Case Study: 23andMe and the Golden State Killer: Genetic Privacy at a Crossroads

"DNA is not like a Social Security number. You can change your Social Security number. You can't change your DNA. And you share it with people who never consented to any of this." — Erin Murphy, legal scholar, New York University School of Law

Overview

On April 24, 2018, law enforcement announced the arrest of Joseph James DeAngelo, a 72-year-old former police officer, as the suspected Golden State Killer — a serial rapist and murderer responsible for at least 13 murders and more than 50 rapes across California between 1974 and 1986. The case had been cold for over three decades. The break came not from traditional detective work or new forensic technology applied to old evidence, but from a technique that had never before been used to solve a major crime: investigative genetic genealogy, using a publicly accessible consumer DNA database. The method's stunning success in catching a serial killer collided immediately with fundamental questions about genetic privacy, the consent of relatives, the governance of consumer DNA databases, and the boundaries of law enforcement access to biological information. This case study examines the investigation, the genetic privacy landscape it disrupted, and the unresolved questions it left behind.

Skills Applied:

  • Analyzing genetic privacy through the lens of consent, consent externalities, and familial data
  • Evaluating the legal frameworks (GINA, Fourth Amendment, state genetic privacy laws) applied to consumer genetic databases
  • Balancing public safety interests against individual and familial privacy rights
  • Connecting genetic privacy to the broader themes of Chapter 12


The Investigation

The Cold Case

The Golden State Killer — also known as the East Area Rapist and the Original Night Stalker — terrorized California for over a decade. The crimes were exceptionally violent and left lasting trauma on survivors and communities. Despite extensive investigation, including DNA evidence collected from crime scenes, the perpetrator remained unidentified for more than 30 years. Traditional law enforcement databases — including CODIS, the FBI's Combined DNA Index System — produced no match, meaning the suspect had never been convicted of a qualifying offense and had no DNA profile in law enforcement databases.

The Breakthrough: GEDmatch

In early 2018, investigator Paul Holes and attorney and genealogist Barbara Rae-Venter took a novel approach. They uploaded a DNA profile derived from crime scene evidence to GEDmatch, a free, publicly accessible website where individuals voluntarily upload their DNA profiles (typically generated by 23andMe or AncestryDNA) to find genetic relatives beyond what the original testing company's database could provide.

GEDmatch was not a law enforcement tool. It was created in 2010 by two hobbyist genealogists, Curtis Rogers and John Olson, as a community resource for people interested in discovering relatives and building family trees. Users uploaded their raw DNA data files — the data they had received from 23andMe, AncestryDNA, or other testing services — and GEDmatch's algorithms matched them with other users who shared significant stretches of DNA.

When Holes uploaded the crime scene DNA to GEDmatch, the database returned several partial matches — individuals who shared enough DNA with the unknown suspect to be distant relatives (third cousins, fourth cousins, and more distant relations). None of these matches were the suspect. But they were biological relatives of the suspect, which meant that the suspect could be located through genealogical research.

Building the Family Tree

Rae-Venter and a team of genealogists used the GEDmatch matches as starting points for traditional genealogical investigation. They built family trees extending back several generations, then worked forward to identify living descendants who could be the suspect. They cross-referenced with public records — census data, birth and death records, marriage records, voter registrations, real estate transactions — to narrow the candidate pool.

The process took several months. The team eventually identified Joseph James DeAngelo as the most likely suspect: a man of the right age, who had lived in the right areas of California at the right times, and who was a descendant of the ancestral lineages connected to the GEDmatch matches.

To confirm, investigators obtained a discarded DNA sample — a swab from the door handle of DeAngelo's car — and compared it to the crime scene DNA. It matched. DeAngelo was arrested on April 24, 2018.

In June 2020, DeAngelo pleaded guilty to 13 counts of murder and 13 counts of kidnapping. He was sentenced to life in prison without the possibility of parole.


The Genetic Privacy Questions

The GEDmatch users whose DNA profiles matched the crime scene evidence had consented to upload their data to GEDmatch for ancestry research. They had not consented to their data being used for law enforcement purposes. And they were not suspects — they were innocent people whose biological connection to a distant relative made them unwitting participants in a criminal investigation.

More fundamentally, the technique relied on a feature of DNA that makes it categorically different from other personal data: DNA is shared. When one person uploads their genetic profile, they are sharing information about every biological relative — parents, siblings, children, cousins, aunts, uncles, and even distant relations stretching back generations. A fourth cousin shares approximately 0.2% of their DNA with you — enough for GEDmatch to detect the relationship. You share approximately 50% of your DNA with a sibling, 25% with a grandparent, and 12.5% with a first cousin. The person who uploads their data consents for themselves. Their relatives do not consent at all.

