April 29, 2024

23andMe, My Mom, and My Second Cousin

The Immediate Need for Regulation of Investigative Genetic Genealogy in Law Enforcement Searches

By Angelica Lee


During the 1970s and 1980s, the Golden State Killer killed a dozen people and committed at least fifty rapes in California. It took over 30 years for detectives to identify and arrest Joseph James DeAngelo, a former police officer, as the Golden State Killer through a new technique called investigative genetic genealogy (IGG). Law enforcement reportedly used the same technique in 2022 to identify Bryan Kohberger as a suspect in the now infamous Idaho college murders case.

 Use of DNA databases has been a well-accepted law enforcement practice since the creation of the Combined DNA Index System (CODIS), the United States national DNA database, in the early 1990s. The investigative usage of direct-to-consumer genetic testing (DTC-GT) databases, however, is significantly different from the traditional CODIS approach. Notably, individuals provide their DNA to DTC-GT companies to learn about their ancestry and potential health predispositions. DTC-GT profiles also reveal much greater information about an individual’s genetic data compared to CODIS; DTC-GT companies provide law enforcement agencies access to hundreds of thousands of DNA data points while CODIS provides access to only two dozen markers.

The DTC-GT industry has grown to include millions of profiles, thereby changing the lives of users across the country. With the fast development of IGG practices in law enforcement methodology, the public is becoming increasingly ill-prepared to consent to law enforcement searches of DTC-GT databases. This issue is compounded by how DTC-GT companies continue to be responsible for setting their own privacy protections for consumers. These privacy policies are inconsistent across the industry. While 23andMe and Ancestry have comprehensive privacy policies that require law enforcement agencies to follow a “valid legal process” to obtain access to consumer DNA, many DTC-GT companies fail to provide consumers with a readily accessible genetic data policy. Consequently, investigators in the Golden State Killer case were able to use GEDmatch, a public platform where users can upload DTC-GT data, to find DeAngelo without his or the GEDmatch founders’ consent.

Furthermore, Maryland and Montana are the only states that have passed legislation specifically addressing the usage of DTC-GT databases in police investigations. However, these laws do not adequately protect DTC-GT consumer privacy. As the IGG technique becomes more popular across the country, the absence of broader regulation of the DTC-GT industry is becoming increasingly problematic.

This article describes the IGG technique and its growing popularity; details the privacy implications of IGG; reviews how DTC-GT companies, states, and the federal government have addressed privacy concerns thus far; and proposes three potential solutions to regulate the practice of IGG. 


What is IGG and Why is it Popular?

 As an initial matter, it is important to understand how a consumer’s DNA ends up on a DTC-GT database. Typically, a person becomes interested in taking a DNA test kit to find relatives, get insights into their health, and learn whether they have genetic variants they can pass on to their future children. That consumer then buys a test kit from a DTC-GT company, such as 23andMe, Ancestry, or FamilyTreeDNA, and sends back a saliva sample for lab evaluation. Genealogists then estimate the relationships between the consumer’s DNA and others in the DTC-GT database to construct a family tree. Afterwards, a consumer may hire a genealogist to further construct the family tree using newspaper articles, obituaries, last name origins, and the Social Security death index. Consumers can also upload their DNA data file to a public platform like GEDmatch to find additional matches from other testing companies.

 IGG comes into play when law enforcement finds suspect DNA at a crime scene. IGG is distinguishable from traditional forensic science work because it requires a type of DNA testing that state laboratories cannot perform. Instead, the IGG technique combines DTC-GT DNA tests with the practice of genealogy. After a vendor laboratory completes a thorough analysis of the DNA sample, a forensic genealogist will enter the genetic profile into a genealogy website like GEDmatch to find potential familial relationships. As demonstrated in recent IGG cases, these relationships may include the potential suspect’s mother or second cousin. Upon finding relatives, police are then able to narrow down the list of suspects and reduce the overall number of innocent relatives tested for DNA comparisons.

Importantly, law enforcement cannot arrest a suspect solely based on familial relationships and must use other leads to support probable cause for an arrest. According to Christi Guerrini, a leading legal and medical scholar in genomic technologies, it is more accurate to interpret IGG as an additional tool in law enforcement’s arsenal for traditional investigatory work.

Furthermore, law enforcement agencies can use IGG to revive investigations that have gone cold, including at least 100,000 unsolved major violent crimes and 40,000 unidentified bodies in the United States alone. And, in tandem, IGG also has the potential to exonerate wrongfully convicted individuals. For the first time, in 2019, genetic genealogists exonerated an incarcerated person: Christopher Tapp, who had served twenty years in prison for a murder and rape he did not commit. They were able to link the DNA evidence at the crime scene to another man, Brian Leigh Dripps, who ultimately confessed to the crimes.

