chevron-down Created with Sketch Beta.
June 11, 2024 Feature

Regulating Forensic Investigative Genetic Genealogy: The Case for Judicial Oversight and the Bipartisan Model Legislation Passed in Maryland

Tebah Browne and Barry Scheck

In 2018, Forensic Investigative Genetic Genealogy (FIGG) was used to identify the Golden State Killer, Joseph DeAngelo, a police officer who committed at least 13 murders, 51 rapes, and 120 burglaries across the state of California between 1974 and 1986. FIGG immediately captured the imagination of law enforcement and the public. FIGG takes advantage of single nucleotide polymorphism (SNP) sequencing, genealogical techniques used to predict an individual’s ethnicity or ancestry, and the growth of direct-to-consumer (DTC) databases—repositories of SNP DNA samples sent by millions of people around the world seeking to track their ancestry and biological relationships. An SNP profile from probative biological evidence recovered from a crime scene can be compared to SNP profiles in a DTC database to build family trees and ultimately identify the most recent common ancestor (MRCA) of the putative perpetrator. FIGG heralded the prospect of miraculously solving cold cases, exonerating the wrongly convicted, and finding the source of unidentified human remains (UHR). However, it also raised serious concerns about protecting privacy, intimate genetic information, and civil liberties from the unregulated use of this formidable new tool.

Accordingly, in 2019, the Federal Bureau of Investigation (FBI) canvassed suggestions from experts and promulgated model regulations for FIGG that applied to the FBI itself, all federal law enforcement, and state law enforcement officials who received federal aid to conduct DNA testing. This effort was led by Thomas Callaghan, then the chief biometric officer at the FBI and the father of the Combined DNA Index System (CODIS). CODIS enables federal, state, and local forensic laboratories to exchange and compare short tandem repeat (STR) DNA profiles electronically, thereby linking serial violent crimes to each other, to persons convicted of crimes, and—in some states—to individuals under arrest. CODIS also helps the National Missing Persons DNA Database identify missing and unidentified persons. As of August 2023, CODIS has produced over 674,405 hits and assisted in more than 656,893 investigations.

Because the backbone of the CODIS system is the STR DNA profile, Callaghan and his colleagues crafted their FIGG model regulations to build on CODIS and not destroy it by requiring the following: No FIGG searches could be undertaken unless a forensic sample recovered in an investigation was reasonably believed to come from a putative perpetrator of a violent crime and produced an STR DNA profile that did not generate a confirmed match in CODIS. In short, the FIGG search process was directed at finding a person who matched an unidentified STR DNA profile, not a “matching” SNP profile.

Most importantly the FBI’s model FIGG regulations reflected a concern that the constitutional underpinnings of the CODIS system, as enunciated by the Supreme Court in Maryland v. King, might not be sufficient to pass constitutional muster when doing SNP searching without additional privacy protections, including (1) the informed consent of all individuals whose SNP profiles are in a DTC database that permits law enforcement access; (2) the informed consent of individuals not in a DTC database who agree to provide SNP samples to investigators during the FIGG search; (3) a search warrant from a judge, which must be obtained to do SNP analysis of any covertly collected reference sample; and (4) guarantees that all SNP and family tree data obtained during the search will be treated as confidential information for law enforcement identification purposes only and ultimately destroyed if the search does not result in the filing of criminal charges, or at the conclusion of a case brought as a result of the FIGG search, and all subsequent judicial proceedings, pursuant to an appropriate court order.

The FBI had good reason to be concerned. In Maryland v. King, a 5–4 decision with Justice Scalia dissenting, the Supreme Court found that taking buccal swabs from arrested individuals to obtain an STR DNA profile for identification purposes and CODIS searches was “reasonable” under the Fourth Amendment and did not require a warrant. The Court asserted that this is no different than matching an arrestee’s face to a wanted profile, tattoos to known gang symbols to reveal criminal affiliation, or the arrestee’s fingerprints to those recovered from a crime scene. In this context, an STR DNA profile “is another metric of identification used to connect the arrestee with his or her public persona, as reflected in records of his or her actions that are available to police.” The Court assumed the “CODIS loci” from which STR DNA profiles are derived are “non-protein coding junk regions of DNA” and do not have any association with a genetic disease or any other genetic predisposition. Accordingly, the Court concluded an arrestee had a “diminished” expectation of privacy in a CODIS search of such “junk” STR DNA profiles and there was little need for a warrant because the search “involves no discretion that could be properly limited by the ‘interpolation of a neutral magistrate between the citizen and the law enforcement officer.’”

