this post was submitted on 15 Jul 2023
49 points (94.5% liked)

Asklemmy

44119 readers
915 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

So obviously we're all on Lemmy for a complicated combination of reasons, but we all likely share some common ground, namely...

  • need for privacy
  • need to own/control/access the data we produce
  • healthy skepticism about the trustworthiness of for-profit corporations, in general

So if we don't want meta to know even innocuous things; like how many times/when we message our grandma, and we don't google to know when we're searching for remedies to a rash, and we don't want reddit to... Well we just don't want reddit - we don't want them to profit from or weaponize that data against us in a myriad ways.

We also don't want them artificially removing features and creating tiered layers of service/value hidden behind a paywall (I understand this is very present in the some of the commercially available DNA services).

So that brings me to DNA testing services. Since they started to emerge in the mainstream they were immediately an interesting, exciting novelty and I also knew it was data I wouldn't feel safe trusting with a for-profit org - with broken systems like law enforcement and health insurers on speed dial and just salivating for the goodies they collect.

So all that considered, any groups that provide this type of service that you do trust/use, and why?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 1 year ago (1 children)

Most companies don’t cooperate with law enforcement

All companies are still subject to the jurisdiction of their country. Perhaps you meant they are not voluntarily sending an unsolicited copy of every DNA profile to the nearest law enforcement office, but they still obey court warrants and extrajudicial subpoenas like National Security Letters.

Moreover, law enforcement doesn't even need to submit an official request. The Golden State Killer was caught after police detectives uploaded his DNA to a personal genomics website in 2017 pretending it was theirs. The website returned a list of relatives, which police used to find the killer. This was all perfectly legal.

For sure, don't go around killing people, but don't rely on these companies to protect your genetic privacy either.

[–] [email protected] 5 points 1 year ago (1 children)

The Golden State Killer was caught after police detectives uploaded his DNA to a personal genomics website in 2017 pretending it was theirs.

That's untrue. They uploaded it to Gedmatch which is the one website that allows these things. They didn't 'pretend it was theirs', they legitimately uploaded it from a police account. They do this a lot but you need to opt in now due to the legal challenges. They've solved quite a few crimes and identified many unidentified bodies, including a number of murdered children.

[–] [email protected] 1 points 1 year ago (1 children)

Ok, maybe I'm misremembering. There was some case where detectives simply submitted the DNA as their own, but maybe it was not GSK. Found this New York Times article: https://www.nytimes.com/2021/05/31/science/dna-police-laws.html

May 31, 2021 New laws in Maryland and Montana are the first in the nation to restrict law enforcement’s use of genetic genealogy, the DNA matching technique that in 2018 identified the Golden State Killer, in an effort to ensure the genetic privacy of the accused and their relatives.

Ah. So at least in 2021 only two states had any laws against trolling genealogy databases at all. Before 2021 none did. How many of remaining 48 have passes any laws about it since?

Beginning on Oct. 1, investigators working on Maryland cases will need a judge’s signoff before using the method, in which a “profile” of thousands of DNA markers from a crime scene is uploaded to genealogy websites to find relatives of the culprit.

As I said, a website cannot "allow" something if the police have a court order. They can only obey. Before 2021 police in Maryland could get genealogy info without court order. Now they can get it with one.

Montana’s new law, sponsored by a Republican, is narrower, requiring that government investigators obtain a search warrant before using a consumer DNA database, unless the consumer has waived the right to privacy.

Ok, so in Montana only:

  • with court order, can get all DNA data
  • without court order, can get DNA data of consumers who waved their privacy rights

What does waving entail?

Privacy advocates like Ms. Ram have been worried about genetic genealogy since 2018, when it was used to great fanfare to reveal the identity of the Golden State Killer, who murdered 13 people and raped dozens of women in the 1970s and ’80s. After matching the killer’s DNA to entries in two large genealogy databases, GEDmatch and FamilyTreeDNA, investigators in California identified some of the culprit’s cousins, and then spent months building his family tree to deduce his name — Joseph James DeAngelo Jr. — and arrest him.

