GEDMatch and the Fourth Amendment: No Warrant Required

COMMENTARY Crime and Justice

GEDMatch and the Fourth Amendment: No Warrant Required

May 13th, 2021 13 min read

Commentary By

Charles "Cully" Stimson @cullystimson

Acting Chief of Staff and Senior Legal Fellow

Zack Smith @tzsmith

Legal Fellow, Meese Center

The police did not need a warrant to query the public consumer genetics website, as some privacy advocates and legal scholars have argued. Ashley Cooper / Getty Images

Key Takeaways

Police don’t need a warrant to collect abandoned DNA at a crime scene ... and don’t need a warrant to query CODIS because it is a government database.

A criminal who leaves his DNA at a crime scene does not have standing under the Fourth Amendment to complain about what a distant relative does with her own DNA.

Law enforcement officials should not be required to obtain a warrant to search third-party genetics websites that allow for public access.

He murdered 13 people, raped at least 50 women, and committed burglaries all across California during the 1970s and 1980s. He was called the East Area Rapist, the Original Night Stalker, and eventually the Golden State Killer.

He got away with his crimes until 2018 when a genetic genealogist, working with law enforcement, uploaded DNA recovered from the crime scenes into a public consumer genetics website, which “matched” DNA from a list of distant relatives of the suspect.

Then, using publicly available information, police created a very large family tree. Through the process of elimination and additional investigation, they eventually found who they thought was the notorious rapist-murderer, William Earl Talbott II. When Talbott’s DNA matched the crime scene DNA, he was arrested, confessed, was charged, and pled guilty to his crimes.

Of course, other more recent cases have been solved using this method. On May 6, 2021, a Florida jury found Thomas Garner guilty of first-degree murder for the 1984 death of Navy recruit Pamela Cahanes.

The police did not need a warrant to query the public consumer genetics website, as some privacy advocates and legal scholars have argued, for reasons that one of us (Cully Stimson) wrote about at length here. This type of search, called long-range familial searching, does not implicate the Fourth Amendment’s prohibition against unreasonable searches and seizures requiring law enforcement to obtain a warrant, even under the most expansive reading of recent Supreme Court precedent.

Forensic DNA v. Consumer Genetics 101

To understand why police don’t need a warrant to query third-party sites, it’s important to understand, at least at a basic level, the difference between law enforcement’s use of DNA for forensic DNA analysis, and the consumer genetics industry’s, including third-party websites’, use of DNA for providing genealogical information to consumers.

When most people hear the word DNA (an acronym for deoxyribonucleic acid, the unique molecules inside cells that contain the genetic information responsible for the development and function of an organism and that is passed from one generation to the next), they think of crime shows like “Law & Order” or “NCIS” or “Blue Bloods.” There, the police collect biological material left at a crime scene, send it out for DNA testing, and then upload that specific genetic profile into the FBI’s national DNA database called CODIS. This process is called forensic DNA analysis.

If the contributor of that DNA already has a profile in CODIS, then CODIS registers a “hit” or match. If the crime scene DNA profile uploaded into CODIS does not produce a “hit,” then the police have to try to solve the case without the benefit of DNA.

Police don’t need a warrant to collect abandoned DNA at a crime scene by a criminal suspect and don’t need a warrant to query CODIS because it is a government database.

In contrast to forensic DNA, which has been used by law enforcement since 1986, the consumer genetics industry is relatively new. Because costs for genetic testing have gone down substantially, and because of the public’s increasing interest in genealogy, the consumer genetics industry has emerged in the marketplace.

Today, anyone can enter into a contract with a consumer genealogy company, send in a saliva sample, and get his or her private genetic profile. That profile, which is unique to that consumer, is not available to the public, is safeguarded by the company, and is provided only to the consumer. Reports from these companies typically estimate your ethnicity, plot your DNA on a world map, and for an additional fee, build out your genetic family tree.

If, for some reason, police want to query a consumer genetics company’s database, those companies typically require law enforcement to obtain a warrant or subpoena.

