The Golden State Killer Case Was Cracked with a Genealogy Web Site
The unusual manner in which the Golden State Killer case was cracked has sparked wonderment—as well as privacy concerns about how law enforcement can and does use the genetic information that consumers give up to genetic testing companies. That’s because companies generally say on their websites that a customer’s genetic information can be shared with law enforcement if demanded with a warrant.
Details about exactly what happened in the Golden State Killer investigation remain murky, but here’s what’s known: Investigators took DNA collected years ago from one of the crime scenes and submitted it in some form to one or more websites that have built up a vast database of consumer genetic information.
The results led law enforcement to the suspected killer’s distant relatives, who were presumably among the millions of consumers who have paid up and mailed in a spit kit to track down long-lost family members, learn more about their ancestry, or gauge their risk for medical conditions. That created a pool of potential suspects under the same family tree that investigators eventually narrowed down to 72-year-old former police officer Joseph James DeAngelo, the Sacramento Bee and other news outlets reported.
The lead investigator on the case, Paul Holes, told The Mercury News that his team relied most heavily on GEDmatch, a free open-source website that pools together genetic profiles uploaded by users seeking to conduct research or fill in gaps in their family trees. GEDmatch’s database can be accessed without a court order. (GEDmatch was not approached by law enforcement, the site said in a statement to users who log in.)
Holes’s comments don’t preclude the possibility that investigators may have also used commercial sites.
Three of the leading companies — 23andMe, Ancestry, and Family Tree DNA — all said they were were not involved in the Golden State Killer investigation. Motherboard reported the same thing about MyHeritage.
A spokesperson for the Sacramento County District Attorney’s office confirmed the Sacramento Bee’s reporting, but declined to answer questions about which genealogy sites were used. The DA spokesperson also wouldn’t say whether law enforcement relied on any voluntary or involuntary cooperation from the companies behind the sites.
Some sites require consumers to send in a sample of saliva or cells swabbed from inside their cheeks—something that investigators in the Golden State Killer case presumably would not have had from a decades-old crime scene. Other sites like GEDmatch, however, allow users to simply upload raw genetic data in the form of endless A’s and C’s and G’s and T’s—a process that hypothetically could have allowed investigators to get the information they needed without getting cooperation from companies.
Privacy advocates are still concerned that these companies leave the door open to sharing a customer’s genetic information with law enforcement. They say that doing so represents Orwellian state overreach and worry that customers may not realize what they’re agreeing to—or, even worse, that the imperfect technology involved puts innocent people at risk. Privacy advocates have also raised concerns about genetic testing sites that sell purportedly anonymized genetic data to third parties, typically to drug makers. Those data, they fear, could ultimately wind up in law enforcement’s hands.
All of that is a big part of why several states have put limits on how authorities can conduct familial DNA searches, or banned them entirely.
Here’s a breakdown of some of leading companies’ policies and histories when it comes to efforts by law enforcement to crack a case.
“Under certain circumstances, your information may be subject to disclosure pursuant to a judicial or other government subpoena, warrant or order, or in coordination with regulatory authorities.” — company website
The best-known company in the space has received five requests for user data, covering six different accounts, from law enforcement and other U.S. government authorities. It has complied with none of them, according to a report on the company’s website last updated in December.
23andMe has said its policy is to resist law enforcement inquiries in order to protect customer privacy, and that it has never given customer information to law enforcement officials. The company doesn’t allow users to submit genetic data processed by a third party to turn up long-lost family members in the 23andMe database.