When investigators revealed last week that a genealogy website had played a major role in catching alleged Golden State Killer Joseph James DeAngelo, a 72-year-old former police officer, some people worried what that meant for DNA privacy.
A law enforcement photo provided by the Sacramento County Sheriff's Office shows Joseph James DeAngelo, the suspected Golden State Killer.Photo: AP Images
The Golden State Killer terrorised California in the 1970s and 1980s, killing at least a dozen people and raping many more, but the case went cold until a genealogy website allowed investigators to match crime scene DNA to what seemed to be a member of the killer's family, eventually leading them to DeAngelo.
For many, the idea that sending in spit to an ancestry DNA testing service could wind up pointing a finger at a relative as a criminal suspect was just a little unnerving.
It turned out that the site authorities had relied on most heavily was GEDmatch, which, unlike other sites such as 23andMe, is open source, meaning police could access genetic records without approaching the company for permission. Customers can upload genetic profiles from multiple services, allowing them to access a greater pool of potential relatives.
"We understand that the GEDmatch database was used to help identify the Golden State Killer," the company said in a statement to Gizmodo. "Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch's policy to inform users that the database could be used for other uses, as set forth in the Site Policy."
But today Buzzfeed reports that investigators did use a subpoena to force another DNA testing site to reveal the identity of one of its customers.
...Family Tree DNA told BuzzFeed News that its parent company, Gene by Gene, received a federal subpoena from the Eastern District of California in March 2017 asking for "limited information" about a single customer account.
The company said it didn't know if the request was related to the search for the Golden State Killer. But Paul Holes, a retired investigator with the Contra Costa County District Attorney's Office who led the team that snared DeAngelo, confirmed to BuzzFeed News that they sent the subpoena to find out the name of the person tied to a particular profile in Family Tree DNA's database.
Investigators used a site called ysearch, run by FamilyTreeDNA, to find a DNA match to the killer, but then subpoenaed the company to find out who it was. The investigators knew 67 genetic markers on the killer's Y chromosome. Eventually, ysearch returned a match for 12 of them, but one of those 12 was unusual. It was a false lead.
Investigators went back to the drawing board, creating a fake profile on GEDMatch, through which they found what seemed to be a second cousin of the killer. That, too, led to a false lead. Eventually, by searching public records for relatives of potential third or fourth cousins of the killer, they finally identified DeAngelo as the leading suspect.
If you've read the privacy policies of 23andMe or AncestryDNA, the fact that such companies could potentially hand over your DNA to law enforcement shouldn't surprise you. It's right there in the fine print.
Both companies have stated they will not hand over such data without a court order. AncestryDNA publishes law enforcement requests in its annual transparency report, and in all of 2015, 2016 and 2017, the company received no valid legal requests for genetic information. Likewise, according to 23andMe's transparency report, as of 2017, 23andMe had received five requests from government agencies for information and had complied with none.
But, as was demonstrated here, investigators can also make fake profiles containing the DNA of a suspect to see if it returns any matches.
This isn't the first criminal case in which ancestry DNA testing has been used. In 2015, after DNA evidence exonerated an innocent suspect in a 1998 murder, police in Idaho Falls combed the records of Ancestry.com for close matches to DNA at the crime scene, landing on a man who matched 34 of 35 genetic markers on the Y-chromosome that belonged to the killer. That led police to his son, but a DNA test eventually cleared his name.
Still, if investigators in that case had used a DNA test that looked at a smaller number of genetic markers, which some crime labs do, the man might have wound up matching the DNA even though he was innocent.
But even staunch genetic privacy advocates have pointed out that, when pursuing a criminal that threatens public safety, privacy isn't the only factor to consider.
"Privacy is an important good, but it's not the only good. We have to decide as a society how we're going to trade these things off," Ellen Wright Clayton, a professor of health policy at Vanderbilt University, told Gizmodo last week.
"I, like many people, think it's probably a pretty good thing that this guy got captured. Bringing people to justice is an important social cause."
But the case is a reminder that when you spit in a tube to find out about your ancestry or health or what wine you might most like, you are giving up some genetic privacy, as well as the privacy of your family members. And more guidelines are certainly needed to determine who may access our genetic data and under what circumstances.