First They Came For The Murders: Regulating DTC Genetic Testing

By: Olivia Stevens

I will admit it: I am a true crime addict. I even subscribe to podcasts called “Crime Junkie” and “My Favorite Murder.” However, I am not alone in this zealous fascination. According to Edison Research, the leading podcast research organization, two of the top five most listened-to podcasts in 2020 were true crime.[1] Among the most notorious true crime stories is that of the Golden State Killer AKA the Visalia Ransacker AKA the East Area Rapist AKA the Original Night Stalker AKA EARONS.[2] For over four decades, the serial killer of many names but no true identity was a Rubik’s cube not only for the police but also for websleuths, national media, and, of course, true crime podcasts. That is, until a third cousin of the Golden State Killer (GSK) took a DNA test.[3]

Detectives finally caught the elusive GSK by “harnessing genetic technology already in use by millions of consumers to trace their family trees.”[4] This technique is otherwise known as a familial search. A familial search is a deliberate effort to find close biological relatives after failure to find an exact DNA match.[5] Detectives first used the Golden State Killer’s genetic material from a rape kit to establish a DNA profile on FamilyTreeDNA, which allowed them to set up a fake account and search for customers who matched as GSK’s relatives.[6] There, they identified GSK’s unknown third cousin.[7] A third cousin is someone who shares a great-great grandparent with you.[8] At four generations of separation, family trees expand exponentially, resulting in thousands of third cousins.[9] Nevertheless, that third cousin’s genetic match, through a process of elimination, led detectives to the GSK’s true identity and capture.[10]

Upon the announcement of the Golden State Killer’s capture, investigators and prosecutors assured the public that the genetic information relied on was from people who voluntarily made it public.[11] However, a Los Angeles Times investigative report reveals, “the actual investigation was broader and more invasive, conducted without a warrant, and appeared to violate the privacy policy of at least one DNA company.”[12] Law enforcement’s search occurred unbeknownst to the companies, let alone the customers whose data was used.[13] According to court discovery records, the DNA-matching effort used to catch this prolific killer involved covert searches of private DNA housed by two for-profit companies, despite their privacy policies.[14] These searches were warrantless.[15]

While the true crime world roared in celebration at the creative investigative approach used to catch GSK, others cringed. Murmurs from legal scholars and some legislators have grown louder, voicing rightful concerns that this largely unregulated, revolutionary approach is violating the privacy of the people who join DNA databases to learn about themselves, not to help the police arrest their relatives for violent crimes.[16] Since GSK, the floodgates have opened, and within two years law enforcement has used familial searches to identify more than forty murder and rape suspects in cases as old as a half-century.[17] As recently as this month, law enforcement used a familial search to identify and charge an Oregon man in two cold-case murders.[18] The Portland Police Bureau explained that crosschecking DNA recovered from the scene with ancestry records led them to the suspect’s siblings and, through a process of elimination, eventually to the suspect.[19]

Consequently, the question presents itself: in a process that allows for one of the most prolific serial killers to be brought to justice, what are the scholars’ and legislators’ concerns? And should those concerns worry the 100 million people who have used direct-to-consumer (DTC) genetic tests?[20] According to Science Magazine, if you are white, live in the United States, and a distant relative has uploaded their DNA to a public ancestry database, there’s a good chance an internet sleuth can identify you from a DNA sample you left somewhere.[21] Now, while law-abiding citizens may brush this reality off, Martin Niemöller’s warning poem “First They Came” should set alarm horns blaring.[22]

New York University law professor and expert on DNA searches Erin Murphy warns, “[i]f your sibling or parent or child engaged in [DNA crowdsourcing] activity online, they are compromising your family for generations.”[23] If the capture of GSK demonstrated anything, it showed that anonymity is impossible. GEDmatch, the most common crowdsourcing DNA database, also known for its role in the GSK case, allows users to upload their DNA profile from other websites.[24] It is estimated that GEDmatch only encompasses about 0.5% of the U.S. adult population; if GEDmatch were to rise to 2%, more than 90% of people of European descent would have a third cousin or closer relative and could be found this way.[25] The GSK case and further research has shown that by cross-referencing their birth date, sex and postal code, for instance, with publicly available information.[26] A report published by the University of Washington demonstrated how researchers were able to run searches that let them guess more than 90% of the DNA data of other users.[27]

