The identity of the Golden State Killer, a notorious serial killer who terrorized California in the 1970s and 1980s, evaded police for decades. The case went cold. Then, recently, investigators got a major break: A match for what seemed to be a close relative of the killer, uploaded onto a genealogy website. Investigators scoured the relative’s family tree for potential suspects. Eventually, they landed on Joseph James DeAngelo, a 72-year-old former police officer who lived near many of the crime scenes. DeAngelo was arrested outside his home Tuesday on two charges of murder in the 1978 slayings of Katie and Brian Maggiore in Rancho Cordova.
The remarkable way that investigators say they cracked the 44-year-old case has sparked a conversation about the privacy you give up when you spit in a tube and mail away your DNA to companies like 23andMe or AncestryDNA to find out about your heritage—as the Golden State Killer case makes clear, you’re giving up your privacy, but also the privacy of those related to you.
So far, the Sacramento County District Attorney’s office has been mum on details of how it obtained the relative’s DNA profile, how it accessed the genealogy database, and which genealogy database investigators used. (The DA’s office has not yet responded to our request for comment.) However, the lead investigator told the Mercury News that his team’s primary tool was GEDmatch, an ancestry profile in which raw genetic data is shared publicly, making no court order necessary.
GEDmatch said in a statement provided to Gizmodo: “We understand that the GEDmatch database was used to help identify the Golden State Killer. Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses, as set forth in the Site Policy.”
Both Ancestry and 23andMe told Gizmodo they were not approached by law enforcement in the Golden State Killer case. However, if you’ve read the privacy policies of 23andMe or AncestryDNA, that such companies could potentially hand over your DNA to law enforcement shouldn’t surprise you. It’s right there in the fine print. As Ancestry puts it: “AncestryDNA will never disclose your Data to insurance providers, employers or law enforcement (unless compelled by valid legal process).” The emphasis, of course, is on that last part.
Law enforcement could obtain a court order compelling companies including 23andMe and AncestryDNA to fork over access to their genetic databases. They could also potentially make fake profiles containing the DNA of a suspect and see if it returned any matches.
This isn’t the first case in which ancestry DNA testing has been used to nab a suspect. Another case illustrates how the use of such DNA evidence can go terribly awry. In 2015, after DNA evidence exonerated an innocent suspect in a 1998 murder, police in Idaho Falls combed the records of Ancestry.com for close matches to DNA at the crime scene, landing on a man named Michael Usry who matched 34 of 35 genetic markers on the Y-chromosome that belonged to the killer. Police wound up arresting Usry’s son, whose name was only cleared after 33 days when another DNA test found he wasn’t a match. The privacy lesson here is explicit: When you send your DNA away to find out whether you’re Scandinavian or Italian, you can wind up incriminating your relatives for crimes they didn’t commit. In the time of the viral web, such false accusations have the potential to cause real harm, even if the name of an innocent suspect is officially cleared.
Such methods of criminal investigation are bound to only become more prevalent as companies’ DNA databases, like Ancestry’s, swell. Some laws do protect against abuses of genetic privacy, but none of those prevent law enforcement from combing through Ancestry’s DNA database to solve a murder.
Some states, including California, do have strict guidelines that prevent cops from pursuing unlikely familial search matches, but those guidelines pertain to searching criminal DNA databases for familial DNA matches. (Such tactics helped pin another California killer, the Grim Sleeper, in 2010.)
It is important, said Greg Hampikian, a Boise State University professor, director of the Idaho Innocence Project, and expert in forensic DNA, to distinguish between familial searches of criminal DNA databases and genealogical searches of the broader public.
But Hampikian argues that before we all erupt in outrage over the violations of privacy that led to nabbing a suspect in a cold case, we should consider everything at stake.
“It’s always creepy when the police investigate people close to you, but you have to ask, who is hurt and who benefits?” he told Gizmodo. “This is such an obvious way to solve a crime when you have a string of rapes or murders. You have to try.”
Ellen Wright Clayton, professor of health policy at Vanderbilt University and a staunch advocate for genetic privacy, echoed his sentiments.
“Privacy is an important good, but it’s not the only good. We have to decide as a society how we’re going to trade these things off,” she told Gizmodo. “I, like many people, think it’s probably a pretty good thing that this guy got captured. Bringing people to justice is an important social cause.”
Clayton also pointed out that because the criminal databases typically used in familial searches often include a disproportionate number of people of color compared to the overall population, searching commercial databases may actually be less discriminatory.
“There’s been a debate for quite a while about familial searching. It’s using forensic databases, which heavily oversample minorities,” she said. “I suspect this is a different demographic.”
Hampikian also stressed that combing through genealogy databases to hunt for criminals is unlikely to become a norm any time soon.
“These are exceptional cases where the public safety is a critical issue,” he said. “I don’t think this will be the usual procedure for cases.”
Data indicates that, at least in the past, such law enforcement tactics have been unusual. Ancestry publishes law enforcement requests in its annual transparency report, and in all of 2015, 2016, and 2017 the company received no valid legal requests for genetic information.
“Ancestry advocates for its members’ privacy and will not share any information with law enforcement unless compelled to by valid legal process,” an Ancestry spokesperson said.
Still, the case does bring to the forefront other important facets of genetic privacy. As Tiffany Li, a tech lawyer and resident fellow at the Yale Information Society Project, tweeted in response to the Golden State Killer news, “Reminder: When you give your DNA data to companies like Ancestry.com or 23andMe, you give up not only your own genetic privacy, but that of your entire family.” And while law enforcement may not be able to get its hands on your Ancestry data easily, for example, certain types of insurers could, as could hackers.
Ultimately, police use of non-criminal genetics databases highlights a need for standards for genealogical searches in relation to crimes. In the Idaho Falls case, for example, if investigators had used a DNA test that looked at a smaller number of genetic markers, which some crime labs do, Usry might have wound up matching the DNA even though he was innocent. Guidelines for when police may turn to genealogical searches and the quality of DNA evidence they use could ensure that innocent lives are less likely to get caught up in the fray.
Above all else, the Golden State Killer makes this clear: When you spit in a tube to find out about your genetic heritage, a lot more is at stake than whether or not you’ve got Irish DNA.