On Thursday it was reported that the Sacramento County District Attorney’s Office used the help of a genealogy website in its pursuit and arrest of the alleged Golden State Killer. Joseph James DeAngelo Jr. was found thanks to DNA that was submitted by police to an ancestry platform, where data was used by investigators to narrow the search pool before an eventual 100 percent DNA match was revealed.
If you, like me, recently read Michelle McNamara’s I’ll Be Gone in the Dark, a thorough follow-up to her 2013 investigative report on the Golden State Killer in Los Angeles Magazine, then this new information was a bit surprising. Toward the end of the book, published posthumously, McNamara specifically mentioned how beneficial it would be if sites like 23andMe worked with investigators, but that their privacy regulations would prevent it. That’s not always true. According to a 2017 Atlanta Journal-Constitution story, police can potentially access DNA submitted to companies like Ancestry.com and 23andMe. “Typically police will collect the DNA of an unknown suspect at a crime scene and compare it to the federal government’s genetic information database, the Combined DNA Index System or ‘CODIS,’” The Atlanta Journal-Constitution story explains. If a CODIS database search (for a suspect or for their “close biological relatives”) comes up with no matches, then law enforcement may turn to companies like 23andMe. In most cases, these sites will refuse to comply in order to protect user privacy.
But it wasn’t 23andMe that helped find the Golden State Killer, nor any other platform you’ve likely heard of. Late Thursday afternoon, the lead investigator revealed that a tiny, open-source site called GEDmatch was responsible for matching DeAngelo’s DNA. Because GEDmatch is not a private company, law enforcement officials didn’t need a search warrant to compel it to open up its files; they could do all the work themselves. So why would anyone use GEDmatch, given its inability to protect users from investigators? Well, for one, it’s free—and, according to The Mercury News, it’s where curious people go to look for long-lost relatives. “If you require absolute security, please do not upload your data to GEDmatch,” the company website warns. “If you have already uploaded it, please delete it. ... While the results presented on this site are intended solely for genealogical research, we are unable to guarantee that users will not find other uses.” It appears that police were able to take DNA from crime scenes and partially match it against the DNA of a relative of DeAngelo who had used GEDmatch. What happened from there is unknown, but it’s possible that interviews with the relative led to a reveal of DeAngelo’s name, and then further investigations by law enforcement ended in his arrest and a 100 percent match of the original crime scene DNA against his own. It’s been reported that “discarded DNA”—which often means a thrown-out soda can or the like—was used to get that 100 percent match.
Prior to learning that GEDmatch was the company behind the DNA reveal, I reached out to several big names in the online genealogy market. Ancestry.com told me it did not work with police. “We have not been in contact with law enforcement regarding the Joseph James DeAngelo case,” a spokesperson told me. “Ancestry advocates for its members’ privacy and will not share any information with law enforcement unless compelled to by valid legal process.” The spokesperson also said the company didn’t receive any valid legal requests for genetic information in 2015, 2016, or 2017.
23andMe also said it wasn’t involved in the DeAngelo DNA match. “The answer is no we have not received inquiries regarding this case,” 23andMe managing editor Scott Hadly wrote in an email. “Broadly speaking it’s our policy to resist any law enforcement inquiries with all legal and practical means at our disposal.” Despite a handful of requests over the years, Hadly said that 23andMe has never given out customer information to law enforcement officials. (Also, it’s worth noting that 23andMe only processes saliva, so DNA found at the crime scene would not have been submittable.)
Another company, MyHeritage, answered similarly: “In response to your question regarding the Golden State Killer, I can confirm that MyHeritage was not involved and has not heard of this before,” director of PR Rafi Mendelsohn said in an email.
DNA has long been a fraught issue in California—and nationwide—and opponents have fought up until 2004 to resist expanding the offender DNA database. Privacy advocates have argued that it violates rights, and genealogy companies err on the side of restricting law enforcement access to their records in order to protect consumer security. Those are valid reasons to oppose increased state access to DNA, but now we’re also witnessing an incredibly significant victory as a result of GEDmatch offering open access to data, and also one that’s unlikely to be replicated by private companies like Ancestry.com and 23andMe. Consumer worries about privacy already put their platforms at risk, and the FTC has been called on to investigate them over privacy and security concerns. 23andMe has faced an FDA warning regarding a regulatory review. Catching one suspect doesn’t help businesses’ bottom line if the majority of people don’t trust them and won’t use their product. Thankfully, research projects like GEDmatch exist to fill that need. Hopefully it won’t be the last time they do.