When the Law Falls Short: How a Legal Act Can Still Be Unethical.

     Just because something is legal does not mean it is right. In the world of forensic investigative genetic genealogy (FIGG) this truth is playing out in ways that should alarm anyone who values privacy and trust. Picture this: a law-enforcement agency, determined to crack a case, quietly searches a genetic genealogy database. The database’s terms and conditions could not be clearer—law-enforcement use is strictly prohibited. And yet, under current law, nothing stops them from doing it anyway. This is not a grey area. It is a deliberate bypassing of explicit rules—rules that millions of users rely on when they share their most intimate genetic data. The law may shrug, but ethics do not. When legal power is used to sidestep consent and override clearly stated boundaries, we must ask: is this justice, or a sanctioned breach of trust?

     In a previous blog-post that considered the role of the professional genealogist in the FIGG process, attention was drawn to the fact that the Federal Bureau of Investigation (FBI) had accessed the MyHeritage genetic genealogy database to generate investigative leads that eventually led to the identification of Bryan Kohberger as a possible suspect in the killing of four university students at the University of Idaho in 2022.[1] Accessing this database was in direct contravention of the Terms of Service of MyHeritage.[2] In a voir dire prior to the trial of Kohberger, the defence, in calling into question the credibility of FIGG, attempted to have the evidence of the FIGG search excluded from the trial, arguing that, ‘… the FBI had violated an internal policy and the terms of service of one or more genealogy databases to come up with the lead that led to Kohberger.”[3] The Judge sitting in the voir dire ultimately dismissed the claims of the defence, allowing the evidence that arose from the FBI use of FIGG to be included at trial. In considering the findings of the Judge in the vior dire, it can only be assumed that, even though the FBI accessed the MyHeritage genetic genealogy database in contravention of their ‘Terms of Service,’ that access, however unethical it may have been perceived, was not unlawful. 

     The Terms of Service of the use of the MyHeritage database specifically states,

  Any use of the DNA Services for law enforcement purposes, forensic examinations, criminal investigations, “cold case” investigations, identification of unknown deceased people, location of relatives of deceased people using cadaver DNA, and/or all similar purposes, is strictly prohibited, unless a court order is obtained.[4]

     These Terms of Service are applicable to all that use the MyHeritage database, and far from seeking to be obstructive to law-enforcement, the primary role of the company in having these Terms of Service in place is to protect the privacy of their customers.[5] The fact that MyHeritage, and for that matter other genetic genealogy databases such as Ancestry, actively take steps to protect their customers privacy by protecting who has access to their customer’s DNA ‘match list’ is a major drawcard for customers using those databases. The ethical concerns of how a customer’s DNA profile is used in the services provided by a company such as MyHeritage was borne out in a study in 2025 by Hannah Marlor, Kate Randall and Aaron Opuku Amankwaa that considered whether police should use genetic genealogy databases to assist in solving crime.[6]  Marlor et. al. found that many respondents in their study expressed concerns about potential privacy issues, especially if law-enforcement was given open access to genetic genealogy databases.[7] In order to attract customers to use the services of genetic genealogy database companies, such as MyHeritage and Ancestry, these companies need to show that they have addressed the concerns of customers, especially with regard to privacy protections when customer’s DNA profiles are added to genetic genealogy databases, and especially with who has access to those profiles. In the study by Marlor et. al. it was reported that several participants in the study emphasised the need for strict regulation, accountability, and oversight of law-enforcement, and that this regulation, accountability, and oversight, could be achieved with law-enforcement investigators having to apply for a Court issued Warrant to gain access to genetic genealogy databases.[8] The fact that a court warrant is required by law-enforcement to access the MyHeritage genetic genealogy database is made quite clear in its Terms of Service.  

