Tuesday 19 March 2019

My input to FTDNA's Citizen Panel

Recently I was privileged to be invited to be part of FamilyTreeDNA's Citizen Panel to advise on steps to meet the privacy requirements of FTDNA's members while at the same time allowing the FTDNA database to be of service to the wider community.

FTDNA have long been leaders in the field of genetic genealogy - they were the first company to provide DNA tests aimed specifically at the genealogy community and remain the only company to provide their customers with an infrastructure for running their own DNA projects. In fact, it can be argued that without FTDNA there would have been no genetic genealogy - I certainly owe them a debt of gratitude for fostering my own emergence as a genetic genealogist. This active promotion of Citizen Science has resulted in great advances in the field of genetics, such as the ongoing characterisation of the Tree of Mankind (Y-Haplotree) and the Tree of Womankind (mitochondrial Haplotree). They were also the first company to introduce a chromosome browser and many other tools to help with the interpretation of our autosomal DNA results. They have also actively supported the community through sponsorship of scientific meetings and conferences, such as Genetic Genealogy Ireland and the DNA Lectures at Who Do You Think You Are - Live!

So it was an honour to be part of the Citizen's Panel and to help contribute to the continued leadership of this great company.

The use of Genetic Genealogy Techniques by law enforcement is just the latest in the potential applications of these techniques. We as a community have been using these same techniques for many years to help adoptees connect with their birth families, and the use by law enforcement is a further natural extension of the methodology. It also has potential applications in any mass grave situation and in the future we may see its increasing use in such circumstances (e.g. to help identify soldiers who have been killed in the field of battle, to identify victims of natural disasters, such as the California Wild Fires, to identify the children buried at the former Tuam Children's Home, etc). And the availability of public, crowd-sourced databases to help achieve these important objectives will help increase the likelihood of successful identification and positive outcomes. Recent surveys have demonstrated broad public support for the use of public DNA databases to achieve these aims, but have hinted that additional regulation may be necessary.

FTDNA are to be congratulated for their continuing leadership in this regard. They are the first of the commercial companies to recognise the power of crowd-sourced databases to achieve the Greater Good. Their revised Terms of Service and Privacy Statement address a lot of the concerns that have been raised in the ongoing debate about law enforcement access to public DNA databases and they should be commended for this latest revision. No doubt as the debate continues, and different perspectives are aired, the need to revise and refine the approach to privacy and consent will change and the Terms will evolve accordingly. This is only natural. Privacy, Consent & Data Protection are not static topics. They never were. They are ever-evolving and will continue to evolve over the course of time.

In addition, their new Law Enforcement Matching FAQs and Law Enforcement Guide are an important advance toward explaining the current situation, allaying customers' concerns, and satisfying the need for information.

So well done to FTDNA on taking the lead in addressing this issue head on and advancing the cause of the Greater Good. Hopefully, as the debate continues, additional safeguards will be identified and introduced such that any potential risks associated with the process of Law Enforcement Matching will be effectively neutralised.

Being part of the Citizen's Panel was of enormous benefit to me personally. It afforded me the opportunity to review all the many blog posts and Facebook comments that have been exchanged over the past year or so since the prime suspect in the Golden State Killer case was identified in April 2018. The advice I provided was based on my assessment and interpretation of the various perspectives and concerns aired in this ongoing debate. I hope I have captured all of them. In addition, I also have to thank my colleagues here in the UK and Ireland for our extremely fruitful ongoing discussions, partially arising out of GDPR, and many of my recommendations are based on these interchanges. In particular, I would like to thank Debbie Kennett, James Irvine, John Cleary, Donna Rutherford and Michelle Leonard whose sage advice and measured commentary have helped form my own opinions.