Moreover, unlike a bank account number or a password that can be changed, once DNA is out there, it’s out there for good.[28] Security flaws in GEDmatch could permit national adversaries to create a powerful biometric database useful for identifying nearly any American.[29] The same University of Washington research team demonstrated how they exploited the GEDmatch genetic comparison engine without any illegal actions, “[they] went in through the main gates—they did not break in.”[30] As recently as last year, GEDmatch experienced a data breach and hack that not only let the equivalent of Twitter bots in, but also opted all users (regardless of their preference) into law enforcement matching.[31]

Finally, Consumer Reports’ director of privacy and technology policy Justin Brookman warns that, “An individual’s most personal information is still being bought, sold, and traded without clear understanding or consent.”[32] There is a deep concern that access to long-term care insurance can be impacted by the results of genetic testing.[33] Genetic information gathered by DTC genetic companies can be sold to third parties and used internally to benefit the company, with limited information provided to the consumer.[34] Seventy-one percent (71%) of companies (39 of 55) provided information that indicated a consumer’s genetic data could be used internally by the company for purposes other than providing the results to the consumer.[35] Coincidentally, the nation’s largest private equity firm, Blackstone, acquired DTC for $4.7 billion ($261 per person’s DNA).[36] Although a Blackstone spokesperson assures that they will not have access to user DNA, Alan Butler, interim executive director and general counsel of the Electronic Privacy Information Center, rebuts, “[t]he big concern when there is a big deal like this is that investors might be interested in that data for other reasons, and not in the ways that consumers intended when they gave over that information.”[37] DTC genetic testing company 23andMe Inc. also recently entered into a deal to merge with VG Acquisition Corp., a special purpose acquisition company founded by billionaire Richard Branson.[38] American Bar Association’s Business Law Section Cyberspace Committee Chair Theodore F. Claypoole warns that “once your DNA is included in the database for Google, Blackstone, Merck, or the FBI, there is no removing it – and no way to change it.”[39]

So while the excitement of the GSK investigation has drifted into memory, each day more and more people upload their DNA profiles, and we inch closer to the 2% threshold. 

Fortunately, there is a growing trend by state and federal lawmakers to increase regulation of genetic information and cover non-traditional entities like DTC genetic testing companies.[40] Additionally, in an effort to regulate themselves (or avoid federal regulation), popular DTC genetic companies like 23andMe and Ancestry have paired with the Future of Privacy Forum to release the industry-based standard Privacy Best Practices for Consumer Genetic Testing Services.[41] Additionally, in July 2020, Consumer Reports issued a white paper called “Direct-to-Consumer Genetic Testing: The Law Must Protect Consumers’ Genetic Privacy.”[42] The report highlights the concerning regulatory gaps in direct-to-consumer (DTC) genetic testing, which reveal the legal void of privacy safeguards for consumers’ highly sensitive data.[43]

The information shared with DTC genetic testing companies is not protected, nor are the DTC companies bound by federal law.[44] Although the Food and Drug Administration (FDA) has oversight over DTC genetic testing, the agency’s concern is validity, not privacy.[45] Similarly, the Federal Trade Commission (FTC) and the Genetic Information Nondiscrimination Act (GINA) can control the marketing practices and discrimination, respectively, of genetic testing companies, but not privacy.[46] Nor are DTC genetic testing companies regulated under the Health Insurance Portability and Accountability Act (HIPAA).[47] HIPAA, the federal law that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge, only applies to entities providing medical health care.[48] As a result, DTC genetic testing companies are largely in control of consumers’ most personal information.[49]