    So, how does the FBI access the genetic genealogy database of MyHeritage without a court warrant, to undertake a FIGG search, and that access is not deemed, in any way, to be unlawful? A possible explanation is provided by James Patterson and Vicky Ward, who, with specific reference to the Kohberger case, argue that,

The FBI can legally… [search a genetic genealogy database against its Terms of Service and without a Court Warrant]…because … there is a loophole in Justice Department policy that permits government agencies to use discretion when searching data provided to websites that do not have customers’ permission to share it.[9]

     The term ‘discretion’ is defined as ‘1. Wise conduct and management exercised without constraint; the ability coupled with the tendency to act with prudence and propriety. 2. Freedom in the exercise of judgement; the power of free decision-making.’[10] And, with this definition in mind, it should be noted that most, if not all, law-enforcement officers have a power of discretion. The use of discretion as a power to act could be as simple as a law-enforcement officer deciding to issue a warning for a traffic violation, in place of a fine. There is no law that says that a police officer must issue a fine for all traffic violations. Alternatively, as in the Kohberger case, it could mean accessing a genetic genealogy against terms of service, if that police officer believes that the discretionary power he is using, like the warning in place of a fine for a traffic violation, can be justified. Justification of discretionary action includes, but is not limited to whether the action is urgent in nature, can be justified as necessary in all the circumstances, is not an unlawful act, and is being exercised in the public interest, for the greater good of the public and public safety. The discretionary power to act is both subjective and open to being tested, but is importantly based on the beliefs of the person acting, considering all the circumstances that exist at the time the decision to act is made.   

     Being a subjective power to act, the accessing of the MyHeritage genetic genealogy database by the FBI in the Kohberger case to identify an investigative lead, was subject to testing in Court, and found by the Judge to be a lawful act. As such, the evidence of the FIGG search was deemed suitable to be admitted into evidence at trial. But could the accessing of the MyHeritage database by law-enforcement in the Kohberger case, even though lawful, be deemed unethical, as it breached the Terms of Service of the company, and allowed the FBI to search the profiles of those users that had supplied their DNA profiles to the database on the understanding that they would not be open to search by law-enforcement, without the knowledge, nor the consent of MyHeritage? Could the debate surrounding the unethical nature of the actions by law-enforcement be further swayed by the fact that the DNA profile that the FBI would have uploaded to the MyHeritage database (that being the unknown DNA obtained from the homicide crime scene) would have had to have been uploaded under a fake/false name. Whether these acts, based on the balance of probability, were necessary and urgent in the circumstances to allow a breach of trust of MyHeritage users, is, and will remain, open for speculation.

     There is no debate that law-enforcement officers need a power of discretion, especially in circumstances that are urgent and require action that, although in routine circumstances would be considered unethical, is deemed necessary to prevent someone being placed in danger, or someone being hurt. An issue arises, though, when a law-enforcement officer exercises a power of discretion in circumstances that may not be urgent or necessary in the circumstances, and is exercised more in order to obtain a quicker result. In these circumstances the conduct of the law-enforcement officer crosses that unethical line, even though the conduct is not unlawful.

     In the case of Bryan Kohberger, the four University of Idaho students that Kohberger murdered, were killed on 13 November 2022. DNA located at the crime scene on a knife sheath that investigators believed was left by Kohberger was uploaded to the Combined DNA Index System (CODIS), which unfortunately returned no matches to any DNA profiles contained within that database. As a result, and in accordance with Department of Justice Guidelines, the crime scene DNA was uploaded to Family Tree DNA and GedMatch PRO, for the purpose of Forensic Investigative Genetic Genealogy (FIGG).[11] Family Tree DNA and GedMatch PRO are the only two genetic genealogy databases law-enforcement are permitted to use for the purpose of FIGG. These two companies make no secret of that fact that they permit law-enforcement to use their databases, and customers are required to either opt-in or opt-out of permitting their individual DNA profiles to be included in FIGG searches. The crime scene DNA that was uploaded to the genetic genealogy databases of Family Tree DNA and GedMatch PRO returned matches, however, there were a very low number of matches, which made it difficult to effectively build family trees to isolate a potential suspect.[12]  As such, and on 10 December 2022, investigating police requested that this work be stopped, and a decision was made to upload the crime scene DNA profile to the MyHeritage and GedMatch genetic genealogy databases without Warrant – a direct breach of the Terms of Service of both MyHeritage and GedMatch, and in breach of the Department of Justice Guidelines for the use of FIGG. It was this action that law-enforcement claimed had been undertaken using their power of discretion.

