THE BUILDING BLOCKS OF LIFE: CYBER-TRESPASS, THE FOURTH AMENDMENT, AND PUBLIC ANCESTRY DATABASES
By: William C. G. Wright, Volume 104 Staff Member
With the advent of affordable commercial DNA testing services such as 23andMe, Ancestry, and MyHeritage, people are flocking to discover the secrets of their genetic code in unprecedented numbers.[1] Researchers expect more than 74 million people will add their DNA to commercial databases between 2019 and 2021 alone.[2] These services offer people the chance to learn more about their family history and increase awareness about potential health risks.[3] These services also allow users to locate distant relatives through genetic similarities.[4] These genetic family trees can be constructed either through commercial testing services themselves, like 23andMe,[5] or through independent third party open source databases, like GEDmatch, that allow individuals to post their genetic code on a publicly searchable platform.[6] However, as Ancestry’s privacy policy warns, “[y]ou may discover unexpected facts about yourself or your family when using our services” and “[o]nce discoveries are made” they can’t be undone.[7]
More troubling than what the individual uploader may discover is what others may discover about them or their distant family members. Given the heritable nature of DNA, distant family members need not consent to DNA testing or assume the risk of uploading their DNA to databases for a great deal of their genetic code to be available to others.[8] Governments have begun to recognize the power such genetic databases hold. For instance, China—with the help of DNA testing—has forced potentially one million ethnic Uighurs into “reeducation centers.”[9] Closer to home, domestic law enforcement agencies have increasingly turned to genetic databases to investigate crimes.[10] In one particularly high-profile case, law enforcement were able to use a public database—GEDmatch—to locate who they believe to be the Golden State Killer.[11] In this case, police uploaded crime scene DNA and got a partial match to the suspect’s great-great-great-grandparents.[12] To be clear, that’s a lot of greats. Given how distant such matches can be, researchers currently believe that 60% of Americans of European ancestry and 40% of Americans of African descent can be tracked by police using the genetic material currently available on genetic databases, even though only a tiny fraction of those individuals have ever had a DNA test.[13]
Ironically, one of the most private and fundamental things about a person—their genetic makeup—is likely not protected by current Fourth Amendment jurisprudence, at least not when genetic data is uploaded to a public database such as GEDmatch.[14] While the validity of the third party doctrine as applied to private genetic databases, such as 23andMe, is being questioned in the wake of the Supreme Court’s recent decision in Carpenter v. United States,[15] the Supreme Court has previously held that “the police cannot reasonably be expected to avert their eyes from evidence of criminal activity that could have been observed by any member of the public.”[16] Because public databases like GEDmatch are open to the public to view, officers likely cannot be expected to “avert their eyes from [that] evidence,” regardless of how the debate over the third party doctrine resolves itself in the context of private genetic databases.[17]
Despite Fourth Amendment defenses seemingly being off the table for defendants involved in public genetic database prosecutions, it is still in the best interests of genetic databases to protect their users’ privacy from law enforcement. Research suggests that Americans are either split or in favor of DNA testing companies sharing their data with law enforcement. In a recent survey conducted by the Pew Research Center, 48% of Americans felt it was acceptable for DNA companies to share data, 33% felt it was unacceptable, and 18% were unsure.[18] In another study published in PLOS Biology, approximately 90% of respondents felt law enforcement should be allowed to search genealogical websites that match DNA to relatives in cases of violent crime, missing persons, and crimes against children.[19] In that same study, 46% felt police should be able to use those methods to investigate non-violent crime.[20] However, abstract questions about police practices do not seem to capture the behavior and expectations of customers whose DNA is actually uploaded on databases. In May of 2019, GEDmatch authorized Utah police to use its database to solve an assault, in violation of its terms that only allowed law enforcement to use the database for murder or sexual assault investigations.[21] Following an outcry over the incident, GEDmatch changed its settings so that users must opt in to allow law enforcement access to their data.[22] Since then, only 180,000 of the database’s more than 1.2 million members have opted in.[23] Private DNA testing companies are also responding to clients’ desire for privacy. Shortly after the GEDmatch debacle, Ancestry, 23andMe, and Helix formed the Coalition for Genetic Data Protection.[24]
A potential tool for public genetic databases to protect users’ privacy rights is the Computer Fraud and Abuse Act (CFAA) and state law equivalents.[25] The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information.”[26] Just like conventional trespass law, liability for cyber-trespass under the CFAA hinges on what the owner of the website authorizes a specific user to do on their site.[27] This is of particular importance for public genetic databases whose data is available to anyone, as police access would seem to be largely dependent on police self-control.
