Privacy concerns after public DNA used to ID “Golden State Killer”

SACRAMENTO, Calif. — Investigators have revealed they used a public genealogical DNA database to find the ex-policeman they believe is a shadowy serial killer and rapist who terrified California decades ago, calling the technique groundbreaking. But the site’s co-founder said he has privacy concerns after learning that law enforcement used the site and insists that his company does not “hand out data.” 

Joseph James DeAngelo, 72, was arrested Tuesday after investigators matched crime-scene DNA with genetic material stored by a distant relative in the online database GEDMatch. From there, they narrowed it down to the Sacramento-area grandfather using DNA obtained from material he’d discarded, police said.

Paul Holes, the lead investigator on the case, told the Mercury News in San Jose, California, that the investigative team used GEDMatch, a Florida-based website that pools DNA profiles that people upload and share publicly.

GEDMatch is a free site where users who have obtained DNA profiles from commercial companies such as Ancestry.com and 23andMe can upload them to expand their search for relatives. Ancestry.com and 23andMe said Thursday that they weren’t involved in the case. Major for-profit companies do not allow law enforcement to access their genetic data unless they get a court order.

Holes said officials did not need a court order to access GEDMatch’s database of genetic blueprints.

Holes, a cold case expert and retired Contra Costa County District Attorney inspector, said GEDMatch was his team’s biggest tool. Investigators have over the years developed DNA profiles of the then-unidentified “Golden State Killer” suspect from crime scenes, but no matches came up on federal criminal DNA databases, so they turned to the “open-source” database, reports the Mercury News.

GEDMatch is one of the databases used by the DNA Doe project, a non-profit that works to name the deceased who remain unidentified. Most recently, the DNA Doe project was hailed for its work with Ohio authorities to use a public genealogy DNA database to identify “Buckskin Girl,” an unidentified murder victim found with a distinctive Buckskin jacket near an Ohio roadway in 1981, as 21-year-old Marcia King of Arkansas. 

Dr. Elizabeth Murray, a forensic anthropologist with Mount St. Joseph University in Cincinnati, hailed the work done through the DNA Doe Project to apply genetic genealogy to the identification of unknown persons as “groundbreaking.” Murray, who has worked on more than 30 Ohio cold cases, started working with the DNA Doe project when she met the founders at a conference last year.

“This is not your run of the mill ‘DNA solves unidentified person,'” said Murray at a press conference announcing the identification this month. “I think you’ll hear today that this is really some revolutionary and groundbreaking work.”

But there are privacy concerns as well.

Law enforcement in several states are authorized to search criminal DNA databases for relative matches on unknown suspect DNA profiles. Some jurisdictions use “familial searching” on federal databases like the FBI’s CODIS, which contains DNA of criminals. Familial DNA searching has made inroads in some U.S. states and other countries in the last decade, leading to high-profile arrests, but has also caused controversy amid civil-liberties qualms. Critics view the technique as a DNA dragnet that can single out otherwise law-abiding people for scrutiny because of family ties.

Familial searching of criminal DNA databases is subject to restrictions, but when it comes to a public database like GEDMatch, “the police officer’s ability to throw some information into a public database like this is wholly unregulated,” Erin Murphy, a law professor at New York University Law School, told The Atlantic.

While people may not realize police can use public genealogy websites to solve crimes, it is probably legal, Murphy told the Associated Press.

“It seems crazy to say a police officer investigating a very serious crime can’t do something your cousin can do on a Tuesday,” Murphy said. “If an ordinary person can do this, why can’t a cop? On the other hand, if an ordinary person had done this, we might think they shouldn’t.”

In 2017, “48 Hours” investigated a case in which a public DNA database pointed police in Idaho to a New Orleans filmmaker in the 1996 murder of Angie Dodge. Idaho Falls Police obtained a court order to obtain the identity of the person who submitted a profile — which was a “partial” match to their suspect DNA profile — from Ancestry.com, which had acquired the database. Police honed in on the filmmaker — the son of the man they identified — as a possible suspect, but when they obtained a DNA sample from him, he was cleared.

The story raised serious questions about what happens when police use publicly available DNA databases to solve cases – and what happens when an innocent man is tagged as a suspect.

There are not strong privacy laws to keep police from trolling ancestry databases, said Steve Mercer, the chief attorney for the forensic division of the Maryland Office of the Public Defender.  It’s not clear whether people who use public DNA databases like GEDMatch fully understand that it’s possible their DNA could later be used to incriminate a relative. 

Private genealogy companies are quick to point out that they don’t share their clients’ information with law enforcement unless they are subject to a court order, which is rare, reports the Mercury News. A 23andMe spokesman told the paper: “Broadly speaking, it’s our policy to resist law enforcement inquiries to protect customer privacy. 23andMe has never given customer information to law enforcement officials.”

An Ancestry spokesman gave a similar statement to the paper: “Ancestry advocates for its members’ privacy and will not share any information with law enforcement unless compelled to by valid legal process.”

Neither company was approached by law enforcement about the Golden State Killer case, the paper reports. Nor, however, was GEDMatch, according to a company statement; but the website is free and available for all to use.

“This was done without our knowledge, and it’s been overwhelming,” Curtis Rogers told The Associated Press.  

In a statement released to Friday, GEDMatch says it makes clear to users that the genetic information they upload, while primarily used for the purpose of finding relatives, isn’t private.

“We understand that the GEDmatch database was used to help identify the Golden State Killer,” GEDmatch operator Curtis Rogers said in a statement released to the paper. “Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses, as set forth in the Site Policy … While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes.”

Rogers reportedly said users who have concerns their profiles may be used for “non-genealogical uses” should remove it from the site or refrain from uploading it.

DNA Doe Project co-founder Margaret Press, a genetic genealogist, told the Atlantic that the use of this technology is “going be debated for a very long time in law and forensics and genealogy and everywhere you can imagine.”