     What needs to be considered in these circumstances is whether law-enforcement can justify their actions, which in normal circumstances, would be deemed an unethical act. The uploading of the crime scene DNA profile to MyHeritage occurred four (4) weeks after the murders. Can it be presumed that four weeks after the murders any actions taken by law-enforcement can still be deemed ‘urgent,’ and that those actions needed to be done to prevent someone else being hurt, or someone else being placed in danger? Consider that on the night of the murders, when first responders had no clear suspect for the murders, the decision was made by investigators and those in charge that there was no danger or threat to any other member of the public.[13] Is it reasonable to expect, and considering that the databases were accessed four weeks after the murders, that investigators should have applied for a Court Warrant to access the databases of MyHeritage and GedMatch, doing away with this entire debate?    

     The Kohberger case lays bare the uneasy fault line between law and ethics in the practice of FIGG. By exercising “discretion” to sidestep explicit contractual boundaries, law-enforcement acted within the law but outside the ethical framework that underpins public trust in genetic genealogy databases. The breach was not an impulsive act taken in the heat of imminent danger, but a considered choice made weeks after the murders—at a point where judicial oversight could and should have been sought.

     This highlights the central dilemma: discretion without ethical accountability risks becoming justification for convenience rather than necessity. When police powers reach into spaces where individuals have been assured protection—such as their most private genetic data—the issue ceases to be only about solving crime; it becomes about preserving public confidence in both justice and privacy. If law-enforcement agencies wish to sustain the legitimacy of FIGG as a tool for investigation, they must be held to the same standards of transparency, oversight, and consent that govern the citizens whose data they seek to use. Anything less may solve individual cases, but at the cost of eroding the trust that makes such investigative tools viable in the first place.

---

[1]     Brooke Smith, ‘Professional Genealogists and the Forensic Investigative Genetic Genealogy (FIGG) Process,’ https://allthingspolicing.com/professional-genealogists-and-the-forensic-investigative-genetic-genealogy-figg-process/, 21 July 2025, accessed 15 August 2025.

[2]     Ibid.

[3]     Michael Ruiz, ‘Bryan Kohberger case: Idaho judge unseals transcript of closed-door IGG hearing’, Fox News Channel, 24 February 2025, https://www.foxnews.com/us/bryan-kohberger-case-idaho-judge-unseals-transcript-closed-door-igg-hearing, accessed 15 August 2025.

[4]     MyHeritage, ‘MyHeritage Terms and Conditions,’ MyHeritage, https://www.myheritage.com/terms-and-conditions, updated 18 February 2025, accessed 15 August 2025.

[5]     Ibid.

[6]     Hannah Marlor, Kate Randall, Aaron Opoku Amankwaa, ‘Should the police use genetic genealogy databases to assist in solving crime? Survey among university students,’ Forensic Science International: Genetics, vol. 79, 2025, pp. 1-13.

[7]     Ibid., p. 9.

[8]     Ibid.

[9]     James Patterson and Vicky Ward, The Idaho Murders: Uncovering the Tragedy that Shocked the World, Penguin Random House, London, 2025, p. 263.

[10]   Bryan A. Garner, Black’s Law Dictionary, 10^th ed, Thomson Reuters, Minnesota, 2014, p. 565.

[11]   Patterson and Ward, The Idaho Murders, p. 263.

[12]   Ibid.

[13]   Ibid. p. 153-156.