News of the apprehension of one of the most notorious serial killers in history, the Golden State Killer, was nearly upstaged by the innovative means police used to discover his identity. Through publicly available information on a genealogy website, police were able to identify suspect Joseph DeAngelo based on the DNA of the alleged killer’s family members who had used the service. But law enforcement’s move to close a painful chapter of California history has also opened a Pandora’s box of privacy concerns.
To crack the decades-old cold case, investigators took a crime scene DNA sample and ran it through GEDmatch, a free, open-source database of more than 650,000 genetically connected profiles. Primarily created for individuals (who had their DNA files in an electronic format, from sites like Ancestry.com and 23andMe) to find family members online, the website established a relationship between the crime scene DNA and one of its users. This allowed police to use an extended family tree to create a list of suspects that included DeAngelo. Then, police took a piece of discarded tissue paper from DeAngelo’s trash and matched it with the DNA from the crime scene. No warrant or court order was ever sought or required.
The Golden State Killer case highlights the ever-expanding nature of data collection that most of us are powerless to resist. For example, Facebook recently conceded that it accumulates information even on nonusers based in part on information voluntarily uploaded by its users. Similarly, DeAngelo was not a user of GEDmatch or any other private DNA site, but was located through the data of a relative, who was a user. Thus, while the attention today is on familial DNA and genealogy websites, it’s not hard to imagine future investigators turning to social media or other technology companies to glean information on the locations, habits and associations of even nonusers of those services.
PROTECTING FOURTH-PARTY PRIVACY
Our protection against government searches boils down to our conception of what constitutes a “reasonable expectation of privacy” in a given circumstance. Generally speaking, if someone has such an expectation, then the government needs to obtain a warrant or go through some other form of legal process to gain access to the desired information. Such access is regularly granted without any process in many instances because of the doctrine of third-party consent. This doctrine applies in situations where we’ve entrusted a third party with authority over a shared space – such as a shared apartment – or with particular information – such as with a phone or internet data.
Where we struggle, however, is in extending privacy protections to genealogy searches and other instances of mass data collection that involve the introduction of a fourth party. The third-party consent doctrine still relies on our own actions; we’ve (perhaps foolishly) trusted a third party with authority or information, and the government uses that trust to establish consent. But in these new fourth-party cases, we may not have given up the expectation of privacy. Our agency – and the implicit, transferable consent it carries with it – is suddenly no longer present.
With the massive amounts of data now available, police can completely circumvent the limitations of more traditional search methods. One way to understand this new paradigm is a jigsaw puzzle in which each piece represents the personal information of an individual. Imagine the police want access to your piece: until very recently, they had to find a legal way, such as obtaining a court order, to access it. However, a combination of mass data collection and advanced analytics now allows investigators to effectively recreate your piece by assembling the surrounding ones. You could be a nonuser who has explicitly opted out of sharing your jigsaw piece – but that may not matter.
The problem is that the government is rarely able to secure all of the pieces that border yours. Inevitably, there are inaccuracies and conjectures involved. For example, police still had to sift through over 100 potential suspects in the Golden State Killer case and initially targeted the wrong one. DNA mishaps and misidentifications can have dire consequences, including improper arrests and incarceration of innocent individuals swept up in the dragnet. In 2014, a New Orleans native named Michael Usry was arrested for a 1996 murder based on a partial familial DNA match. After spending 33 days in police custody, the investigators realized they had the wrong person and released him.
The thorny implications of fourth-party searches have begun to creep into state law and policy, at least as it applies to familial DNA searches and government DNA databases. Maryland and the District of Columbia have outright banned these searches, preventing individuals from inadvertently becoming genetic informants on their families. A handful of other states have sought to limit the use of DNA searches and to provide more oversight. In California, only a limited subset of cases qualify for familial DNA searches, and a police department is required to submit its request before a panel of the state’s Department of Justice for review.
While it is comforting to think that fourth-party searches are subject to at least some level of oversight, internal panels and policies such as California’s are simply insufficient. Our whole warrant system is premised on the belief that the review of a neutral arbiter – the judiciary – is essential to balancing individual rights with public prerogatives. Similarly, preventing wide-scale abuse of these supercharged search methods likely requires robust public reporting around the frequency and manner of their use.
None of this argument suggests that the police acted improperly in the Golden State Killer case – the world is clearly better off with the culprit behind bars. But even if we cheer the result, we should examine the process. Today’s outlier can easily become tomorrow’s norm, and before we adopt powerful new search capabilities, we should more carefully circumscribe how they will be used.
Image credit: isak55 
- “isak55”: https://www.shutterstock.com/g/isak55