Does DNA testing put your privacy at risk?

You’re probably living under a rock if you haven’t heard the term “Golden State Killer” at least once in the past week. A decades-old serial killer and rapist was allegedly caught thanks to a combination of old-fashioned police work and technology known as familial DNA. Besides the expected buzz over the hopeful conclusion of an unsolved case, many people have been up in arms about the privacy implications of the authorities’ use of DNA testing websites and other resources to generate new leads. Whether your feelings about this story lean toward excitement that new techniques are being used to crack cold cases, trepidation over what this might mean for privacy rights or ambivalence, it’s important to sort out fact from fiction to determine what kinds of risks DNA testing websites pose to the general public. To help you out, we’re getting to the bottom of the most frequently asked questions surrounding this case and others like it.

How exactly did DNA testing websites factor into the killer’s capture?

As this was a cold case, the DNA used languished in storage for many years, after any potential leads connecting it with a known offender had been exhausted. The FBI operates a database that contains DNA samples taken from convicted offenders, arrestees and others in the judicial system, but no hits had ever come up on this perpetrator’s sample. California authorities tried an alternative method to find a match: they created a fake identity and uploaded the killer’s genetic code to a free, open-source website database, GEDmatch, and used the results to craft a family tree and narrow down potential suspects based on factors like age, location and more. This eventually led them to a man named Joseph DeAngelo, whom they surveilled in order to collect his discarded DNA (e.g., trash) and match it to their existing DNA sample before arresting him. The arrest brought joy and trepidation in equal amounts, the latter mostly due to the fears of massive privacy invasion it brought to mind.

Has this type of technique been used before?

While this technique isn’t one that has been used often, it’s not brand new. The first example of police using familial DNA to solve a cold case happened in the U.K. in the early 2000s, when a DNA sample from a notorious murder was partially matched to a teenage boy. He was too young to be a suspect, having not yet been born when the crime was committed, but the connection led U.K. police to his uncle, who was arrested and convicted for the crime. And in the U.S. in 2010, a serial killer nicknamed the Grim Sleeper was caught thanks to a partial DNA match to the murderer’s son, found when the son was booked into the prison system. In both of these instances, however, it’s important to note that investigators still relied on the official system to succeed, as the DNA that helped lead law enforcement to the true perpetrator was already in the system.

The use of non-official databases to conduct familial DNA research for criminal cases is a much stickier subject. It can produce powerful results, such as an instance in 2014 when police gave a genealogist they met at a conference the DNA profile of a killer in a cold case. Within two months, the researcher sent them the killer’s likely last name and eventually, this helped them track down the perpetrator and make an arrest. Murders and other violent crimes aren’t the only cases being solved with this technology either; a major identity thief was caught in 2016 thanks to familial DNA.

What is the success rate?

Exciting as these successful captures might be, there is a bigger risk for false positives in this type of research, which could put innocent people in the crosshairs of law enforcement and risk ruining their lives. Take the case of Michael Usry, as reported on by Wired, whom police zeroed in on as a potential suspect for a 1998 murder after getting a positive hit on his father’s DNA in an open database owned by genealogy service Ancestry. After getting Usry’s father’s name from Ancestry, police picked him up and took a cheek swab for further DNA testing. A nerve-wracking 33 days later, Usry was proven innocent. Unfortunately, a 2014 study in the U.K. (noted in Wired’s piece) determined that only 17% of familial DNA searches resulted in the identification of a relative of the true offender in a case. That’s an alarming 83% failure rate, something that has not gone unnoticed by critics. It’s also important to remember that, especially for older cases from times with lax or nonexistent regulations around collecting evidence, the risk for cross-contamination increases the potential for false positives.

Are there regulations regarding this investigation technique?