States have varied in their successes in trying to safeguard their residents’ genetic privacy. Some states have passed legislation that prohibits discrimination based on genetic information, but laws specifically aimed at genetic privacy remain rare.[50] Texas, Illinois, and Oklahoma have laws that protect individuals from compelled disclosure of genetic information pursuant to a court order, such as a subpoena.[51] Illinois and Missouri restrict the sale of collected information by strictly limiting whether and the extent to which DTC genetic test results may be used.[52]

The most aggressive of the state laws are Florida’s bill restricting life insurers’ use of genetic information (House Bill 1189) and California’s now-vetoed Genetic Information Privacy Act (GIPA). Florida’s House Bill 1189 amends a Florida statute which prohibited insurers’ use of genetic information for insurance purposes and extends the restriction to prohibit life and long-term care insurers from canceling, limiting, or denying coverage or adjusting premium rates based on genetic information.[53] Additionally, those insurers are prohibited from requiring or soliciting genetic information, using genetic test results, or considering a person’s decisions or actions relating to genetic testing in any manner for any insurance purpose.[54] California’s GIPA attempted to go even further. GIPA would direct DTC genetic companies on how they can use, sell, and share genetic information.[55] California Governor Newsom’s veto of GIPA is a reflection of disagreement over the bill’s details of how to best safeguard genetic information – not a disagreement with the principle of the bill.[56] He plans to work with the California Health and Human Services Agency and Department of Public Health to find solutions.[57]

The most popular of solutions is a merger of Florida’s and California’s state laws. Consumer Reports suggests that policymakers broadly prohibit the use of genetic data in insurance underwriting and prohibit insurers from discriminating against individuals who do not provide such information.[58] Moreover, Consumer Reports urges lawmakers to resolve the regulatory gap by making genetic data created via DTC genetic testing privileged and confidential, and by empowering consumers to control who has access to their genetic information.[59] However, there is an alternative that American Bar Association’s Business Law Section Cyberspace Committee Chair Theodore F. Claypoole points out: “Americans [should] test their DNA through their doctors – where the results are protected by law . . . rather than through charlatans who provide little but entertainment and may use or sell your DNA for any purpose.”[60]

[1] Edison Research, Edison Research Announces Top 50 U.S. Podcasts for 2020 by Audience Size, Edison Research (Feb. 9, 2021).

[2] SF Gate, Here’s how the Golden State Killer got all of his nicknames, SFGATE.COM (Apr. 26, 2018).

[3] JV Chamary, How Genetic Genealogy Helped Catch The Golden State Killer, Forbes (June 30, 2020).

[4] Paige St. John, The untold story of how the Golden State Killer was found: A covert operation and private DNA, Los Angeles Times (Dec. 8, 2020).

[5] Hon. Herbert B. Dixon Jr., If You Think Your DNA Is Anonymous, Think Again!, American Bar Association (May 13, 2020).

[6] Supra note 4.

[7] Id.

[8], Counting Cousins—explaining second, third, and fourth cousins,  (last visited Mar. 21, 2021),

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Supra note 4.

[14] Id.

[15] Id.

[16] Heather Murphy, Tim Arango, Joseph DeAngelo Pleads Guilty in Golden State Killer Cases, New York Times (Jun. 29, 2020).

[17] Heather Murphy, Genealogy Sites Have Helped Identify Suspects. Now They’ve Helped Convict One., New York Times (Jul. 1, 2019).

[18] Neil Vigdor, Oregon Man Is Charged With Two Murders Committed Two Decades Apart, New York Times (Mar. 11, 2021).

[19] Id.

[20] American Hospital Association, Consumers Buy into Genetic Testing Kits, American Hospital Association (Sept. 16, 2019).

[21] Jocelyn Kaiser, We will find you: DNA search used to nab Golden State Killer can home in on about 60% of white Americans, Science Mag American Association for the Advancement of Science.

