In April 2018, Sacramento County’s district attorney announced that after more than 40 years, investigators had found the Golden State Killer. And they’d done it by putting his DNA profile on genetic genealogy websites.
Joseph James DeAngelo was arrested, pleaded guilty, and is serving 26 life sentences. His case marked a seismic shift in how investigators use DNA in cold cases. And yet, lurking in the background were concerns over the lack of regulation regarding police use of genetic genealogy. When cops want to peek inside your family tree, should anything stop them?
On Friday’s episode of What Next: TBD, I spoke with Nila Bala, a senior attorney at the Policing Project at NYU Law School, about law enforcement and genetic genealogy technology—and what’s being done to regulate it. Our conversation has been edited and condensed for clarity.
Lizzie O’Leary: Genetic genealogy might sound complicated, but it’s not all that different from building a basic family tree. You just do it by comparing DNA instead of last names or a common great-grandparent. And then when you add in the crime piece, what happens?
Nila Bala: There’s a lot of cold cases in this country, right? There’s DNA that’s sitting, that they’ve tried to use the government databases to see if they could find a match, but they have been unsuccessful. And what law enforcement is doing is they’re sending in this sample that they have, that they haven’t identified, into these open source databases and uploading that information and seeing if it pings off of anybody who’s in the system already.
I think people who have maybe watched CSI or listened to a true crime podcast might have this idea that a DNA profile is infallible and complete. One of the things that I find interesting about genetic genealogy is that it takes DNA that is not a perfect match. Can you explain that difference a bit?
The way genetic genealogy works is, let’s say you get that raw DNA file from 23andMe or Ancestry.com. It’s going to look at quite a significant part of your genome that determines things like hair color, or if you’re going to get a certain disease, which is, I should mention, different from the government databases that use noncoding portions of your DNA. So there’s a lot more information encapsulated in a 23andMe-type DNA test. It’s not looking for a perfect match, but it’s going to search and see if there are certain segments that match. And even small partial matches are going to be generated by that search. And then it’s really up to the individual to do the work of figuring out if that match means anything.
We started out by talking about the Golden State Killer, and he was located by using the site GEDmatch. I wonder if you could explain what makes GEDmatch different from Ancestry.com, 23andMe, other kind of direct-to-consumer genealogy sites.
GEDmatch is different because it’s open source—or you could even say crowdsourced. The idea is that individual users can take their raw file—no matter where they initially got that saliva sample processed—and upload it. GEDmatch was started as a hobby, really, in 2010. It only became this crime-solving tool a couple of years ago, around the time of the Golden State Killer case. And it’s very rapidly become used for that as one of its main features.
How and when did law enforcement get interested in using this open-source DNA technology?
Right around 2018. And then from then we saw a rapid growth. Now I would say, we’re talking 150, probably 200 cases that have been solved using this technology. So I think police officers realized that the databases the governments keep are fairly limited. In many states, you have to be convicted of a felony before you’re in that database, versus these open source databases.
A couple of years ago, a research paper in Science estimated that 60 percent of white Americans could be identified. And now it’s probably upwards of 90 percent, given how many more people have taken tests and uploaded their DNA since that paper was published.
So it’s possible that someone like me—I’ve never put my DNA into a consumer-facing database, but I know I have relatives who were genealogy hobbyists—that I could be identified in some way by familial DNA in one of these databases?
Yeah. It’s not only possible, but it’s likely.
That’s the shocking privacy piece to it, right? That’s why I think everybody should be concerned or be thinking about this issue even if you personally haven’t spit into a tube and sent in your saliva sample and gotten your DNA.
There might be somebody in your family who has and that’s enough to build out a family tree and track you down.
In Centerville, Utah, in 2019, an elderly woman was alone in a locked church, playing an organ and someone broke in and assaulted her, choking her nearly to death. Investigators working on the case wanted to use GEDmatch’s database to test some blood found at the crime scene. But they couldn’t.
