Genetic Privacy After Carpenter

In
Carpenter v. United States,
the Supreme Court tackles the issue of whether individuals still retain an
expectation of privacy in their location information when they “share” that
information with third party providers. The case began in 2010. After several
RadioShack and T-Mobile stores were robbed, police arrested four suspects. Timothy
Carpenter was one of the suspects. Under the
Stored Communications Act, the prosecutors
obtained location tracking data from these suspects’ cell phones. The data
records included over 12,000 location points, which led law enforcement to
connect Carpenter to the crimes. Carpenter moved to suppress the cell site
location information. He argued that obtaining the cell phone location tracking
records constituted a search under the Fourth Amendment and therefore, the
police were required to demonstrate probable cause to obtain a warrant.

In
a 5-4 ruling, the Court decided that the state does not have unrestricted
access and would generally need a warrant in order to access cell site location
information. “In light of the deeply revealing nature of CSLI [Cell Site
Location Information], its depth, breadth, and comprehensive reach, and the
inescapable and automatic nature of its collection, the fact that such information
is gathered by a third party does not make it any less deserving of Fourth
Amendment protection.” That is to say, merely sharing that data with a third
party does not, in itself, negate an individual’s reasonable expectation of
privacy when an individual has an otherwise reasonable expectation of privacy
in her data. Carpenter marks a
significant step in privacy protection. Before Carpenter, law enforcement could essentially track each American’s
movements. Now, in order to request the CSLI data, law enforcement officials
would need to obtain a warrant, which requires probable cause.

Although
Chief Justice Roberts emphasized that the Carpenter decision is a narrow one,
the spirit and reasoning behind the decision expanded the scope of protection
for sensitive data in other domains, including one’s genetic information.
Needless to say, one’s genetic data is sensitive and personal, and it reveals a
ton of information such as one’s ancestry, traits, susceptibility to health and
diseases, etc.

Both
states and federal agencies maintain DNA databases as law enforcement
means.  They collect, store, and share
genetic information through a centralized database – the Combined DNA Index
System (“CODIS”). As of February 2019, there are close to four million offender
profiles and an additional three and a half million profiles from arrestees.
The genetic data points stored in CODIS are noncoding DNA (“junk” DNA) used for
matching crime scene evidence with information in the database. Non-coding DNA
is believed to be noninformative of one’s private information. Maryland v. King,
569 U.S. 435, 464-65 (2013) (holding that “the processing of respondent’s DNA
sample’s 13 CODIS loci did not intrude on respondent’s privacy in a way that
would make his DNA identification unconstitutional” because “the CODIS loci
come from non-coding parts of the DNA that do not reveal the genetic traits of
the arrestee,” and observing that, “[i]f in the future police analyze samples
to determine, for instance, an arrestee’s predisposition for a particular
disease or other hereditary factors not relevant to identity, that case would
present additional privacy concerns not present here”).

However,
recently, a paper published by Noah Rosenberg’s
group at Stanford shows that junk DNA contains much more information than what we
previously had believed. This is significant because previous cases upholding
the legitimacy of databases that collect junk DNA were premised on the
presumption that no personal information could be learned from junk DNA – “the CODIS loci come from noncoding parts of the DNA that
do not reveal the genetic traits of the arrestee.” In Maryland v. King, Supreme Court noted that if non-coding alleles could provide
some information, and if law enforcement utilizes such information, additional
privacy concern would arise and need to be analyzed. After Carpenter, it is plausible that the scope of Fourth Amendment
protection would expand to apply in such situation.

Aside
from law enforcement databases, there are also commercial DNA databases. Direct-to-consumer
databases, such as 23andMe
and Ancestry.com,
have gained great popularity in recent years and have reached the scale of millions
of individuals. The purposes of direct-to-consumer DNA databases are completely
distinct from aiding in crime-solving by law enforcement. Consumers swab their
mouth and send in their DNA kit hoping to gain knowledge about their ancestry,
traits, family history, and even medical predispositions (E.g., https://www.23andme.com/dna-health-ancestry/). Therefore, the data collected by
these databases reveals much more sensitive personal information than those
databases maintained by law enforcement. Even though some commercial services
disclaimed the use of the coding DNA and limited itself to the use of junk DNA,
just like CODIS, its possession of the large amount of data points of their
users subject the consumers to risk of having their private information
revealed.

For
people who have already obtained their own DNA profiles and want to fill in
their family tree, they could use genealogy websites to do so. Websites such as
GEDmatch
provide such platform. Compared to 23andMe, GEDmatch is an open-source platform
and has a much less stringent privacy policy governing users’ data. Law
enforcement has been using these sites to solve cold cases. One example is the Golden
State Killer case. After uploading DNA from 1980
crime scene, they were able to identify and track down the killer through information
uploaded by his distant relatives. Since this case, GEDmatch has updated its terms of services
and alerted its user that “DNA obtained and authorized by law
enforcement” can be uploaded to identify a perpetrator of a “violent crime.”

For
open-source databases such as GEDmatch, anyone can upload genetic information
to the site, even if it is not their own.
While technological advances help society fight crimes, individual persons’
privacy interests are also at stake – one may unknowingly expose sensitive
information about their family members to law enforcement.

Then
the question is: how much privacy can one expect when an individual sends in
their DNA kit to a third-party DNA service provider? Before Carpenter, the answer is clear: under
the third-party doctrine, by voluntarily sharing information with a third
party, an individual loses any Fourth Amendment protection for such
information. Carpenter severely
limits the applicability of the third-party doctrine when people maintain a
reasonable expectation of privacy against surveillance even when their
sensitive, personal data was voluntarily given up to a third party.

Natalie
Ram compares genetic data with CSLI in Carpenter and concluded that individuals
could maintain a reasonable expectation of privacy in genetic data, even if
such data is shared with a third-party provider. First of all, genetic data is
presumptively private. In the Maryland v.
King opinion, the Court deemed the analysis of a compelled genetic sample
to be a separate Fourth Amendment event from the acquisition of the sample
itself. Ram argues that the separate consideration of consideration of genetic
analysis indicates that people not only have an expectation of privacy “in
their physical cells, but also in the genetic information those cells contain.”
Furthermore, most states have laws protecting genetic information, which
indicate the widespread understanding that genetic information ought to be
private. Furthermore, in Carpenter,
the Court found that a legitimate expectation of privacy did exist in the
recording of the defendant’s physical movements. The court presumes a
heightened expectation of privacy for the use of cell phone, a device referred
to by the Court as “a feature of human anatomy.” Here, with each person’s
genetic code – it is a literal feature of human anatomy.

Sharing genetic information with a third party does not automatically waived such expectation of privacy. The nature of the genetic codes is that they are automatic and inescapable. As we walk around every day, we shed DNA and “share” it with the outside world. Therefore, even though the act of submitting to direct-to-consumer databases might be voluntary or intentional, it is not truly voluntary given the characteristics of genetic information. This is particularly true for genealogy databases. If a person uploads his/her DNA profile, all his/her relatives (even distant relatives) are subject to the surveillance of law enforcement through familial search. There is no consent nor intention from these relatives to share their genetic information with a third party, and yet their privacy interest and their right under the Fourth Amendment would be at stake if Carpenter is not extended to cover these situations.

Laura Zhu is a J.D. candidate, 2020, at NYU School of Law.