I found that the recommendations arising from my review incorporated a useful summary of the key issues that we as a community (and as a society) currently face. As such, I think that many people would find this very helpful in educating themselves about the issues involved and formulating their own opinions. As this is merely a summary of issues that have already been aired publicly, and as there was no requirement for a Non-Disclosure Agreement, I have appended my analysis and recommendations in their entirety below (this was an email that I sent on Feb 25th). I also believe that doing so is important as it helps promote the transparency of the Citizen's Panel (which ideally should reflect the broad range of views held by the customer base). I hope people find the advice informative (there are hyperlinks within the text) and that it is a useful contribution to the ongoing debate.

We are in exciting and uncharted territory. We are living in interesting times. The decisions we take today may have huge implications for privacy, consent, data protection, and the Greater Good. The debate is not over and will continue well into the foreseeable future. But it is very encouraging to see that FTDNA took many of my suggestions on board for their revised Terms of Service and no doubt this will be only one of many future revisions of their Terms over the coming years.

Hopefully other companies will follow suit as the situation evolves. People want to contribute to the Greater Good and there is a moral imperative to facilitate that happening. The devil is in the detail - we need to identify all potential risks and introduce sufficient (and not overly-restrictive) safeguards to minimise them. FTDNA's revised Terms of Service are a step in the right direction.

Maurice Gleeson
March 2019

FTDNA have kindly sponsored the Genetic Genealogy Ireland conference that I organise each year in Dublin & Belfast. I am very grateful for this sponsorship. They have occasionally paid part of my travel and accommodation expenses at these events.

My advice to FamilyTreeDNA as a member of the Citizen's Panel:

Feb 25th, 2019

Dear Bennett and Max

Thank you for inviting me to be part of the Citizen’s Panel. It is an honour and a privilege and I am very grateful indeed.

Let me start by saying that if it wasn’t for you both, I would not be the citizen scientist that I am today. None of us would. Without FamilyTreeDNA’s vision and the creation of an infrastructure that allows ordinary citizens to run their own DNA Projects, the genetic genealogy community as we know it today, would never have emerged. And therefore, I am acutely aware of the debt of gratitude that we owe to FTDNA as a company, to all its employees, and to the both of you in particular.

With that in mind, what follows comes from a place of deep respect for you both and I hope my honest and direct assessment serves as a useful addition to the ongoing conversation. Please feel free to pass these comments on to your legal team to help them in their exploration of the various international legal ramifications, and also to your PR consultants to help them in their efforts at damage control. My current thoughts have formed gradually over the past few months (having read the many posts and comments and blogs relating to this issue) and are likely to evolve further as the situation unfolds.

Ever since the news that the FBI were making use of the FTDNA database, I have struggled with the two default options before us for a database that allows LE (Law Enforcement) access:
  1. default opt in database, from which customers can opt out
  2. default opt out database, into which customers can opt in

1. The current situation: default “opt in”, optional “opt out” of all matching
The current situation is a default opt in database from which customers can opt out. But doing so means opting out from all matching, which for many customers was the main reason for joining the database in the first place. Some may claim that their consumer rights have been infringed by this move and may have a legitimate case for compensation. Not only might this impose a financial strain on the company, but it would be extremely bad press.