It turns out that the Court’s assumptions about STRs were wrong. Fifty-seven studies have linked forensic STRs (specifically THO1) with 50 unique traits and medical conditions including schizophrenia, Parkinson’s disease, and Down syndrome. SNP testing and searching are monumentally different enterprises and there should be no confusion or room for mistaken assumptions about the challenges they pose for protecting humanity’s most private and intimate genetic information. Currently, STR analysis involves about 30 loci that are noncoding. SNPs involve analysis of many thousands of locations on the genome and focus on sequences where people differ the most. 23andMe and use SNP profiles to “help predict an individual’s response to certain drugs, toxins, and risk to developing diseases.” It seems self-evident that SNP testing and searching via DTC databases, by their nature, involve information entitled to a greater expectation of privacy than STR testing, as well as a warrant procedure and oversight of discretionary calls concerning the execution of the search that can be “properly limited by the interpolation of a neutral magistrate between the citizen and the law enforcement officer.”

Indeed, in Carpenter v. United States, Justice Gorsuch directly addresses the issue of obtaining data from DTC ancestry databases. In the course of expressing doubts about “reasonable expectation of privacy” opinions concerning the use of a pen register to track the telephone numbers a person calls (Smith v. Maryland) and financial information voluntarily disclosed to banks and exposed to bank employees in the ordinary course of business (Miller v. United States), Gorsuch asks:

Why is someone’s location when using a phone so much more sensitive than who he was talking to (Smith) or what financial transactions he engaged in (Miller)? I do not know, and the Court does not say.

The problem isn’t with the Sixth Circuit’s application of Smith and Miller but with the cases themselves. Can the government demand a copy of all your e-mails from Google or Microsoft without implicating your Fourth Amendment rights? Can it secure your DNA from 23andMe without a warrant or probable cause? Smith and Miller say yes it can—at least without running afoul of Katz. But that result strikes most lawyers and judges today—me included—as pretty unlikely.

Justice Gorsuch goes on to call for the development of case law that draws on “‘democratically legitimate sources of law’—like positive law [statutes] or analogies to items protected by the enacted Constitution” rather than judicial biases or personal policy preferences. He suggests this approach should not be “hobbled” by Smith and Miller but instead directly address only questions about whether people have a reasonable expectation of privacy in materials they share with third parties. Under this approach, “your papers and effects do not automatically disappear just because you share them with third parties.” He goes on to note state or federal legislation “may help provide detailed guidance on evolving technologies without resort to judicial intuition”—“[i]f state legislators or state courts say that a digital record has the attributes that normally make something property, that may supply a sounder basis for judicial decisionmaking than judicial guesswork about societal expectations.”

Surely SNP profile data are someone’s “property,” and the way state legislation protects SNP data and the familial genetic relationships derived from them are important factors in any Fourth Amendment analysis. More interesting still, Gorsuch argues that even though positive law may help establish a person’s Fourth Amendment interest, there may be some circumstances where positive law cannot be used to defeat it. He points to the precedent that “‘[n]o law of Congress’ could authorize letter carriers ‘to invade the secrecy of letters’” and asks, “What other kinds of records are sufficiently similar to letters in the mail that the same rule should apply?” Again, SNP data may well fall into that category. Justice Gorsuch’s focus on the “revealing nature of the data collected” has proved to be prescient. A recent empirical analysis of all 857 federal and state judgments applying Carpenter from 2018 to March 2021 finds the most determinative factor was “the revealing nature of the data collected.”

Maryland’s FIGG Statute

Maryland was the first state to pass a law regulating law enforcement use of FIGG. A bipartisan effort led by state Senator Charles Sydnor and Delegate Emily Shetty began in the summer of 2020 using a blue-ribbon panel of diverse stakeholders ranging from the Maryland State Police to the Office of the Public Defender, the state crime laboratory, experts in bioethics, legal academics, the Maryland State’s Attorneys Association, the American Civil Liberties Union, and the Innocence Project. In weekly meetings, the blue-ribbon panel consulted with leading practitioners and experts in the field.