[22] Martin Niemöller, First They Came, Amnesty, (“First they came for the [], And I did not speak out Because I was not a [] . . . Then they came for me And there was no one left To speak out for me.”).

[23] Gina Kolata, Heather Murphy, The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder, New York Times (Apr. 27, 2018).

[24] Heather Murphy, Why a Data Breach at a Genealogy Site Has Privacy Experts Worried, New York Times (Aug. 1, 2020).

[25] Jocelyn Kaiser, We will find you: DNA search used to nab Golden State Killer can home in on about 60% of white Americans, Science Magazine (Oct. 11, 2018).

[26] Kristen V. Brown, How a Third Cousin Could Give Away Your DNA Secrets, The Washington Post (Dec. 4, 2020).

[27] Peter Ney, Luis Ceze, Tadayoshi Kohno, Genotype Extraction and False Relative Attacks: Security Risks to Third-Party Genetic Genealogy Services Beyond Identity Inference, Paul G. Allen School of Computer Science & Engineering University of Washington (2019).

[28] Id.

[29] Antonio Regalado, The DNA database used to find the Golden State Killer is a national security leak waiting to happen, MIT Technology Review (Oct. 30, 2019).

[30] Id.

[31] Heather Murphy, Why a Data Breach at a Genealogy Site Has Privacy Experts Worried, New York Times (Aug. 1, 2020).

[32] Consumer Reports, The privacy risks of at-home DNA tests, The Washington Post (Sept. 14, 2020).

[33] Justin Brookman, Direct-to-Consumer Genetic Testing: The Law Must Protect Consumers’ Genetic Privacy, Consumer Reports (Jul. 2020).

[34] Id.

[35] James W. Hazel & Christopher Slobogin, Who Knows What, and When: A Survey of the Privacy Policies Proffered by U.S. Direct-to-Consumer Genetic Testing Companies, 28 Cornell J. L. & Pub. Pol’y 35, 43 (2018).

[36] Stephen Gandel, Private equity wants to own your DNA, CBSNews (Aug. 7, 2020); Matt Anderson, Blackstone to Acquire Ancestry®, Leading Online Family History Business, for $4.7 Billion, Blackstone (Aug. 5, 2020).

[37] Stephen Gandel, Private equity wants to own your DNA, CBSNews (Aug. 7, 2020).

[38] Kristen V Brown, 23andMe Goes Public as $3.5 Billion Company With Branson Aid, Bloomberg (Feb. 4, 2021).

[39] Theodore F. Claypoole, Privacy Risk of Recreational DNA Testing: States Take Action, The National Law Review (Sept. 8, 2020).

[40] Scott Loughlin, Katherine Kwong, Sophie Baum, California Governor vetoes bill to establish the Genetic Information Privacy Act, Hogan Lovells US LLP (Sept. 29, 2020).

[41] Carson Martinez, Privacy Best Practices for Consumer Genetic Testing Services, Future of Privacy Forum (last updated Feb. 9, 2021).

[42] Supra note 33.

[43] Id. at 3.

[44] Supra note 39.

[45] Supra note 33 at 11.

[46] Id.

[47] Supra note 39.

[48] Id.; Health Insurance Portability and Accountability Act of 1996, Centers for Disease Control and Prevention, (last visited Mar. 22, 2021).

[49] Supra note 33 at 5.

[50] Jake Holland, Daniel R. Stoller, With Congress Quiet, States Step in to Safeguard Genetic Privacy, Bloomberg Law (Sept. 1, 2020).

[51] Id.

[52] Supra note 33 at 7.

[53] Jo Cicchetti, Nolan Tully, Florida Bill Restricting Life Insurers’ Use of Genetic Information Signed by Governor DeSantis, Faegre Drinker Biddle & Reath LLP (Jul. 1, 2020).

[54] Id.

[55] Supra note 50.

[56] Supra note 40.

[57] Id.

[58] Supra note 33 at 10.

[59] Id.

[60] Supra note 39.