New technologies are radically advancing our freedoms, but they are also enabling unparalleled invasions of privacy. This week’s arrest of the Golden State Killer suspect, Joseph DeAngelo, has rightfully set off alarms among some scientists and ethicists worried that consumer DNA may be widely accessed by law enforcement. Detectives in California used a public genealogy database to identify the suspect, raising serious concerns about genetic privacy. As a criminal defense attorney practicing in Los Angeles, I am especially concerned about how law enforcement uses consumer DNA to bypass Fourth Amendment protections.
Investigators retained DNA evidence from the Golden State Killer’s crime scenes, but they were not able to match it to any of the convicts’ and arrestees’ DNA profiles stored in the FBI’s Combined DNA Index System. As a workaround, police decided to take advantage of the fact the millions of Americans have had their genetic information tested by various commercial companies, often as part of their personal genealogical research.
The police reportedly drew on the open-source GEDmatch service, which does not test DNA but allows users searching for relatives to them to upload the results of such tests from other companies. Apparently, a relative of DeAngelo had submitted test results to GEDmatch. This familial genetic link led the police to suspect DeAngelo. The police directly connected DeAngelo to the murders and rapes by matching old crime scene DNA to his obtained from some items he had recently discarded in public.
This is not the first case where ancestry DNA testing has been used to identify a suspect. Another case illustrates how the use of such DNA evidence can lead to false accusations. In 2015, after DNA evidence exonerated an innocent suspect in a 1998 murder, police in Idaho Falls combined Ancestry.com records for close matches to DNA at the crime scene, landing on a man named Michael Usry who matched 34 of 35 genetic markers on the Y-chromosome that belonged to the killer. Police wound up arresting Usry’s son, whose name was only cleared after 33 days when another DNA test found to not match his DNA. The privacy repercussions, including false accusations and even wrongful convictions, are troubling.
Such methods of criminal investigation are bound to only become more prevalent as the sizes of companies’ DNA databases grow. Some laws protect against abuses of genetic privacy, but none of those prevent law enforcement from combing through public DNA databases. Many courts have ruled, citing cases involving photographs and fingerprints, that we do not have a reasonable expectation of privacy under the Fourth Amendment in DNA that we leave in public.
Still, the case brings forefront several important issues in genetic privacy. As Tiffany Li, a tech lawyer and resident fellow at the Yale Information Society Project, tweeted in response to the Golden State Killer news, “Reminder: When you give your DNA data to companies like Ancestry.com or 23andMe, you give up not only your own genetic privacy, but that of your entire family.” And while law enforcement may not be able to get its hands on your Ancestry data easily, for example, certain types of insurers could, as could hackers. While some members of the public have expressed that they are fine with giving up their family DNA data to catch a serial killer, this rationale has a slippery slope effect, and can justify almost any invasion of privacy, including facial recognition and iPhone backdoors.
Ultimately, police use of non-criminal genetics databases illustrates the need for standards for genealogical searches in relation to crimes. In the Idaho Falls case, for example, if investigators had used a DNA test that looked at a smaller number of genetic markers, which some crime labs do, Usry might have wound up matching the DNA even though he was innocent. Guidelines for when police may turn to genealogical searches and the quality of DNA evidence they use could help protect innocent people from false accusations and even wrongful convictions.