That’s why Natalie Ram, a law professor at the University of Maryland, cautions that, although families of missing loved ones may be desperate to get answers, it matters which DNA database they choose. Strict state and national laws govern how CODIS data can be used. Family member reference samples collected for the purpose of identifying missing persons can’t be used in other types of criminal investigations.
On the other hand, save for in a few states, consumer DNA databases are largely unregulated and can change their terms of service at any time. Currently, FamilyTreeDNA and GEDmatch both allow law enforcement to upload DNA profiles. (AncestryDNA and 23andMe prohibit this practice.) FamilyTreeDNA automatically makes new users’ profiles available for these searches, although customers can later opt out. With GEDmatch, users must proactively opt in. They can choose whether to be included in all law enforcement searches or only those involving the identification of human remains.
Ram says agreeing to these searches means users are opting not only themselves in, but also their immediate family members, and even far-flung genetic relatives. Even people who have never committed a crime could be questioned because they share a portion of DNA with a suspect. People leave behind trace amounts of DNA all the time, and genetic information found at a crime scene may not necessarily come from a perpetrator.
“If I had a missing loved one, I would feel much more comfortable contributing to the missing-persons family reference sample component of CODIS, because it is so protected and so limited in its use,” Ram says.
There’s also a risk that by taking a consumer DNA test, users will find out information about their family that they might not otherwise want to know.
There may also be a danger in handing over a DNA sample intended for CODIS to the police. Albert Scherr, a law professor at the University of New Hampshire, says that law enforcement could use a person’s DNA for something other than solving missing persons cases. “Historically, when the police get a hold of someone’s DNA in some form, they don’t let go of it,” Scherr says.
Some state and local law enforcement have established “rogue” DNA databases that operate outside the purview of federal regulations. These databases sometimes contain the DNA profiles of people who were simply arrested or questioned, but never convicted, including minors and even victims. In one recent case, San Francisco law enforcement used a DNA sample provided by a rape survivor to later link her to a separate crime.
Michelle Clark, a death investigator for the Office of the Chief Medical Examiner in Connecticut, told WIRED that the DNA samples collected would be used only to help solve missing persons cases. At the event, Glynn and public officials also explained the risks of consumer databases and their different privacy settings. “We wanted to make sure every general member of the public that takes one of these kits has full control and full autonomy over their DNA, their data, and what they want or don’t want to do with it,” she says.
