05/04/2018

After The Golden State Killer, The Ethics Of Genetic Testing

21:57 minutes

Genetic testing sites are nothing new. They’ve grown enough in popularity over the past decade that the idea of spitting into a tube and sending it in the mail to a website to find out more about your family tree—or even your risk of certain inherited diseases—doesn’t seem all that strange to most people.

But the case of the Golden State Killer has brought to light many questions about the direct-to-consumer genetic testing market that still need answering. For example, who controls your data once you’ve shared it with a third-party site? Should law enforcement be able to use a consumer genetic database to aid in a criminal case? And when that data links you to a family tree, how do you protect the privacy of those who haven’t willingly shared it?

[The ethics of ET communication.]

Dr. Amy McGuire, professor of biomedical ethics at Baylor College of Medicine, discusses the risks we take when we share genetic information online. Plus, Natalie Ram, assistant professor of law at University of Baltimore School of Law discusses how this new era of genetic research is butting up against the criminal justice system.

Interview Highlights

On whether or not some genetic testing sites offer more privacy than others.

Natalie Ram: Well, it depends what you mean by privacy. So 23andMe and AncestryDNA and other services like those are more like a walled garden. And so they you will inform their users that they may be required to comply with court orders, but that they will do their best to fight them, whereas the GEDmatch platform, from what I’ve learned in the last couple of days, is really a much more open system. It doesn’t make as many promises. It’s sort of a not-for-profit enterprise.

On how genetic testing sites fit into the larger conversation on privacy.

Natalie Ram: I think that in the big data world that we live in now, it’s not just genetic information. It’s social media information, it’s information that we share online, it’s information that has come up with regard to people’s cell phone activities—we’re kind of at an inflection point, I think, in our society, and in our legal system, to be thinking about how do we handle privacy issues in the context of big data, where you’re inevitably going to be sharing your information whether intentionally or unintentionally with other third parties.

On how you could be included in a genetic database without submitting DNA yourself.

Amy McGuire: I participated in a study that was done out of MIT several years ago where we sort of first looked at this familial matching through genetic databases, and it was surprisingly easy actually to identify people through their familial matches on genetic genealogy databases. One of the things that struck me is, you may not even know you’re related to the person who has uploaded their data. They could be fourth, fifth, sixth, generation cousins who you don’t know and you had no idea you had any relation to them, and yet their information could in some ways be used to identify you. So I do think it raises really important questions—that’s what makes the genetic piece of this slightly different than like Facebook information because genetic information is in and of itself inherently familial. And so you can tell information about your genetic relatives through your own DNA.

[From Strava to Facebook to Venmo, you may be leaking data.]

On whether genetic information, like that used to identify the suspect in the Golden State Killer case, is covered under the Fourth Amendment.

Natalie Ram: So as it happened in this investigation, there was a subpoena made to a different website, not to GEDmatch [the site used to ultimately identify the suspect]—a subpoena requiring that company to divulge a particular user’s name and payment information to allow investigators to continue on in their investigation and that family tree. And generally speaking, once you have voluntarily shared your data with a third party, like a genetic testing service, the Fourth Amendment’s protection against unreasonable searches and seizures, against warrantless search and searches and seizures, simply doesn’t apply. That’s the current law. Now the Supreme Court is currently considering a case that may—may, we don’t know how it will be decided yet—but may reshape this idea that once you share your data with any third party, however nominally…now that data is outside the bounds of the Fourth Amendment’s warrant requirement. So this could really change, but it’s unclear whether or not it will.

On the calls for a national genetic database.

Amy McGuire: I think many people would like to see that happen, I think, from both from a public health perspective but also from a research perspective. The National Institutes of Health has talked for a long time about having a national database of genetic information for research purposes and we’ve really gotten a lot of pushback. I think our fundamental values in the United States around privacy and concerns about genetic discrimination and how people might use genetic information still are very pervasive. We do have all 50 states and the federal government sort of signed on to this idea of having a database of genetic information from suspected and convicted criminals to varying degrees. And there seems to be general public support for that—although as you start to move a little bit further out into people who have been suspected of nonviolent crimes and things like that, I think there’s less support for them being included in these forensic databases. So expanding out from that to a non-forensic database, where we just collect people’s DNA at birth, for example, and just have a national registry, I think I would be surprised if we had widespread public support for that in our country.