 Given its immeasurable potential for criminal justice work, prosecutors are calling IGG “one of the greatest revolutions.” It builds upon the expansion of the DTC-GT industry, with the DNA test kits market projected to expand at a compound annual growth rate of 16.1% from 2020 to 2030. As of today, 23andMe has sold over 12 million DNA kits, Ancestry has sold over 20 million, and FamilyTreeDNA has sold over 2 million. Furthermore, GEDmatch has more than 1.4 million users globally. These gigantic databases can significantly impact law enforcement efforts for a myriad of crimes.

Even so, there is currently little regulation regarding the practice of IGG or these DTC-GT companies.

Privacy Concerns

Lack of Consumer Consent

Many legal scholars argue that individuals upload their genetic information to websites like GEDmatch to find distant relatives, not to solve crimes. Some users choose to keep their GEDmatch profiles private for this very reason. They argue that even if a DNA match could assist law enforcement efforts, they do not want to be a “genetic informant” for a relative. A 2020 Consumer Reports survey supports this sentiment: 24% of respondents who had not taken a DTC-GT DNA test were worried about the privacy of their data or genetic material. Additionally, 25% reported being “extremely concerned” about how DTC-GT companies protect the privacy of their consumers.

Interestingly, a 2019 Pew Research Center survey suggests that approximately 48% of Americans say it is acceptable for DTC-GT companies to share consumers’ DNA with law enforcement to assist with investigations. In fact, the aftermath of the Golden State Killer case suggests that many users do want to be genetic informants against their distant relatives. When it became public that investigators used GEDmatch to find the Golden State Killer, the founders worried that thousands of people would delete their accounts. Instead, a GEDmatch founder reported that they received “5,000 new uploads to the site shortly after Mr. DeAngelo’s arrest—a daily record.”

Overall, these statistics show that despite the privacy concerns associated with DTC-GT companies, many Americans support the usage of IGG. Legal scholars argue, however, that the standard of individual consent does not hold up in the DTC-GT industry. Due to ineffective consent procedures, many consumers are unaware that DTC-GT companies can share genetic data with third parties, including law enforcement, research scientists, and the pharmaceutical industry. In fact, several companies have acted outside the scope of consent they secured from their users, yet they failed to suffer any repercussions. Given that companies profit from law enforcement searches, the lack of consequences for violating consumer consent is extremely alarming. Benjamin Berkman, a member of the National Institutes of Health’s Department of Bioethics, summarizes the predicament well: “Genealogy is typically done for entertainment purposes. People may not realize uploading their DNA could be responsible for a cousin’s arrest as well.”

Misuse by Law Enforcement

 One of the biggest concerns resulting from the prevalence of IGG technology is misuse by law enforcement. According to Ellen Clayton, a professor of law at Vanderbilt Law School, when DNA becomes available to DTC-GT companies, DNA loses any protection afforded to it by existing privacy laws. Consequently, there is a possibility of the misuse of DNA by downstream actors, including law enforcement officers conducting surreptitious testing for criminal investigations. DNA analysis is not perfect, and it can result in mistakenly implicating someone in a crime. For example, in 2014, Michael Usry, Jr., lived in a constant state of anxiety for a month when an IGG search linked him to a murder he did not commit. Law enforcement pointed to circumstantial evidence, including the fact that he was a filmmaker who made films involving homicide plotlines, and close familial markers to identify Usry as a suspect. Ultimately, Usry’s DNA did not match the crime scene sample. Nonetheless, his case serves as a prime example of how IGG searches can infringe on innocent people’s daily lives.

 On a similar note, one type of IGG called autosomal genealogy cannot distinguish between sibling DNA. As a result, if a person’s sibling commits a crime and leaves DNA at the scene, that person may be subjected to law enforcement surveillance following an IGG search. According to Erin Murphy, a Norman Dorsen Professor of Civil Liberties at NYU Law, the implications of this become even more complex when considering illegitimate children. A person may not know they exist at all, yet their DNA has the power to make that person a suspect in a law enforcement investigation.

Furthermore, a new technique used in conjunction with IGG called DNA phenotyping can lead to further discrimination against minority groups across the globe. For example, in Germany, DNA phenotyping erroneously indicated that the DNA found at a murder scene belonged to a Romani person. Consequently, the police targeted and harassed the Romani community for two years before discovering that the DNA evidence was contaminated. The existing disparities within the United States criminal justice system are evident, with African Americans incarcerated in state prisons at five times the rate of whites; DNA phenotyping raises concerns regarding the potential exacerbation of discriminatory practices within African American communities, especially considering that the accuracy of DNA phenotyping can vary widely depending on the trait. For example, DNA phenotyping can predict brown eyes with ninety percent accuracy, but it cannot pinpoint gray eyes.