2. The new proposal: default “opt in”, optional “opt out” of LE matching
The new proposal to have a separate “opt out” option such that "Users can opt-out of Law Enforcement Matching at any time, while retaining the ability to see all of their matches” is a step toward remedying the current situation and no doubt will satisfy a lot of your customer base. But there are several major risks associated with this approach that could substantially damage the business:
  1. It will be easy to apply the revised consent process to new customers, but much more difficult to apply it to existing customers. Emails could be sent out to all customers telling them they can opt out if they want to, but many customers do not read their emails and others do not bother replying. Lack of objection to the default “opt in” cannot be interpreted as express or explicit consent. FTDNA could lock people out of their accounts until such time as they had acknowledged they are happy being opted in automatically, but a lot of people haven’t accessed their account for years so this too is not a foolproof method of confirming that people are consenting to the default opt in. 
  2. In addition, dead people will obviously not be able to re-consent, and many have not appointed beneficiaries … so do dead people have rights in this regard? Do their families? It is important that FTDNA does not appear to walk over the (perceived) rights of dead people. And in addition, this will be a particularly sensitive issue for some people with indigenous status both within the US and outside (such as the Havasupai tribe).
  3. Many Users manage kits for other people - there is no guarantee that they will consult with those people and therefore there is a real risk that some customers will be opted in for something they did not consent to. This is a major flaw in the proposed new system and FTDNA will be heavily criticised for it.
  4. The FBI only have jurisdiction in the US. They don’t have jurisdiction in Europe, the Middle East, Australia, etc. So all customers falling outside of the FBI’s jurisdiction should automatically be opted out of the "LE-only" database.
  5. There is a convincing argument that access to matches' personal data (e.g. names, email addresses, matching segment data) by LE is beyond the intention for which the database was set up and requires separate optional “opt in” consent in a similar way to consent for scientific research (see the dedicated consent processes at Ancestry & MyHeritage).
  6. This specific point is made in the Future of Privacy Forum’s Best Practice Guidelines (see section IIb on page 4). LE access clearly falls under the “incompatible secondary use” category and this would therefore require "separate express consent". (Incidentally, the fact that FTDNA has been expelled from the forum raises serious concerns in people’s minds and FTDNA will be branded in the media as "the company that does not follow Best Practice Guidelines”.)
  7. Under GDPR, there is a specific requirement to collect “freely given, specific, informed and unambiguous consent” from customers before sending them marketing emails (Article 32). The same GDPR requirements also apply when allowing LE to access the personal data (name, email, family tree) of any matches that any of the kits uploaded by LE may have. Consent must be explicitly “opt in” and cannot be “opt in” by default. This is covered in the section on consent in the Guide to GDPR and falls under section 3 of the UK’s Data Protection Act 2018. Your legal team should offer specific advice not just on the GDPR requirements in this regard, but also the requirements of the DPA 2018. Further specific information on the use of personal data by LE is available from the Information Commissioner’s Office.
  8. In the UK, the Information Commissioner's Office (ICO) is particularly sensitised to LE use of personal data following a recent investigation into the UK Police’s use of a “Gang Matrix” (consisting of suspected gang members) which was shared by the police with several different government organisations. The ICO found this to be in breach of GDPR and an Enforcement Notice was instituted against the police. If a company (such as FTDNA) were to be perceived as doing something similar, a hefty fine (of up to 20 million euro or 4% of company annual turnover) might be levied as well as an Enforcement Order. The largest fine to date is 50 million euro (against Google last month).
  9. From the discussions on Facebook, it would appear that at least one person has instituted a GDPR complaint (there may be others). There is also talk of a class action law suit. Furthermore, there are dedicated groups whose sole objective is to aggressively fight against perceived breaches of privacy and “forced consent". NOYB is one such group and they have brought successful GDPR actions against Google and Facebook … so there is a real risk that they could take similar action against FTDNA, particularly if alerted by an aggrieved customer or a competitor. Any such legal activity will tie up FTDNA in terms of time, money & resources, not to mention the damage to its public image and the opportunity cost resulting from the consequent loss of business. Thus such possible consequences are to be avoided at all costs.
  10. FTDNA is in danger of losing its EU/US Privacy Shield status by converting a genealogy database into an LE database. One of the basic principles of the Privacy Shield is data integrity and purpose limitation. The revocation of the Privacy Shield is likely to hit European recruitment hard.
  11. FTDNA relies greatly on the support of volunteer project administrators to promote the company both online and offline at various genealogy events. Those admins who disagree with the proposed opt out policy are likely to become disillusioned and withdraw their support for the company or post damaging negative comments which could impact on the company’s sales and reputation.

For these reasons the optional "opt out” system will not work. It has to be changed to an optional “opt in” with “opt out” being the default position. This move is likely to severely compromise the ability of the “LE-only” database to catch killers & rapists (something we all want to do), but we cannot set up a database for US law enforcement that is in breach of international data protection laws even if the benefits for the greater good are plainly evident to all. In fact, if the "LE-only” database is built in the wrong way, with undue haste and lack of forethought, the public will lose trust in the process and ultimately more harm than good will be done by this precipitous action. 