On if claiming physician-patient confidentiality as a way to prevent law enforcement from using genetic testing services.

Amy McGuire: Genetic genealogy databases—and even the direct to consumer genetic testing companies—they go to great lengths to not establish a physician-patient relationship with their customers and to basically say that the information that they’re giving back is not medical information, it’s not diagnostic information. And so oftentimes they don’t even have a licensed health care provider involved in their services. So in those circumstances there is no physician-patient relationship or even attorney-client relationship that would privilege the information in the way that you would if it was your medical information and it was obtained during the course of your medical care.

On whether it’s a matter of time before there is a national genetic database.

Amy McGuire: It’s only a matter of time before we’re all in… yeah, well absent some strong legal regulation. And, you know, Congress or a particular state could enact some sort of genetic privacy law that says law enforcement can’t use your DNA just because it’s shared with some third party like a 23andMe, GEDmatch.com, a state or the federal government could do that. Absent that kind of action, I think what this case demonstrates is that when investigators can’t solve the crime using the existing mechanisms and tools they have at their disposal, they look for other sources—new ways to expand the net of whose DNA they can search.

Support great science journalism!

Segment Guests

Amy McGuire

Amy McGuire is a professor of biomedical ethics and director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine. She’s based in Houston, Texas. 

Natalie Ram

Natalie Ram is an assistant professor and director of the Center for Medicine and Law at the University of Baltimore School of Law in Baltimore, Maryland. 

Segment Transcript

IRA FLATOW: This is Science Friday. I’m Ira Flatow. A bit later in the hour, we’re talking all about dogs. What can neuroscience tell us about how they think and feel about the world around them? You want to talk dogs, our number is 844-724-8255.

But first, genetic testing sites. They’re really nothing new. They’ve been growing in popularity over the past decade. Enough so, that the idea of spitting into a tube and sending it in the mail to a website to find out more about your family tree, or even your risk of certain inherited diseases, well, that doesn’t seem all that strange to most people, does it?

But in the case of the Golden State killer, that has brought to light many questions that still need answering about direct-to-consumer genetic testing and FamilySearch databases. For example, who controls your data once you’ve shared it with a third party site? Should law enforcement be able to use a consumer genetic database to aid in a criminal case? And when that data links you to a family tree, how do you protect the privacy of those that haven’t willingly shared it like you have?

That’s what we’re going to be talking about. Our number 844-724-8255. You can also tweet us @scifri. Let me introduce my guests, Dr. Amy McGuire, Professor of Biomedical Ethics, Director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine. Welcome to Science Friday.

AMY MCGUIRE: Thank you. Hi, Ira.

IRA FLATOW: Hi. Natalie Ram, Assistant Professor of Law at the University of Baltimore School of Law. Welcome to Science Friday.

NATALIE RAM: Hi. Thanks for having me.

IRA FLATOW: You’re welcome. Natalie, I want to ask you first, can you take us briefly through the details of this case, the Golden State killer case. How did the police come to use consumer genetic database to catch him?

NATALIE RAM: So the Golden State killer committed at least a dozen murders and maybe more than 50 rapes during the 1970s. And so was quite a prolific criminal. And police had collected a lot of genetic material leftover at those crime scenes. And over time, had basically sequenced that genetic information. Compared it to the genetic profiles of individuals in the California and the national known offender registry and known offender database of genetic profiles. And they did not get a match.

And so they developed more detailed information about the Golden State killer’s genetic profile. And started comparing it with publicly searchable genealogical databases. There was an unsuccessful effort where it looked like there might be a partial match. And investigators obtained a judicial subpoena to get one individual’s DNA and then a warrant for a direct DNA sample from someone who was not a match.

And then investigators uploaded this profile of the Golden State killer’s genetic information to a website called GEDMatch.com, which is designed to aid in genealogical research. And there they obtained partial matches that indicated not that the people who’d uploaded their genetic information to GEDMatch had committed these crimes, but that a genetic relative of one of those individuals might have committed the crimes. Worked backwards from there developing family trees. Zeroed in on Joseph James DeAngelo. And then followed him around collecting items he’d thrown away to obtain a discarded bit of DNA to make their final match. And then they arrested him.

IRA FLATOW: Well, let’s just clear up a little bit when we talk about genetic websites. There are some sites that actually test your data when you spit in the tube and you send it out. And then there’s other sites where you just upload your data to compare and connect with other family trees for example, right, Natalie?

