NEW YORK (GenomeWeb) – Companies that offer consumer genomics services have sought to assure customers that their data remains private after Family Tree DNA acknowledged last week that it has been making its database available to US federal law enforcement.
The Houston-based genetic genealogy company, a Gene by Gene subsidiary, announced Jan. 31 that it was "working with the [US Federal Bureau of Investigation] to test DNA samples provided by law enforcement in order to help identify perpetrators of violent crimes and to identify the remains of deceased individuals."
The news was extensively covered in the media, including a Jan. 31 piece in BuzzFeed News. The attention prompted a second statement from Family Tree DNA President Bennett Greenspan who defended the firm's cooperation with law enforcement, while apologizing for updating the company's terms of service in December to better reflect law enforcement's ability to use the database in certain cases without informing customers of the change.
He noted that any additional information about kits would only be provided in the case of a "valid legal process, such as a subpoena or search warrant."
A company spokesperson referred to the two statements and said the company was unlikely to further comment on the issue.
The revelation that Family Tree DNA has been working with law enforcement has some worried about a negative impact on the industry, as customers might be more cautious about buying kits. Companies have long tried to assure customers that their data would not be accessible to law enforcement, but Family Tree DNA's decision could lead to the same concerns about data privacy that existed when the services first launched, over a decade ago.
"This is a reset," said Spencer Wells, CEO of Austin, Texas-based Insitome, and founder of National Geographic's Genographic Project. "This takes us back to when we first set up the Genographic Project" in 2005.
According to Wells, consumer genomics players have worked for years to overcome initial skepticism toward the industry, particularly around data privacy and security. But those gains might have been erased by Family Tree DNA's announcement.
Some of Family Tree DNA's other competitors were quick to criticize the company's decision, and stated publicly that they would not cooperate with law enforcement in a similar manner.
Gilad Japhet, CEO of MyHeritage, posted on Facebook that the Israeli family history company had changed its terms of service specifically to prevent law enforcement from using its database. Japhet said his company is "vehemently opposed to law enforcement use and to Family Tree DNA's latest move, and will never provide an open door to law enforcement."
"We have clear policies stating we will not voluntarily work with law enforcement, and use all legal means to safeguard our customers' data," Kathy Hibbs, chief legal and regulatory officer at Mountain View, California-based 23andMe, said in an email. "We have never shared customer information with law enforcement," Hibbs said. "We believe it is our responsibility to provide customers with a safe, secure, private platform to explore their genetics."
A spokesperson for Ancestry made a similar statement. "Ancestry does not support third party DNA data uploads and does not voluntarily cooperate with law enforcement," the spokesperson said. "Any attempt by law enforcement to access our database with a third-party sample would be a violation of our company's terms and conditions. Ancestry will only turn over DNA data when compelled by court."
David Nicholson, managing director at Living DNA, said that the British consumer genomics firm will "only allow your DNA to be used for what you have asked us to do with it." He noted that all companies are obliged to provide law enforcement with information when served with a search warrant or subpoena, but stressed that the firm will not freely open up its database to any third party.
For his part, Insitome's Wells hosted a podcast this week about Family Tree DNA's cooperation with law enforcement. But despite these overtures from others in the industry to allay customers concerns, some believe the controversy could depress demand for consumer genomics services.
"I think it could lessen sales," said Wells. "That's the worry. People want to find out this information. They are trusting the companies to be good stewards of their information and in this case, this particular company has not been a good steward, at least on the surface that appears to be the situation," he said. "That calls into question, what is the industry doing to police itself?"
Judy Russell, author of the blog The Legal Genealogist, also warned it might negatively impact the industry. "I do think it will by damaging the trust the testing companies have built up that they are truly committed to personal privacy and will be good stewards of very private information," Russell said.
Russell has authored two posts about Family Tree DNA's decision. The first, "Opening the DNA flood gates" appeared on Feb. 1, and argued that Family Tree DNA had decided to work with law enforcement without the informed consent of its users, who thought they were taking a test for genealogical purposes, not to assist law enforcement. The second, "One little change" suggested that the company allow users to opt in to having their samples used for such purposes, the way that some firms, like 23andMe, request user's permission to use their data for genetic research.
Currently, Family Tree DNA is allowing users to opt out, but they will no longer receive information about cousin matches, considered to be one of the main applications of the service.
Russell also suggested that the impact of Family Tree DNA's decision would actually be greater internationally, particularly in Europe, "where privacy is a bigger issue than it is here in the US."
She noted on her blog that a complaint has been filed with the Data Protection Commission in Ireland, alleging that by working with law enforcement, Family Tree DNA had violated the General Data Protection Regulation (GDPR) that entered into force last year.
A spokesperson for the Irish DPC confirmed that the commission has "received complaints in relation to Family Tree DNA" and that it is currently assessing those complaints.
The industry has made some effort to regulate itself in recent years. Last summer, representatives from a number of firms worked together with the Washington, DC-based nonprofit, the Future of Privacy Forum, to agree on Privacy Best Practices for Consumer Genetic Testing Services, which "established standards for for genetic data generated in the consumer context."