And FTDNA’s public image will suffer hugely. Despite the best intentions of FTDNA, it will be seen as the company that ultimately destroyed the possibility of a voluntary database that helps LE catch killers & rapists.

3. The alternative solution: default “opt out”, optional “opt in” to LE matching
If FTDNA copied the same process introduced by Gedmatch, this would be a significant advance. Consent is explicitly obtained from all new Users to “opt in” to a database that is clearly described as allowing LE access. Gedmatch has a second option for their Users, namely that those who choose to can additionally “opt out” of having LE (or anyone else for that matter) see their kit (the “Research kit only” option). Thus there is an initial informed consent obtained from each User followed by an "escape route" should they so desire. This two-step process goes a long way toward reassuring customers and building trust in the system. 

And this 2-step process could also be introduced by FTDNA. Copying the Gedmatch approach would allay a lot of fears and help restore public confidence in FTDNA. It would also potentially allow FTDNA to collaborate with Gedmatch on resolving the exact same legal issues. 

This optional “opt in” LE-only database will take a lot longer to build than a default “opt in” database, but it will be more robust and less vulnerable to attack, thus helping to ensure its survival and making it more likely that it will achieve its goals of catching violent criminals and bringing closure to victims’ families.

However, even with the alternative default “opt out” / optional “opt in” LE-only database, there remain several very significant problems: 
  1. the ongoing legal action by Maryland (and potentially other states) arguing that LE access is a breach of the 4th Amendment. The publicity of the case may be even more damaging to FTDNA (and Gedmatch) than any eventual legal decision.
  2. the inherent vulnerability of the database to exploitation by undesirable forces (see below)

4. Vulnerability of the database 
Even if a separate optional "opt in" database is created for LE use, what is to stop them from continuing to use the general database surreptitiously, in the same way the FBI were using it before FTDNA discovered them? Conceivably, the FBI (or any LE agency) could say that they will comply with the revised Terms of Service but thereafter could simply upload DNA profiles “undercover”, just like they did previously. FTDNA might not be any the wiser of this surreptitious activity. And some customers would have their personal data (name, email, etc) exposed to the FBI if any of them were a match to the undercover FBI kits. 

So this scenario begs several questions: 
  1. how can FTDNA monitor the database to ensure that any such undercover kits are either prevented from being uploaded, or are quickly identified and removed?
  2. what is the penalty for breach of the Terms of Service? Would FTDNA refuse to work with the FBI if it did not observe these Terms?

It doesn’t stop there. Any organisation could potentially gain access to the database as long as they were able to upload somebody’s DNA. The Mafia or organised crime could potentially use it to identify the families of specific individuals, perpetrate revenge attacks, or even disrupt witness protection programmes. I know this is far-fetched but you can imagine the damage to FTDNA’s reputation if it ever came to pass.

But most importantly what this demonstrates is that, in the absence of a method to prevent rogue kits from entering the database, FTDNA will never be able to 100% guarantee the confidentiality of their customers’ personal data. This would be catastrophic both legally (GDPR, etc) and from the perspective of FTDNA’s public image. This is why involving a legal team and a PR consultant is so vital. In addition, the legal team will need to consider implications not just in the US but across a variety of different legal systems across the world.

So how then can FTDNA protect itself against this type of undercover activity? One possible solution is to require that all DNA transfers from other companies have to have a cryptographic signature as proposed by Yaniv Erlich. This would clearly identify where the original DNA results had been generated and “non-permissible" kits could be rejected.

This does not address the possibility of some people trying to create a “fake” or “spoof” DNA sample, although this is more of a problem with saliva-based DNA kits. Nevertheless, in order to sustain a good reputation, FTDNA will need to take (and be very publicly seen to take) the appropriate and proportionate action to protect its customers' data. It will also need to prepare for a possible external audit, either by the relevant US authority or GDPR representative or both. 