This creates what the chapter calls a consent externality: one person's privacy decision imposes consequences on others who had no role in and may have no knowledge of the decision. The relative who uploaded their DNA to GEDmatch may have been searching for adopted family members or building a family tree. They did not know that their data would lead police to a cousin they had never met.

GEDmatch's Response

GEDmatch initially had no policy addressing law enforcement use of its database. After the Golden State Killer arrest, the platform faced intense public scrutiny. In May 2019, GEDmatch changed its default settings so that new users had to explicitly opt in to allow law enforcement matching — a significant policy reversal that acknowledged the privacy implications.

In December 2019, GEDmatch was acquired by Verogen, a forensic genomics company that provides DNA sequencing services to law enforcement. The acquisition raised concerns among privacy advocates who argued that a community genealogy tool had been effectively absorbed into the law enforcement ecosystem.

The Broader Ecosystem: 23andMe and AncestryDNA

The major direct-to-consumer (DTC) genetic testing companies — 23andMe and AncestryDNA — maintain much larger databases than GEDmatch (23andMe has tested over 14 million people; AncestryDNA has tested over 22 million). Both companies have published policies stating that they do not grant law enforcement access to their databases without a valid warrant, court order, or subpoena — and that they will fight overly broad requests.

However, these policies have limitations:

Users can download their raw data and upload it elsewhere. Even if 23andMe refuses to share data with law enforcement, a user can download their raw DNA file from 23andMe and upload it to GEDmatch or any other platform — at which point the data is subject to that platform's policies, not 23andMe's.

Corporate policies are not law. A company's privacy policy is a unilateral promise that can be changed at any time. If 23andMe were acquired by a company with different privacy values — or if the company faced financial difficulties and saw its data as a monetizable asset — its current policies could be reversed.

Bankruptcy and data assets. In late 2023, 23andMe experienced a significant data breach, and the company subsequently faced severe financial difficulties, including a shareholder lawsuit and potential bankruptcy. The question of what happens to genetic data when a DTC testing company goes bankrupt — who acquires the data, under what restrictions, and whether users can effectively request deletion — remains largely unresolved by existing law.


The Fourth Amendment

The Fourth Amendment protects against unreasonable searches and seizures and generally requires a warrant based on probable cause. But GEDmatch is a publicly accessible platform where users voluntarily share their DNA. Under the "third-party doctrine," information voluntarily shared with a third party (the database) may lose Fourth Amendment protection.

However, the Supreme Court's 2018 decision in Carpenter v. United States limited the third-party doctrine for cell phone location data, holding that the pervasive and revealing nature of such data requires a warrant. Some legal scholars argue that genetic data — even more intimate and permanent than location data — should receive similar protection. But no court has yet applied Carpenter to genetic genealogy databases.

GINA

The Genetic Information Nondiscrimination Act prohibits genetic discrimination in health insurance and employment but does not restrict law enforcement use of genetic data. GINA was designed to protect against discrimination, not to regulate criminal investigations. The Golden State Killer case falls entirely outside GINA's scope.

State Laws

A few states have enacted laws addressing law enforcement use of consumer DNA databases. Maryland, in 2021, became the first state to require a court order for law enforcement to search consumer genetic databases and to limit such searches to violent crimes. Montana passed similar legislation. But most states have no specific restrictions, leaving the practice governed by platform policies and general Fourth Amendment principles.


The Debate: Safety vs. Privacy

The Case for Investigative Genetic Genealogy

The Golden State Killer case produced a genuinely compelling public safety result. A violent serial offender who had evaded justice for over 30 years was identified and brought to trial. Since the Golden State Killer arrest, investigative genetic genealogy has been used to solve hundreds of cold cases, including murders, sexual assaults, and unidentified remains. The technique has brought closure to victims' families and removed dangerous individuals from communities.

Proponents argue:

  • The data was voluntarily shared. GEDmatch users chose to upload their DNA to a public platform. Law enforcement did not hack, subpoena, or coerce access — they used the database in the same way any other user would.
  • The privacy intrusion is minimal. The investigation focused on genetic matching to identify potential relatives of the suspect, not on analyzing the health or trait information of GEDmatch users.
  • The stakes are extraordinary. Solving violent crimes — murders and rapes — is among the most compelling state interests recognized by law. The privacy cost of genetic genealogy should be weighed against the gravity of the crimes it helps solve.