The set of standards states that "genetic data may be disclosed to law enforcement entities without consumer consent when required by valid legal process" and called on firms to provide a transparency report regarding interactions with law enforcement on at least an annual basis. Both 23andMe and Ancestry currently publish such reports.
Though Family Tree DNA had agreed to the standards after they were published in July, the FPF removed the firm from its list of companies supporting the standards on Feb. 1, after it made its initial announcement about working with the FBI.
Carson Martinez, the lead author on the set of best practices and a health policy fellow at the FPF, said Family Tree DNA's agreement with the FBI is "inconsistent with industry norms and consumer expectations" and conflicts with FPF's set of best practices. She noted that the best practices state that genetic data should not be disclosed to or made accessible to third parties, in particular to government agencies, except as required by law.
She also noted that the best practices state that companies should only process DNA samples and genetic data uploaded by the relevant individual, or with that individual's permission. In a Feb. 6 blog post, FPF argued that Family Tree DNA's agreement with the FBI is "outside industry norms and inconsistent with consumer expectations" and pressed the company to "terminate the company's agreement with the FBI and take steps to ensure that law enforcement does not access users' data without appropriate legal process."
While the industry has been critical of Family Tree DNA, some users welcomed the news that the company was cooperating with law enforcement. "It's caused a lot of polarized views," said Debbie Kennett, a genetic genealogist and honorary researcher at University College London's department of genetics, evolution, and environment. "There are people who think it's wonderful that the company is doing this to help catch killers."
Kennett said that she had less of an issue with Family Tree DNA's change in its terms of service, than with the repurposing of the database, which has been done in her words without informed consent. "It's: 'Take a test, use a website that's been set up for finding your origins,'" Kennett said. "It's not: 'Take a DNA test to help catch a killer.' That is not what people signed up for when they paid for the test."
Roberta Estes, a genetic genealogist and author of the blog DNAeXplained, cautioned that most media accounts of Family Tree DNA's announcement have "misrepresented the level of access by law enforcement." She noted that no one, including law enforcement, has access to the database as a whole, "nor do they have the ability to rifle through the database like a big sandbox."
Estes underscored that the FBI has the same limited level of access that any other customer has that submits a sample for the Family Finder test, meaning to partial records of people the forensic kit matches. "Customers control how much information is displayed to their matches, including name, email address, and a tree," said Estes, "Clearly the customer can obfuscate or remove any of those things," she said. "The FBI has no access to any information from any person that doesn't match the kit."
Curtis Rogers, who co-founded GEDmatch, declined to comment on Family Tree DNA's decision to work with the FBI. However, he cautioned people about "jumping to conclusions" in general.
"The use of autosomal DNA in forensics is a whole new paradigm, completely different than the forensics everyone, including most law enforcement, are used to," said Rogers. "That can be expected with such a new innovation," he said. "What appears to violate privacy based on knowledge of old forensics, probably does not violate the privacy of people who have been genealogically tested or the privacy of any of their relatives."
Kennett acknowledged that at the moment, the FBI's use of the Family Tree DNA database has probably impacted a small amount of people. However, she decried a lack of clear regulations around making the data available to law enforcement in the US.
"They talk about catching killers and solving crimes, but without any regulation there are states where this can be used to incriminate innocent people and to target minority communities," said Kennett. "It can really disrupt people's lives."
Given the strong language used by other consumer genomics firms that they would never cooperate with law enforcement, few industry observers believe the Family Tree DNA-FBI partnership is the start of a new trend. Russell of The Legal Genealogist noted that most of the databases are international, and the companies would be subject to fines for violating the informed consent provisions of the European GDPR.
Still, Russell said the announcement had damaged Family Tree DNA's reputation. "The most difficult part for me and I think for most customers is the breach of faith," Russell said. She noted that Family Tree DNA had in the past promised the same kind of data protection that the other providers had.
"All promises and commitments made to customers ... were broken the instant a law enforcement agent was allowed to put some unknown person's crime scene sample into the database under the ruse that it was just another customer and obtain all kinds of data about customers who match that sample even though it's precisely the kind of data that FTDNA promised to protect," said Russell. She also chided the firm for not being forthcoming about its change in policy, and argued that it should support an opt-in basis for cooperating with law enforcement.
"If the company were to change it now to opt-in, it could mitigate most of the damage it's done to the trust of its customer base by truly giving each customer the right to choose," she said.
"People don't object if they have given informed consent," Insitome's Wells said. "The problem is, if you buy a DNA test, to find out who your relatives are, and then it turns out your DNA is being used for finding criminals by the FBI, you've been lied to effectively," he said.
Wells said that the issue had once again raised privacy issues in the minds of consumers, who may have not paid so much attention to terms of service and privacy policies in the past.
"No one is going to forget about this," said Wells. "Customer awareness will change. This has been reported in the world's biggest media outlets. You would have to be living under a rock to have not heard of this."