA Match, Ancestry, https://support.ancestry.com/s/article/Opting-out-of-DNA-Matches [https://perma.cc/WW8D-SVQQ].
[178] 23andMe, ToS, supra note 83; Ancestry, ToS, supra note 83; Ancestry, Privacy, supra note 82.
[179] Accessing Your Raw Genetic Data, 23andMe, https://customercare.23andme.com/hc/en-us/articles/212196868-Accessing-and-Downloading-Your-Raw-Data [https://perma.cc/7VPP-QXTW]; Ancestry, Ancestry FAQ, supra note 17.
[180] A common example of a bailment is when a person mails a letter through the U.S. Postal Service, wherein the mailer is the bailor and the mailman is the bailee. See United States v. Carpenter, 138 S. Ct. 2206, 2268–70 (Gorsuch, J., dissenting) (discussing Ex Parte Jackson, 96 U.S. 727 (1878)).
[181] Id.; see also Ex Parte Jackson, 96 U.S. 727, 733 (1878) (holding that sealed letters placed in the mail are “as fully guarded from examination and inspection, except as to their outward form and weight, as if they were retained by the parties forwarding them in their own domiciles”). Justice Gorsuch explained that Fourth Amendment protections against unreasonable search and seizure of bailed papers and effects should extend, in some cases, to modern-day papers and effects, such as emails. Carpenter, 138 S. Ct. at 2269 (Gorsuch, J., dissenting). “At least some of this Court’s decisions have already suggested that use of technology is functionally compelled by the demands of modern life, and in that way the fact that we store data with third parties may amount to a sort of involuntary bailment too.” Id. at 2270.
[182] Nor does a bailment diminish the consumer’s expectation of privacy over the sensitive information voluntarily surrendered, because the consumer has the opportunity to anonymize the information. See sources cited supra note 177.
[183] “In a bailment, you’ve handed your keys to the valet. He’s supposed to give it back to you, but until he does, you can’t drive your car. [However, with genetic information,] [n]o matter what happens, I still have my DNA.” Telephone Interview with Felix Wu, Professor of Law, Benjamin N. Cardozo Sch. of Law (July 18, 2019).
[184] “Insofar as the Fourth Amendment inquiry may turn on the strength of the property interest involved, users of genealogical genetic services are in a much better position to assert an expectation of privacy in their data than are cell phone users.” Natalie Ram, Genetic Privacy After Carpenter, 105 Va. L. Rev. (forthcoming 2019) (manuscript at 34) (on file with the Virginia Law Review).
[185] Carpenter, 138 S. Ct. at 2233–35 (Kennedy, J., dissenting).
[186] See generally Carpenter, 138 S. Ct. 2206.
[188] Id. However, unlike the consumer in Carpenter who did not have any property interest in the third party’s cell-site data but did have a reasonable expectation of privacy in the content of that data, DNA database consumers do have a property interest in their genetic records and have a reasonable expectation of privacy in their identifiable genetic information.
[189] Id.; United States v. Jones, 565 U.S. 400, 414–16 (2012) (Sotomayor, J., concurring); Ram, supra note 14, at 929; see also Ram, supra note 184, at 24.
[190] See Murphy, supra note 16, at 319; Ram, supra note 14, at 876, 929.
[191] Carpenter, 138 S. Ct. at 2219 (first quoting Riley v. California, 573 U.S. 373, 392 (2014); and then quoting United States v. Miller, 425 U.S. 435, 442 (1979)) (“But the fact of ‘diminished privacy interests does not mean that the Fourth Amendment falls out of the picture entirely.’ Smith and Miller, after all, did not rely solely on the act of sharing. Instead, they considered ‘the nature of the particular documents sought’ to determine whether ‘there is a legitimate “expectation of privacy” concerning their contents.’”).
[192] Id. (citing Riley, 573 U.S. 373).
[193] Id. at 2218; Ram, supra note 14.
[194] See, e.g., Privacy for Your AncestryDNA Test, Ancestry, https://www.ancestry.com/cs/legal/PrivacyForAncestryDNATesting [https://perma.cc/5R92-92DQ]. For consumers who opt-in to allowing their genetic information to be researched, their information is typically de-identified and anonymized. Ram, supra note 14, at 886.
[195] See discussion of “scenario two” supra p. 123.
[196] See Carpenter, 138 S. Ct. at 2214.
[197] Ram, supra note 14, at 899 (“[M]y DNA is not just my DNA. It’s my family’s DNA.”). Ram argues that “the shared nature of identifiable genetic information means that individuals’ authority to control their ‘own’ identifiable genetic information may be affected by how the government, research entities, or genetic testing firms make use of genetic information drawn from close genetic relatives.” Id.
[199] Smith v. Maryland, 442 U.S. 735, 743–44 (1979); United States v. Miller, 425 U.S. 435, 438–43 (1976); Ram, supra note 14, at 903–07.
[200] Carpenter, 138 S. Ct. at 2220.
[201] See Ram, supra note 14, at 903–07.
