Genetic Privacy After Carpenter

In Carpenter v. United States, the Supreme Court tackles the issue of whether individuals still retain an expectation of privacy in their location information when they “share” that information with third party providers. The case began in 2010. After several RadioShack and T-Mobile stores were robbed, police arrested four suspects. Timothy Carpenter was one of the suspects. Under the Stored Communications Act, the prosecutors obtained location tracking data from these suspects’ cell phones. The data records included over 12,000 location points, which led law enforcement to connect Carpenter to the crimes. Carpenter moved to suppress the cell site location information. He argued that obtaining the cell phone location tracking records constituted a search under the Fourth Amendment and therefore, the police were required to demonstrate probable cause to obtain a warrant.

In a 5-4 ruling, the Court decided that the state does not have unrestricted access and would generally need a warrant in order to access cell site location information. “In light of the deeply revealing nature of CSLI [Cell Site Location Information], its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection, the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection.” That is to say, merely sharing that data with a third party does not, in itself, negate an individual’s reasonable expectation of privacy when an individual has an otherwise reasonable expectation of privacy in her data. Carpenter marks a significant step in privacy protection. Before Carpenter, law enforcement could essentially track each American’s movements. Now, in order to request the CSLI data, law enforcement officials would need to obtain a warrant, which requires probable cause.

Although Chief Justice Roberts emphasized that the Carpenter decision is a narrow one, the spirit and reasoning behind the decision expanded the scope of protection for sensitive data in other domains, including one’s genetic information. Needless to say, one’s genetic data is sensitive and personal, and it reveals a ton of information such as one’s ancestry, traits, susceptibility to health and diseases, etc.

Both states and federal agencies maintain DNA databases as law enforcement means.  They collect, store, and share genetic information through a centralized database – the Combined DNA Index System (“CODIS”). As of February 2019, there are close to four million offender profiles and an additional three and a half million profiles from arrestees. The genetic data points stored in CODIS are noncoding DNA (“junk” DNA) used for matching crime scene evidence with information in the database. Non-coding DNA is believed to be noninformative of one’s private information. Maryland v. King, 569 U.S. 435, 464-65 (2013) (holding that “the processing of respondent’s DNA sample’s 13 CODIS loci did not intrude on respondent’s privacy in a way that would make his DNA identification unconstitutional” because “the CODIS loci come from non-coding parts of the DNA that do not reveal the genetic traits of the arrestee,” and observing that, “[i]f in the future police analyze samples to determine, for instance, an arrestee’s predisposition for a particular disease or other hereditary factors not relevant to identity, that case would present additional privacy concerns not present here”).

However, recently, a paper published by Noah Rosenberg’s group at Stanford shows that junk DNA contains much more information than what we previously had believed. This is significant because previous cases upholding the legitimacy of databases that collect junk DNA were premised on the presumption that no personal information could be learned from junk DNA – “the CODIS loci come from noncoding parts of the DNA that do not reveal the genetic traits of the arrestee.” In Maryland v. King, Supreme Court noted that if non-coding alleles could provide some information, and if law enforcement utilizes such information, additional privacy concern would arise and need to be analyzed. After Carpenter, it is plausible that the scope of Fourth Amendment protection would expand to apply in such situation.

Aside from law enforcement databases, there are also commercial DNA databases. Direct-to-consumer databases, such as 23andMe and Ancestry.com, have gained great popularity in recent years and have reached the scale of millions of individuals. The purposes of direct-to-consumer DNA databases are completely distinct from aiding in crime-solving by law enforcement. Consumers swab their mouth and send in their DNA kit hoping to gain knowledge about their ancestry, traits, family history, and even medical predispositions (E.g., https://www.23andme.com/dna-health-ancestry/). Therefore, the data collected by these databases reveals much more sensitive personal information than those databases maintained by law enforcement. Even though some commercial services disclaimed the use of the coding DNA and limited itself to the use of junk DNA, just like CODIS, its possession of the large amount of data points of their users subject the consumers to risk of having their private information revealed.

For people who have already obtained their own DNA profiles and want to fill in their family tree, they could use genealogy websites to do so. Websites such as GEDmatch provide such platform. Compared to 23andMe, GEDmatch is an open-source platform and has a much less stringent privacy policy governing users’ data. Law enforcement has been using these sites to solve cold cases. One example is the Golden State Killer case. After uploading DNA from 1980 crime scene, they were able to identify and track down the killer through information uploaded by his distant relatives. Since this case, GEDmatch has updated its terms of services and alerted its user that “DNA obtained and authorized by law enforcement” can be uploaded to identify a perpetrator of a “violent crime.”

For open-source databases such as GEDmatch, anyone can upload genetic information to the site, even if it is not their own. While technological advances help society fight crimes, individual persons’ privacy interests are also at stake – one may unknowingly expose sensitive information about their family members to law enforcement.

Then the question is: how much privacy can one expect when an individual sends in their DNA kit to a third-party DNA service provider? Before Carpenter, the answer is clear: under the third-party doctrine, by voluntarily sharing information with a third party, an individual loses any Fourth Amendment protection for such information. Carpenter severely limits the applicability of the third-party doctrine when people maintain a reasonable expectation of privacy against surveillance even when their sensitive, personal data was voluntarily given up to a third party.

Natalie Ram compares genetic data with CSLI in Carpenter and concluded that individuals could maintain a reasonable expectation of privacy in genetic data, even if such data is shared with a third-party provider. First of all, genetic data is presumptively private. In the Maryland v. King opinion, the Court deemed the analysis of a compelled genetic sample to be a separate Fourth Amendment event from the acquisition of the sample itself. Ram argues that the separate consideration of consideration of genetic analysis indicates that people not only have an expectation of privacy “in their physical cells, but also in the genetic information those cells contain.” Furthermore, most states have laws protecting genetic information, which indicate the widespread understanding that genetic information ought to be private. Furthermore, in Carpenter, the Court found that a legitimate expectation of privacy did exist in the recording of the defendant’s physical movements. The court presumes a heightened expectation of privacy for the use of cell phone, a device referred to by the Court as “a feature of human anatomy.” Here, with each person’s genetic code – it is a literal feature of human anatomy.

Sharing genetic information with a third party does not automatically waived such expectation of privacy. The nature of the genetic codes is that they are automatic and inescapable. As we walk around every day, we shed DNA and “share” it with the outside world. Therefore, even though the act of submitting to direct-to-consumer databases might be voluntary or intentional, it is not truly voluntary given the characteristics of genetic information. This is particularly true for genealogy databases. If a person uploads his/her DNA profile, all his/her relatives (even distant relatives) are subject to the surveillance of law enforcement through familial search. There is no consent nor intention from these relatives to share their genetic information with a third party, and yet their privacy interest and their right under the Fourth Amendment would be at stake if Carpenter is not extended to cover these situations.

Laura Zhu is a J.D. candidate, 2020, at NYU School of Law.