NATALIE RAM: That’s correct. So a website like 23andMe or an Ancestry DNA service can both sequence your genetic information, that’s who you send your say, your cheek swab or your saliva sample to. They’re going to return the data to you. They also allow you to download a much more complete set of data than they’re analyzing. And that’s your data. And you can then upload it to these third party sites like GEDMatch, which is designed to allow folks in the ancestry space to compare their DNA to folks in the 23andMe space, because normally those two groups don’t talk to one another.

IRA FLATOW: So does one type of website offer more privacy than the other?

NATALIE RAM: Well, it depends what you mean by privacy. So 23andMe, and Ancestry DNA, and other services like those are more like a walled garden. And so they will inform their users that they may be required to comply with court orders. But that they will do their best to fight them. Whereas, the GEDMatch platform, from what I’ve learned about the site in the last couple of days, is really a much more open system. It doesn’t make as many promises. It’s not a for-profit enterprise.

IRA FLATOW: Amy McGuire, before this case, people were not talking much about the bioethics of something like this happening where people could submit their genetic information and not realize what could be done with it. What were the biggest concerns about genetic privacy before then? And what concerns do you have now?

AMY MCGUIRE: So I think genetic privacy has always been a concern regarding genetic testing, genetics research. And since the beginning of these direct-to-consumer genetic testing companies coming onto the scene, there’s been a lot of concern about privacy policies and making sure that people’s information is protected. And always, there’s going to be a trade-off.

And so the people who are using these services tend to think that the benefits to them, whether it’s finding out information about potential health risks through companies like 23andMe, or whether it’s connecting with potential genetic relatives, finding out more information about their ancestry, those are considered benefits that people have typically felt when they use these services outweigh the privacy risks. Although, there’s a big concern that people may not fully understand what risks they’re going to be encountering when they do these services.

IRA FLATOW: But it seems that– I was thinking about this. This is almost a parallel to the Facebook scandal that’s going on now. Hey, I didn’t know you were going to do this with my information. Now we’re hearing something like hey, I didn’t know you were going to do this with my information about my genes.

AMY MCGUIRE: Yeah. I think that’s a very good point. I think that in the big data world that we live in now, it’s not just genetic information. It’s social media information. It’s information that we share online. It’s information that has come up with regard to people’s cell phone activities. So it’s really, we’re kind of at an inflection point, I think, in our society and in our legal system to be thinking about how do we handle privacy issues in the context of big data where you’re inevitably going to be sharing your information, whether intentionally or unintentionally, with other third parties.

IRA FLATOW: Our number 844-724-8255. You can also tweet us @scifri. Amy, it seems like there is really no way to escape having my genetic information shared online, even if my third cousin takes the test and uploads it somewhere. That means I’m related to my third cousin. And so something about me is up online. Is it not?

AMY MCGUIRE: Yeah, I think that’s true. And you know I participated in a study that was done out of MIT several years ago where we first looked at this familial matching through genetic databases. And it was surprisingly easy actually, to identify people through their familial matches on genetic genealogy databases. And one of the things that struck me is you may not even know you’re related to the person who has uploaded their data. They could be fourth, fifth, sixth generation cousins who you don’t know who they are.

And you had no idea you had any relation to them. And yet, their information could in some ways be used to identify you. So I do think it raises really important questions, particularly with– that’s what makes the genetic piece of this slightly different than like Facebook information, because genetic information is in and of itself inherently familial. And so you can tell information about your genetic relatives through your own DNA.

IRA FLATOW: And Natalie, could a genetic testing company refuse to share my information with law enforcement? Are they protected under any sort of law?

NATALIE RAM: So police will probably start with a request. And these kinds of companies can refuse a request. Their ability to refuse a subpoena or a judicial warrant is much more limited. So as has happened in this investigation, there was a subpoena made to a different website– not to GEDMatch– a subpoena requiring that company to divulge a particular user’s name and payment information to allow investigators to continue on in their investigation on that family tree.

And generally speaking, once you have voluntarily shared your data with a third party, like a genetic testing service, the Fourth Amendment’s protection against unreasonable searches and seizures against warrantless searches and seizures simply doesn’t apply. That’s the current law. Now the Supreme Court is currently considering a case that may– may, we don’t know how it will be decided yet– but may reshape this idea that once you share your data with any third party, however nominally, the Fourth Amendment– now that data is outside the bounds of the Fourth Amendment’s warrant requirement. So this could really change. But it’s unclear whether or not it will.