[202] Ram, supra note 184, at 25, 31 (quoting Carpenter, 138 S. Ct. at 2213) (“[I]individuals retain a constitutionally significant ‘expectation of privacy . . . that society is prepared to recognize as reasonable’ not merely in their physical cells, but also in the genetic information those cells contain. . . . The mere act of sharing genetic data with a third-party service provider ought not automatically forfeit an expectation of privacy in genetic data.”).
[203] Ram, supra note 14, at 935 (“[E]ach family member retains a unilateral right to learn about the genetic information in her cells—even if that information is germane to others of her kin.”). As Justice Marshall explained in his Smith dissent, “[p]rivacy is not a discrete commodity, possessed absolutely or not at all.” Smith, 442 U.S. at 749 (Marshall, J., dissenting).
[204] Carpenter, 138 S. Ct. at 2220; see also Ram, supra note 184, at 31 (“Today’s direct-to-consumer [DNA] marketplace may be akin to the early days of cell phone or smartphone use.”).
[205] For example, 23andMe uses CLIA (Clinical Laboratory Improvement Amendments)–certified labs to extract DNA from cells in customer saliva samples and then processes the DNA on a highly complex genotyping chip capable of reading hundreds of thousands of variants in the customer genome. Genetic Science, 23andMe, https://www.23andme.com/genetic-science [https://perma.cc/T87R-GKHK]. The average individual likely does not have personal access to laboratory equipment capable of adequately extracting DNA from a sample, let alone computer hardware and software capable of analyzing the genome.
[206] Without a database populated with other genomes, the individual’s lone sample would be of little value for personal genealogical research because there are no profiles with which to compare. Genetic testing for medical purposes must meet strict federal and state standards covering “how tests are performed, the qualifications of laboratory personnel, and quality control and testing procedures for each laboratory.” How Can Consumers Be Sure a Genetic Test Is Valid and Useful?, Genetics Home Reference, https://ghr.nlm.nih.gov/primer/testing/validtest [https://perma.cc/T82W-MJL5].
[207] Consider a future where a person can maximize their health simply by running a quick genetic analysis to determine their ideal diet, exercise, and medication regimen.
[208] Carpenter, 138 S. Ct. at 2269 (Gorsuch, J., dissenting).
[212] See Ram, supra note 184, at 32 (“[G]enetic data aggregated in genealogical databases may be approaching an inescapable and automatic nature that makes the sharing of such data not truly voluntary.” (internal quotations omitted)).
[213] Carpenter, 138 S. Ct. at 2218.
[214] Id. at 2214 (“[A] central aim of the Framers was to place obstacles in the way of a too permeating police surveillance.” (internal quotations omitted)).
[215] At the time the Framers wrote the Fourth Amendment, they did not even know that germs existed. See Germ Theory, Sci. Museum Brought to Life, http://broughttolife.sciencemuseum.org.uk/broughttolife/techniques/germtheory [https://perma.cc/4HJB-7VC5]. It is hard to imagine that the Framers could possibly have conceptualized the nearly science-fiction level of identification technology, based purely on genetic code which is invisible to the naked eye and ties relatives together over decades.
[216] United States v. Jones, 565 U.S. 400, 415–16 (2012) (Sotomayor, J., concurring); see also Ram, supra note 184, at 30 (“Like cell site location information, genetic data also enables the government to conduct its investigations in remarkably easy, cheap, and efficient [ways,] compared to traditional investigative tools[,] such as [w]ith just the click of a button.” (internal quotations omitted) (brackets in original)).
[217] Carpenter, 138 S. Ct. at 2216–17, 2219–20; see also id. at 2231–32 (Kennedy, J., dissenting); id. at 2267 (Gorsuch, J., dissenting).
[218] See Ram, supra note 184, at 32. While Ram reaches a similar conclusion with respect to whether the Fourth Amendment should protect genetic information voluntarily conveyed to third-party databases, her thesis focuses on how the courts should analyze privacy policies to determine whether consumers have granted consent. In contrast, this Note proposes that, until the Supreme Court makes a ruling issuing a constitutional mandate to protect genetic information stored in third-party DNA databases, federal and state legislatures should pass laws limiting investigator access to those databases.
[219] There are two potential plaintiffs in such a case—the consumer and the consumer’s relative. A detailed analysis of whether these plaintiffs would have standing is beyond the scope of this Note.
[220] Though one potential downside is the lack of uniformity in the administration of the law, a constitutional mandate, made the law of the land by the Supreme Court, would create much-needed uniformity by binding the entire nation.
[221] Carpenter, 138 S. Ct. at 2233 (Kennedy, J., dissenting) (“How those competing effects balance against each other, and how property norms and expectations of privacy form around new technology, often will be difficult to determine during periods of rapid technological change. In those instances, and where the governing legal standard is one of reasonableness, it is wise to defer to legislative judgments . . . .”); see id. at 2261 (Alito, J., dissenting) (“Legislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”); see also id. at 2265–66 (Gorsuch, J., dissenting).