The Case for Restriction

Privacy advocates and civil liberties organizations have raised equally compelling concerns:

  • Consent of relatives is impossible. The fundamental problem is not the consent of the GEDmatch user who uploaded their data — it is the consent of every biological relative whose genetic information was implicitly shared. No consent mechanism exists for this externality. A person who has never taken a genetic test, never used GEDmatch, and never consented to anything can be identified through a relative's voluntary upload.
  • Function creep is predictable. The Golden State Killer case involved a serial murderer. But the technique has since been used for less severe crimes, and there is no principled stopping point. If genetic genealogy is acceptable for murder, what about assault? Burglary? Immigration enforcement? Without clear legal boundaries, the technique will inevitably expand.
  • Chilling effects on genetic testing. If people fear that their genetic data might be used by law enforcement — against them or their relatives — they may avoid DTC genetic testing, genetic research participation, or clinical genetic testing. This chilling effect could impede medical research and personal health management.
  • Disparate impact. Genetic genealogy databases are not representative of the population. They are disproportionately used by white Americans of European descent interested in genealogy. This means the technique is more effective at identifying suspects with European ancestry, creating a disparate surveillance effect based on race and ethnicity.

Discussion Questions

  1. The consent externality. You take a 23andMe test for ancestry purposes. You never upload your data to GEDmatch. But your third cousin does. Years later, your DNA is identifiable through your cousin's upload. Did you consent to this? Should the law protect you from your cousin's decision? How would you design a consent framework that addresses this problem?

  2. The line-drawing problem. Investigative genetic genealogy solved a serial murder case. Would you support its use for: (a) a single murder, (b) a sexual assault, (c) an armed robbery, (d) a burglary, (e) a hit-and-run traffic fatality, (f) a missing persons case? Where do you draw the line, and what principle justifies your distinction?

  3. The bankruptcy question. If 23andMe goes bankrupt, its genetic database — containing DNA data on 14+ million people — becomes a corporate asset that could be sold to the highest bidder. What legal protections should exist for genetic data in bankruptcy proceedings? Should genetic data be treated differently from other corporate assets?

  4. Connecting to Mira and VitraMed. Mira's father is considering a partnership between VitraMed and a DTC genetic testing company (see Exercise B.3 in this chapter). Based on the 23andMe and Golden State Killer case, what specific risks should Mira raise with her father about combining clinical health records with genetic data?


Your Turn: Mini-Project

Option A: Policy Analysis. Research Maryland's 2021 law restricting law enforcement use of consumer genetic databases. Write a 1,000-word analysis covering: (a) what the law requires, (b) how it balances public safety and privacy interests, (c) how it differs from the approach of states without such laws, and (d) whether you would recommend similar legislation in your own state.

Option B: The Family Perspective. Imagine you discover that a relative uploaded their DNA to GEDmatch without consulting you. Write a 1,000-word reflection from three perspectives: your own (as a relative whose genetic data is now exposed), your relative's (who acted voluntarily and in good faith), and a law enforcement investigator's (who might use the data to solve a crime). Is there a resolution that respects all three perspectives?

Option C: Database Governance. Design a governance framework for a genetic genealogy database that balances openness for genealogical research with restrictions on law enforcement and commercial use. Your framework should address: (1) user consent and opt-in/opt-out mechanisms, (2) the consent externality for genetic relatives, (3) law enforcement access requirements, (4) commercial use restrictions, and (5) data retention and deletion policies.


References

  • Holes, Paul, and Robin Gaby Fisher. Unmasked: My Twenty-Five Years as the Golden State Killer. New York: Celadon Books, 2022.

  • Rae-Venter, Barbara. "Forensic Genealogy: An Introduction." Forensic Science International: Genetics 44 (2020): 102168.

  • Erlich, Yaniv, Tal Shor, Itsik Pe'er, and Shai Carmi. "Identity Inference of Genomic Data Using Long-Range Familial Searches." Science 362, no. 6415 (2018): 690-694.

  • Murphy, Erin. "Forensic DNA Typing." Annual Review of Criminology 1 (2018): 497-515.

  • Ram, Natalie, Christi J. Guerrini, and Amy L. McGuire. "Genealogy Databases and the Future of Criminal Investigation." Science 360, no. 6393 (2018): 1078-1079.

  • Carpenter v. United States, 585 U.S. ___ (2018).

  • Genetic Information Nondiscrimination Act (GINA), Pub. L. 110-233, 122 Stat. 881 (2008).

  • Greytak, Ellen M., et al. "Genetic Genealogy for Cold Case and Active Investigations." Forensic Science International 299 (2019): 103-113.

  • Guerrini, Christi J., Jill O. Robinson, Devan Petersen, and Amy L. McGuire. "Should Police Have Access to Genetic Genealogy Databases? Capturing the Golden State Killer and Other Criminals Using a Controversial New Forensic Technique." PLOS Biology 16, no. 10 (2018): e2006906.