Law enforcement scored a breakthrough this week by using a DNA match to identify a suspect in California's East Area Rapist case. But that tactic has put genetic testing companies on the defensive and raised questions about their ability to protect consumer privacy as investigators increasingly seek out DNA databases to solve crimes.
Major testing companies such as Ancestry and 23andMe quickly denied being the source of genetic analysis that led Sacramento County deputies to arrest Joseph James DeAngelo as the notorious East Area Rapist, also known as the Golden State Killer. But those companies are rapidly building the world's largest DNA databases, which they may not be able to keep private if law enforcement uses court warrants and other means to access the data.
Erin Murphy, a New York University law professor and expert on genetic privacy, said it's only a matter of time before investigators collect DNA from a crime scene, and then obtain a court order for a company like Ancestry and 23andMe to provide the identity of any matches, either direct ones or those of relatives.
"Absolutely that could happen," said Murphy, author of "Inside the Cell," an examination of forensic investigations. "Right now, that would be legally cutting-edge, but it seems completely plausible."
Jennifer Lynch, a lawyer at the Electronic Frontier Foundation, said that despite DNA testing's promise in detecting health disorders, learning about ethnicity and helping police solve crimes, there are privacy perils that many people ignore when they spit in a tube and send it to a testing company.
"It raises so, so many issues," said Lynch, whose California-based group advocates for consumers of digital technology. "What will happen if one of these companies goes bankrupt in the future? Will the personal data they have collected be sold off just like any other asset?"
Ancestry and other companies have long revealed to consumers, in privacy statements, that their personal genetic information could be released in response to a court order.
"If we are compelled to disclose your personal Information to law enforcement, we will do our best to provide you with advance notice, unless we are prohibited under the law from doing so," the Ancestry privacy statement says. Helix and other DNA testing companies issue similar warnings.
But many consumers skim over those disclosures while navigating the flashy websites these companies use to tout their family history services.
There's also the potential for law enforcement to make a false match, turning innocent people into suspects.
In 2014, police in Idaho Falls, Idaho, were trying to solve a cold case from 1996, in which a young woman was murdered in her apartment. Police obtained DNA from the scene, but could not match it in criminal databases. So they went to a then-public database started by the Sorenson Molecular Genealogy Foundation, which held results for roughly 100,000 DNA tests and had recently been purchased by Ancestry.
That analysis and other matches led police to question a man named Michael Usry Jr., a New Orleans filmmaker. But after police took a sample of his DNA, they found — many weeks later — it did not match the sample found at the crime scene.
Murphy cites the false match as a cautionary tale. On the one hand, she said, DNA absolved Usry of murder. But before that, it put him under a cloud of suspicion for weeks. "Imagine what that would be like," she said. "Imagine what that would mean if an employer, or a girlfriend, found out."
Following that case, Ancestry put the Sorenson database behind a firewall and took other measures to tighten up its privacy policies, and other big consumer genetics companies followed suit. In response to the East Area Rapist case on Thursday, 23andMe went further than Ancestry by stating it is "our policy to resist law enforcement inquiries to protect customer privacy."
Sacramento investigators said they cracked the East Area Rapist case by comparing DNA at a crime scene to data found on a genealogical site, a story first reported by The Sacramento Bee. Initially, authorities declined to state which site it used, throwing suspicion toward Ancestry and the other big commercial testing services.
On Friday, investigators revealed they used a Florida-based, open-source web service called GEDmatch to tie DeAngelo to the killings. Apparently, one of DeAngelo's relatives had uploaded genetic information onto the site, providing enough of a match for investigators to identify a suspect.
GEDmatch is a free, nonprofit site that allows people to upload raw data from other sites like Ancestry or 23andMe to compare with others' DNA. By its very nature, GEDmatch has fewer privacy controls than for-profit commercial sites, which is why investigators could easily access it.
Murphy said that consumers may have no problem with law enforcement accessing their genetic information in pursuit of criminals. But easy access to private DNA information could compromise consumers in other ways, she said, such as if insurance companies or employees were to obtain it.
There's also the reality that many people are unaware that one or more of their close relatives have submitted DNA results to public or private sites. "It just takes one person in a family to reveal the genetic information of everyone in the family," she said.