The most popular consumer genetics companies in the United States are AncestryDNA and 23andMe, followed by a few lesser-known competitors. According to Ancestry, the company has three million paying subscribers, over 20 billion records, and more than 15 million people in the AncestryDNA network.

A secondary consumer genetics industry consisting of third-party consumer genetics companies has also emerged. GEDMatch, a public consumer genetics clearinghouse that allows users to find distant relatives by comparing their genetic code against more than 1 million others, is the most commonly known third-party site.

Unlike companies such as AncestryDNA or 23andMe, third-party sites allow consumers to upload their raw DNA data from their AncestryDNA or 23andMe profile in order to find close and distant relatives. Some third-party companies, like GEDMatch, allow anyone to upload raw DNA data, including law enforcement, and allow consumers to use an alias.

Third-party sites produce reports to the person or entity that uploads the raw DNA data, and the report lists close or distant relatives in the format of a family tree.

No Warrant Required for Public Third-Party Sites

The Fourth Amendment contains two clauses, one that prohibits “unreasonable searches and seizures” and another specifying the requirements for a search warrant. There is a line distinguishing between conduct attributable to the government and conduct attributable to private parties. It is only the former that raises a potential Fourth Amendment issue.

Whether the government has conducted a “search” often depends on whether a court believes that the government has intruded on an individual’s reasonable expectation of privacy. The two-part test, announced by the Supreme Court in 1967 in its seminal decision in Katz v. United States, is (1) did the affected individual have an actual (subjective) expectation of privacy, and (2) is that expectation one that society is prepared to recognize as reasonable.

Complicating Fourth Amendment law are two developments that largely began in the 19th century but accelerated in the 20th and which continue apace in this century—specifically, the transition from what was principally an agricultural economy to a commercial one and sense-improving advances in technology.

The first development is the fact that we now give third parties (e.g., banks and credit card companies) an enormous amount of information about ourselves in order to engage in commerce. And in general, by giving this information to third parties, we have essentially given up the right to claim that this information is protected by an expectation of privacy.

The second development is the advent of technology. We have enhanced our senses’ ability to see and hear at a distance utilizing emerging technologies (e.g., spotlights, microphones, and mobile phones). The Court has had to grapple with how to square rights guaranteed under the Fourth Amendment with traditional notions of privacy. The Court has taken an incremental approach, resolving each case by applying the Fourth Amendment to whatever new technology was used in that case rather than announcing bright-line rules.

For example, in 2001, the Court held in Kyllo v. United States that the police violated the Fourth Amendment when they used a thermal-imaging device outside a suspect’s home to detect heat coming from private areas inside the home that was generated by heating lights designed to help grow marijuana indoors.

In 2012, in Jones v. United States, the issue was whether the police needed a warrant to attach a GPS tracking device to a suspect’s car for more than 10 days. The device, which was attached to the suspected robber’s Jeep for 28 days, provided the government with data about the vehicle’s location within 50 to 100 feet and relayed more than 2,000 pages-worth of data over the four-week period. In an opinion authored by the late Justice Antonin Scalia, the Court held that the police needed a warrant because “the Government physically occupied private property for the purpose of obtaining information. We have no doubt that such a physical intrusion would have been considered a ‘search’ within the meaning of the Fourth Amendment when it was adopted.”

Then, in 2014, the Court ruled unanimously in Riley v. California that the police generally must obtain a warrant before conducting a search for digital information stored on a cell phone seized from an individual who has been arrested. The decision was a major movement towards treating computer searches differently than physical searches. Chief Justice John Roberts, who wrote the majority opinion in Riley, presented the challenge for the Court: the need to decide “how the search incident to arrest doctrine applies to modern cell phones, which are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”

And finally, in 2018, in Carpenter v. United States, the issue before the Court was whether the government needed a warrant to obtain cell site location information (CSLI) from wireless carriers for the account of a suspected serial robber. In that case, police requested and received from MetroPCS and Sprint call origination and call termination location data for Carpenter’s incoming and outgoing calls during the four-month period when the string of robberies occurred. MetroPCS produced records spanning 127 days, and Sprint produced two days of CSLI covering the period when Carpenter’s phone was “roaming.” In all, the government obtained 12,898 location points cataloging Carpenter’s movements—an average of 101 data points per day.

