Investigators in California revealed Thursday that they were able to track down and arrest Joseph James DeAngelo, the suspected Golden State Killer, using genetic information provided to genealogical websites, creating new and troubling concerns about how personal data is handled by the services.
Steve Grippi, the chief deputy district attorney at the Sacramento County District Attorney’s Office, said law enforcement used DNA samples collected from crime scenes to create a genetic profile of the suspect. It then combed over online family trees, searching for relatives of the Golden State Killer, according to the Sacramento Bee.
“We found a person that was the right age and lived in this area, and that was Mr. DeAngelo,” Grippi said, according to The New York Times.
Sacramento County District Attorney Anne Marie Schubert described the DNA samples from DeAngelo as “abandoned,” stating when a person leaves their DNA in a place that it becomes “public domain” and is free to be used by law enforcement.
“He was totally off the radar till just a week ago, and it was a lead they got, somehow they got information and through checking family or descendants—it was pretty complicated the way they did it—they were able to get him on the radar,” Ray Biondi, a former lieutenant in the Sacramento County Sheriff’s Department homicide bureau, told the New York Times.
The novel method for tracking down the killer proved successful and appears to have resulted in the arrest of a man who is believed to be responsible for at least 12 murders and 50 rapes between 1976 and 1986. However, it presents some privacy concerns regarding genealogical information collected to gene testing services.
DNA tests have grown increasingly popular in recent years and have put a significant amount of genealogical data into the hands of the companies that operate the services. 23andMe reports processing the DNA of more than five million customers, while Ancestry.com says it has received DNA tests from more than 10 million people.
That information is of interest to law enforcement agencies, as many of the private databases of genealogical data can prove to be quite comprehensive. According to the Electronic Frontier Foundation, the services create DNA profiles that include YSTR and mtDNA, the genetic markers that determine patrilineal and matrilineal relationships. Most state and federal DNA databases do not store that information.
Both Ancestry.com and 23andMe can and will provide information to law enforcement, and both companies provide guides for agencies looking to access data, though 23andMe said it is the company’s policy to resist such requests. Users consent to the possibility that their information may be surrendered to law enforcement when they use the services—though some may object to that if they were made more aware of the possibility.
“Reminder: When you give your DNA data to companies like Ancestry.com or 23andMe, you give up not only your own genetic privacy, but that of your entire family,” Tiffany Li, a tech lawyer and Resident Fellow a the Yale Information Society Project, tweeted.
What is more worrying about this case in particular is the apparent ability of law enforcement to create a genetic profile for someone by using DNA they have collected from public spaces. Such methods would seem to bypass the standard requirement to issue a subpoena or acquire a search warrant to access data from the online services and could result in police accessing information from someone without their explicit consent.
So far, the major players in commercial DNA tests have all denied any involvement in helping law enforcement track down the Golden State Killer. The New York Times reported representatives at 23andMe denied working with police on the case. Sarah Emerson at Motherboard tweeted that Ancestry.com issued a similar denial, as did MyHeritage.
Most of these services extract genetic profiles from customers by collecting saliva samples. It seems unlikely that the police would be able to submit a sample suitable enough to create a profile for these services, but they were clearly able to create a similar profile through some means. Sacramento’s District Attorney’s Office declined to disclose what services it used to track down the genealogy of the Golden State Killer.
There’s likely no heartbreak in learning that a notorious criminal is behind bars, but the case is a good reminder to be careful what information you share and who you share it with. Genealogy sites are mostly self-regulated, often inaccurate, and can share your genetic information with anyone from law enforcement to advertisers. Keep that in mind before sending off your tube of saliva.
Update, April 27, 5:10pm: A spokesperson from 23andMe provided Gizmodo with the following statement:
It has always been our policy to resist all law enforcement inquiries to protect customer privacy. 23andMe has never given customer information to law enforcement officials. Our platform is private, and does not support the comparison of genetic data processed by any third party to genetic profiles within our database. Further, we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access.