IRA FLATOW: Is that any data or just genetic testing data, the cases before the court?

NATALIE RAM: Oh, so the case before the Supreme Court has to do with your cell phone location data, the historical cell phone location data. So that case isn’t about genetic information. But what the Supreme Court says about the Fourth Amendment’s application to that data could help us reframe how we think about privacy in other contexts, including for genetic information. It’s also worth noting that there are a number of federal laws that protect data of certain kinds in certain settings.

So there is the HIPPA Privacy Rule which protects health-related information. But it’s not at all clear that the kind of data we’re talking about when we’re talking about these direct-to-consumer companies, or these genealogical data platforms, are dealing in health-related information. And there’s other kinds of protections that apply to scientific research data. But that’s also not really applicable here. So we’re kind of in a space without a lot of legal protections against a subpoena, or certainly a warrant, and maybe even a request.

IRA FLATOW: We’re going to take a break. And when we come back, we’re going to talk more with Amy McGuire and Natalie Ram, and our questions from 844-724-8255. You can also tweet us @scifri. Stay with us. We’ll be right back after this break.

This is Science Friday. I’m Ira Flatow. We’re talking this hour about privacy issues, genetic testing, and law with my guests Dr. Amy McGuire Professor of Biomedical Ethics, Director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine. Natalie Ram, Assistant Professor of Law at the University of Baltimore Law School. Our number 844-724-8255. You can also tweet us @scifri.

With the Golden State killer case in mind, I’ve been following– we have a lot of listeners in California– the cold case of the Zodiac killer. And people are talking about, hey, maybe we could find the Zodiac killer using DNA evidence. Have we learned anything from The Golden State killer case, Amy and Natalie, about going after the Zodiac killer? Is there any lesson there?

AMY MCGUIRE: At a minimum, it shows that this kind of technique can produce results. And that can be a big win for public safety. I have some concerns about the use of genealogical databases and other kinds of genetic databases in this way. In part because they don’t fall within the scope of traditional legislative structures for whose DNA should be searchable by the police.

IRA FLATOW: One of the things that we’ve been noticing more and more as law enforcement gets more active is that we’ve had facial recognition. We have thousands and thousands of cameras around big cities and other places just constantly taking pictures of people’s faces, or in public places, airports, whatever. Could we expect now to see a collection of a database of DNA also randomly taken and used?

AMY MCGUIRE: So I think many people would like to see that happen, I think, both from a public health perspective, but also from a research perspective. The National Institutes of Health has talked for a long time about having a national database of genetic information for research purposes. And we’ve really gotten a lot of pushback. I think our fundamental values in the United States around privacy and concerns about genetic discrimination and how people might use genetic information still are very pervasive. We do have all 50 states and the federal government signed on to this idea of having a database of genetic information from suspected and convicted criminals to varying degrees.

And there seems to be general public support for that. Although as you start to move a little bit further out into people who have been suspected of nonviolent crimes and things like that, I think there’s less support for them being included in these forensic databases. So expanding out from that to a non-forensic database where we just collect people’s DNA at birth for example, and just have a National Registry, I would be surprised if we had widespread public support for that in our country. Other countries might have an easier time with that.

IRA FLATOW: OK. Let’s go to the phones 844-724-8255. Let’s go to Cleveland. Hi. Welcome to Science Friday.

BILL EATON: Yes. This is Bill Eaton calling from Cleveland. I was thinking of some way we might be able to get around this by either going through doctor-patient privilege or attorney-client privilege.

IRA FLATOW: What about that? Could you deny saying, you can’t give that to me. You’re my doctor or lawyer.

AMY MCGUIRE: So with the data–

NATALIE RAM: So with the– go ahead, Amy. I’m sorry.

AMY MCGUIRE: I was just going say so with the genetic genealogy databases, and even the direct-to-consumer genetic testing companies, they go to great lengths to not establish a physician-patient relationship with their customers. And to basically say that the information that they’re giving back is not medical information. It’s not diagnostic information.

And so oftentimes they don’t even have a licensed health care provider involved in their services. So in those circumstances, there is no physician-patient relationship or even attorney-client relationship that would privilege the information in the way that you would if it was your medical information, and it was obtained during the course of your medical care.

