Don't delay: Delete your DNA today

What to do now

Changes of legislation and policies

What does the ECtHR ruling change for the government and the police? Article 44 of the European Convention of Human Rights (ECHR) states that "The judgment of the Grand Chamber shall be final" and article 46 that "The High Contracting Parties undertake to abide by the final judgment of the Court in any case to which they are parties" - so the UK government can't ignore this ruling. Jack Straw confirmed in Parliament that "The judgment... goes on to suggest that distinctions should be made between the nature of offences for which samples have been taken, and discusses whether they should be time-limited and whether there should be an independent review. Those matters will be considered by my right hon. Friend the Home Secretary in consultation across Government. We have an obligation to report initially to the Council of Ministers and the Council of Europe by March."

The Joint Committee on Human Rights explained the mechanism of abiding by such rulings in its 31st report:

The UK has undertaken to give effect to the ECHR and to give effect to the judgments of the ECHR. The UK must abide by ECHR judgments by: (1) putting an end to the breach identified by the Court (the obligation of cessation); (2) preventing any further violations in the future (the obligation of non-repetition); (3) repairing the damage caused to the individual (the obligation of reparation); (4) paying to an individual applicant any award of just satisfaction made by the ECtHR (the obligation to make just satisfaction).

The obligation of cessation

The "blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences" must cease. "The Court recalls that it has found that the retention of the applicants' fingerprint and DNA data violates their rights under Article 8. In accordance with Article 46 of the Convention, it will be for the respondent State to implement, under the supervision of the Committee of Ministers, appropriate general and/or individual measures to fulfil its obligations to secure the right of the applicants and other persons in their position to respect for their private life."

Solicitor Peter Mahy, a human rights specialist at Sheffield-based Howells LLP representing Messrs S and Marper, puts it succinctly: "It will be very interesting to see how the UK government respond. The government should now start destroying the DNA records of those people who are currently on the DNA database and who are innocent of any crime." Up to one in five of the more than five million DNA profiles may have to go.

A process has to be put in place to deal with the scale of this operation. The Scottish Police Services Authority (SPSA), a non-departmental public body (NDPB), centrally handles the removals of more than 20,000 Scottish DNA records every year. Police forces in England and Wales will likely look at this model. With its role of overseeing delivery of the NDNAD Service, the NPIA should be a candidate for a similar central function. In the meantime those innocents whose DNA is on the NDNAD should request removal as explained earlier.

The retention rules will have to change too. The legislation enables the police to take and retain fingerprints and DNA samples indefinitely, but it does not compel them. Section 64 of the Police and Criminal Evidence Act 1984 (PACE) as amended by the Criminal Justice and Police Act 2001 includes:

(1A) Where - (a) fingerprints or samples are taken from a person in connection with the investigation of an offence, and (b) subsection (3) below does not require them to be destroyed, the fingerprints or samples may be retained after they have fulfilled the purposes for which they were taken but shall not be used by any person except for purposes related to the prevention or detection of crime, the investigation of an offence or the conduct of a prosecution.

The police may take samples and may retain them indefinitely, but it's up to them. The current rules were not decided by Parliament; they are established in the Retention Guidelines for Nominal Records on the Police National Computer, a document issued by the Association of Chief Police Officers (ACPO). This document also provides a template for the letter sent by chiefs of police when refusing requests for destruction of DNA records.

Chris Sims, ACPO lead on Forensics and Chief Constable of Staffordshire Police, announced: "We will study this judgment carefully and consider in detail implications which could have a profound impact on the way in which the police service makes use of DNA technology to protect the public and tackle crime... It is important to stress that the existing law on the taking and retention of DNA and fingerprints remains in place. Police will continue to take DNA from those people arrested for crimes and will investigate crimes and bring offenders before the court using DNA evidence until such time as there is a legislative change."

This statement is overly cautious - no legislative change is needed for the ACPO to change its guidelines. What must change is the retention of records and samples. Taking DNA from those arrested for a crime is not the issue. Home Office minister Vernon Coaker agreed in a Parliament debate in November that the "[ACPO retention] guidelines will need to be reviewed in the light of the outcome of the S and Marper case, and a PACE review is currently under way."

The obligation of non-repetition

The recent PACE review made it clear that PACE will be amended in line with the judgment. "The Government does not intend to make any proposals at this time in area. That is because of an outstanding case in the European Court of Human Rights... a response in respect of this area of policy will be made following consideration of the Judgement by the Court."

It is necessary for the legislation to change so that it is no longer possible for the police to create and follow policies that violate our human rights. However, effective change of current retention practices can happen much sooner with a change of policy.

The obligations of reparation and to make just satisfaction

The Court considers that "the finding of a violation, with the consequences which will ensue for the future, may be regarded as constituting sufficient just satisfaction in this respect. The Court accordingly rejects the applicants' claim for non-pecuniary damage." Hence the reparation will consist of deleting the DNA profiles and destroying the DNA samples and fingerprints of Messrs S and Marper. The government has to pay within three months, ie by March 4, the sum of €39,387 awarded by the Court in respect of costs and expenses.

The Committee of Ministers has the responsibility to monitor the measures taken by the UK to comply with the judgment. "[U]ntil the state in question has adopted satisfactory measures, the Committee of Ministers does not adopt a final resolution striking the judgment off its list of cases, and the state continues to be required to provide explanations or to take the necessary action."

Some misconceptions

Retaining DNA of a large number of individuals has not proved helpful. A GeneWatch analysis shows that when "the number of individuals with DNA profiles on the Database... doubled from 2 million to 4.5 million... there has been no corresponding increase in the number of crimes detected. The percentage of recorded crimes which involve a DNA detection has remained roughly constant at 0.36%... The Home Office recognises that the increased number of crime scene profiles added to the Database drove the increase in DNA detections."

Nothing in the ECHR ruling affects the ability of the police to take DNA samples from those they arrest during their investigations. Nor does the ruling ask for wholesale deletion of DNA records of convicted criminals, though it does note that in other Council of Europe member States "[t]he retention of DNA profiles of convicted persons is allowed, as a general rule, for limited periods of time after the conviction or after the convicted person's death. The United Kingdom thus also appears to be the only member State expressly to allow the systematic and indefinite retention of both profiles and samples of convicted persons."

The Joint Committee on Human Rights in the conclusions of its report notes "[d]elays of upwards of five years in resolving the most significant breaches of the European Convention are unacceptable unless extremely convincing justification for the delay can be provided." This only serves to reiterate that those who are innocent and on the NDNAD should not delay requesting the removal of their DNA records. ®

(The full text of the judgement is available on the British and Irish Legal Information Institute website and you can download a six-minute video of the reading of the judgment's summary from a hard-to-find page on the Council of Europe's website.)

David Mery is a technologist and writer based in London. Last year he was one of 64 who requested from the Metropolitan Police to have his DNA profile purged and DNA samples destroyed. His request was one of 18 that were deemed exceptional enough to be granted. His website is