 Given all these potential misuses of IGG technology by law enforcement, it is no surprise that many policy experts are asking for an outright ban on IGG searches.

Outdated Federal Laws Fail to Protect DTC-GT Consumer Privacy

Carpenter Third-Party Doctrine

Fourth Amendment jurisprudence fails to provide DTC-GT consumers with legal recourse when companies give law enforcement nonconsensual access to DNA for IGG searches.

The Fourth Amendment protects “the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.” In Katz v. United States, the court articulated that the Fourth Amendment “protects people, not places… what [one] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” In Smith v. Maryland, the court clarified that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” This principle is known as the third-party doctrine. In that case, law enforcement used a pen register to record telephone numbers from a suspect’s telephone line. The defendant did not have a reasonable expectation of privacy because it is public knowledge that telephone companies keep records of outgoing calls; thus, while his conversations were private, he had voluntarily turned over the numbers he had called to his telephone company.

Similarly, in United States v. Miller, federal agents subpoenaed Miller’s bank records due to his alleged involvement in a bootlegging conspiracy. The court held that he had no reasonable expectation of privacy over these bank records because these records were not confidential. He had voluntarily given the bank employees access to his information by doing business with the bank. Thus, these records did not fall under Fourth Amendment protection.

The third-party doctrine was key in the court’s decision in Carpenter v. United States. There, the government used cell site location information (CSLI) data to pinpoint Carpenter’s whereabouts during a series of robberies, which implicated “the privacies of [his] life” and constituted a warrantless search. The court emphasized that Carpenter had a reasonable expectation of privacy because “a cell phone—almost a ‘feature of human anatomy’—tracks nearly exactly the movements of its owner.” The retrospective nature of CSLI data enabled the police to determine all his past whereabouts. Importantly, the third-party doctrine did not govern because the “vast, expansive, and nearly infallible” nature of CSLI data is qualitatively different from the data people turn over to the telephone companies in Smith v. Maryland or the banks in United States v. Miller.

 According to Teneille Brown, a professor at S.J. Quinney College of Law, the court’s reasoning is even stronger in the context of DNA. Much like CSLI data, DNA’s expansiveness and ability to provide the government insight into an individual’s private life is unparalleled. As a result, DNA has much more potential to reveal personal information compared to a person’s cell phone, or even their unique fingerprints.

 Some may argue that individuals voluntarily send their DNA to a DTC-GT company, meaning the third-party doctrine should govern. However, this argument does not consider the aforementioned reasons people submit their DNA to these companies. Also, unknown distant relatives are unlikely to know that their DNA profiles are in these databases. They do not voluntarily turn over their DNA to third parties, nor can they meaningfully consent to law enforcement searches. The only way to avoid generating CSLI data is to never use a cell phone; there is no substantial equivalent for DNA. Therefore, federal regulation must acknowledge the uniqueness of DNA’s ability to give law enforcement an intimate image of a person’s life.

Health Insurance Portability and Accountability Act of 1996

 Likewise, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) fails to provide DTC-GT consumers with adequate protection over their DNA. HIPAA protects individuals’ health information used or disclosed by a covered entity. The HIPAA Privacy Rule, which implements the requirements of HIPAA, only applies to four types of covered entities: (1) healthcare providers, (2) health plans, (3) health clearinghouses, and (4) business associates of these entities. DTC-GT companies do not fall under any of these categories. Thus, while genetic tests ordered by a doctor fall under the Privacy Rule, DTC-GT DNA test kits do not have the same protections. This is not common knowledge, as demonstrated by the fact that 52% of respondents in a survey believed federal medical privacy laws like HIPAA protect the results of DTC-GT DNA test kits.

DTC-GT DNA test kits did not exist in 1996, but now, nearly 20% of Americans have used one. The limited scope of the Privacy Rule indicates that it is not sufficient to serve as the default health privacy regulation.

Genetic Information Nondiscrimination Act

 The Genetic Information Nondiscrimination Act (GINA) extends the HIPAA Privacy Rule to genetic information even if it is not health information “in the ordinary sense of the word.” Its emphasis, however, is not the protection of consumers’ genetic privacy. Rather, it prohibits discrimination based on genetic information in the contexts of health insurance and employment. Therefore, like HIPAA, GINA does not protect genetic data from DTC-GT companies.