From the outset, the blue-ribbon panel concluded the privacy issues posed by SNP testing and searching were profound and analogous to challenges faced after the Supreme Court’s landmark decision in Katz v. United States, which held that the Fourth Amendment’s protection against unreasonable search and seizure extends to the interception of communications and applies to all conversations where an individual has a reasonable expectation of privacy. Soon after Katz was decided, Congress passed Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (The Wiretap Act) that prohibits the unauthorized, nonconsensual interception of “wire, oral, or electronic communications” by government agencies as well as private parties. The act also establishes procedures for obtaining warrants to authorize electronic surveillance by government officials and regulates the disclosure and use of authorized intercepted communications by law enforcement. Significantly, Title III preempts all state laws to the extent that no state may allow access to wire, oral, or electronic communications with less justification than required by federal law; hence, Maryland law enforcement officials were quite familiar with the process and agreed that it had worked well. Similarly, the blue-ribbon panel and all the stakeholders were familiar with the U.S. Department of Justice’s Interim Policy on Forensic Genetic Genealogical DNA Analysis and Searching and believed the process and guidelines outlined in the Interim Policy could be readily adapted to a statutory scheme involving judicial supervision like a wiretap statute. That’s exactly what the blue-ribbon panel produced after a process that was remarkably collegial. The bill put forward by the sponsors received near-unanimous bipartisan support and passed in the 2021 legislative session.

The Maryland FIGG legislation mandates judicial supervision, protects third-party autonomy and data, grants equal access to the defense and prosecution, and ensures transparency and accountability.

Warrant Requirements

FIGG searches cannot be initiated without judicial authorization. A law enforcement agent, with approval from a prosecutor, must provide an affidavit stating inter alia that:

  1. The crime being investigated must be the act of or attempt to “commit, murder, rape, a felony sexual offense, kidnapping, human trafficking, or a criminal act involving circumstances presenting a substantial and ongoing threat to public safety or national security.”
  2. The forensic sample being analyzed must be biological evidence believed to originate from a “putative perpetrator”—“one or more criminal actors reasonably believed by investigators to have committed the crime under investigation and to be the source of, or a contributor to, a forensic sample deposited during or incident to the commission of a crime.”
  3. An STR DNA profile must have been obtained from probative biological evidence uploaded into a state and the federal CODIS system without matching an STR profile of a known person or an unsolved crime—please note that there are frequently changing requirements in CODIS for the number of loci detected in an STR DNA profile to qualify for an upload.
  4. Unless the crime being investigated presents an ongoing threat to public safety or national security concerns, reasonable investigative leads must have been pursued and failed to identify the perpetrator(s).

These requirements ensure that FIGG, which frequently features unregulated contractual relationships between law enforcement agencies and commercial firms that specialize in FIGG analysis and searching, does not quickly become the first DNA investigative step undertaken in most criminal cases and fits into the normal time-tested processes of the CODIS system. Judges are appropriately viewed as the gatekeepers of forensic evidence and are often tasked with determining the need for and validity of forensic methods. They serve as impartial arbiters who have little to no conflict of interest. These warrant requirements are oversight determinations traditionally left to judges, not prosecutors or police supervising themselves, because the competitive enterprise of ferreting out, solving, and prosecuting criminal activity carries inherent conflicts of interest. Beyond the warrant requirements, complex and challenging issues requiring judicial oversight arise when executing FIGG searches concerning the protection of third-party DNA samples and third-party privacy rights of relatives who never consented to their genetic or familial information being used in a FIGG investigation.