The terms of service were very clear that GEDmatch would only be used by law enforcement for murder and rape. But the law enforcement officers in this case approached the head of GEDmatch, asked if he would make an exception and allow them to process the DNA in this unsolved assault. And he agreed. And of course, like one side we might say, “Hey, great. They found the person involved in this really bad assault.” But the other piece—
A little old lady was assaulted in church!
Right. It’s like, you can’t think of a case that might be more compelling to bend the rules on, right? But the other issue is, well, I suppose two-fold. One is it went against the terms and conditions that users expected, which meant that in a way their DNA was being used in a way they hadn’t consented to. But the other thing that this case highlights is that one man—Curtis Rogers—was able to change the way that law enforcement were using DNA technology, rather than a democratic process determining when this technology should be used.
There was actually an outcry after this Centerville case, because people felt dismayed that their privacy hadn’t really been regarded by this company and that they hadn’t had warning about what was going to happen.
It’s such a unique issue where it’s not just your privacy, it’s this other distant cousin’s privacy. In some ways we call it like the fourth-party issue, because there’s this other person out there who hasn’t even put their DNA into the system and they could be implicated as well. Because even if me, as a user, I know that my information is going in GEDmatch. I click the box and say, yes, law enforcement can use my information. That feels above board. But what about my third cousin? Do they know that their information essentially is out there as well, because my DNA and their DNA are linked?
And, as we mentioned earlier, cops can often search genetic genealogy databases without court approval. Just last month, two states passed laws pushing back on that: Montana and Maryland. In Maryland, this is a democratic sponsored law. In Montana, it’s Republican.
I find it particularly interesting that there does not seem to be one clear partisan position on this issue.
Yeah, I think that’s right. I think it’s a bipartisan measure because I think people across both parties want that democratic transparency, their privacy being protected. The instinct that our DNA is sacred and private and we want it protected is a universal one. As is the tendency to want to solve crimes. Like we all want that as well, and we want to be safe, so these laws strike a nice balance. Because they don’t ban the technology. They just make clear how it should be used.
Right now under the Supreme Court Fourth Amendment doctrine, [collecting DNA] is not considered a search or seizure. And so there is, right now, no Fourth Amendment protection for that piece. But under Maryland’s law, a law enforcement officer would have to go to a judge or magistrate and actually say, “I want to collect DNA from this person.” And essentially get a warrant for that.Additionally, the Maryland law says that the DNA data and the file that you create needs to be essentially managed and destroyed once the crime has been solved, which makes a lot of sense.
So it can’t hang out there on the database for years.
Exactly. And that was one of the things I was really concerned about too, because we know that DNA isn’t like your credit card. You can’t just change it if you get hacked or if you have identity theft. Your DNA’s integral to who you are. So it’s definitely really important to make sure this information is secure and that it’s not in the hands of the wrong people.
I think a lot of people might listen to this and say, “Well, I’ve never committed a crime. I’m not lurking in people’s windows. What’s wrong with saying, Yeah, sure, law enforcement can use my information?”
I think that’s the same argument people make generally about the criminal justice system.
Like, “I’m innocent. I have no problem with surveillance. I have no problem with the police doing pretty much anything because I’m innocent.” But privacy goes deeper than that. The idea of privacy and being able to lead a flourishing, thriving human life is that there are sectors of your life that the government can’t see into where you can develop yourself as a human being and as a person. But more than that, you may never have done anything wrong. And yet, knowing what I know about the criminal justice system, you could still be arrested, you could still be prosecuted, and things could still happen to you because humans make mistakes.
People think DNA is infallible just because it’s DNA, but human beings are involved at every step of the process, from collecting DNA to processing it. And of course, identifying whose DNA to process in the first place. Those are human decisions. And I am hopeful that this kind of framework, the framework that Maryland and Montana used in creating this law could actually be a useful framework for a lot of different technology, not just genetic genealogy.