How These Privacy Concerns Have Been Addressed So Far

Company Policies


 23andMe and Ancestry are industry leaders and have set the standard for better data practices and privacy protection.

23andMe provides privacy information through accessible graphics and videos as well as links to several comprehensive privacy documents. Their main privacy page discusses the process of sharing DNA information with law enforcement, stating that 23andMe “will not release any individual-level personal information to law enforcement without your explicit consent unless required by law.” Consumers must opt in to share their genetic data across features, ranging from research consent documents, 23andMe’s DNA Relatives Tool, and law enforcement searches. According to their guide for law enforcement, 23andMe requires a valid legal process, like a warrant or court order, to produce information about users.

Notably, because 23andMe does not authenticate or verify an individual’s identity when they sign up for an account, the DNA sample has no chain of custody. It falls outside the scope of 23andMe’s terms of service to use the Personal Genetic Service for criminal investigations, including submitting samples from crime scenes or incarcerated people.

23andMe also publishes a quarterly transparency report regarding law enforcement requests. As of January 2023, the transparency report indicates that 23andMe has never produced data to law enforcement without prior, explicit consent by the individuals specified in the request.

Despite these comprehensive documents, legal scholars argue that consumers are still unlikely to make sufficiently informed decisions. There are six separate pages where 23andMe provides critical privacy information, and the average consumer most likely will not click on each page before opting in to sharing their genetic information. Nonetheless, 23andMe’s website provides a starting point for providing consumers with information regarding law enforcement searches.


 Ancestry also provides a user-friendly privacy page that includes videos, frequently asked questions, and links to important resources such as their transparency report, guide for law enforcement, and archived versions of their privacy statement and terms and conditions. Like 23andMe, Ancestry requires a valid legal process for law enforcement to gain access to user data, and consumers must opt in to these searches.

One welcome difference between 23andMe and Ancestry is that Ancestry provides consumers with a video solely on the topic of law enforcement requests. The video is 1.5 minutes long and gives a high-level overview of Ancestry’s safeguards for law enforcement requests, which Ancestry supplements with a brief explanation under their frequently asked questions.

Critics argue that Ancestry suffers from the same defects as 23andMe regarding accessible privacy information. Additionally, unlike the 23andMe website, Ancestry does not discuss the potential privacy risks of using their services outside of their research consent form. Those who do not opt in to participate in research are unlikely to read this consent form to find adequate information on privacy risks. Despite this, Ancestry also offers a starting point for other DTC-GT companies to model.


Of these three DTC-GT companies, FamilyTreeDNA appears the least comprehensive when providing privacy information. They do not have a privacy page; instead, a prospective consumer must scroll all the way to the bottom of the main page to access privacy information. To their credit, FamilyTreeDNA provides a comprehensive introduction on IGG matching, information on how to opt in and out of IGG matching, a transparency report, and IGG matching frequently asked questions.

In 2019, U.S. News & World Report named FamilyTreeDNA the “Best for Genealogical Research and Strict Privacy” among the major DNA testing kits. Even so, FamilyTreeDNA violated its own terms of service when it cooperated with the Federal Bureau of Investigation to analyze crime scene DNA samples for nearly a year. In response to consumer backlash, FamilyTreeDNA created an opt-out feature so that consumers must actively choose not to have their profiles available to law enforcement. In October 2022, Leah Larkin, founder of The DNA Geek, a genealogical DNA analysis service, put it bluntly: “Anyone in the United States who uploads to the FamilyTreeDNA database is exposed to IGG unless they take extra, hard-to-find, steps to opt out. This is not consent.”

As of December 2023, it appears that FamilyTreeDNA has now adopted an opt-in policy and will only comply with law enforcement requests that follow a valid legal process. FamilyTreeDNA also states that they only allow law enforcement to upload DNA files for cases involving unidentifiable human remains, sexual assault, homicide, or child abduction. Despite these changes, FamilyTreeDNA still lags significantly behind 23andMe and Ancestry regarding the accessibility of privacy information and the maintenance of public trust.


As mentioned previously, GEDmatch is not a DTC-GT company. It is a free website where users of 23andMe, Ancestry, and FamilyTreeDNA can upload their DNA files to find additional matches outside of their DTC-GT databases. The founders built the website specifically for genetic genealogy research, although the website captured international attention following the Golden State Killer case. Surprisingly, a prospective law enforcement agency would have to click the “Privacy Policy & Terms of Use” link at the bottom of the main page to find any information on IGG searches.

