Two States Pass Laws Limiting Law Enforcement Access To Private DNA Services

One of the more recent opportunities for law enforcement in the Third Party Doctrine space has been DNA databases. A number of companies offer on-demand DNA testing, allowing users to check themselves for potential markers that could indicate susceptibility to diseases or just to figure out where they fit in in the world by linking them to distant relatives they may not be aware of.

Since users are sharing this potentially-sensitive info with DNA companies and other users, law enforcement illogically thought they wouldn’t mind sharing it with cops. At least one company believed this as well, informally deputizing its user base as involuntary providers of DNA evidence.

A whole lot of Wild Westing ensued. Some investigators used subpoenas, believing it was third party data that carried no expectation of privacy. Others used warrants, but used them to access the entire contents of third party DNA databases. Cops even created fake accounts to upload DNA samples to find matches in cases that had gone cold.

This mostly-voluntary patchwork of legal paperwork/legal theories is now being codified into something coherent and subject to at least some judicial oversight. As the New York Times reports, two states have recently passed laws governing the use of private companies’ DNA databases by law enforcement.

Beginning on Oct. 1, investigators working on Maryland cases will need a judge’s signoff before using the method, in which a “profile” of thousands of DNA markers from a crime scene is uploaded to genealogy websites to find relatives of the culprit. The new law, sponsored by Democratic lawmakers, also dictates that the technique be used only for serious crimes, such as murder and sexual assault. And it states that investigators may only use websites with strict policies around user consent.

Montana’s new law, sponsored by a Republican, is narrower, requiring that government investigators obtain a search warrant before using a consumer DNA database, unless the consumer has waived the right to privacy.

The Maryland law is obviously the stronger of the two. It would steer investigators away from more law enforcement-receptive sites like FamilyTreeDNA, which opts users into sharing information with law enforcement by default. It would also prevent investigators from creating fake accounts to perform DNA searches, unless specifically approved by a judge.

It also mandates destruction of information obtained from DNA databases at the conclusion of investigations. And, perhaps most importantly, it forces investigators to utilize the government-owned DNA database (Codis) before approaching private third parties.

The Montana law is better than nothing, but it still needs more work. While it does erect a warrant provision, it allows that to be waived if the “consumer” consents to the search. Given that most databases attempt to link people by DNA, consent given by one person has the potential to subject lots of other people to searches they never agreed to.

But these are both positive steps. Just another 48 states to go. The relentless advance of technology often has cops claiming they’re being left behind, outpaced by criminal early adopters. But the opposite is more often true. Law enforcement moves quickly to take advantage of new tech, rushing out ahead of court precedent and legislation to exploit tech advances legislators could never have anticipated. And when the loopholes begin closing, law enforcement will switch back to complaining about the “loss” of its lawless spaces. For now, two states are better protected than the rest of the nation. Hopefully, more legislatures will recognize this is an issue they can no longer ignore.