The recent capture of a suspect for the notorious Golden State Killer crimes was a vindication of both diligent detective work and modern technology. More than four decades after the first incident attributed to the GSK, which ultimately tallied at least 12 murders, 45 rapes, and more than 100 home burglaries, 72-year-old Joseph DeAngelo was arrested in his California home. The long-delayed breakthrough came after Paul Holes, a retired investigator for both Contra Costa County’s Sherriff and District Attorney, used the open-source genealogy service GEDmatch to search for genetic profiles that aligned with DNA recovered at the crime scenes.

It took a lot of legwork before Holes and his associates got some genetic hits. The web of relatives sharing genetic traits with DeAngelo initially encompassed about a thousand people who were then narrowed down to a small group of third and fourth cousins. The investigative team spent months drawing intricate family trees and poring over genetic comparisons. When they finally landed on DeAngelo, DNA samples obtained at restaurants and from discarded beverage cans matched with crime scene DNA, and the Citrus Heights resident was taken into custody.

Open source genealogy sites can expose you to investigation even if you haven’t left your DNA at a crime scene or uploaded it to an open database yourself.

The case was a major breakthrough for both forensic investigators and crime victim advocates. But it also had some troubling implications for civil libertarians and privacy proponents. Of course, we all know that the DNA we leave behind as we proceed through our daily routines is a potential evidentiary trail. For the most part we’re comforted that access to genetic databases maintained by law enforcement is controlled, though the degree varies state by state. In California, “familial searching”—as opposed to searching for a specific suspect—faces a relatively high bar. Further, large for-profit companies like Ancestry.com and 23andMe demand court orders before they allow investigators to prowl through their databases.

But the DNA information in open source databases such as GEDmatch is different. Anyone—including cops—can access it. And these DNA inventories can be huge, because people often take their information from proprietary companies like Ancestry.com and upload them, voluntarily, to the open source sites to find more hits. As is acknowledged in its privacy policy, GEDmatch grants “third parties,” including law enforcement, free rein to dig through your genetic data in hopes of catching a malefactor who may be a distant relative, or—let’s face it—may be you.

That leads to some ambivalence about DNA testing and the ever-expanding body of open-source genetic information, no matter where you fall on the political spectrum. On the one hand, the average citizen is likely to be pleased that suspects in horrendous crime sprees are nabbed. On the other, the sites can expose you to investigation even if you haven’t left your DNA at a crime scene or uploaded it to an open database yourself.

“Unfortunately, there’s a lot of misinformation about what can be done with [open source genealogy] information,” said Curtis Rogers. “It’s not like a fingerprint, where you either have a confirmation or you don’t.”

If, for example, that fourth cousin you never knew existed uploaded their DNA, there’s a partial match to your genes sitting out there for all to see. Now suppose your long-lost evil twin gets pulled in by the cops and swabbed. His or her DNA provides a very close match to yours and, via the fourth cousin’s readily available genetic information, implicates you both. Fanciful? Perhaps—but also possible, and that gets at the heart of the debate: protections of privacy and against unreasonable search and seizure often seem fanciful until they’re needed.

And they may well be needed now, says Berkeley law professor Andrea Roth, an authority in forensic DNA typing. The Golden State Killer’s case is a breakthrough, perhaps, but it’s no outlier: a lot of law enforcement agencies are digging through genetic databases for potential matches. So, uploading genetic information to an open source database is a decision far weightier than it might seem; it could have profound privacy implications for any unwitting relatives, even distant ones.

The Golden State Killer, says Roth, “… is the tip of the iceberg. When police access this information, they may investigate people [with shared DNA], even though there’s no proof of wrongdoing,” on the part of the suspects, that is. “Or if someone related to you uploads information, you may become a target of investigation without your knowledge.”

In a phone interview with California, GEDmatch co-founder Curtis Rogers emphasized that his site doesn’t post genetic information.

“What you do see are genetic matches,” which are derived from participant-uploaded DNA sequences, Rogers said. “You go onto our site, upload your genetic information, and you can obtain 2,000 matches for free, including the [degree of consanguinity]. Specific DNA sequences are not visible. People can put up and remove their information easily. Basically, we use algorithms that help people find matches with other people who may be relatives, distant or otherwise. We don’t own or sell the data. We don’t make money.”

Uploading information to GEDmatch and similar sites involves implicit consent: by using the site, you agree to surrender your information to the public domain.

As to police use of GEDmatch, Rogers said, that possibility is acknowledged on the site, which informs potential participants about the ways law enforcement could employ uploaded data.

“Unfortunately, there’s a lot of misinformation about what can be done with [open source genealogy] information,” said Rogers. “It’s not like a fingerprint, where you either have a confirmation or you don’t. It’s not true, as some people believe, that investigators go straight from identifying a distant relative to getting a match on a criminal. There are a lot of other data they have to analyze, a lot of additional work they have to do. With [the Golden State Killer suspect], for example, we were just one step in a long process.”

There’s little question that genealogical datasets can contribute positively to forensic results, however. As Roth implies, the arrest of DeAngelo could mark the beginning of a new era in law enforcement, with investigators closing scores of cold cases. Just last week, Indiana investigators announced the arrest of John D. Miller, who reputedly confessed to killing 8-year-old April Tinsley near Fort Wayne 30 years ago. As with DeAngelo, Miller was traced and ultimately identified through public genealogy databases.

