Jay Antico, manager of clinical lab, stands before tubes of saliva that consumers have sent to Ancestry for DNA analysis on April 12, 2018 at the Illumina headquarters in La Jolla, Cal. Ancestry, a Utah-based company, contracts with Illumina to conduct the laboratory analysis that has attracted millions of customers but also raised long-term privacy concerns. (Stuart Leavenworth/McClatchy/TNS)
Jay Antico, manager of clinical lab, stands before tubes of saliva that consumers have sent to Ancestry for DNA analysis on April 12, 2018 at the Illumina headquarters in La Jolla, Cal. Ancestry, a Utah-based company, contracts with Illumina to conduct the laboratory analysis that has attracted millions of customers but also raised long-term privacy concerns. (Stuart Leavenworth/McClatchy/TNS) Credit: Stuart Leavenworth

The apprehension last month of a suspect in the notorious Golden State Killer cold case resulted from a remarkable piece of detective work, as detailed in a Los Angeles Times story published in the Sunday Valley News last week. It also raises a red flag about potential invasions of privacy that would dwarf the massive Facebook-Cambridge Analytica data breach, in which the personal information of more than 70 million users was shared without their knowledge or permission.

Joseph James DeAngelo Jr., the suspect arrested in connection with a 10-year rampage of rapes and murders in California, was identified by investigators using an amateur genealogy website called GEDmatch.com. Anyone can set up a free profile on the site by uploading a DNA sample in hopes of finding, for example, long-lost relatives. An open-source platform, it has been described as the Wikipedia of DNA.

Using a DNA sample from the scene of a rape and murder in 1980, investigators used the site to find common relatives dating back as far as the early 1800s. They eventually worked their way down the family tree, winnowing the myriad possibilities through more conventional, tried-and-true detective work before zeroing in on DeAngelo. This enterprising approach won plaudits from those who lived through the Golden State Killerโ€™s reign of terror from the mid-1970s to the mid-1980s, but privacy experts expressed grave misgivings.

While GEDmatchโ€™s privacy policy warns users that the data, which is not encrypted and is stored in plain text, could be used for other purposes besides genealogical research, itโ€™s a safe bet that many of them never imagined it would be used as a crime-solving tool. And investigators did not require a warrant to access it, although The New York Times notes that they would have to have certified online that the DNA was their own or that of someone for whom they were legal guardians or that they had โ€œobtained authorizationโ€ to upload the sample. Whether that certification will withstand a legal challenge remains to be seen, but that is beside the much bigger point.

GEDmatch stores about 950,000 user profiles, while the commercial sites 23andMe and Ancestry.com have a combined total of about 15 million customers. The DNA stored in these databases also contains genetic information about many millions of other family members who may have no wish to disclose it and have not given permission for it to be used in this fashion. As The New York Times notes, โ€œA lot can be learned about a family simply by accessing one memberโ€™s DNA.โ€

With advances in technology that allow the highly accurate identification of people by small variations in their DNA, law enforcement has created its own databases of samples taken from those convicted โ€” and sometimes those merely accused โ€” of crimes. These DNA profiles can be held indefinitely.

But the enormous popularity of genetic testing sites as aids in genealogy research or in finding hereditary diseases creates a whole other dimension in their possible use for investigative purposes. The privacy of millions of unwitting people is implicated, and site users themselves may well not have carefully considered all the ways in which their genetic profile might be used.

Presumably a search warrant would be required for police to access data on one of the larger commercial sites. But what would constitute probable cause for obtaining one? Would the mere probability that a match would be found on these databases that contain information about millions of people suffice? If so, it would enable fishing expeditions of the kind that the Fourth Amendment was expressly intended to prohibit.

There is also good reason to fear that hackers might misappropriate information from such databases to use for their own purposes, some of which have very possibly not even been thought of yet. Imaginative expropriation of data is a signature of the digital age.

The many practical and ethical questions this situation presents should not obscure one central fact, though. As a matter of individual responsibility, no person has the right to knowingly compromise the intimate personal information of relatives, no matter how distant, without their knowledge or consent.