The trail of murders and assaults spanning California went unsolved for decades, until investigators turned to a tool more popular with genealogy hobbyists than law enforcement.

Investigators hoping to find the man who had become known as the “Golden State killer” obtained a genetic profile using crime scene DNA, and uploaded that information onto an open source database of publicly available genetic profiles. There was little expectation that the DNA would match directly with the killer. Investigators were instead conducting a familial DNA search in the hopes of finding a partial match that could lead to one of the killer's relatives. Investigators were in luck, and within days, they located Joseph James DeAngelo, who was charged in April in connection with 12 murders in California during the 1970s and 1980s.

Since then, police have made arrests in a number of high-profile cold cases using the same familial DNA search technique. In June, a man was arrested for the 1992 murder of a teacher in Lancaster, Pennsylvania, and an Indiana man was arrested for the 1988 murder of an 8-year-old.

Investigations using familial DNA searches largely build off techniques that law enforcement has used for decades, and any legal issues the method poses may seem simple and straightforward. If the data was voluntarily uploaded to a public website, how could that be an invasion of privacy?

But, according to attorneys and professors familiar with the topic, that apparent simplicity could be complicated by recent shifts in U.S. Supreme Court precedent regarding the privacy of shared information, and these cases may challenge the courts as they proceed through the justice system.

Or, as Natalie Ram, an assistant professor at the University of Baltimore School of Law focusing on bioethics and criminal justice, said, there is almost no analogy courts can use to sharpen their understanding of genetic information.

“Genetic information is involuntarily shared. I didn't pick my parents, or how many siblings I have, or my aunts, uncles, or cousins, but they share a certain portion of my genetic information. And more than that, I can't un-share it. It's not like Facebook, where I can choose who I am friends with,” Ram said. ”It is shared involuntarily and immutably. … It's hard for the law to figure out how, but it might really need to start.”

Familial DNA Searches

Law enforcement has been using familiar DNA searches for about the past decade.

One of the first high-profile cases involved the 2010 arrest of Lonnie David Franklin Jr., otherwise known as the Grim Sleeper. Similar to the investigation of the Golden State killer, the investigation stalled for years before police in California searched a database maintained by the state for partial DNA matches that, instead of identifying the killer, could identify a relative. The DNA ended up making a partial match with another man—Franklin's son, whose DNA had been uploaded into the state system after he had been arrested.

For decades, police have collected DNA information of people convicted of crimes. Some states also allow law enforcement to collect DNA of those who have only been charged with certain crimes. These databases are maintained by the FBI in what is known as CODIS, or the Combined DNA Index System.

The latest familiar DNA searches, however, are slightly different, since, instead of using CODIS, investigators used a publicly available database normally only used by genealogy hobbyists and researchers. The public sites also analyze a much broader data set than what is used in the CODIS system.

Typically, a familial DNA search begins with a person mailing a DNA sample to a genetic analysis company, like 23andMe or Ancestry.com, to develop a genetic profile, which shows a small portion of their much larger gnome. A users would then take his or her profile and upload it onto databases maintained by private companies that analyze the profiles and match them with others in the system.

Joseph J. DeAngelo Jr.

While hobbyists and geneticists often use the information to find lost relatives, resolve paternity questions, or help adopted children track down biological parents, police use the information to identify a suspect's parent, sibling, cousin, or second-cousin. From there, they gather a list of potential relatives, and then narrow down that list to a single suspect. Once they have a specific suspect, they use old-school detective techniques to obtain a new DNA sample from their suspect—such as collecting a discarded coffee cup, or piece of gum—and then they test the new sample against a sample taken from the crime scene. If there's a match, they make the arrest.

“It depends on the power and usefulness in having a lot of people put up their information on a publicly accessible website,” Penn State Law professor David Kaye said.

In the case of the Golden State killer, investigators searched through GEDmatch, which, according to media reports, has nearly 1 million users.

Some companies, like 23andMe, have policies stating they will not share a user's data unless a subpoena, warrant or court order is obtained, and, further state that the company will “use all practical legal and administrative resources to resist such requests.” Others have more open policies. GEDmatch, for instance, said in the wake of the Golden State killer arrest that its policy always told users that the data could be used for purposes unrelated to personal genealogy research.

Shifting Fourth Amendment Guidance 

Court watchers agree that privacy will be the biggest concern when courts begin to analyze how familial DNA searches are conducted, and one recent U.S. Supreme Court decision in particular is likely to factor into the privacy considerations.

The Supreme Court's decision from June in Carpenter v. United States dealt with whether police needed to obtain a warrant before they could get a cellphone company's cell-site records that were later used to show the whereabouts of a burglary suspect. Writing for the majority, Chief Justice John Roberts determined that the digital data at issue did not “fit neatly” into existing precedent, which typically holds that a person has no expectation of privacy if they voluntarily turn the sought-after information over to a third party.

“The government contends that the third-party doctrine governs this case, because cell-site records, like the records in Smith [v. Maryland] and [United States v.] Miller, are 'business records,' created and maintained by wireless carriers,” the syllabus' decision said. “But there is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers.”

In a dissenting opinion, Justice Samuel Alito said the ruling “destabilizes long-established Fourth Amendment doctrine,” and “guarantees a blizzard of litigation while threatening many legitimate and valuable investigative practices.”

Court watchers agreed that Carpenter marked a departure from precedent, and said it could give defense attorneys leverage if they seek to have the results of a familial DNA search tossed.

“The court said you're not voluntarily giving up your expectation of privacy just because your information is publicly available,” defense attorney Matthew Mangino, formerly the Lawrence County district attorney, said. “That's going to be the argument. What's the expectation of privacy.”

According to Ram, the closest analogy she could make would be to personal property shared between spouses; however, she said DNA is shared at such a greater degree, the analogy barely stands up.

“It's really difficult to wrap your head around the idea that information residing in another person's cells might have some interest of mine bound up in it,” she said. “It's really hard for courts to deal with the fact that genetic information is inherently shared.”

Kaye noted that, in the past, the amount of DNA law enforcement collected and analyzed was “not much more revealing than a photograph.” However, the DNA profiles that can be obtained through Ancestry or 23andMe can reveal some private health information, and as the technology enhances, law enforcement potentially could be accessing more and more of a person's genetic code.

“I think the courts would have some concern with this type of data,” Kaye said.

Both he and Ram also noted that states limit the DNA available to law enforcement.

“No state has suggested that ordinary members of the public should be put in those databases,” Ram said. ”The use of these genealogical databases are an end run around the legislative limits that state put in place for who should be subject to DNA searches.”

Kaye said these concerns could be avoided if law enforcement create a strong barrier between themselves and the information, or agree to only use smaller portions of DNA when doing the searches. He noted that some states have laws limiting the use of familial DNA searches to only the most egregious cases.

“The whole debate about taking DNA from arrestees turned on, can you trust the government to observe these limitations?” he said. “The more the government can say we've taken rigorous precautions to preserve privacy, the better the chances are in court.”

Most of the cases involving familial searches that make headlines involve heinous, cold cases. However, the method has been used to solve lower-level crimes, such as car break-ins.

Court watchers noted that Fourth Amendment protections do not vary depending on the severity of the crime, and said that, as the initial wave of familial search cases begin moving through the court system, the severity of these crimes may also factor into how the precedent develops.

“In these kinds of heinous cases, courts are not eager to exclude this evidence,” Ram said. “If the law gets made saying this is OK in these really serious cases, than that will be precedent.”