Ancestry.com rejected a police warrant to access user DNA records on a technicality

Zack Whittaker
This illustration picture shows a saliva collection kit for DNA testing displayed in Washington DC on December 19, 2018. - Between 2015 and 2018, sales of DNA test kits boomed in the United States and allowed websites to build a critical mass of DNA profiles. The four DNA websites that offer match services -- Ancestry, 23andMe, Family Tree DNA, My Heritage -- today have so many users that it is rare for someone not to find at least one distant relative. (Photo by Eric BARADAT / AFP) (Photo credit should read ERIC BARADAT/AFP via Getty Images)

DNA profiling company Ancestry.com has narrowly avoided complying with a search warrant in Pennsylvania after a search warrant was rejected on technical grounds, a move that is likely to help law enforcement refine their efforts to obtain user information despite the company's efforts to keep the data private.

Little is known about the demands of the search warrant, only that a court in Pennsylvania approved law enforcement to "seek access" to Utah-based Ancestry.com's database of more than 15 million DNA profiles.

TechCrunch was not able to identify the search warrant or its associated court case, which was first reported by BuzzFeed News on Monday. But it's not uncommon for criminal cases still in the early stages of gathering evidence to remain under seal and hidden from public records until a suspect is apprehended.

DNA profiling companies like Ancestry.com are increasingly popular with customers hoping to build up family trees by discovering new family members and better understanding their cultural and ethnic backgrounds. But these companies are also ripe for picking by law enforcement, which want access to genetic databases to try to solve crimes from DNA left at crime scenes.

In an email to TechCrunch, the company confirmed that the warrant was "improperly served" on the company and was flatly rejected.

"We did not provide any access or customer data in response," said spokesperson Gina Spatafore. "Ancestry has not received any follow-up from law enforcement on this matter."

Ancestry.com, the largest of the DNA profiling companies, would not go into specifics, but the company's transparency report said it rejected the warrant on "jurisdictional grounds."

"I would guess it was just an out of state warrant that has no legal effect on Ancestry.com in its home state," said Orin S. Kerr, law professor at the University of California, Berkeley, in an email to TechCrunch. "Warrants normally are only binding within the state in which they are issued, so a warrant for Ancestry.com issued in a different state has no legal effect," he added.

But the rejection is likely to only stir tensions between police and the DNA profiling services over access to the data they store.

Ancestry.com's Spatafore said it would "always advocate for our customers’ privacy and seek to narrow the scope of any compelled disclosure, or even eliminate it entirely." It's a sentiment shared by 23andMe, another DNA profiling company, which last year said that it had "successfully challenged" all of its seven legal demands, and as a result has "never turned over any customer data to law enforcement."

The statements were in response to criticism that rival GEDmatch had controversially allowed law enforcement to search its database of more than a million records. The decision to allow in law enforcement was later revealed as crucial in helping to catch the notorious Golden Gate Killer, one of the most prolific murderers in U.S. history.

But the move was widely panned by privacy advocates for accepting a warrant to search its database without exhausting its legal options.

It's not uncommon for companies to receive law enforcement demands for user data. Most tech giants, like Apple, Facebook, Google and Microsoft, publish transparency reports detailing the number of legal demands and orders they receive for user data each year or half-year.

Although both Ancestry.com and 23andMe provide transparency reports, detailing the amount of law enforcement demands for user data they receive, not all are as forthcoming. GEDmatch still does not publish its data demand figures, nor does MyHeritage, which said it "does not cooperate" with law enforcement. FamilyTreeDNA said it was "working" on publishing a transparency report.

But as police continue to demand data from DNA profiling and genealogy companies, they risk turning customers away — a lose-lose for both police and the companies.

Vera Eidelman, staff attorney with the ACLU’s Speech, Privacy, and Technology Project, said it would be "alarming" if law enforcement were able to get access to these databases containing millions of people's information.

"Ancestry did the right thing in pushing back against the government request, and other companies should follow suit," said Eidelman.

A popular genealogy website just helped solve a serial killer cold case in Oregon