Ok, so GEDmatch and FamilyTreeDNA were used, without court order...

Another sticky provision: Investigators may use only genealogy companies that have explicitly informed the public and their customers that law enforcement uses their databases, and that have asked for their customers’ consent to participate. Currently, customers of GEDmatch and FamilyTreeDNA are given a choice about whether to participate in these searches. But the companies provide little information about what those searches entail, and the opt-in settings are turned on by default.

Apparently that "need to opt in" you mentioned does exist, but it's more like an opt out really.

Unlike 23andMe and Ancestry, which have kept their immense genetic databases unavailable to law enforcement without a court order, GEDmatch and FamilyTreeDNA are eager to cooperate.

Aha! So GEDmatch and FamilyTreeDNA did and are giving police DNA info upon request without court order, and 23andMe and Ancestry are giving police DNA info with court order only. We can now construct this matrix:

Can police get your DNA data from genealogy database?

GEDMatch FamilyTreeDNA - 23andMe Ancestry
with optout default
Maryland w/o court order no no no no
Maryland w/ court order yes yes yes yes
Montana w/o court order no yes no no
Montana w/ court order yes yes yes yes
other 48 states w/o court order no yes no no
other 48 states w/ court order yes yes yes yes

You see it gets rather complicated... Rather than telling users to play 3SAT with the latest legal rules of their state, it's easier to simply say "If you submit your DNA for sequencing, police might get it."

In other cases, detectives might surreptitiously collect the DNA of a suspect’s relative by testing an object that the relative discarded in the trash. Maryland’s new law states that when police officers test the DNA of “third parties” — people other than the suspect — they must get consent in writing first, unless a judge approves deceptive collection.

Oh wow, what a case! Again, all this deception legal at the time, and still legal in 49 states without court order, and legal in Maryland with court order.

[–] [email protected] 1 points 1 year ago (1 children)

You're getting a bit confused here. Gedmatch cooperates with law enforcement but it's only if you've chosen to, so it's a program you need to opt in to. This is legal.

Some of what you've found is about how the police use DNA in general, for example going into bins to get you or your relatives DNA, this is unrelated to genetic genealogy and has been done for decades.

Now one thing that could happen is police requesting your DNA by court order, this is already done, not through genetic genealogy though, they can just get it from you. If the police get a court order to obtain your DNA then they're swabbing you themselves, or as previously mentioned, just getting it from your bin.

Police can not request everyones DNA by court order. That's not how laws work, and if they wanted to use genetic genealogy privately then they'd need access to the entire database, millions of people in dozens of countries, and each one would need to be requested individually with a full case to obtain. That's impossible.

Police do have their own database of DNA they've legitimately obtained, it's called CODIS. This can be used to find close relatives, so if your brother was arrested for a robbery and had his DNA collected, then your DNA was found in a murder scene they could link it to your brother using CODIS.

[–] [email protected] 1 points 1 year ago (1 children)

this is unrelated to genetic genealogy

Am I still misunderstanding something?

Beginning on Oct. 1, investigators working on Maryland cases will need a judge’s signoff before using the method, in which a “profile” of thousands of DNA markers from a crime scene is uploaded to genealogy websites to find relatives of the culprit. The new law, sponsored by Democratic lawmakers, also dictates that the technique be used only for serious crimes, such as murder and sexual assault. And it states that investigators may only use websites with strict policies around user consent.

To me that reads that the court order allows the police to use the genealogy database. For example:

  • I am curious about my genes
  • I submit my DNA for sequencing
  • Some years later some cousin rapes and murders someone, dumps the body
  • Police find body, find unknown DNA
  • Police get court order in murder case
  • Police force genealogy database to scan for matching DNA
  • Genealogy database gives police my name
  • Police show up at my door, start asking if I have any relatives that "kinda like to rape people"
  • Police hang out behind my house, steal the pizza crust from my trash bin for further DNA tests

Is that not a plausible scenario? What in the language of the law used by the NYT article makes you think this is disallowed? And remember, this is for Maryland only. The other 49 states can obtain a court order for any reason, be it murder or subway fare dodging.

it’s a program you need to opt in to

Again, not what privacy advocates from the NYT article say:

Currently, customers of GEDmatch and FamilyTreeDNA are given a choice about whether to participate in these searches. But the companies provide little information about what those searches entail, and the opt-in settings are turned on by default.