You might be wondering what kind of regulations, if any, there are surrounding the use of familial DNA in criminal investigations. Unfortunately, there isn’t much yet. Maryland and the District of Columbia have both outright banned familial DNA searches by law enforcement, while other states, including California — where the Golden State Killer case takes place — highly regulate it. Most states, however, have no regulations in place one way or another due to this technology being relatively new and sparsely used. Wired explains that, in California, police are required to get permission from a committee run by the state department of justice before even running a search. Furthermore, the search must yield a match that conforms to the rigorous criteria set for reliability, including proof that the results share an identical Y-chromosome (which is passed directly from father to son). A report in 2012 revealed that only about 10% of searches turn up a match that warrants a follow-up investigation.

What are the arguments against use of this technology by law enforcement?

Coming on the heels of the privacy fervor sparked by Facebook’s Cambridge Analytica scandal, it’s no surprise that many people are up in arms about the potential privacy risks presented by the use of this technology by law enforcement. It’s one thing to use a database maintained and regulated by the FBI, which comprises DNA taken knowingly from those in it, but unregulated databases used by the general public or private companies for the purposes of tracing ancestry and genetic health are quite another. For one thing, as we’ve already discussed, there’s a high risk for false positives. In fact, that factored into this case itself, as last year police mistakenly pegged a man in Oregon for the Golden State Killer. While this technology can certainly be useful in solving crimes, critics argue that it should be highly regulated and that laws should be written or updated to account for the rights of American citizens. For example, if someone is proven innocent (as with the Usry case), it should be forbidden for law enforcement to keep their genetic material on file.

If I am a member of a DNA testing website, is my privacy at risk?

For the average person, this probably boils down to worries about personal privacy risks. If you have ever used a DNA testing website like 23andMe or Ancestry, you might be wondering whether your genetic information is available for law enforcement to access anytime it wants. Here are some important facts to keep in mind:

Commercial DNA testing websites have strong privacy policies. Fortunately, for users of private commercial websites, there are usually strong privacy policies in place that protect the rights of the consumer and their DNA. Many of them straight out say they do not cooperate with law enforcement. 23andMe has an entire page on its site detailing its policies when it comes to dealing with law enforcement requests. Although Ancestry did comply in 2014 with the Usry case, it has since removed the database that law officers used, and no longer complies with law enforcement requests for access or information. You can read its privacy policy on its website. The best thing for you to do, whether you’ve utilized a DNA testing site in the past or plan to in the future, is to thoroughly read all privacy policies and terms of service to understand your rights and what is and is not allowed when it comes to your submitted DNA.

Not just any DNA can be used. It’s important to understand that the website law enforcement in California used to crack the Golden State Killer case is not a DNA testing service. It does not do any DNA testing itself, and sites that do testing usually require a sample that needs a live human being to produce (e.g., a large amount of saliva or a cheek swab). When it comes to the DNA found at crime scenes, those evidence samples are rarely going to pass muster for submitting to a commercial DNA testing service. That’s why law enforcement has its own labs, which are trained in the testing of genetic material obtained from crime scenes. GEDmatch allows anyone to upload raw data files containing their DNA information to its database, which is how California law enforcement was able to get the cold case DNA sample into the database in the first place. It’s unlikely, even if law enforcement were to bypass the terms of use for a commercial testing site, that it would be able to get a cold case DNA sample accepted.

It’s up to you to protect your data. When your data is in the hands of the service you used to conduct your DNA testing, it’s protected by privacy policies. However, if you elect to download the data for your own use, it’s in your hands and becomes something you need to protect. For the most part, the people who uploaded their genetic information to GEDmatch elected to do so, and the site has released a statement indicating that its terms of service warn users that the databases could be used for other purposes besides the expected. If you are worried about the potential for law enforcement or other entities to connect your DNA to a crime or something else, your best bet is to not utilize a publicly accessible database. If you already have, know that you can always request that your information be removed. Finally, if you are keeping raw data files on your computer, protect them the same way you would any other sensitive information by storing them in a password-protected folder or encrypted hard drive.

It’s likely that, as DNA technology and research grow in sophistication, we will see even more cases like this come to light. The ethical and legal issues that arise will need to be fought out by lawmakers and other policy experts. In the meantime, the best the average person can do is pay attention when giving up their personal information and make informed decisions about what technology and websites to use. Learn more by following our privacy blog, which details the best ways to maintain your privacy in the Digital Age.