5. Some additional suggestions

You could also add the LE access opt in / opt out feature to the Family Tree Sharing section under the Privacy & Sharing tab. This would allow people to specifically opt out of sharing their family tree with LE. And this action on your part would provide further reassurance regarding the protection of customers' data.

It will be important to add a new FAQ about Law Enforcement Matching that addresses the following questions (I am very happy to help with this):
  1. How does the process work? 
  2. Does LE need a search warrant to upload a kit? 
  3. What documentation does LE need to provide to FTDNA?
  4. Who decides whether or not to allow the LE kit into the database?
  5. What cases are allowed in?
  6. Are there plans to allow kits to be uploaded by LE agencies in other countries (e.g. UK, China, Russia)?
  7. Will customers be informed if their DNA kit comes up as a match to an LE kit?
  8. Could some FTDNA customers end up in a Witness Protection Programme? (e.g. if there is a match to a gang member, Mafia, etc)

It would be very reassuring for customers if further data protection measures could be undertaken. For example, could an internal messaging system be used rather than sharing customers' email addresses? These can easily be used to identify people and track down their home addresses (we do this with adoptees all the time). There may be other actions that could be undertaken to optimise customers’ data protection and privacy. All such actions will help reduce the risk of a GDPR complaint or a time-consuming law suit … and will maximise the public perception that FTDNA is “doing the right thing” by its customers.

Customers will need reassurance that all potential risks have been considered, that the probability of each risk is low, and that (nevertheless) steps have been taken to minimise each of them. Separate FAQs will need to be developed for each one and I am very happy to help with the wording for these. Here are a few examples of the sort of concerns that customers have expressed on Facebook and other social media:
  1. What is the risk of wrongful targeting, arrest, conviction, imprisonment, and the death penalty? This is a particular concern among the African American community where the historical relationship with law enforcement has not been good. The Innocence Project has helped exonerate 350 people, 20 of whom were on death row, so the risk of wrongful targeting is very real and needs to be comprehensively addressed in order to regain customer confidence.
  2. Concerns have also been raised about the possible misuse of customers’ data if it fell into the wrong hands. Traditionally the main fear was insurance companies, but more recently people are discussing what would happen if totalitarian regimes or dictators got hold of our DNA? This is one of the reasons why DNA testing never took off in Germany. People have also raised concerns about the fact that China has surreptitiously tested 50 million people, and Middle Eastern customers have been concerned about the situation in Kuwait where (in 2017) the Supreme Court had to overturn legislation introduced by the government requiring all citizens and visitors to undergo DNA testing. The public needs to be reassured about the safeguards that are in place to prevent this type of misuse in the future.
  3. Will LE kits be easy to recognise by other customers? Is there a risk that a match to these kits will expose it publicly, or start “working the case”, alert potential perpetrators, put the genetic informant at risk, etc? How could such risks be mitigated, minimised, or neutralised? Ideally LE kits should be hidden from public view (like the "Research kit only option" at Gedmatch).

I hope you find these suggestions helpful. I’m sure other thoughts will emerge in due course. 

And thank you once again for allowing me the opportunity to share these thoughts with you both. FTDNA has a very strong presence in the UK and Ireland and I would not want to see this significant British & Irish database compromised. We recently returned from a very successful meeting in Belfast where Martin McDowell (Admin of the North of Ireland Project) presented on how most of his close matches are in the FTDNA database, thanks to the tenacious efforts that have been made to recruit Irish people, at both the Dublin & Belfast conferences, but also by the many Irish DNA projects and via the DNA Outreach Ireland network of volunteers that have worked hard on FTDNA’s behalf these past 6 years. We have built incredible momentum for FTDNA in Britain & Ireland and it would be a great shame to see this damaged in any way.

Looking forward to helping out in any way I can.

Warm regards

Dr Maurice Gleeson MB 
Genetic Genealogist
Education Ambassador, ISOGG