The Golden State Killer case was cracked with a genealogy website. What does that mean for genetic privacy?
The identity of one of California’s most notorious serial killers had been a mystery for decades until law enforcement arrested a suspect. Investigators revealed on that they made the breakthrough using a remarkable tool: A genealogy website.
The unusual manner in which the Golden State Killer case was cracked has sparked wonderment—as well as privacy concerns about how law enforcement can and does use the genetic information that consumers give up to genetic testing companies. That’s because companies generally say on their websites that a customer’s genetic information can be shared with law enforcement if demanded with a warrant.
Details about exactly what happened in the Golden State Killer investigation remain murky, but here’s what’s known: Investigators took DNA collected years ago from one of the crime scenes and submitted it in some form to one or more websites that have built up a vast database of consumer genetic information.
The results led law enforcement to the suspected killer’s distant relatives, who were presumably among the millions of consumers who have paid up and mailed in a spit kit to track down long-lost family members, learn more about their ancestry, or gauge their risk for medical conditions.
That created a pool of potential suspects under the same family tree that investigators eventually narrowed down to 72-year-old former police officer Joseph James DeAngelo, the Sacramento Bee and other news outlets reported.
The lead investigator on the case, Paul Holes, told The Mercury News that his team relied most heavily on GEDmatch, a free open-source website that pools together genetic profiles uploaded by users seeking to conduct research or fill in gaps in their family trees. GEDmatch’s database can be accessed without a court order.
Holes’s comments don’t preclude the possibility that investigators may have also used commercial sites.
Three of the leading companies—23andMe, Ancestry, and Family Tree DNA—all said they were not involved in the Golden State Killer investigation. Motherboard reported the same thing about MyHeritage.
Some sites require consumers to send in a sample of saliva or cells swabbed from inside their cheeks—something that investigators in the Golden State Killer case presumably would not have had from a decades-old crime scene. Other sites like GEDmatch, however, allow users to simply upload raw genetic data in the form of endless A’s and C’s and G’s and T’s—a process that hypothetically could have allowed investigators to get the information they needed without getting cooperation from companies.
Privacy advocates are still concerned that these companies leave the door open to sharing a customer’s genetic information with law enforcement. They say that doing so represents Orwellian state overreach and worry that customers may not realize what they’re agreeing to—or, even worse, that the imperfect technology involved puts innocent people at risk.
Privacy advocates have also raised concerns about genetic testing sites that sell purportedly anonymized genetic data to third parties, typically to drug makers. Those data, they fear, could ultimately wind up in law enforcement’s hands.
All of that is a big part of why several states have put limits on how authorities can conduct familial DNA searches, or banned them entirely.
In the message to posted users following the breakthrough in the Golden State Killer case, the site said: “It is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes.”
And the site’s privacy policy urges anyone requiring “absolute privacy and security” not to upload their genetic data in the first place.