Police may have their man, but at what cost to the rest of us in an era where data privacy already is greatly flawed and companies have, and own, your genetic information?
“No one has thought about what are the possible consequences.”
The trail of the Golden State Killer had gone cold decades ago. The police had linked him to more than 50 rapes and 12 murders from 1976 to 1986, and he had eluded all attempts to find him.
In the years since, scientists have developed powerful tools to identify people by tiny variations in their DNA, as individual as fingerprints. At the same time, the F.B.I. and state law enforcement agencies have been cultivating growing databases of DNA not just from convicted criminals, but also in some cases from people accused of crimes.
The California police had the Golden State Killer’s DNA and recently found an unusually well-preserved sample from one of the crime scenes. The problem was finding a match.
But these days DNA is stored in many places, and a near-match ultimately was found in a genealogy website beloved by hobbyists called GEDmatch, created by two volunteers in 2011.
Anyone can set up a free profile on GEDmatch. Many customers upload to the site DNA profiles they have already generated on larger commercial sites like 23andMe.
The detectives in the Golden State Killer case uploaded the suspect’s DNA sample. But they would have had to check a box online certifying that the DNA was their own or belonged to someone for whom they were legal guardians, or that they had “obtained authorization” to upload the sample.
“The purpose was to make these connections and to find these relatives,” said Blaine Bettinger, a lawyer affiliated with GEDmatch. “It was not intended to be used by law enforcement to identify suspects of crimes.”
But joining for that purpose does not technically violate site policy, he added.
Erin Murphy, a law professor at New York University and expert on DNA searches, said that using a fake identity might raise questions about the legality of the evidence.
The matches found in GEDmatch were to relatives of the suspect, not the suspect himself.
Since the site provides family trees, detectives also were able to look for relatives who might not have uploaded genetic data to the site themselves.
On GEDmatch, “it just happens they got lucky,” said Dr. Ashley Hall, a forensics science expert at the University of Illinois in Chicago.
23andMe has more than 5 million customers, and Ancestry.com has 10 million. But the DNA in databases like these is relevant to tens of millions of others — sisters, parents, children. A lot can be learned about a family simply by accessing one member’s DNA.
“Suppose you are worried about genetic privacy,” Ms. Murphy said. “If your sibling or parent or child engaged in this activity online, they are compromising your family for generations.”
If I'm DeAngelo's defense attorney, I'm moving to have all this DNA evidence tossed on that technicality. And even though from a genetic perspective, I'm adopted and I'd like some genetic testing done for the possibility of hereditary diseases, I'm loath to do so for exactly these reasons.
It's a lot to think about in the era of privacy. When I was in school the Human Genome Project was just getting underway. 20 years later we have commercial DNA databases with millions of subjects. It's something that needs regulation, and fast. It doesn't meet the Dr. Ian Malcolm test:
"Your scientists were so preoccupied with whether they could, they didn't stop to think if they should."
We've got to get a handle on this fast, because it's going to be used again, and quickly. The intersection of Silicon Valley tech, police investigation, and data privacy is already a massive trainwreck.