SACRAMENTO, Calif. -- Investigators have revealed they used a public genealogical DNA database to find the ex-policeman they believe is a shadowy serial killer and rapist who terrified California decades ago, calling the technique groundbreaking. But the site's co-founder said he has privacy concerns after learning that law enforcement used the site and insists that his company does not "hand out data."

Joseph James DeAngelo, 72, was arrested Tuesday after investigators matched crime-scene DNA with genetic material stored by a distant relative in the online database GEDMatch. From there, they narrowed it down to the Sacramento-area grandfather using DNA obtained from material he'd discarded, police said.

Paul Holes, the lead investigator on the case, told the Mercury News in San Jose, California, that the investigative team used GEDMatch, a Florida-based website that pools DNA profiles that people upload and share publicly.


GEDMatch is a free site where users who have obtained DNA profiles from commercial companies such as Ancestry.com and 23andMe can upload them to expand their search for relatives. Ancestry.com and 23andMe said Thursday that they weren't involved in the case. Major for-profit companies do not allow law enforcement to access their genetic data unless they get a court order.

Holes said officials did not need a court order to access GEDMatch's database of genetic blueprints.

Holes, a cold case expert and retired Contra Costa County District Attorney inspector, said GEDMatch was his team's biggest tool. Investigators have over the years developed DNA profiles of the then-unidentified "Golden State Killer" suspect from crime scenes, but no matches came up on federal criminal DNA databases, so they turned to the database, reports the Mercury News.

But there are privacy concerns as well. There are not strong privacy laws to keep police from trolling ancestry databases, said Steve Mercer, the chief attorney for the forensic division of the Maryland Office of the Public Defender. It's not clear whether people who use public DNA databases like GEDMatch fully understand that it's possible their DNA could later be used to incriminate a relative.

While people may not realize police can use public genealogy websites to solve crimes, it is probably legal, Erin Murphy, a law professor at New York University Law School, told the Associated Press.

"It seems crazy to say a police officer investigating a very serious crime can't do something your cousin can do on a Tuesday," Murphy said. "If an ordinary person can do this, why can't a cop? On the other hand, if an ordinary person had done this, we might think they shouldn't."

Law enforcement in several states are authorized to search criminal DNA databases for relative matches on unknown suspect DNA profiles. Some jurisdictions use "familial searching" on federal databases like the FBI's CODIS, which contains DNA of criminals. Familial DNA searching has made inroads in some U.S. states and other countries in the last decade, leading to high-profile arrests, but has also caused controversy amid civil-liberties qualms. Critics view the technique as a DNA dragnet that can single out otherwise law-abiding people for scrutiny because of family ties.

Familial searching of criminal DNA databases is subject to restrictions, but when it comes to a public database like GEDMatch, "the police officer's ability to throw some information into a public database like this is wholly unregulated," Erin Murphy, a law professor at New York University Law School, told The Atlantic.

In 2017, "48 Hours" investigated a case in which a public DNA database pointed police in Idaho to a New Orleans filmmaker in the 1996 murder of Angie Dodge. Idaho Falls Police obtained a court order to obtain the identity of the person who submitted a profile -- which was a "partial" match to their suspect DNA profile -- from Ancestry.com, which had acquired the database. Police homed in on the filmmaker -- the son of the man they identified -- as a possible suspect, but when they obtained a DNA sample from him, he was cleared.

The story raised serious questions about what happens when police use publicly available DNA databases to solve cases – and what happens when an innocent man is tagged as a suspect.

Private genealogy companies are quick to point out that they don't share their clients' information with law enforcement unless they are subject to a court order, which is rare, reports the Mercury News. A 23andMe spokesman told the paper: "Broadly speaking, it's our policy to resist law enforcement inquiries to protect customer privacy. 23andMe has never given customer information to law enforcement officials."

An Ancestry spokesman gave a similar statement to the paper: "Ancestry advocates for its members' privacy and will not share any information with law enforcement unless compelled to by valid legal process."

Neither company was approached by law enforcement about the Golden State Killer case, the paper reports. Nor, however, was GEDMatch, according to a company statement; but the website is free and available for all to use.

"This was done without our knowledge, and it's been overwhelming," Curtis Rogers told The Associated Press.

In a statement released Friday, GEDMatch says it makes clear to users that the genetic information they upload, while primarily used for the purpose of finding relatives, isn't private.

"We understand that the GEDmatch database was used to help identify the Golden State Killer," GEDmatch operator Curtis Rogers said in a statement released to the paper. "Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch's policy to inform users that the database could be used for other uses, as set forth in the Site Policy … While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes."

Rogers reportedly said users who have concerns their profiles may be used for "non-genealogical uses" should remove it from the site or refrain from uploading it.

GEDMatch is also used by the DNA Doe project, a non-profit that works to name the deceased who remain unidentified. Most recently, the DNA Doe project was hailed for its work with Ohio authorities to use a public genealogy DNA database to identify "Buckskin Girl," an unidentified murder victim found with a distinctive buckskin jacket near an Ohio roadway in 1981, as 21-year-old Marcia King of Arkansas.

DNA Doe co-founders Margaret Press and Colleen Fitzpatrick told Crimesider they've chosen to focus their work with law enforcement only on identifying victims -- not searching for suspects -- in order to avoid privacy and ethical concerns. The genetic genealogists say they have been approached by law enforcement agencies for help finding unidentified criminals with unknown DNA profiles in various cases, but they've turned them down.

"We were very careful to stay on the right side of the line between the victim and the killer," Fitzpatrick said. "When you start with the criminal element, there are a lot of questions that people might feel uncomfortable that their DNA has been used to do this."

The Golden State Killer case is the first time they are aware of that law enforcement has used GEDMatch in arresting a suspect, and both say it raises valid privacy concerns. They suspect that investigators in the Golden State Killer case searched GEDMatch using methodology similar to theirs, though investigators haven't offered specifics. Fitzpatrick cautioned that for everyone who uploads their DNA to GEDMatch, their relatives' information is then also accessible to anyone who uses the database and to whatever end.

"We can all agree it's great that this guy is finally caught, but at the same time, what's the risk for the benefit of getting him off the street?" Fitzpatrick said.

Despite the concerns, they hope people will continue to publicly share their DNA, albeit with the caveat that everyone who shares it should be informed it might be used by law enforcement so they can weigh the potential consequences. They see great benefit to using the database for things like connecting adoptees to their birth family and identifying Does, such as in the "Buckskin Girl" case.

"We're hoping people won't panic and say the benefit still outweighs the risk," Press said.

But they stress they are genealogists -- not law enforcement officials or privacy advocates -- and a broader conversation must now ensue.

"This is uncharted territory," Press said. "No one has hashed this out in court, had any public discourse or ethical arguments one way or another and it's a conversation that needs to be had. Now is the right time for that."