Prosecutors placed Carpenter’s CSLI on top of the location, date, and time the stores were robbed, and proved that Carpenter (or at least his phone) was at the stores on the date and times when they were robbed.

Since the CSLI was third-party information, in the hands of a company, the trial court and appellate court denied Carpenter’s claim of a Fourth Amendment violation.

In a 5–4 decision, the Supreme Court held that Carpenter’s rights had been violated and that police may not collect historical cell-site location information from a cell-phone provider without a warrant, at least when the police seek seven days-worth or more of that information.

The majority reasoned that “requests for cell-site records lie at the intersection of two lines of cases, both of which inform our understanding of the privacy interests at stake.” Those two lines of cases are (1) those that address a “person’s expectation of privacy in his physical location and movements,” otherwise known as the Katz reasonable-expectation-of-privacy test, and (2) those where the “Court has drawn a line between what a person keeps to himself and what he shares with others,” otherwise known as the third-party doctrine.

In the penultimate paragraph of the majority opinion, the Court summarized the characteristics of CSLI that led it to extend Fourth Amendment protections to such data: (1) its deeply revealing nature; (2) its depth, breadth, and comprehensive reach; and (3) the inescapable and automatic nature of its collection. The fact that the information was collected by a third party made no difference to the majority.

These three factors are now referred to as the new Carpenter test.

There is no doubt that raw genetic information provided by a consumer to GEDMatch or another third-party genetics platform satisfies the first and second prongs of the Carpenter test, as they are extremely revealing and are deep, broad, and comprehensive.

But unlike CSLI, which automatically happens when you use your cell phone (you cannot use it without the phone linking up to cell towers), consumers have a choice about whether to upload their private raw genetic profile to a third-party genetics’ website.

If a consumer decides to voluntarily upload his information to GEDMatch, he knows, based on the terms and conditions of GEDMatch, that his information is public, and that anyone, including law enforcement, can query the database.

Said another way, a cell phone user has no choice but to tolerate his phone contacting and communicating, automatically, with a cell tower, but consumers do have a choice whether to upload their raw genetic profile to a public third-party website. There is no “inescapable and automatic nature of collection” by third-party consumer genetics providers: the consumer herself exercises independent choice, and takes an action consistent with that choice, to provide (or not provide) heretofore private information to a public website.

Furthermore, Fourth Amendment rights are personal rights, not vicarious rights. As such, a criminal who leaves his DNA at a crime scene does not have standing under the Fourth Amendment to complain about what a distant relative—whom he likely never met, much less knows about—does with her own DNA or raw genetic profile.

>>> The Fourth Amendment Does Not Require Law Enforcement Officials to Get a Warrant to Search Third-Party Consumer Genetics Websites

Long-Range Familial Searching Helps Police Solve Cold Cases

Seattle Lovers Case Solved

In 1987, Jay Cook and Tanya van Cuylenborg, a young couple who were both just 18, set out in a gold van for an overnight trip to the Seattle area. But tragedy struck when they encountered a killer. The murderer raped Cuylenborg, bound her with plastic ties, and shot her in the head. Cook was beaten with rocks and strangled. And inside their vehicle, the man left a pair of plastic gloves, which detectives believe was meant to taunt them.

The case went cold for over three decades.

In April 2018, there was a breakthrough when American genetic genealogist CecCe Moore, working with law enforcement authorities, uploaded the unknown suspect’s DNA from the crime scene to GEDMatch. Moore’s efforts paid off because the suspect’s crime scene DNA was shared by two individuals who were second cousins. Using that connection, Moore then followed the trail by creating a large family tree from publicly available information, eliminated those who had passed away or who had clearly not been in that area at the time of the murders, and eventually narrowed the pool of possible killers down to one person, William Earl Talbott II.

