Almost a year ago, police apprehended Joseph DeAngelo—dubbed the Golden State Killer—for more than a dozen murders and 50 rapes committed in the 1970s and ’80s. His arrest was thanks to the advent of open-source DNA databases, which allowed law enforcement to match his DNA to that of a family member who had submitted their own genetic information for genealogical purposes. While this technology clearly helped bring DeAngelo to justice, it has raised a Pandora’s box of privacy concerns. One in particular has been largely neglected thus far by both policy advocates and the media.

DNA testing, once an expensive technology, is now so inexpensive that approximately 26 million people have taken advantage of it. With sites like and 23andMe, you can easily submit samples of your DNA and receive information about your family history and health. Both sites allow individuals to obtain raw DNA data files, which they can then upload to an open-source database like GEDmatch in order to connect them to distant family members. While the files are supposedly anonymous, one study found that an outside individual could identify an “anonymous” set of data using GEDmatch in just one day.

Anyone can upload genetic information—even if it’s not their own—to open-source sites. Officers can create a user profile for a suspect in a crime, upload the suspect’s DNA, and find a match, all without a court order of any kind. More than 20 arrests, many in cold cases, have occurred in the past year thanks to this technology, including one just last week in South Dakota.

In the months that followed the Golden State Killer’s arrest, the media applauded the use of technology to bring a “bad guy” to justice. At the same time, they also recognized some of the privacy concerns that this technology entails—namely the fact that when individuals submit their DNA to find family members, they probably don’t realize that the state could be using that information as part of a criminal investigation. Unlike fingerprints, DNA is linked across families, meaning that these individuals may unwittingly expose sensitive information about their family members to law enforcement.

But there’s another piece to the privacy puzzle—one less readily evident than the first piece but no less important: the suspect’s right to privacy. Indeed, suspects in these scenarios have no idea that law enforcement is uploading their DNA to a public website.

At first glance, this seems like a clear-cut case of the concern for public safety outweighing the right to privacy. After all, the suspect is the bad guy, and bad guys shouldn’t have a right to privacy regarding their identity.

But criminal cases are rarely so unambiguous. In this case, every step of the DNA process—from collection to testing to storage—requires human intervention, meaning human error can affect the outcome. For example, law enforcement may collect DNA from a crime scene that officers believe belongs to the suspect but in reality belongs to someone else. This could lead to officers uploading an innocent person’s DNA to a public database, thus compromising that individual’s identity without their consent. And even if the state tries to delete the open-source database file after discovering the mistake, there is no guarantee that a citizen sleuth, a hacker, or an insurance company hasn’t already copied the DNA data file for their own gain.

When mistakes are made with DNA, the cost is higher than ever. Unlike other pieces of information that have been improperly released—such as credit card numbers—biometric information like DNA cannot be changed. And even if the government does submit the correct person’s file, uploading a suspect’s DNA to an open database has significant repercussions and could affect a person’s ability to get a job or insurance—as both employers and insurance companies might discriminate against those with genetically determined risk.

The truth is that most criminal cases are not akin to that of the Golden State Killer—a man who committed dozens of violent crimes including burglary, rape, and murder for more than a decade—where suspending privacy feels like a relatively small price to pay to apprehend a serial killer. Rather, 80 percent of cases in state criminal dockets are misdemeanors like loitering, trespassing, and traffic violations. Additionally, the criminal justice system’s reach is vast—in fact, as many Americans have criminal records as have college degrees. Without regulations governing the uploading of DNA to open-source databases, we could soon be living in a future where many individuals’ sensitive information is routinely compromised.

What’s more, the data published on open-source websites includes more sensitive information than ever before, thanks to the way sites like 23andMe and engage in DNA testing. Before open-source databases, law enforcement relied solely on CODIS, an FBI database for internal use, which all states participate in. Additionally, law enforcement agents could only test noncoding regions of DNA, meaning that results would identify the individual but would not provide any other information about their health, appearance, or ancestry. However, sites like 23andMe and employ a different form of testing called single-nucleotide polymorphism, or SNP, testing. SNP testing is far more comprehensive than the FBI’s traditional testing: For example, advertises that it “tests a person’s entire genome at over 700,000 locations.” This means that when a suspect’s DNA is uploaded, it’s not just their identity at stake; their genetic predispositions, health information, and ancestry information could all be compromised. And while the government is allowed to possess sensitive information, this authorization does not give officials the right to publish it.

The harms of publishing a suspect’s DNA online will far outlive their time in the criminal justice system. We know that 95 percent of individuals will one day be released from incarceration and re-enter society. These individuals already struggle to secure employment, educational opportunities, and housing because of their convictions. In fact, as evidence has become increasingly clear that public safety suffers when individuals can’t reintegrate back into society, more states than ever before are considering expungement and record-sealing laws to try to give re-entering citizens a real chance at a fresh start.

It isn’t hard to imagine a world where individuals face another collateral cost to being involved in the justice system, one that expungement is unlikely to ever remedy: violations of their genetic privacy. By uploading their DNA data to a public website, where it would be accessible to insurance companies and employers alike, law enforcement might forever compromise the ability of a person to truly re-enter society. Even worse, the privacy rights of family members, including children of those involved in the system, could also be compromised.

DNA testing technology will only become cheaper, with the resulting databases growing ever more expansive. We have a window of opportunity to formulate policies to govern law enforcement’s use (and possible abuse) of these powerful tools. If we truly believe in second chances for those who have made mistakes, then we must also craft policies to protect suspects’ genetic privacy. 