The CFAA contains statutorily defined penalties for violations of its provisions.[28] A potential way to add further teeth to cyber-trespass violations by law enforcement would be to bring novel civil-rights actions under 42 U.S.C. § 1983 or Bivens v. Six Unknown Named Agents of Federal Bureau of Narcotics.[29] Section 1983 contains an express private right of action allowing individuals to sue state officials for violations of the federal constitution and federal law in their individual capacity.[30] Because the CFAA is federal law, any violation of the CFAA by state law enforcement would appear to expose any agents involved in such an unauthorized access of genetic data to personal liability.
A Bivens action would be more difficult. In Bivens, the Supreme Court recognized a judicially created private right of action against federal officials who violated the Fourth Amendment.[31] Thus, to establish grounds for a potential Bivens action, the owners of public genetic databases would need to establish a violation of their Fourth Amendment rights. In Jones v. United States, the Court relied on a property centric conception of the Fourth Amendment.[32] Under the post-Jones framework, courts must first consider whether a law enforcement action was a trespass at common law.[33] While the CFAA is statutory and not common law, and computers did not exist at the time of the Founding, a nonfrivolous argument could be made that the CFAA imports the framework of traditional common law trespass into the digital sphere.[34] If a court were to accept such an argument, any violation of the CFAA by federal law enforcement officers would then be a concurrent Fourth Amendment violation, presumably cognizable in a Bivens actions.
Of course, qualified immunity doctrine throws a wrench into any attempt to bring novel civil rights claims under § 1983 or Bivens. Under qualified immunity, government officials are immunized from suit unless the federal right they violate is “clearly established” and one “which a reasonable person would have known” at the time of the violation.[35] However, the Supreme Court held in Pearson v. Callahan that courts have discretion to resolve the merits of a claim before dismissing it on qualified immunity.[36] This helps avoid “constitutional stagnation” by allowing federal rights to become “clearly established,” even if the instant offenders are immune.[37] Thus, while qualified immunity would serve as a speedbump to § 1983 and Bivens suits brought under a novel cyber-trespass theory, these rights could become “clearly established” once initial claims are adjudicated.
Because it is in genetic databases’ best interests to protect their users’ data from government use,[38] these companies should consider bringing cyber-trespass suits against law enforcement under the CFAA when these agencies access their databases. To provide further deterrent effect, these companies should bring concurrent § 1983 and Bivens actions whenever bringing cyber-trespass claims against law enforcement. While these novel civil rights actions will likely fail initially due to qualified immunity, these suits will help “clearly establish” the genetic databases’ federally recognized rights. Once these rights are “clearly established,” immunity will no longer pose a bar to § 1983 and Bivens actions.
[1] See Antonio Regalado, More than 26 Million People Have Taken an At-Home Ancestry Test, MIT Tech. Rev. (Feb. 11, 2019), https://www.technologyreview.com/s/612880/more-than-26-million-people-have-taken-an-at-home-ancestry-test/ [https://perma.cc/5M56-N6L5].
[2] Id.
[3] 23andMe, https://www.23andme.com/ [https://perma.cc/4X45-S7S5] (last visited Feb. 21, 2020).
[4] Cf. id. (highlighting “Family Tree” and “DNA Relative Finder” features).
[5] See, e.g., id.
[6] See, e.g., GEDmatch, Your DNA Guide, https://www.yourdnaguide.com/upload-to-gedmatch
[https://perma.cc/96XP-B2DD] (last visited Feb. 22, 2020).
[7] Your Privacy, Ancestry (Dec. 23, 2019), https://www.ancestry.com/cs/legal/privacystatement [https://perma.cc/F65J-Z8CC].
[8] See Jocelyn Kaiser, We Will Find You: DNA Search Used to Nab Golden State Killer Can Home in on About 60% of White Americans, Science (Oct. 11, 2018), https://www.sciencemag.org/news/2018/10/we-will-find-you-dna-search-used-nab-golden-state-killer-can-home-about-60-white [https://perma.cc/ZKY3-XATU].
[9] Rani Molla, Genetic Testing is an Inexact Science With Real Consequences, Vox (Dec. 13, 2019), https://www.vox.com/recode/2019/12/13/20978024/genetic-testing-dna-consequences-23andme-ancestry[https://perma.cc/S79C-YN9M]; see also Jen Kirby, China’s Brutal Crackdown on the Uighur Muslim Minority, Explained, Vox (Nov. 6, 2018), https://www.vox.com/2018/8/15/17684226/uighur-china-camps-united-nations [https://perma.cc/23FM-NGL5].