IRA FLATOW: Let’s go to the phones to Kit in Sausalito, California. Hi, Kit.

KIT: Hi. I had kind of a similar question. I think your panelist began to discuss it. But hasn’t the privacy of genetic information been previously discussed in terms of genetic discrimination, finding some family or person who is predisposed to a disease would give insurance companies a leg up?

IRA FLATOW: Good question.

NATALIE RAM: There is a federal law, the Genetic Information Nondiscrimination Act, which prohibits employers and health insurers from using genetic data to make decisions, employment and insurability decisions. But that’s as far as that statute goes. It doesn’t apply to law enforcement. It doesn’t even apply to life insurance underwriters.

So the federal law on your genetic privacy is pretty limited. And again, though there is this federal privacy rule for health-related data, as Amy pointed out before, the kinds of services that we’re talking about here with these direct-to-consumer companies, they’re disclaiming that what they’re providing is health information.

IRA FLATOW: A tweet from Shane who says, “I’m concerned that the path this is following will interfere with people trying to reunite with biological families, like adopted children looking for their long lost families. Shouldn’t some consideration be given for adopted people?”

AMY MCGUIRE: Yes. So I’ll just say I think that raises a really interesting and important issue that’s kind of tangential to what we’re talking about today. But these genetic genealogy websites and these direct-to-consumer genetic testing company websites can be used for a whole variety of purposes with regard to identifying genetic relatives. And that’s one way in which they’re frequently used for children who have been adopted to find out more information and connect with potential relatives.

I also have heard of many anecdotal cases where obviously, there’s the risk of non-paternity being identified. So you find out that who you thought was your biological father was not your biological father through these, or you find out somebody else was your biological father. And also, cases of anonymous sperm donation. And being able to identify the anonymous sperm donor, which kind of undermines that whole system. So I think there’s a lot of ethical and legal questions about how these databases are being used in ways that kind of conflict with our existing expectations and laws around anonymity in certain circumstances.

IRA FLATOW: Is there any way to sort of regulate the industry? Well, people always say, oh, you’re going to regulate everything. But should there be a little more regulation?

AMY MCGUIRE: Natalie?

NATALIE RAM: The United States has often taken a hands-off approach when it comes to reproductive technologies, and genetic technologies, and the like. So that said, every state and federal government has set out whose DNA should be collected and stored in a database for law enforcement use to solve crime. And right now, the Supreme Court has previously signed off on the collection of genetic information from people convicted of crimes or arrested, but not yet convicted of crimes.

No state has suggested that everyone should go into a database. And for reasons that Amy identified earlier, I think that would be unlikely to gain traction. And so one of the things that troubles me about the use of genealogical databases is that once you start using these non-forensic databases, the net grows ever wider. And it’s as far as I can tell, so it’s only a matter of time before we’re all in.

IRA FLATOW: Say that again. It’s only a matter of time, even whether we want to or not.

NATALIE RAM: Yeah. Well, absent some strong legal regulation, Congress or a particular state could enact some sort of genetic privacy law that says law enforcement can’t use your DNA just because it’s shared with some third party like a 23andMe, GEDMatch.com. A state or the federal government could do that. Absent that kind of action, I think what this case demonstrates is that when investigators can’t solve the crime using the existing mechanisms and tools they have at their disposal, they look for other sources, new ways to expand the net of whose DNA they can search.

IRA FLATOW: All right. And on that chilling note [CHUCKLES] that’s all the time we have. We will revisit this I’m sure. Dr. Amy McGuire, Professor of Biomedial Ethics and Director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine. And Natalie Ram, Assistant Professor of Law, University of Baltimore School of Law. Thank you both for taking time to be with us.

AMY MCGUIRE: Thank you.

IRA FLATOW: And have a good weekend.

NATALIE RAM: Thank you.

Copyright © 2018 Science Friday Initiative. All rights reserved. Science Friday transcripts are produced on a tight deadline by 3Play Media. Fidelity to the original aired/published audio or video file might vary, and text might be updated or amended in the future. For the authoritative record of Science Friday’s programming, please visit the original aired/published recording. For terms of use and more information, visit our policies pages at http://www.sciencefriday.com/about/policies/

Meet the Producer

About Katie Feather

Katie Feather is a former SciFri producer and the proud mother of two cats, Charleigh and Sadie.

Explore More