"If you build it, they will come," the famous mantra from Field of Dreams, is a line that data-based businesses should keep in mind as they amass information about customers. At some point, that data is going to be valuable in a legal matter and lawyers or police officers are going to come knocking, wanting to get access to it.
Last week, I wrote about companies like 23andMe and Ancestry.com—that collect DNA from their customers for health and genealogy tests—getting requests from police and federal agencies hoping to tie a customer (or his or her family member) to a crime. 23andMe, which hired its first privacy officer in February, told me it would be launching a transparency report within a month or two about government requests for information it received. But the report is live now, just a week later.
So far 23andMe, which has over a million customers and launched its genetic test in 2008, has received 4 requests from U.S. state law enforcement agencies and the FBI. The company says the requests affected five of its users, but that the company was able to deny the requests.
But wow. That indicates that five of 23andMe's customers were considered genetically relevant to a criminal investigation, whether it was the customer himself or herself, or a relative.
If 23andMe did have to turn over a customer's DNA, "we will notify the affected customer through the contact information provided to us, unless doing so would violate the law or a court order," 23andMe privacy officer Kate Black told me by email last week. The company's transparency report will be updated quarterly.
"The Transparency Report represents our dedication to being forthcoming with our customers and doing everything we can to protect customer information," said Black by email. "We have not released any customer information to law enforcement, and I'm personally committed to keeping it that way."
Transparency reports have traditionally been produced by technology companies, like Google, Facebook, and Verizon, to whom police turn when they want information about how people communicate and find information. It's novel to see a transparency report from a health tech company.
Privacy advocates had predicted for years that police, who have traditionally had access to a national genetic database of convicted criminals and arrestees, might start trawling through private genetic databases in order to make genetic matches with people who have never had run-ins with the law. But it's still surprising that people who handed genetic samples over for reasons of health or curiosity would have them repurposed for criminal genetic line-ups. And thanks to the practice of familial genetic searches, they put not just themselves in a line-up but anyone related to them.
Civil liberties groups have called for laws that would prohibit the use of private genetic databases for law enforcement purposes, but until one comes into existence, the only thing standing between police and the spit you send to a private DNA company is the company's lawyers. So far, 23andMe's lawyers have won that battle.
*Updated with comment from 23andMe privacy officer Kate Black.