What does the “Golden State Killer” case mean for genetic privacy?

It’s a story that seems straight out of a CSI episode: A cold case involving a string of rapes and murders. A crime-scene DNA sample that sat in a freezer for decades. A forensic criminologist who thought outside the box to dig deeper. And a new technology that led him right to the suspect’s doorstep.

The background

The “Golden State Killer,” “East Side Rapist” and “Visalia Ransacker” – as he was variably known – was responsible for a spree of murders, rapes and robberies across Southern California during the ’70s and ’80s. Over the course of a decade, he allegedly killed 12 people, raped 45 women and burglarized more than 120 homes.

The crimes involved certain quirks and rituals that made authorities believe they were the work of a serial killer – and an intelligent one at that. He put meticulous planning into pursuing his victims, stalking them, burglarizing their homes and memorizing their routines (as well as earning himself another moniker – “The Original Nightstalker”). He toyed with law enforcement, at times even tipping them off to his next targets, yet continually evaded their clutches. Spurred by widespread public hysteria about when and where the killer would strike next, investigators at that time were desperate to crack the case, even enlisting a military special forces officer and a psychic to help. Still, nothing.

The breakthrough

Forty-some years later, law enforcement again got creative (and clever). By now, most of the DNA samples collected at the crime scenes had degraded. Yet one sample stowed away in a crime lab freezer was unusually well-preserved. When it didn’t match any DNA profiles of convicted felons in federal or state databases, investigators uploaded it to GEDMatch.com, an open-source genealogy database designed to help users connect with long-lost relatives. There, they found matches of distant relatives, and eventually zeroed in on the 72-year-old suspect – who, on top of a prolific criminal career, had a brief career in law enforcement. A DNA swab covertly collected from the suspect’s trash matched the crime-scene sample.

Open-source DNA databases and data privacy

In the wake of the Cambridge Analytica scandal, data privacy still looms large. And this case presents a powerful example of how personal online information can be used in ways never foreseen or intended.

DNA testing has taken off in recent years, with millions of Americans voluntarily submitting their genetic information to genealogy databases like GEDMatch and Ancestry. “Biobanks” of genetic data are valuable commodities. They can be bought and sold to researchers, insurance companies and other third parties – often without users’ knowledge, thanks to permissive language buried in the terms of service.

Few users realize that, by sharing their DNA profiles online, they’re not only exposing their own genetic information but also their relatives’. What begins as an innocent quest to identify distant relations could end up casting a wide net of criminal suspicion.

That’s exactly what happened in the Golden State Killer case. The suspect never submitted his own DNA sample to GEDMatch. But his distant relatives did. And that allowed law enforcement – through a fake user account – to hone in on him through his family tree.

A slippery slope?

While many are quick to celebrate the outcome, this approach raises an age-old question: Does the end justify the means? More specifically, should law enforcement have access to vast databases of genetic information? Should employers? Dating services? Insurance companies? Is this the first step down the slippery slope toward genetic surveillance?

Genetic data is far more intimate than Facebook profiles or “shadow profiles.” Even with identifying information stripped away – name, age, sex and the like – the DNA itself is an identifier. A mere handful of gene sequences can be readily traced to a single individual.

Limited legal protections

Finding DNA matches through relatives is often a fishing expedition. Though investigators eventually struck gold in this case, at first, they struck out. They initially misidentified an elderly Oregon man as a suspect based on his family tree. Only after securing a warrant to compel a DNA sample did they exonerate the man. In another case, a 36-year-old filmmaker became a murder suspect when police ran crime-scene samples through a DNA database of convicted felons and found similarities to the filmmaker’s father. (He was likewise exonerated.)

The latter approach – running familial searches through state and federal DNA databases of convicted felons – isn’t commonplace in California. In fact, before police can pursue that path, they must get clearance from a state oversight committee.

Federal law, too, provides at least minimal limits for the use of genetic data. The Genetic Information & Nondiscrimination Act of 2008 prevents health insurers and employers from making certain decisions based on DNA profiling.

Still, it’s clear that the law hasn’t kept pace with the rapid development of technology – or the complex ethical issues these databases raise.