By Rebecca Robbins

The identity of one of California’s most notorious serial killers had been a mystery for decades — until this week, when law enforcement arrested a suspect. Investigators revealed on Thursday that they made the breakthrough using a remarkable tool: a genealogy website.

The unusual manner in which the Golden State Killer case was cracked has sparked wonderment — as well as privacy concerns about how law enforcement can and does use the genetic information that consumers give up to genetic testing companies. That’s because companies generally say on their websites that a customer’s genetic information can be shared with law enforcement if demanded with a warrant.

In the Golden State Killer case, investigators took DNA collected years ago from one of the crime scenes and submitted it to one or more websites that have built up a vast database of consumer genetic information.

The primary tool used was GEDmatch, a free open-source website that pools together genetic profiles uploaded by users seeking to conduct research or fill in gaps in their family trees. Investigators got access to GEDmatch’s database not with a court order, but by creating a fake profile and name on the site. (GEDmatch was not approached by law enforcement, the site said in a statement to users who log in.)

The results led law enforcement to the suspected killer’s distant relatives, who were among the millions of consumers who have paid up and mailed in a spit kit to track down long-lost family members, learn more about their ancestry, or gauge their risk for medical conditions. That created a pool of potential suspects under the same family tree that investigators eventually narrowed down to 72-year-old former police officer Joseph James DeAngelo.

In addition to GEDmatch, investigators may have also used commercial sites.

Four of the leading companies — 23andMe, Ancestry, Family Tree DNA, and MyHeritage — all said they were were not involved in the Golden State Killer investigation.

A spokesperson for the Sacramento County District Attorney’s office declined to answer questions about which genealogy sites were used. The DA spokesperson also wouldn’t say whether law enforcement relied on any voluntary or involuntary cooperation from the companies behind the sites.

Some sites require consumers to send in a sample of saliva or cells swabbed from inside their cheeks — something that investigators in the Golden State Killer case presumably would not have had from a decades-old crime scene. Other sites like GEDmatch, however, allow users to simply upload raw genetic data in the form of endless A’s and C’s and G’s and T’s — a process that hypothetically could have allowed investigators to get the information they needed without getting cooperation from companies.

Privacy advocates are still concerned that these companies leave the door open to sharing a customer’s genetic information with law enforcement. They say that doing so represents Orwellian state overreach and worry that customers may not realize what they’re agreeing to — or, even worse, that the imperfect technology involved puts innocent people at risk. Privacy advocates have also raised concerns about genetic testing sites that sell purportedly anonymized genetic data to third parties, typically to drug makers. Those data, they fear, could ultimately wind up in law enforcement’s hands.

Here’s a breakdown of some of leading companies’ policies and histories when it comes to efforts by law enforcement to crack a case.

23andMe

“Under certain circumstances, your information may be subject to disclosure pursuant to a judicial or other government subpoena, warrant or order, or in coordination with regulatory authorities.” — company website

The best-known company in the space has received five requests for user data, covering six different accounts, from law enforcement and other U.S. government authorities. It has complied with none of them, according to a report on the company’s website last updated in December.

23andMe has said its policy is to resist law enforcement inquiries in order to protect customer privacy, and that it has never given customer information to law enforcement officials. The company doesn’t allow users to submit genetic data processed by a third party to turn up long-lost family members in the 23andMe database.

Ancestry

“We may share your Personal Information if we believe it is reasonably necessary to … comply with valid legal process (e.g., subpoenas, warrants).”— company website

In a remarkable 2014 incident, Ancestry gave a customer’s DNA sample to police to comply with a search warrant.

The case involved the 1996 rape and murder of an 18-year-old woman. One killer was convicted and sentenced to life in prison in 1998, but the police department in Idaho Falls, Idaho, still believed there was another person involved. Police came to Ancestry demanding the name of a person that matched the DNA, but the information that the company provided ultimately did not produce a match. (That information came from a publicly available database that Ancestry has since shuttered.)

Since then, Ancestry has said it received no legal requests for genetic information that it deemed valid in 2015, 2016, and 2017, and therefore did not disclose any such information to law enforcement.

In 2017, the company received 34 law enforcement requests for non-genetic user information that it deemed valid. It provided information in response to 31 of those 34 requests, all of which involved investigations into credit card misuse and identity theft, according to a company report.

Family Tree DNA

“We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.” — company website

The company’s database played a key role leading to the 2015 arrest of a murder suspect in Phoenix.

An independent genealogy consultant assisted police with their investigation by using a suspected killer’s DNA profile to tap at least one database. She wrote in a 2014 email that only Family Tree DNA had a particular marker test from a certain region in the profile, according to public records first reported by the Arizona Republic. The genealogist ultimately helped turn up the suspect’s last name, prompting authorities to look closer.

MyHeritage

“MyHeritage will not disclose any of your personal information except … if required by law, regulatory authorities, legal process or to protect the rights or property of MyHeritage or other users.” — company website

MyHeritage is among the sites that allow users to upload DNA data processed by another company or provider. That service, of course, is meant only for people uploading their own personal DNA data — not authorities looking to nab a criminal.

GEDmatch

“While the results presented on this site are intended solely for genealogical research, we are unable to guarantee that users will not find other uses.” — company website

Unlike most of the other leading sites, GEDmatch doesn’t run a business that charges customers for processing a spit kit or cheek swab and uploading the genetic profile into the company database. The site identified as key to cracking the Golden State Killer case is essentially run by users and volunteers. And although the ostensible purpose of the site is for researchers and family historians to draw comparisons and find leads, there are few protections against law enforcement or other third parties from using the pooled data however they please.

In the message to posted users following the breakthrough in the Golden State Killer case, the site said: “It is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes.”

And the site’s privacy policy urges anyone requiring “absolute privacy and security” not to upload their genetic data in the first place. “If you already have it here,” the site warns, “please delete it.”