In 2019, GEDmatch also found itself in hot water when users discovered that the company violated its own terms of service to assist with the arrest of a seventeen-year-old guilty of violent assault on an elderly woman. Thereafter, GEDmatch changed its policy so that users had to opt in to have their profiles made available for IGG searches. While this is a step in the right direction, experts are concerned that GEDmatch’s “policy flip-flops” are indicative of the problems associated with allowing self-regulation in the IGG field.

State Legislation


In June 2021, Maryland and Montana became the first states to pass laws specifically addressing law enforcement access to DTC-GT databases. They share two similarities: (1) a requirement to obtain judicial authorization before conducting IGG searches and (2) a limit on IGG searches to violent crimes, including murder and kidnapping.

Maryland’s statute is broad and regulates IGG searches as well as genetic investigations. Law enforcement is also prohibited from collecting a covert sample from a third-party non-suspect for subsequent IGG searches and must seek written informed consent. Additionally, it prescribes criminal penalties for violations and a private right of action for consumers. To support the exoneration of innocent individuals, the statute also allows defendants convicted of violent crimes to file an affidavit for post-conviction DNA testing.

Key pieces of the Maryland legislation have yet to roll out. For example, Maryland’s law requires that “labs conducting testing for [IGG] must be licensed, and the Office of Health Care Quality must train technicians.” As of September 2022, the Maryland Department of Health has failed to “publish best practices and minimum qualifications for people using forensic genetic genealogy.” This inaction comes as a surprise to many given that it is a bipartisan law that was one vote away from passing unanimously. However, a spokesperson for former Governor Larry Hogan reports that he thought the statute was “haphazardly drafted without consulting the stakeholders that it will affect.” Even so, the legislative records indicate that the Department of Health did in fact offer input on this law. It will now be up to Governor Wes Moore to enforce this state law.

Notably, one criticism of the Maryland statute involves the racial tilts of the CODIS and DTC-GT databases. Maryland requires law enforcement to enter DNA into CODIS first. If CODIS does not produce an identifiable suspect, then law enforcement can use DTC-GT databases. In 2020, scholars determined that Black people represent 34% of samples in public databases while only composing 13% of the United States population. Thus, Maryland’s requirement could limit the amount of available DNA for searches in predominantly white DTC-GT databases. It will also likely help law enforcement solve more crimes committed by Black offenders compared to their white counterparts. While this article primarily focuses on the shortcomings of current policies and laws from a privacy perspective, one cannot ignore the racial implications that will underlie any federal regulation of IGG.


Montana’s statute is significantly less comprehensive than Maryland’s. It requires law enforcement to obtain a warrant to search a DTC-GT database or the state’s DNA identification index. The bill also received bipartisan support. Importantly, Montana’s statute does not apply to all existing users of genetic testing services. According to the Electronic Frontier Foundation, law enforcement agencies do not need a warrant to utilize IGG searches if “the consumer whose information is sought previously waived the consumer’s right to privacy.” The statute fails to explain, however, how consumers can waive their privacy rights, and it is unclear how law enforcement agencies will be able to determine whether someone waived their privacy rights before conducting a search.


 Utah may become the next state to restrict IGG searches. In March 2023, the Utah legislature passed Senate Bill 156, colloquially known as the Sherry Black bill, after a victim whose killer was tracked down by police using IGG technology. Like Maryland’s law, the Sherry Black bill is very comprehensive. It allows law enforcement to conduct IGG searches to identify or exonerate a potential suspect and identify missing or unknown individuals. The Sherry Black bill also received bipartisan support, further indicating that citizens across the political spectrum are worried about law enforcement’s use of DNA from DTC-GT databases.

Department of Justice Interim Policy

 Due to the rise in IGG technology in 2019, the Department of Justice published an interim policy to serve as guidelines for the usage of IGG in solving crimes. It serves as the first set of comprehensive guidance to law enforcement at the federal level. The policy contains nine sections that discuss important components of IGG; these include the technique’s purpose and scope, application, background on IGG, limitations, case criteria, collaboration with other investigative agencies, investigative caution, sample and data control and disposition, and collection of IGG metrics. Much like the Maryland and Montana state laws, the Department of Justice announced in its press release that the policy “is designed to balance the Department’s relentless commitment to solving violent crimes and protecting public safety against equally important interests—such as preserving the privacy and civil liberties of all citizens.”

