DNA analysis site that led to the Golden State Killer issues a privacy warning to users

As more details emerge about the arrest of the man suspected to be the Golden State Killer, it’s clear that one of the most infamous unsolved cases of all time was cracked using a popular free online genealogy database.

The site, known as GEDmatch, is a popular resource for people who have obtained their own DNA through readily available consumer testing services and want to fill in missing portions of their family tree to conduct further analyses. Compared to a polished service like 23andMe, GEDmatch is an open platform lacking the same privacy and legal restrictions that govern user data on more mainstream platforms.

To home in on their suspect, investigators used an intact DNA sample taken at the time of a 1980 Ventura County murder linked to the serial killer. The team uploaded data from the sample into GEDmatch and were able to identify distant relatives of the suspect — a critical breakthrough that soon led to the arrest of Joseph James DeAngelo, 72.

Given the high-stakes nature of DNA data and the popularity of voluntary online DNA databases, the case immediately raised a number of flags for data privacy advocates.

On Friday, GEDmatch confirmed on its landing page for logged-in users that law enforcement sifted through its DNA database in the case:

To correct a BIG misunderstanding, we do not show any person’s DNA on GEDmatch. We only show manipulations of data such as DNA [matches].

We understand that the GEDmatch database was used to help identify the Golden State Killer. Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses, as set forth in the Site Policy

While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes.

If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded. To delete your registration contact gedmatch@gmail.com.

Though an initial misunderstanding raised suspicion that law enforcement used a major player in consumer genetic testing like 23andMe or Ancestry DNA in the Golden State Killer case, investigators instead leveraged another voluntary DNA database with no such hoops to jump through. Both 23andMe and Ancestry require law enforcement to submit a legal request in the form of a search warrant or a court order before accessing any specific genetic or personal information.

23andMe explains its policies toward forensics in a special page dedicated to its relationship with law enforcement:

Use of the 23andMe Personal Genetic Service for casework and other criminal investigations falls outside the scope of our services' intended use.

Therefore, it is a violation of our TOS for law enforcement officials to submit samples on behalf of a prisoner or someone in state custody who has been charged with a crime.

While the revelation that investigators have apprehended a suspect in the long-cold case is good news, the incident is reigniting justifiable concerns around consumer DNA testing.

In an interview with The New York Times, Paul Holes, the Contra Costa County investigator who helped crack the case, marveled at the power of GEDmatch. “I was blown away with what it could do,” Holes said.