I.e. more like opt-out than opt-in, and again, irrelevant in case of a court order.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

So the first one, what you're missing is

And it states that investigators may only use websites with strict policies around user consent.

The law dictates it must have an opt in policy, so DNA being accessed is from volunteers basically.
It's also worth noting that if they had your DNA there's no need to steal your pizza because that will just provide the same DNA.

It's also discussing a Maryland law where prosecuters there have to apply to use those volunteers and have a certain level of crime to do so. In other states they can access the volunteers with less hoops to jump through. Nobody can access non volunteers.

On the 'turned on by default' statement, that's just untrue. It was never an opt out policy, it started as an open access arrangement then after legal challenges it became an opt in policy. You can look that up.

Now another misconception that I've noticed is what Gedmatch is, you can't submit spit to Gedmatch, it's a site for people who have tested at other sites to upload their DNA file to compare against other users of the site.

ETA - There's also no addresses on Gedmatch, the police would email you and ask for your details. You can submit addresses to Ancestry for example if you want, but there's no requirement to, or for that matter your name, email, etc etc. In cases currently being worked on they have had leads closed because people won't reply to a message.

[–] [email protected] 1 points 1 year ago (1 children)

There’s also no addresses on Gedmatch, the police would email you and ask for your details.

You are splitting hairs. Unless you took precautions to use a fake name and an untraceable email address, the police are showing up at your door. It's what they do.

On the ‘turned on by default’ statement, that’s just untrue.

Here's the gedmatch page describing their policy, and here's the screenshot they use to illustrate it:

"Public" is selected by default. Yeah yeah, they added "public opt-in" and "public opt-out" options in 2019 and forgot to update their screenshot, but I bet "public opt-in" is still selected by default. The NYT article says exactly that too. It is just untrue to call that "just untrue"! And can you guess what happened to all the people who uploaded their DNA data before 2019? Were all they automatically upgraded to "public opt-in"? I don't understand why you are so adamant to protect gedmatch saying "go ahead, upload your DNA freely!" when we know for sure that it was a free-for-all at least until 2019.

And you are still splitting hairs because you haven't refuted my main claim that police can get your data with a warrant. All that "opt-in/opt-out" is for the gedmatch's voluntary police information warrantless sharing program. I have seen no indication that gedmatch will not search the entire database for a match upon police request with a warrant. I have reason to believe that they will, because I know the state is sovereign. You cannot shield your information stored at third parties from government search just because you signed a privacy agreement with them.

The law dictates it must have an opt in policy

The law of the state of Maryland, not the other 49 states. And I looked up the actual law, it doesn't actually say "opt-in" contrary to the news article description of it:
https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/hb0240?ys=2021RS https://mgaleg.maryland.gov/2021RS/Chapters_noln/CH_681_hb0240e.pdf

(D) FGGS MAY ONLY BE CONDUCTED USING A DIRECT–TO–CONSUMER OR PUBLICLY AVAILABLE OPEN–DATA PERSONAL GENOMICS DATABASE THAT: (1) PROVIDES EXPLICIT NOTICE TO ITS SERVICE USERS AND THE PUBLIC THAT LAW ENFORCEMENT MAY USE ITS SERVICE SITES TO INVESTIGATE CRIMES OR TO IDENTIFY UNIDENTIFIED HUMAN REMAINS; AND (2) SEEKS ACKNOWLEDGMENT AND CONSENT FROM ITS SERVICE USERS REGARDING THE SUBSTANCE OF THE NOTICE DESCRIBED IN ITEM (1) OF THIS SUBSECTION.