Unfortunately, the Department of Justice interim policy has several shortcomings. First, like Montana’s law, the policy requires law enforcement agencies to exhaust all other available techniques, like uploading the DNA to CODIS, before resorting to IGG. In addition to the racial biases this requirement perpetuates, many cold case investigators emphasize how highly degraded and fragile DNA evidence is. Paul Holes, a retired cold-case investigator involved in the Golden State Killer case, criticizes this requirement and states it “could potentially cause me to kill my case.” Additionally, the policy only applies to federal and state agencies that receive funding to conduct IGG from the Department, leaving many state and local law enforcement agencies outside the scope of regulation. Thus, any federal legislation should take into consideration the criticisms of key stakeholders and protect the individual privacy rights of all American citizens. As discussed further below, the interim policy, in conjunction with the Maryland and Montana state laws, serves as a good starting point for federal legislation.


Drafting Federal Legislation

Comprehensive federal legislation regulating IGG would be the ideal solution to protecting DTC-GT consumers’ genetic privacy. Surprisingly, outside of the measures outlined above, there is very little guidance on how federal legislation should look from a litigation standpoint. No individual has yet taken legal action against these DTC-GT companies regarding IGG searches, which makes the need for federal legislation more dire. The lack of litigation may result from a combination of factors, including genetic illiteracy or indigent defendants who cannot afford to pursue legal recourse. This will likely change, however, as legal experts and leading non-profits continue challenging the broad scope of IGG searches.

The onus is on government actors to protect consumers from changeable, hard-to-understand policies. Federal legislation could build upon the strengths of the Maryland and Montana state laws. This could be accomplished by expanding the Department of Justice’s interim policy to apply to all law enforcement agencies, regardless of whether they receive funding from the Department to conduct IGG searches. Expansions might include (1) requiring a warrant to access DTC-GT databases, (2) limiting IGG searches to homicides and rapes, and (3) forbidding DTC-GT companies from sharing the familial information of non-consenting relatives beyond a defined familial proximity.

Implementing a Warrant Requirement

The Electronic Frontier Foundation and the American Civil Liberties Union have filed several amicus briefs arguing that the Fourth Amendment does not permit the surreptitious collection of DNA without a warrant. For example, in State v. Bentaas, the nonprofits challenged the collection of DNA from Teresa Bentaas, a lifelong resident of South Dakota, after the results of an IGG search linked her to a crime. They argue that because Bentaas was not under arrest or in government custody when law enforcement collected and sequenced her DNA, she was a free person with full protection under the Fourth Amendment. Ultimately, she was convicted but was released on parole after serving less than three months of her sentence.

The nonprofits made a similar argument in an amicus brief for State v. Burns. It became the first IGG case to reach a state supreme court. There, Burns’ attorneys argued that law enforcement violated his Fourth Amendment rights when they took a straw he left behind in a restaurant, extracted DNA from the straw, and matched it with DNA found at a rape scene without first obtaining a warrant. The Iowa Supreme Court has yet to rule on Burns’ appeal, but its decision could have profound implications for how far law enforcement can go to obtain DNA without a federal warrant requirement.

Montana’s law requires law enforcement to obtain a search warrant before using IGG techniques to find a direct user on a DTC-GT database. However, if consumers waive their rights to privacy while signing up for DTC-GT accounts, their information falls under a carve-out of the statute’s warrant requirement. This carve-out becomes especially concerning in a familial DNA search, as a person has no control over the shared DNA a family member submits to a DTC-GT database. Thus, federal legislation might extend warrant protections to everyone who has DNA in a DTC-GT database.

 In the past, law enforcement has typically worked with companies that do not require a valid legal process to obtain DNA, such as GEDmatch. In theory, a warrant requirement might discourage all companies with DNA databases from cooperating with law enforcement. It is important to note that while establishing probable cause for a warrant is notoriously difficult in other contexts, the probability of success in a DNA search is approaching mathematical certainty. Researchers estimate that 60% of Americans of Northern European descent are identifiable through DTC-GT databases through a third cousin or closer match, even if they did not sign up for profiles themselves. The mathematical probability of finding a match will only increase with the popularity of DTC-GT companies. Thus, a warrant requirement would raise the bar for IGG searches and demand diligent investigation before interrupting the lives of innocent consumers.

Limiting IGG Search Offenses

For the first time, in 2019, a Florida judge granted a warrant to search GEDmatch’s entire database of nearly one million users. Within twenty-four hours, the Florida detective who asked for the warrant was able to gain access to all of GEDmatch’s users regardless of their privacy settings. This tells us that despite the restrictions these companies may impose on law enforcement access, a court may be able to override them. While the warrant in this case did not result in an arrest, detectives predict that broader access to 23andMe and Ancestry could solve “hundreds and hundreds of unsolved crimes overnight.” Thus, experts are deeply concerned that the judge’s decision will result in other agencies requesting similar search warrants for these DTC-GT databases, which have more than ten times as many users as GEDmatch. If this happens, Natalie Ram, a law professor at the University of Maryland’s Carey School of Law, thinks that someone who faces prosecution could raise a Fourth Amendment argument against the DTC-GT company. However, she does not think it is clear whether a DTC-GT company or a criminal defendant has standing to challenge a warrant effectively. Consequently, she advocates for legislation that requires narrowly tailored warrants.