When Talbott discarded a cup, police recovered it (which is allowable under the Fourth Amendment) and tests confirmed that the DNA on his cup matched the DNA left at the crime scene. Talbott was arrested and charged with the decades-old crimes. As stated earlier, Talbott was eventually linked to a whole series of previously unsolved rapes and murders, and pled guilty to those crimes.

Traci Hammerberg: Port Washington, Wisconsin, 1984

Traci Hammerberg was killed on December 15, 1984, while walking home sometime after midnight after partying with her friends. Tragically, in the early morning, Traci’s body was found brutally beaten and partially naked in a driveway. An autopsy determined that the 18-year-old had been raped, strangled, and bludgeoned in the head with a metallic object. Though authorities at the time were able to compose a DNA profile from semen found on Traci's body, a suspect was never identified until two years ago. He had already died of drug overdose in 2012, but the case could now be closed.

NorCal Rapist: Over 30 Years of Horror

A former University of California at Berkeley employee nicknamed the “NorCal Rapist” attacked women in a string of sexual assaults and kidnappings dating back almost 30 years. In many instances, he would break into homes, bind his victims, and repeatedly sexually assault them. He escaped the grasp of law enforcement for many years until 2018, when his DNA was finally linked to DNA recovered from several of the crime scenes. Roy Charles Waller, 60, was found guilty on 46 counts, including rape, sodomy, and kidnapping in connection with attacks on nine women between 1991 and 2009 in six counties throughout Northern California. In December 2020, justice was finally served when Waller was sentenced to 897 years to life in state prison.

Christine Frankie: Orlando, Florida, 2001

On October 21, 2001, Christine Franke was shot in the head by Benjamin Holmes after working her shift as a server at Cigarz bar at Universal CityWalk in Orlando. The 25-year-old University of Central Florida student’s killer left semen on her body and stole about $300. The case stalled for over 17 years until it was finally solved three years ago, after DNA that had been provided to AncestryDNA and GEDMatch by a second cousin of Holmes’ (whom he had never met) was linked to DNA from the crime scene. Additional investigation eventually led the authorities to Holmes.

Pameal Cahanes: Seminole County, Florida, 1984

Someone killed 25-year-old Pameal Cahanes shortly after she graduated from Navy bootcamp. She was beaten, strangled, and her body was dumped in an abandoned lot, where she was found on August 5, 1984, stripped naked except for her underwear.

The case lay dormant for years. Police recovered DNA from semen found on her body, and they ran it through existing databases in 2000 and 2005. But it returned no results. However, in 2018 investigators used information available from commercial databases to begin building a “family tree.” This led them to Thomas Garner, who had been stationed in the same area around the time Cahanes was murdered. After recovering items from Garner’s trash that contained his DNA, investigators confirmed that it matched the DNA recovered from Cahanes’s body. A Florida jury convicted Garner on May 6, 2021, of first-degree murder for killing Cahanes.

And DNA has tied him to the killing of Kathy Hicks too. She was murdered in 1982 in Hawaii, where Garner was stationed at the time.

Conclusion

As outlined in greater detail in the previously mentioned research paper, whether analyzed under a reasonable expectation of privacy prism, or by applying the third-party doctrine, or even stretching the boundaries of the Carpenter decision, law enforcement officials should not be required to obtain a warrant to search third-party genetics websites that allow for public access.

When consumers voluntarily contract with consumer genetics companies, and voluntarily post that report to a third-party website that gives the public and law-enforcement agencies access to the non-identifying information, they expose private information to the public. That information, including the consumer’s family tree, does not give vicarious Fourth Amendment rights to distant relatives. Law enforcement officers should not be required to get a warrant to query a public database on the off-chance that they may find a distant relative of a person who abandoned his or her DNA at a crime scene.

This piece originally appeared in The Federalist Society