Genealogy sites aren’t just useful for researching your family tree anymore, after genetic information from one platform helped solve a four-decade old cold case in the Golden State. Now, privacy experts say everyone should be aware of what information they give away with their DNA.
The Golden State Killer case baffled police for decades. But the man believed to have murdered at least 12 people and raped 50 women across California between 1976 and 1986 was finally captured. The alleged killer, Joseph James Deangelo, a 72-year-old former police officer, was arrested on Tuesday by Federal Bureau of Investigation agents. It was done with the help of two pieces of DNA evidence discarded at the scene of the crime and a small, independent genealogy site.
The FBI submitted DNA to GEDMatch under a fake name.
Authorities found the alleged serial killer by submitting the DNA sample to genealogy site GEDMatch under a fake name. On Friday, GEDMatch, a Lake Worth, Fla.-based site confirmed its DNA-matching service was used. “Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses,” spokesman Curtis Rogers told MarketWatch.
DNA could eventually affect your ability to get a job or insurance
It is never been easier to share your DNA with the world. “Everything the police did is something your Aunt Sally could do,” said Erin Murphy, professor at New York University School of Law. “We are still learning about what the genome will be able to tell us and the legal structures are not in place to circumscribe that information,” she says. “If we are able to use genomes to predict behavioral traits, that could affect your ability to get a job or your ability to get insurance.”
‘Everything the police did is something your Aunt Sally could do.’
The FBI’s use of genealogy sites is only the beginning, Murphy says. The latest case involving GEDMatch is “a wake-up call” to rethink our relationship with these technologies—in the same way people are re-examining their relationship with Facebook FB, -0.33% after recent privacy violations at the social media site, she says. “I don’t think we want to live in a world where no one can have any data,” Murphy says. “Nor do I think we should have total transparency for police.”
“We’ve been warning people about this for years,” says Pam Dixon, executive director of the World Privacy Forum, a Washington, D.C.-based think tank. “When you upload your DNA to a company like GEDMatch, you don’t have federal privacy protections under HIPPA.” The Health Insurance Portability and Accountability Act of 1996 restricts who is allowed to access medical information, but this only applies to health-care providers, health-care clearinghouses and health plans.
Parents and children could find out that they’re not related
People who don’t contribute their DNA to sites may also be affected, says Kayte Spector-Bagdady, an assistant professor in the Department of Obstetrics and Gynecology at the University of Michigan Medical School. The Golden State Killer suspect, for example, didn’t contribute his own DNA. “He was smart enough to avoid that,” she says. “GEDMatch even captures third and fourth cousins. There’s no way to control what your blood relatives do.”
‘There’s no way to control what your blood relatives do.’
There are other implications for people who yearn to create their family tree online. Among them: “People who donated sperm anonymously could later be outed by family members through these ancestry-matching companies that they didn’t contribute to themselves,” Spector-Bagdady says. “A child could contribute their data and realize they have siblings they didn’t know about it, or realize that their social father is not actually their biological father.”
It is also possible to “reverse identify” people through their DNA. One study using software and internet searches, published in the journal Science in 2013, demonstrated that surnames can be recovered by matching the Y chromosome of an anonymous subject to genetic data from, say, a third cousin with a known surname. In 2008, the Translational Genomics Research Institute, a nonprofit research firm in Scottsdale, Ariz., published a similar study.
Genealogy sites outline their privacy protection policies
23andMe and Ancestry.com, which weren’t involved in the capture of the Golden State Killer, have lengthy privacy policies. 23andMe states: “We will not sell, lease or rent your individual-level information to any third party or to a third party for research purposes without your explicit consent.” Similarly, Ancestry.com’s policy states it doesn’t share genetic information with employers, insurance providers, or third-party marketers “without your consent.”
Genealogy must balance the common good with privacy.
A spokesman for 23andMe told MarketWatch, “23andMe has never given customer information to law enforcement officials.” A spokesperson for Ancestry.com said the site releases an annual online transparency report. According to that report, “We received no requests for information related to genetic information of any Ancestry member, and we did not disclose any such information to law enforcement.” Genealogy packages start at $79.99 on 23andMe and $59 on Ancestry.com.
These sites must balance the common good with an individual’s privacy. “Isn’t is a good thing to have caught this killer? Yes, it is,” Dixon says. “But what if there’s a significant disease running in your biological family and you are adopted? Should you find and tell your relatives? What about custody cases or ownership claims? All of these questions introduce profound ethical issues. The old world of ‘I have nothing to hide, so I’m not concerned’ is no longer applicable.”