Maryland attempted to address this issue by restricting IGG searches to murder, rape, or a felony sexual offense. The interim policy uses similar language for case eligibility and states that law enforcement can only conduct an IGG search for an unsolved violent crime where CODIS produces no matches or to identify the human remains of a suspected homicide victim. The policy also allows prosecutors to authorize IGG searches for crimes other than homicide or sexual offenses “when circumstances surrounding the criminal act[s] present a substantial and ongoing threat to public safety or national security.” Some legal scholars have criticized the usage of this broad language; the language encourages law enforcement to “use [IGG] as a last resort” but ultimately lets prosecutors decide what cases fall under this category.

Law enforcement has primarily used DTC-GT databases to solve violent crimes. However, there have been instances where law enforcement used the IGG technique to solve minor offenses, such as in Colorado where a burglar stole $1.40 from a car. A 2018 survey indicated that 79% of 1,587 respondents supported IGG use in homicide and rape cases, while only 39% supported its use for property crimes. These results suggest that public opinion supports the creation of more definitive case criteria for IGG searches.

While allowing for prosecutorial discretion maintains flexibility in police investigations, IGG searches can produce mass amounts of information on individuals unrelated to criminal investigations compared to CODIS analyses. As a result, Congress may want to consider either defining the circumstances that may result in “a substantial and ongoing threat to public safety or national security” or limiting IGG searches to homicides and rapes.

Defining Familial Proximity

Najla Hasic, a graduate of Southern Illinois University School of Law, calls for Congress to forbid DTC-GT companies from sharing familial information with law enforcement altogether. In doing so, DTC-GT companies would only be able to share exact matches with law enforcement and preserve the privacy interests of non-consenting family members in these databases. An explicit ban on familial searching might be the best way to preserve the privacy rights of innocent relatives, but this approach would impractically hinder society’s interest in justice. Limiting IGG searches to exact matches would significantly decrease the amount of information available to investigative efforts.

 Interestingly, the interim policy does not discuss the boundaries of IGG searches for finding distant relatives. Each suspect has the potential to reveal hundreds of distant relatives, whether they are alive, dead, local, or international. Currently, IGG technology allows law enforcement to identify family relationships as far as third cousins with an approximate 90% likelihood. It may soon be possible to extend the technique with a greater probability of detection to even more distant family members.

As a result, federal legislation could opt for a middle approach: limit IGG searches to a prescribed level of familial proximity. Australia uses this approach in the context of accessing telecommunications metadata under the Telecommunications (Interception and Access) Act 1979. There, law enforcement must ask telecommunications providers to confirm the existence of metadata records before they can apply for a search warrant. In this context, Congress could consult stakeholders, such as genealogists and law enforcement, to define how distant a familial relationship can be to remain an actionable lead for investigations. Then, Congress could implement a requirement where law enforcement must submit requests to DTC-GT companies to determine the existence of genealogy records to a prescribed level of familial proximity.

Clarifying Opt-In Consent on DTC-GT Websites

Congress may also choose to regulate DTC-GT companies by requiring them to adopt a comprehensive “opt-in” feature for law enforcement searches.

An opt-in feature allows DTC-GT users to actively choose whether their information can be included in an IGG search. There are no federal laws that require opt-in consent when creating a DTC-GT profile, meaning that consent processes vary considerably among companies. Additionally, many users do not read terms of service or privacy policies carefully because they are often long, vague, or too complex for the average American reader. In fact, researchers from Carnegie Mellon calculated that it would take each Internet user 76 work days to read the privacy policy on every website he or she has ever visited. These overly complicated privacy documents, in conjunction with genetic illiteracy among the general population, have created a deadly combination for the privacy rights of DTC-GT users.

 To combat this, one legal scholar recommends creating interactive videos that illustrate the process of DNA collection and laboratory procedures. Another video that discusses how IGG works could be valuable as well. These videos could serve as the first layer of obtaining consent from users. If the user affirmatively agrees to these terms, a second layer of information can discuss current federal genetic privacy laws and how IGG can identify individuals. Additionally, only a user who has confirmed reading the second layer of information could be allowed to opt in to law enforcement searches. This information could be provided on one central page with links to external, more comprehensive documents if the consumer wishes to learn more about their privacy rights.