Third-Party Protections

The Maryland statute provides a robust set of privacy protections:

  1. Biological samples subjected to FIGG analysis, whether forensic samples from the crime or third-party reference samples, may not be used to determine the sample donor’s genetic predisposition for disease or any other medical condition or psychological trait.
  2. FIGG analysis may only be conducted using DTC databases that (a) provide explicit notice to its service users and the public that law enforcement may use its service sites to investigate crimes or to identify human remains and (b) seek acknowledgment and consent—what’s known as an “opt-in” requirement.
  3. Informed consent shall be obtained in writing from third parties not in a DTC database whose DNA sample is sought to assist in a FIGG search, and all statements made in obtaining the informed consent shall be documented from beginning to end by video or audio recording.
  4. The third party shall be informed, at a minimum, of the following before giving informed consent in writing: (a) the investigation involves a crime specified in the warrant requirement; (b) the third party is not a suspect in the investigation and has the right to refuse to consent to the collection of a DNA sample; (c) the law prohibits the covert collection of a DNA sample if the third party refuses to consent to the collection of a DNA sample; (d) the third party has been identified through a search of a direct-to-consumer or publicly available open-data personal genomics database as a potential relative of an individual believed to have committed a crime; (e) investigators are seeking the third party’s DNA to assist in identifying the person who committed the crime, or to identify the victim of a homicide, and for no other purpose; (f) the third party’s DNA sample and any information obtained from its analysis will be kept confidential in accordance with a court order during the course of the investigation; (g) the DNA sample and any data obtained from it will be destroyed when the investigation or any criminal case arising from the investigation ends; and (h) the third party will receive notice by certified delivery that the destruction has occurred. All these representations accurately summarize the provisions of the statute.
  5. If the third party does not consent to provide a reference sample, law enforcement may not collect a covert reference sample from the individual.
  6. If investigators determine that one or more persons are the putative perpetrator and it is necessary to conduct a covert collection from the putative perpetrator or a third party, an affidavit must be submitted to the authorizing judge demonstrating that seeking informed consent from a third party creates a substantial risk that a putative perpetrator might flee, that essential evidence will be destroyed, or that other imminent or irreversible harm to the investigation will occur.
  7. Investigators shall make a proffer explaining how they plan to conduct collection in a manner that avoids unduly intrusive surveillance of individuals or invasions to their privacy.
  8. The covertly collected sample from the putative perpetrator may only be subjected to an STR test to see if it matches an STR DNA profile obtained from the forensic sample.
  9. Law enforcement must report back every 30 days about the progress of the covert collection, and without good cause shown, covert collection efforts will cease after six months.
  10. Upon completion of the FIGG investigation, the participating genetic genealogist shall turn over to law enforcement all records and materials, including materials sourced from public records, family trees, and other nongenetic data.
  11. The prosecutor shall retain and disclose all FIGG records in accordance with discovery laws and the constitution but may not otherwise use or share materials.
  12. No person may disclose genetic genealogy data or FIGG profiles not authorized by court order. Such disclosure is a misdemeanor subject to imprisonment not exceeding five years or a $5,000 fine. Anyone required to destroy FIGG material and willfully fails to do so is subject to imprisonment for one year.

Defense Access

Maryland provides the defense access to FIGG testing at trial and for post-conviction relief by requiring that defense counsel and their investigators undertake all the applications and obligations required of prosecutors under the statute. There have already been several post-conviction FIGG exonerations, including Chris Tapp, whose case involved the Idaho Innocence Project and the Idaho Falls Police Department working together at the insistence of the homicide victim’s mother who came to believe Tapp was innocent. The Ricky Davis and Barry Laughman exonerations also involved FIGG analysis. Especially in the post-conviction context, there is a good reason FIGG cases may involve wrongful convictions. After all, following the protocol of the FBI Interim Policy and the Maryland statute, these cases involve someone being convicted notwithstanding an STR DNA profile on probative crime scene evidence that excluded the defendant. In such cases, false confessions, jailhouse informers, unreliable forensic science, and Brady violations have too often been the way prosecutors have gotten convictions despite exculpatory DNA results. This was true in the Tapp, Davis, and Laughman cases, and there will surely be many more. As Stephen Kramer, former FBI FIGG analyst, points out, there are 80,000 forensic DNA samples added to CODIS every year from unknown individuals and 1.3 million unknown CODIS samples altogether.