[222] California Policy, supra note 58.
[223] Natalie Ram, Fortuity and Forensic Familial Identification, 63 Stan. L. Rev. 751 (2011); see, e.g., California Policy, supra note 58; see also FBI, CODIS Homepage, supra note 47 (“Familial searching is not currently conducted at the national level or performed by the [NDIS].”).
[224] States Using Familial Searches, supra note 57.
[225] California Policy, supra note 58 (partial match searches are a measure of last resort; the evidence must meet certain criteria and a Department of Justice committee must grant final approval).
[226] California Policy, supra note 58.
[227] It should be noted that there is an obvious utility to this controversial investigative technique, in that it has successfully been used to solve criminal cases. See Zhang, Golden State Killer, supra note 1. While using a third-party database partial match search may occasionally result in more cases solved (while technology will surely improve the process, resulting in less investigative mistakes), legislatures should not weigh lightly the immense privacy interest at stake. As discussed infra note 228, a potential balanced middle ground may be to allow investigators to use third-party databases (after obtaining a warrant) to perform an exact match search, therefore lessening the intrusion on the consumer’s relatives’ interests.
[228] The standard would be high because partial match searches may be considered suspicionless by definition and for a search to be reasonable there typically must be “some quantum of individualized suspicion.” Carpenter, 138 S. Ct. 2206, 2221 (2018) (citing United States v. Martinez-Fuerte, 428 U.S. 543, 560–61 (1976)); see Maryland v. King, 569 U.S. 435, 448 (2013) (quoting Samson v. California, 547 U.S. 843, 855, n.4 (2006)); Chandler v. Miller, 520 U.S. 305, 313 (1997); Ram, supra note 14, at 927 (“Whatever the legal standard for invading an individual’s interest in her identifiable genetic information . . . that standard is not met with respect to individuals targeted through a source-excluding partial match. No basis for database inclusion or database search of their genetic information exists until after a partial match has been discovered, investigated, and found to be informative. But the Constitution does not permit intrusion of protected interests to be justified with information discovered after the fact.”). Therefore, it seems as though one school of thought suggests that the only permissible use of a third-party database by law enforcement under a warrant requirement would be an exact match search. Ram, supra note 14, at 923. Where the police could ordinarily obtain a warrant to search Person A’s house to get to Person B (which may be analogous to a “suspicionless” partial match search), police should not as easily be able to obtain a warrant to search Person A’s genetic information to get to Person B, because the information is significantly more sensitive. While the balance between consumer privacy interest and government policing interest may shift on a case-by-case basis, a simple warrant requirement is not an overly burdensome hurdle for investigators to overcome if they have sufficient probable cause.
[229] For example, an active serial killer or terrorist on the loose—think the Boston Marathon bomber. While there is an urge to use this technique to solve cold cases (it’s current noteworthy use), an assumed-inactive criminal poses much less of a threat to society. This is an area where the legislature should precisely balance the technique’s strong benefit to protect against its invasion of privacy and property interests.
[230] For example, require a high level of STR matches without requiring all STRs to match.
[231] See, e.g., 18 U.S.C. § 2511 (2012).
[232] This regime could be in the spirit of the FDA’s labeling and advertising requirements imposed on tobacco companies, which require tobacco companies to include large graphic warning images on cigarette packs. See Terry Baynes, Court: Tobacco Health Labels Constitutional, Reuters (Mar. 19, 2012, 2:40 PM), https://www.reuters.com/article/us-tobacco-labels/court-tobacco-health-labels-constitutional-idUSBRE82I0VX20120319 [https://perma.cc/395D-PH2C]. These mandated labels, which must cover the top fifty percent of a cigarette pack’s front and back panels, make it clear to the consumer that the product is dangerous. Id. A heightened notice requirement for a third-party DNA database would make it abundantly clear to a consumer—clearer than the current Terms of Service statements—that the consumer may be sacrificing some of their rights to their genetic information by signing up with the company.
[233] Where graphic warnings are effective at informing consumers about health risks associated with smoking, a heightened warning for consumer DNA testing may similarly inform consumers of the consequences of DNA conveyance before they consent to the conveyance. Court Victory Means FDA Must Act Fast to Put Graphic Warnings on Cigarettes, Truth Initiative (Sept. 18, 2018), https://truthinitiative.org/research-resources/tobacco-prevention-efforts/court-victory-means-fda-must-act-fast-put-graphic [https://perma.cc/7Q83-JJQN].
[234] A heightened notice requirement could in no way be seen as a waiver of a consumer’s relatives’ reasonable expectation of privacy in their shared genetic information. The goal of this type of legislation is to give pause to the consumer before they submit their shared genetic information, and perhaps even consult with their relatives.
[235] See, e.g., Cigar Labeling and Warning Statement Requirements, FDA, https://www.fda.gov/TobaccoProducts/Labeling/Labeling/ucm524442.htm [https://perma.cc/GVK5-ARTH].