A third-party genealogy database was a critical resource for the arrest in a cold case that stumped California law enforcement for decades.
But the use of family members' DNA without their consent to find the "Golden State Killer" has highlighted potential privacy concerns involved with genealogy databases and DNA testing.
Those who participate in DNA testing websites "are doing it for the purposes of genealogy, family history and in some cases finding their biological family," CeCe Moore, an independent genetic genealogist, told ABC News.
For "most it never even occurred to them [that] their DNA might be used to identify a serial killer or any sort of perpetrator," Moore said. "If people didn't know their DNA was being used in that way, they couldn't have consented to it. And if they didn't consent to it is that ethically questionable? These are things that need to be considered."
There are different kinds of genealogy sites available. Companies like AncestryDNA and 23AndMe, which are direct-to-consumer, generally do not allow their DNA samples to be searched by authorities. GEDmatch, however, permits people to upload their DNA information to the site, and the samples are widely available for searches.
According to Moore, customers using commercial DNA companies like 23AndMe have legal teams who "work very hard to protect their customers' privacy. In fact, it's probably their biggest priority. I don't think people need to have a lot of concerns about that."
In the case of the "Golden State Killer," Moore said, "it would have been extremely difficult if not impossible to have gotten the [mystery killer's] DNA into those companies' databases. For example, at AncestryDNA and 23AndMe you have to use a lot of saliva. So only a living person can do that. You can't get it from crime scenes."
But, these companies do allow users to download their raw data, she continued.
"So once your results are processed, there's a file you can download to your computer. Once you do that, the company can no longer be responsible for the privacy of your data," she said.
"Then you have control of your own data, as you should," Moore said. "But you need to think about from there what you are doing with it. Some people upload it to a whole bunch of different sites trying to get more information. But if you are concerned about your genetic privacy then you need to really educate yourself on the privacy policies of those sites that you might use."
She continued, "If you're someone who highly values your privacy then [third-party sites like GEDMatch] may not be something you want to participate in because you can't be guaranteed the same level of protection that you would from a huge corporation."
Moore said the genealogy "community has a lot of trust in GEDmatch," which she said has nearly 1 million users and is often used to resolve family mysteries and adoption cases. However, GEDmatch "couldn't control how someone might use their database because they allow uploads. That's how they function. They're not the ones testing the DNA -- they're accepting raw data files from the commercial companies that test the data. That's their purpose."
It was GEDmatch that helped track down the suspected "Golden State Killer," believed to have committed 12 murders, at least 50 rapes and multiple home burglaries throughout California in the 1970s and 1980s.
In the "Golden State Killer" investigation, law enforcement uploaded the mystery killer's DNA to GEDmatch in an effort to match his information with the other profiles on the site, Moore said.
Based on the pool of people with their information on the genealogy website, investigators were then able to build a family tree of the unknown killer’s relatives, authorities said.
They narrowed the search based on age, location and other characteristics, eventually leading them to 72-year-old Joseph DeAngelo, Sacramento County District Attorney Anne Marie Schubert told ABC News.
Authorities surveilled DeAngelo and collected his discarded DNA. Then they plugged that DNA back into the genealogy database and found a match, linking DeAngelo's DNA to the "Golden State Killer" DNA gathered at multiple crime scenes, Schubert said.
DeAngelo was taken into custody on Tuesday. He has not entered a plea.
GEDmatch said in an April 27 statement, "We understand that the GEDmatch database was used to help identify the Golden State Killer. Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses, as set forth in the Site Policy."
"While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes," the statement added. "If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded. To delete your registration contact firstname.lastname@example.org."
District Attorney Greg Totten of Ventura County -- where the unknown killer's DNA was first retrieved from a 1980 double murder -- said genealogy databases are a powerful tool for solving case homicides. He challenges the notion that these sites can violate users' privacy.
"People use this database to search their family tree, to search for relatives. It is a public database," Totten told ABC News. "And the bottom line here is we have brought a serial killer, serial rapist and a dangerous predator to justice as a result of that."
He added, "For the crime victims, the horror of the crime, the sense of loss, just the harm that is done by the crime, it can be lifelong. So perhaps the most gratifying aspect of this case was we could finally begin the healing process and the closure process for the countless victims that this individual had preyed upon."
After 30-year-old New York resident Karina Vetrano was strangled to death while on a jog in 2016, her grieving father poured his energy into advocating for familial DNA testing in the state. Before an arrest was made, Phil Vetrano hoped to use the DNA recovered from the crime scene to identify a possible suspect in his daughter's killing.
Police did not use familial DNA testing to make their case against the man arrested in Karina Vetrano’s case, but Phil Vetrano didn't stop advocating for its use in New York state, paving the way for its approval in 2017.
But familial DNA testing has drawn criticism from some attorneys and civil liberties advocates, who say that it unfairly involves law-abiding people in cases because of their family members.
Jay Stanley, a senior policy analyst with the American Civil Liberties Union (ACLU), is concerned about how DNA searches could impact innocent people.
"Everybody is glad to see a case like this solved," he said of the "Golden State Killer" arrest. "But we have to be mindful of the precedents that are set, and how innocent people could be affected down the line."
Stanley said the "Golden State Killer" case raises civil liberties issues including "the uploading of the suspect’s DNA to the genealogy web site, the sequencing of so-called ‘abandoned DNA’ without a warrant, and the use of ‘familial DNA’ searches."
"By uploading the suspect’s DNA to the genealogy site, the police in this case have set a precedent for making a crime suspect’s DNA public. Where will this lead? Not all suspects are guilty," Stanely said. "'Abandoned' DNA should not be sequenced by the government without a warrant. Otherwise, all of us are susceptible to having our DNA sequenced at any time, because we all leave DNA behind everywhere we go."
"At a minimum, familial DNA searches need to be subject to stringent checks and balances and transparency requirements," he said. "More than one person has submitted their DNA to a database only to have a family member wrongly targeted as a top suspect in a murder investigation because of a partial DNA match."
A spokesperson for direct-to-consumer DNA testing company AncestryDNA said it "advocates for its members’ privacy and will not share any information with law enforcement unless compelled to by valid legal process."
The company said it didn't receive any valid legal requests for genetic information in the last three years.
A spokesperson for 23andMe, another direct-to-consumer DNA testing company, said it "has never given customer information to law enforcement officials, and we do not share information with employers or insurance companies, ever, under any circumstance."
"Unlike GEDMatch, 23andMe is a private platform, it's not possible to take information from external databases and cross reference with information from ours," the spokesperson said. "Further, we do not share customer data with any public databases, or with entities that may increase the risk of law enforcement access."
"Our research with academic and industry collaborators is conducted only with qualified researchers to better understand and treat disease. This research involves de-identified, summarized data from customers who consent to participate in research," the company said. "No individual or personally identifiable information (name, email, address, etc.) is shared. Research consent is completely optional and requires a signed informed consent document, separate from our terms of service. Our research collaborations are governed by strict privacy protocols. All of our research partners are required to meet the same rigorous privacy and security standards we hold ourselves to, including robust technical and organizational controls."