Privacy questions behind catching suspected Golden State Killer

Privacy questions behind catching suspected Golden State Killer
© Getty Images

The Golden State Killer criminal investigation is an astonishing law enforcement accomplishment and a powerful signal of the reach of the police in the era of big data — but did breaking open this cold case breach acceptable privacy norms?

Here’s what we know. The Golden State Killer, alleged to be Joseph James DeAngelo, is now linked to an almost incomprehensible string of serious violent crimes: at least a dozen murders, 50 rapes, and more than 100 burglaries and home invasions committed over two decades. While that kind of rap sheet is common in true crime thrillers, in the real world the names of serial killers are etched in the public consciousness precisely because there are so few of them.

At the time of DeAngelo’s arrest, law enforcement officials announced that the Golden State Killer case was aided by DNA evidence from an unlikely source, a public DNA database. That DNA evidentiary trail deviates from business-as-usual practices intended to serve criminal investigators while simultaneously safeguarding evidence from contamination and privacy from invasion.


While the use of DNA to confirm a known suspect’s presence at a crime scene is relatively common, the use of DNA evidence to solve crimes with unknown offenders is far less common than popular media portray. Drawing on my experimental research on the use of DNA to aid felony criminal justice investigations in Los Angeles and Orange County (CA), among other U.S. cities, I would suggest it is used sparingly. Over the last several days, we have learned that the approach used in the Golden State Killer case is rarer still — the use of public DNA databases — the same ones you and I can use to connect with estranged relatives and to learn about our ancestry.

Typically, crime scene investigators will collect what they call questioned evidence — evidence suspected to have been left by the offender — from the crime scene. Following strict protocols maintaining chain of custody, that evidence is processed in the local crime lab, and where possible, a DNA profile is extracted. That profile is so reliable that it is sometimes referred to as a DNA fingerprint.

In a normal investigation, that DNA profile is submitted to the state’s law enforcement agent who maintains that state’s database of unique DNA profiles within the Combined DNA Index System (CODIS). The DNA profile can be compared to DNA profiles within that state’s DNA Index or compared to profiles in other states’ DNA Indexes through the national database network, which is maintained by the FBI.

Here is where the Golden State Killer case becomes rather unusual. It appears that a DNA profile for the Golden State Killer was generated and compared to other profiles in CODIS. It has been reported there was no match. That lack of a match would typically stop an investigation and leave the trail cold, hence referrals to this as a “cold case.”

Then investigators took an unusual step that led to a break in the case by obtaining access to an open source DNA database called GEDMatch. As pointed out on the website DNA Geek, this database is similar in concept to an individual CODIS database that is a repository for identified DNA profiles. But, rather than being maintained by the government and managed by the FBI, GEDMatch includes DNA profiles voluntarily submitted by private citizens.

A law enforcement search of this database yielded what is called a familial match. That is, it yielded a partial match that was insufficient to identify the person matched as the suspect, but sufficient to determine that there were people genetically linked to the suspect.

This is where the search for the Golden State Killer collided with privacy, quickly triggering a debate. The challenge here is that these extra-legal searches are not subject to the same privacy protections as those afforded to profiles submitted to CODIS.

For a profile to be submitted to CODIS for a search, the state CODIS administrator must affirmatively assert that it is reasonable to believe that the evidence in question was from a suspect in a criminal investigation. In this case, however, the match was to a person who was not part of the investigation. That is, to a family member of the suspect, but affirmatively not to the suspect.

This technique poses several challenges. First, in this case it is unclear whether the comparison occurring outside law enforcement evidentiary chains follows applicable state law protecting citizen privacy and rights against unreasonable searches. There are many federal regulations protecting personally identifiable information (PII) in a number of situations, and states each have rules regarding how PII can be used in criminal justice contexts, including criminal investigations. To be clear, I am not asserting a constitutional rights violation in this case, rather that the law is not settled with respect to this issue.

Second, while the use of databases such as GEDMatch is in unclear legal territory, it may well be that a much bigger privacy issue exists. In the course of my research, I have observed a trend among law agencies toward creating local DNA Index Systems (LDIS) that exist off the established FBI-led law enforcement grid.

These LDIS databases are off the grid in the sense that they are not subject to the protections afforded profiles entering the FBI’s CODIS system. Generically, law enforcement officers put together a database of DNA profiles, often comprised of profiles collected at arrest from those perceived as the usual suspects, and maintained for future comparison against questioned crime scene evidence. The legal protections afforded these profiles are simply unknown. The use of GEDMatch is essentially the use of an off-the-grid database when CODIS does not yield a match.

I applaud all of the law enforcement agencies for their effective investigation of this case. The brutality of the Golden States Killer’s crimes are unspeakable. But, the next investigation may not be conducted with similar benevolence, and the questions it raises about privacy must be pursued.

John K. Roman, Ph.D. is a senior fellow in Economics, Justice and Society at NORC at the University of Chicago where he studies innovative crime policies and programs.