So far, observes Roth, such investigations appear legal in that uploading information to GEDmatch and similar sites involves implicit consent: by using the site, you agree to surrender your information to the public domain. However, a decision last month by the U.S. Supreme Court may have some bearing on the matter, Roth says.

“Familial searching in DNA registries of known offenders is tightly regulated,” Andrea Roth says. “So you can actually have more privacy protection if you’re a convicted felon.”

“The court ruled in Carpenter v. United States that the police need a warrant to obtain information on the location [of individual cell phones via cell towers] from a phone company,” says Roth. “That doesn’t apply to DNA of course, but it could have implications for genealogy companies, in that it involves the third-party doctrine.”

The third-party doctrine stipulates that anyone who willingly provides information to a “third party”—phone companies, banks, open source DNA databases, and the like—has no “reasonable expectation of privacy.”

But the court’s recent ruling turns that around. In a 5 to 4 decision, the justices ruled that cell phone location searches fall under the Fourth Amendment—which protects citizens from unreasonable search and seizure—and thus require a judge-issued warrant based on probable cause.

“That puts a crack in the third-party doctrine,” says Roth, “meaning it could ultimately apply to other third-party issues such as those involving open source genealogy databases.”

In the meantime, it can be assumed that police will continue grazing through open source sites such as GEDmatch, potentially subjecting innocent people to intrusive inquiries. In the case of the Golden Gate Killer, for example, Holes and his team were able to persuade a judge in Clackamas, Oregon, to order a DNA sample from a 73-year-old manafter his genes registered a hit on open source websites. He turned out to be innocent, and Holes refined his search techniques, ultimately homing in on DeAngelo.

“What’s ironic is that in many states—California, for example—familial searching in [government-owned] DNA registries of known offenders is tightly regulated,” Roth says. “But with open source databases, things are largely unregulated. So you can actually have more privacy protection if you’re a convicted felon.”

“I trust people,” Rogers said, “I have a lot of faith in educated people making decisions about their own data without the government telling them what to do.”

The issue of the third-party doctrine as it applies to DNA is likely to percolate through the courts for some time to come. Still, says Roth, if public sentiment moves in the direction of greater guarantees for genetic information privacy, “We should probably look for a legislative solution rather than a constitutional one. “ That way, even if the courts determine the Fourth Amendment doesn’t apply, “Legislation could provide protections for DNA information.”

Roth cites California’s 2016 Electronic Communications Privacy Act, which requires investigators to obtain warrants before seizing electronic communications. “It established that investigators can’t grab your emails, for example, just because you shared them with Google—that in effect, you dohave a reasonable expectation of privacy. We could do the same for DNA—pass legislation that requires a warrant based on probable cause before investigators can gain access to genetic information, even from an open source site.”

Rogers, however, is less than enthusiastic about fiat remedies, legislative or otherwise.

“I have a very deep concern about privacy,” he said, “but I don’t feel legislation and regulation are the answers. We’re doing everything possible to educate people on our site, including notifications about potential law enforcement activities. I trust people. I have a lot of faith in educated people making decisions about their own data without the government telling them what to do. In the end, I think we need to let the marketplace decide what’s on [genealogical sites] and how it’s used.”

“How is a police sketch produced by the silent witness that is DNA different from a sketch produced by interviewing an eye witness?” Sensabaugh

wonders.

That marketplace could well shrink, given that law enforcement’s waxing interest in open source DNA databases seems to be spooking the entire sector. FamilyTree DNA, a service similar to GEMmatch, recently announced it’s blocking all access to two public genealogical databases it manages, ysearch.org and mitosearch.org. The reasons? The new General Data Protection Regulation law implemented in May by the European Union—and the publicity generated by the Golden State Killer and similar cases.

At any rate, investigations involving open source databases are unlikely to become widespread because they’re extraordinarily complex, time-consuming, and expensive, says professor emeritus of Berkeley’s School of Public Health George Sensabaugh, echoing Rogers’ earlier sentiment. “Virtually everyone involved with the Golden State Killer case was a volunteer,” continues Sensabaugh, an expert in biomedical and forensic sciences. “It was a prodigious task. I think you’ll see it used sometimes on high profile cold cases, but not on the burglary down the block.”

Nevertheless, civil libertarians—or the merely paranoid—might want to prepare themselves for genetic profiling that takes it a step further. According to Sensabaugh, progress has been made in using genetic markers to identify the physical characteristics of a suspect. In other words, physical traits of a perpetrator could be determined by examining the DNA left at a crime scene. Skin, hair and eye color, facial characteristics, and body type might all be described. Or guessed.

“There have been some failures,” says Sensabaugh, “but also some successes. It’s a field that’s generating a lot of interest, particularly in Europe. The question that should be asked is how is a police sketch produced by the silent witness that is DNA different from a sketch produced by interviewing an eye witness? Recognizing human frailty and the unreliability of people in recounting events, I’d tend to believe the DNA over the eye witness.”

Editor’s Note: This story was updated after its initial publication to include information from a new source, George Sensabaugh.