April 28, 2018

6 min read

The Golden State Killer Case Was Cracked with a Genealogy Web Site

Law enforcement’s use of an open-source DNA ancestry database raises questions about genetic privacy

By Rebecca Robbins & STAT

Andrew Brookes Getty Images

The identity of one of California’s most notorious serial killers had been a mystery for decades—until this week, when law enforcement arrested a suspect. Investigators revealed on Thursday that they made the breakthrough using a remarkable tool: a genealogy website.

The unusual manner in which the Golden State Killer case was cracked has sparked wonderment—as well as privacy concerns about how law enforcement can and does use the genetic information that consumers give up to genetic testing companies. That’s because companies generally say on their websites that a customer’s genetic information can be shared with law enforcement if demanded with a warrant.

Details about exactly what happened in the Golden State Killer investigation remain murky, but here’s what’s known: Investigators took DNA collected years ago from one of the crime scenes and submitted it in some form to one or more websites that have built up a vast database of consumer genetic information.

On supporting science journalism

If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.

The results led law enforcement to the suspected killer’s distant relatives, who were presumably among the millions of consumers who have paid up and mailed in a spit kit to track down long-lost family members, learn more about their ancestry, or gauge their risk for medical conditions. That created a pool of potential suspects under the same family tree that investigators eventually narrowed down to 72-year-old former police officer Joseph James DeAngelo, the Sacramento Bee and other news outlets reported.

The lead investigator on the case, Paul Holes, told The Mercury News that his team relied most heavily on GEDmatch, a free open-source website that pools together genetic profiles uploaded by users seeking to conduct research or fill in gaps in their family trees. GEDmatch’s database can be accessed without a court order. (GEDmatch was not approached by law enforcement, the site said in a statement to users who log in.)

Holes’s comments don’t preclude the possibility that investigators may have also used commercial sites.

Three of the leading companies — 23andMe, Ancestry, and Family Tree DNA — all said they were were not involved in the Golden State Killer investigation. Motherboard reported the same thing about MyHeritage.

A spokesperson for the Sacramento County District Attorney’s office confirmed the Sacramento Bee’s reporting, but declined to answer questions about which genealogy sites were used. The DA spokesperson also wouldn’t say whether law enforcement relied on any voluntary or involuntary cooperation from the companies behind the sites.

Some sites require consumers to send in a sample of saliva or cells swabbed from inside their cheeks—something that investigators in the Golden State Killer case presumably would not have had from a decades-old crime scene. Other sites like GEDmatch, however, allow users to simply upload raw genetic data in the form of endless A’s and C’s and G’s and T’s—a process that hypothetically could have allowed investigators to get the information they needed without getting cooperation from companies.

Privacy advocates are still concerned that these companies leave the door open to sharing a customer’s genetic information with law enforcement. They say that doing so represents Orwellian state overreach and worry that customers may not realize what they’re agreeing to—or, even worse, that the imperfect technology involved puts innocent people at risk. Privacy advocates have also raised concerns about genetic testing sites that sell purportedly anonymized genetic data to third parties, typically to drug makers. Those data, they fear, could ultimately wind up in law enforcement’s hands.

All of that is a big part of why several states have put limits on how authorities can conduct familial DNA searches, or banned them entirely.

Here’s a breakdown of some of leading companies’ policies and histories when it comes to efforts by law enforcement to crack a case.

23andMe

“Under certain circumstances, your information may be subject to disclosure pursuant to a judicial or other government subpoena, warrant or order, or in coordination with regulatory authorities.” — company website

The best-known company in the space has received five requests for user data, covering six different accounts, from law enforcement and other U.S. government authorities. It has complied with none of them, according to a report on the company’s website last updated in December.

23andMe has said its policy is to resist law enforcement inquiries in order to protect customer privacy, and that it has never given customer information to law enforcement officials. The company doesn’t allow users to submit genetic data processed by a third party to turn up long-lost family members in the 23andMe database.

Ancestry

“We may share your Personal Information if we believe it is reasonably necessary to … comply with valid legal process (e.g., subpoenas, warrants).”— company website

In a remarkable 2014 incident, Ancestry revealed to police the identity linked to a DNA sample to comply with a search warrant.

The case involved the 1996 rape and murder of an 18-year-old woman. One killer was convicted and sentenced to life in prison in 1998, but the police department in Idaho Falls, Idaho, still believed there was another person involved. Police came to Ancestry demanding the name of a person that matched the DNA, but the information that the company provided ultimately did not produce a match. (That information came from a publicly available database that Ancestry has since shuttered.)

Since then, Ancestry has said it received no legal requests for genetic information that it deemed valid in 2015, 2016, and 2017, and therefore did not disclose any such information to law enforcement.

In 2017, the company received 34 law enforcement requests for non-genetic user information that it deemed valid. It provided information in response to 31 of those 34 requests, all of which involved investigations into credit card misuse and identity theft, according to a company report.

Family Tree DNA

“We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.” — company website

The company’s database played a key role leading to the 2015 arrest of a murder suspect in Phoenix.

An independent genealogy consultant assisted police with their investigation by using a suspected killer’s DNA profile to tap at least one database. She wrote in a 2014 email that only Family Tree DNA had a particular marker test from a certain region in the profile, according to public records first reported by the Arizona Republic. The genealogist ultimately helped turn up the suspect’s last name, prompting authorities to look closer.

MyHeritage

“MyHeritage will not disclose any of your personal information except … if required by law, regulatory authorities, legal process or to protect the rights or property of MyHeritage or other users.” — company website

MyHeritage is among the sites that allow users to upload DNA data processed by another company or provider. That service, of course, is meant only for people uploading their own personal DNA data—not authorities looking to nab a criminal.

GEDmatch

“While the results presented on this site are intended solely for genealogical research, we are unable to guarantee that users will not find other uses.” — company website

Unlike most of the other leading sites, GEDmatch doesn’t run a business that charges customers for processing a spit kit or cheek swab and uploading the genetic profile into the company database. The site identified as key to cracking the Golden State Killer case is essentially run by users and volunteers. And although the ostensible purpose of the site is for researchers and family historians to draw comparisons and find leads, there are few protections against law enforcement or other third parties from using the pooled data however they please.

In the message to posted users following the breakthrough in the Golden State Killer case, the site said: “It is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes.”

And the site’s privacy policy urges anyone requiring “absolute privacy and security” not to upload their genetic data in the first place. “If you already have it here,” the site warns, “please delete it.”

Correction: This article has been updated to reflect that, in a 2014 incident, Ancestry provided police with the identity linked to a DNA sample.

Republished with permission from STAT. This article originally appeared on April 26, 2018

More by Rebecca Robbins

STAT delivers fast, deep, and tough-minded journalism. We take you inside science labs and hospitals, biotech boardrooms, and political backrooms. We dissect crucial discoveries. We examine controversies and puncture hype. We hold individuals and institutions accountable. We introduce you to the power brokers and personalities who are driving a revolution in human health. These are the stories that matter to us all.

More by STAT