Transparency and Accountability

The Maryland legislation requires public annual reports that state the number of requests made for FIGG, the number of times the requests were granted, the number of putative perpetrators identified, the cost of the procedure, and more. This information is necessary to assess the utility and value of the method and to determine if it is being fairly employed. Once the annual reports are developed, they will undergo a panel review process. The panel includes judges, crime laboratory directors, defense attorneys, prosecutors, bioethicists, and racial justice experts. The criminal penalties, albeit misdemeanors, for willful disclosure of FIGG materials and failure to make the required destruction of FIGG information increase public confidence that sensitive genetic data are being securely handled. Private FIGG laboratories and genealogists have expressed discomfort with these provisions and would prefer civil liability. This reaction has been surprising to many criminal legal professionals who recognize that FIGG cases involve extremely serious crimes and sensitive investigations.

Searching the DTC Databases and Building Family Trees

Once judicial authorization is granted, crime laboratories will usually contract with a private lab to process the forensic sample, conduct the SNP analysis, and generate the SNP profile. FIGG relies on a fundamental principle of genetics: Close relatives will share DNA from common ancestors, and the more distant the relationship, the less DNA sharing. The laboratory and the genealogist doing the analysis must be licensed. The SNP profile will then be uploaded to a DTC database that informs its users through an “opt-in” process that law enforcement is permitted to use the site to conduct investigations or identify human remains. Currently, only three DTC companies—GEDmatch PRO, FamilyTreeDNA, and DNASolves—qualify to be searched.

Genealogists will use the centimorgans (cM), a unit of genetic measurement, to determine the length of DNA segments that are shared with potential relatives of the unknown putative perpetrator. According to 23andMe, one of the largest direct-to-consumer genealogy companies, parent-offspring relationships will share approximately 50 percent of their DNA (~3700 cM); full siblings will share about 38–61 percent of their DNA (~2826 to 4537 cM); half-offsprings, uncle/aunt-niece/nephew, and grandparent-grandchild relationships will share approximately 17–34 percent of their DNA (~1264 to 2529 cM); and so on. For more distant DNA relatives, the percentage of shared DNA and the cM length decrease.

After searching, a list of potential DNA relatives is generated and genealogists can begin building family trees using public resources, such as obituaries, birth and/or marriage certificates, or social media. The genealogical research component of FIGG is analogous to solving a complicated jigsaw puzzle. It involves many moving parts and information assemblage, which can take months to complete for the individual researcher. Recently, companies such as Indago Solutions have started using artificial intelligence tools to streamline the process. Indago uses a Software as a Service platform that relies on algorithms, probabilistic inference models, and a neural net to perform every possible combination of factors to determine potential relationships and find the most recent common ancestor of the putative perpetrator. Genealogy at its core relies on its ability to predict genetic relationships between people from nongenetic data. In addition to the speed factor, the software shields nonrelevant public match data in public documents from the end user.

The Maryland Bill as a Model

The Maryland bill embraces the FBI Interim Guidelines and incorporates them into a judicial oversight mechanism based on state and federal wiretapping statutes, a process that is fit for this purpose and well-known. The Forensic Investigative Genetic Genealogy National Technology Validation and Implementation Collaborative, a group composed of forensic scientists, crime lab directors, and genetic genealogists, published their policies and procedures guidelines in 2023 and, in addition to acknowledging the Maryland FIGG bill, most of their recommendations can be found in the bill. One inadvertent shortcoming of the Maryland legislation is that it failed to provide an adequate pathway for FIGG testing of UHR. It was an error to condition FIGG testing of UHR on producing an STR DNA profile that could be uploaded to CODIS because that is often not possible given the nature of UHR samples. In January 2024, the bill was amended to resolve this issue.


With the growing popularity of FIGG, more states, specifically Montana and Utah, are creating statutes to regulate its use. Neither statute has the comprehensive “positive law” protections that are appropriate given the sensitive, secret, and powerful information contained in SNP data as opposed to STRs. Nor do they provide an adequate mechanism for judicial oversight to access for the defense. On the horizon is the challenge posed by whole genome sequencing and SNP to SNP comparisons without using STRs as a backstop. A strong bill with potent judicial oversight to deal with the unexpected is critical. 

    Tebah Browne

    The Innocence Project

    Tebah Browne is the forensic science policy specialist at the Innocence Project.

    Barry Scheck

    The Innocence Project

    Barry Scheck is the co-founder and special counsel to the Innocence Project and a professor of law at Cardozo Law School. He was also a member of the Maryland blue-ribbon panel that addressed privacy issues surrounding genetic genealogy profiles.

    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.