[10] Sarah Zhang, How a Tiny Website Became the Police’s Go-To Genealogy Database, The Atlantic (June 1, 2018), https://www.theatlantic.com/science/archive/2018/06/gedmatch-police-genealogy-database/561695 [https://perma.cc/BPQ3-E23A].
[11] Kaiser, supra note 8.
[12] Lindsey Van Ness, DNA Databases are Boon to Police but Menace to Privacy, Critics Say, GCN (Feb. 20, 2020), https://gcn.com/articles/2020/02/20/police-dna-databases.aspx [https://perma.cc/5HHC-NM9C].
[13] Kaiser, supra note 8 (“GEDmatch likely only encompasses about 0.5% of the U.S. adult population.”).
[14] Claire Abrahamson, Note, Guilt by Genetic Association: The Fourth Amendment and the Search of Private Genetic Databases by Law Enforcement, 87 Fordham L. Rev. 2539, 2543 (2019); see also Anthony Barone Kolenc, “23 and Plea”: Limiting Police Use of Genealogy Sites After Carpenter v. United States, 122 W. Va. L. Rev. 53, 105–06 (2019).
[15] 138 S. Ct. 2206 (2018); see Kolenc, supra note 14, at 105–06; Paul Ohm, The Many Revolutions of Carpenter, 32 Harv. J.L. & Tech. 357, 383–85 (2019).
[16] California v. Greenwood, 486 U.S. 35, 41 (1988).
[17] Id.; Abrahamson, supra note 14, at 2543.
[18] Andrew Perrin, About Half of Americans are Ok with DNA Testing Companies Sharing User Data with Law Enforcement, Pew Res. Ctr. (Feb. 4, 2020), https://www.pewresearch.org/fact-tank/2020/02/04/about-half-of-americans-are-ok-with-dna-testing-companies-sharing-user-data-with-law-enforcement/ [https://perma.cc/27LS-QL6U].
[19] Christi J. Guerrini et al., Should Police Have Access to Genetic Genealogy Databases? Capturing the Golden State Killer and Other Criminals Using a Controversial New Forensic Technique, PLOS Biology (Oct. 2, 2018), https://journals.plos.org/plosbiology/article?id=10.1371/journal.pbio.2006906 [https://perma.cc/58TG-VZBG].
[20] Id.
[21] Salvador Hernandez, Investigative Genealogy Helped Police Catch Serial Killers and Rapists. Now Cases are Going Unsolved, BuzzFeed (Oct. 26, 2019), https://www.buzzfeednews.com/article/salvadorhernandez/dna-police-genetic-genealogy-serial-killers-case-gedmatch [https://perma.cc/9HDJ-SMT8].
[22] Id.
[23] Molla, supra note 9; Hernandez, supra note 21.
[24] Alex Gangitano, DNA Testing Companies Launch New Privacy Coalition, The Hill (June 25, 2019), https://thehill.com/regulation/lobbying/450124-dna-testing-companies-launch-new-privacy-coalition [https://perma.cc/H2YF-5A25].
[25] See 18 U.S.C. § 1030(a)(2)(C) (2018); Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1597 (2003).
[26] 18 U.S.C. § 1030(a)(2)(C) (2018).
[27] See James Grimmelmann, Consenting to Computer Use, 84 Geo. Wash. L. Rev. 1500, 1501–02 (2016) (“The term ‘without authorization’ as used in the CFAA does not refer to what a computer user does; it refers to what a computer owner says about those uses.”).
[28] 18 U.S.C. § 1030(c) (2018).
[29] 42 U.S.C. § 1983 (2018); Bivens v. Six Unknown Named Agents of Federal Bureau of Narcotics, 403 U.S. 388 (1971).
[30] See 42 U.S.C. § 1983 (2018).
[31] 403 U.S. 388 (1971).
[32] See 565 U.S. 400, 409 (2012).
[33] Id. at 411 (explaining the Fourth Amendment “must provide at a minimum the degree of protection it afforded when it was adopted”).
[34] See Grimmelmann, supra note 27 (drawing similarities between the CFAA and common law trespass and conversion).
[35] Harlow v. Fitzgerald, 457 U.S. 800, 818 (1982); see also Davis v. Scherer, 468 U.S. 183, 197 (1984).
[36] 555 U.S. 223, 232–36 (2009).
[37] See id. at 232.
[38] See supra note 21–24 and accompanying text.