To me that sounds more like "providing a warning" than providing an "opt-in/opt-out" system. The "acknowledgment and consent" could be as simple as clicking "I agree to terms of service". Here's what gedmatch privacy policy says:

some of these possible uses of Raw Data, personal information, and/or Genealogy Data by any registered user of GEDmatch include but are not limited to:
Familial searching by third parties such as law enforcement agencies to identify the perpetrator of a crime, or to identify remains.
...
We may disclose your Raw Data, personal information, and/or Genealogy Data if it is necessary to comply with a legal obligation such as a subpoena or warrant.
...
we may use and disclose personal information for meeting legal requirements and enforcing legal terms, as described in more detail above

I am not a lawyer but to me that sounds like an explicit notice that law enforcement may get my data and satisfies the Maryland law requirement for a warrant. Specifically, gedmatch policy does not say they will ignore a warrant if you opt out. Again, my assertion is that the opt-in/opt-out system is for the voluntary warrantless information sharing system, and the warrants described in Maryland law are separate from that.

You also imply that 23andMe and ancestry.com do NOT share any information with law enforcement because they do not have an opt-in system. This is also false. Here's ancestry.com policy:

Ancestry will release basic subscriber information as defined in 18 USC § 2703(c)(2) about Ancestry users to law enforcement only in response to a valid trial, grand jury or administrative subpoena.

Ancestry will release additional account information or transactional information pertaining to an account (such as search terms, but not including the contents of communications) only in response to a court order issued pursuant to 18 USC § 2703(d).

Contents of communications and any data relating to the DNA of an Ancestry user will be released only pursuant to a valid search warrant from a government agency with proper jurisdiction.

They WILL give up your DNA data to a valid warrant. The only question in my mind is whether they will also search the entire database for a given police sample. There is this article that says ancestry.com refused a police warrant in 2019 as improper, and police did not push the matter further. But it is unclear if ancestry.com was refusing to search its database on principle, or whether that one warrant in particular was faulty. Like if the police request "all 15 million DNA records" because they are idiots and don't know how databases work there is grounds to argue that is too broad of a request. But we don't have the text of the actual warrant. There are other articles that say police have been using specifically ancestry.com successfully to investigate crimes.

Someone would need to search the actual court cases where police used genealogy data to find suspects to confirm whether every single instance has used GEDMatch voluntary opt-in service, or whether police warrants have successfully retrieved match data from GEDMatch full database and from ancestry.com and 23andMe. I do not have such access.

EVEN IF ancestry.com and GEDmatch refuse warrants to search non-opt-in DNA in databases, such refusals have not yet been tested in court.

EVEN IF the Maryland law is amended/interpreted to mean that police cannot search non-opt-in DNA in databases even with a warrant (a voluntary restriction of the state on its own sovereign power, quite possible!), and EVEN IF the opt-in is made an explicit choice made in consultation with a "trained bioethicist" instead of an "I agree" checkbox below Terms of Service, and EVEN IF all other 49 states pass the same law as Maryland, it would STILL not be perfectly safe to upload your DNA to these services. Just as Maryland law changed in 2019, so it can change again. As we've seen with Roe v. Wade even long-established laws are not safe when there is a political interest to change them.

[–] [email protected] 1 points 1 year ago

That is a very long email filled with a lot of waffle which is based on things you seem to be worried about due to not understanding the situation. I'm not helping you with everything but read what you're typing, you've put a post about needing explicit consent to use DNA and then made up a story that people can be tricked. Not how it works.

The screenshot you've found of Gedmatch isn't anything to do with police at all.

Finally, you've claimed I haven't answered the court case suggestion, which I did a message or two ago. If they have a case strong enough to get your DNA then they can get it from you. No need to go faffing about with websites.
To use genetic genealogy you need access to a database of users, each of those peoples data is protected and in order to use them each time you would need to make a valid case for each persons DNA. That means hundreds of thousands individual cases and you wouldn't get permission as theres no cause.