The news was amazing: Police in California used DNA evidence collected decades ago to identify the suspected Golden State Killer, a serial killer and rapist active between the mid-‘70s and mid-‘80s.
Investigators from the Sacramento County Sheriff’s Department entered the old DNA into online genealogical database GEDmatch and were able to zero in on suspect Joseph James DeAngelo Jr. by linking the DNA sample to relatives in the database.
A suspected serial killer won’t generate much sympathy from the public, but privacy advocates say the case raises a series of difficult questions about uses of DNA.
The Golden State Killer “was absolutely evil,” said Pam Dixon, executive director of the World Privacy Forum. “We can all definitely agree that serial killers should be taken off the street.”
Still, Dixon and other privacy advocates wonder about the repercussions of the case. “There is no privacy right that I know of in regard to this kind of linking,” she said.
Among the major questions:
- What court approvals should police get before searching DNA databases?
- Should police be able to use DNA from distant relatives to track down criminals?
- And how long should DNA evidence be searchable?
These are difficult questions, but there doesn’t seem to be a huge push to create new DNA privacy regulations in the United States following the Golden State Killer arrest. Senator Chuck Schumer, a New York Democrat, has raised concerns about the privacy of DNA tests, but his office didn’t respond to questions about the Golden State Killer case.
One of the points of contention is that major DNA testing services retain long-term, or even perpetual, licenses to your DNA after you submit your test to them. Absent changes in the law, it’s possible that a future relative of yours, living 100 years from now, could be identified through your genetic material.
“By turning in one of these tests now, you’re giving up the privacy of your great-great-grandchildren,” said Joel Winston, a consumer rights lawyer and DNA testing critic from New York.
Large DNA testing services like 23andMe and Ancestry typically require police to get a court order before searching the databases, but GEDmatch bills itself as a more accessible, “open source” DNA database. Users of GEDmatch can mark their DNA as public, making it searchable; they can also choose keep it private or restrict it to research uses.
In the Golden State Killer case, police did not have a DNA match to DeAngelo, and the suspect did not have his own DNA tested. Instead, police used the old DNA collected at a crime scene to look for similar genetic profiles already entered in GEDmatch. Users typically enter their DNA information into GEDmatch after they have their DNA tested elsewhere.
When police had narrowed their suspect list to just a couple of people, they then tracked the 72-year-old DeAngelo, surreptitiously collected his DNA, and matched it to the old sample. Police arrested him on April 25, just short of 32 years after the Golden State Killer’s last suspected rape and murder.
GEDmatch, in an April 27 statement, pointed to its terms of service, which warns users that DNA results can be shared.
“While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes,” the statement said. “If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded.”
People who’ve used DNA testing services can ask that their genetic data be deleted from the services’ databases, but the data can only be removed while they’re alive, Winston noted. Your future relatives can’t ask that your DNA results be destroyed after you’ve died.
Part of the concern for privacy advocates is that there are few privacy protections in the United States for DNA data voluntarily shared with testing services or databases, said Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy and Technology.
DNA testing services collect data about “extremely personal and intimate areas of our lives” and they have privacy and security obligations, she said. “DNA data is … highly sensitive and implicates the privacy not just of a person but their entire family – past, present, and future – and it should be treated as such by commercial entities and the government.”
The good news for privacy-minded folks, at least in the United States, is that a 2008 law, the Genetic Information Nondiscrimination Act or GINA, protects people from having their DNA results used against them in limited scenarios involving health insurance and employment. In the European Union, the new General Data Protection Regulation (GDPR), which goes into effect May 25, will give residents new control over how their data, including DNA data, is used by organizations.
Still it’s time for a new debate on the limits of so-called “publicly available” data, De Mooy said. “Publicly available data is often characterized as free of risk for users because it’s released in aggregate or de-identified,” she said. “But it’s possible to reverse engineer a lot of this data and, even in aggregate or de-identified form, to share it in a way that violates user expectations of privacy or creates unintended consequences.”
In the Golden State Killer case, police “certainly violated the privacy expectations” of many people who uploaded their data, she added.
Don’t expect police to suddenly rush to copy the Golden State Killer investigators, however.
“It’s relatively expensive and time-consuming for law enforcement to do this type of investigation now, so it probably won’t be widespread just yet, [but] the evolution of technology almost always goes in the direction of cheaper and easier, De Mooy said.” It’s important for us to consider now how we should balance public interests with privacy rights.”
De Mooy and Winston also noted that DNA evidence isn’t always as accurate as it sometimes is billed. A DNA test can be blotched or incomplete, with close family members sometimes getting significantly different results.
De Mooy called on the U.S. Congress to pass baseline privacy legislation to establish basic rules around data collection, sharing, and use of data. A new law should be “responsive to a user’s privacy expectations instead of creating more check boxes or privacy policies,” she said.
Transparency about use of DNA and other data should be a part of a new law, she said. The World Privacy Forum’s Dixon agreed, saying new transparency rules about the use of DNA data should happen as an interim step toward other regulation. Users of DNA sites need prominent warnings, Dixon said.
People considering DNA tests should recognize “there are profound implications,” Dixon added. “If a website has not very clearly spelled out that there can, and probably will, be law enforcement access to genetic data, then that’s a problem.”