A comprehensive opt-in feature would likely reduce the number of profiles available to law enforcement significantly. This has already happened: when GEDmatch implemented an opt-in policy in 2019, the number of available profiles dropped drastically from 1.4 million users to approximately 100,000 people. Nonetheless, an opt-in policy is an important step in ensuring that people who fail to read privacy policies do not unknowingly share their genetic information with law enforcement. It will also help build public trust in IGG and may result in more users becoming receptive to the usage of DTC-GT DNA samples in criminal investigations.

Establishing a Credentialing Process

 Implementing industry standards could serve as an additional solution to regulating IGG practices.

The current state of American genetic genealogy, says The DNA Geek’s Larkin, is “akin to the Wild West… there is no oversight, no credentialing, no education requirement, no minimum qualification, [and] no set of ethical standards.” The “Wild West” nature of genetic genealogy continues to grow with every DTC-GT test, as researchers project that the number of identifiable Americans of Northern European descent will climb from 60% to 90% in the next two or three years. Another study of 1,597 participants indicates that law enforcement access to DTC-GT databases ranks as one of the “most intrusive activities, on a par with searches of bedrooms, text messages, and emails.”

Consequently, creating a credentialing process can help increase awareness of the risks of using genealogical DNA analysis among investigative genetic genealogists and the community. Other countries have established accreditation frameworks where genealogists must pass certification exams and agree to abide by a set of ethical standards. Maryland’s law attempted to mandate licensing requirements for labs using IGG technology and the publication of best practices and minimum qualifications for genetic genealogists by the Maryland Department of Health. As of October 2022, neither of these attempts has come to fruition.

The most promising progress on this front is the formation of the Board for Certification of Investigative Genetic Genealogy (BCIGG). As justification for creating the board, Forensic Science International highlighted four reasons why credentialing is necessary in this field: “(1) the privacy of innocent people who are drawn unaware into criminal investigations, (2) public trust in [IGG] itself, (3) proficiency and ethical behavior of investigative genetic genealogists, and (4) accountability for incompetent or unethical practitioners.” The BCIGG certification process is much less rigorous than the Board of Certification of Genealogists process, which anecdotally has a 60% fail rate despite applicants spending up to 1,000 hours on their portfolios. The reduced rigor is understandable due to the narrow scope of investigative genetic genealogists’ reports in comparison to generalist genealogists; they do not need to transcribe documents or resolve conflicting evidence while matching a suspect’s DNA to crime scene evidence.

Nonetheless, the BCIGG education requirement could be amended to be more like the American Board of Criminalistics Forensic DNA’s, which requires that applicants have a baccalaureate degree in a natural or forensic science from an accredited institution. Larkin points out that many well-known investigative genetic genealogists do not have degrees in these fields or college degrees at all. Thus, sufficient experience in IGG could satisfy an education requirement. However, due to the rising prominence and complexity of this field, an education requirement should continue to undergo strong consideration for the credentialing process.

Given the close nature of IGG and forensic science, at minimum, the BCIGG should expand its membership to prominent forensic scientists while board members continue to finalize the credentialing process. Other stakeholders notably absent from the board include DTC-GT founders, privacy attorneys, and Department of Justice officials who wrote the interim IGG policy. Including these stakeholders on the BCIGG would likely lead to a more robust and implementable credentialing process.


IGG is on its way to becoming a routine law enforcement procedure across the country. While this technology continues to revolutionize criminal justice work, appropriate regulatory safeguards are needed to ensure this tool does not come at the cost of DTC-GT consumer privacy. The privacy risks associated with IGG are only becoming increasingly clear as law enforcement uses this tool in new ways. Immediate action by DTC-GT companies, Congress, and investigative genetic genealogists is more necessary than ever. 

    Angelica Lee

    UC Law San Francisco, San Francisco, CA

    Angelica Lee is a J.D. candidate at UC Law San Francisco (formerly known as UC Hastings). During law school, she served as a Privacy Legal Extern at 23andMe; the views expressed in this article are her own and do not represent those of 23andMe. Additionally, she interned at the Federal Trade Commission and worked as a summer associate at Wilson Sonsini Goodrich & Rosati (WSGR). Pending bar results, she will join WSGR as a first-year associate, where she plans to work with tech and life sciences companies within WSGR’s Corporate Group. She can be contacted at [email protected].

    The material in all ABA publications is copyrighted and may be reprinted by permission only.