A version of this article first appeared in the Daily Journal on May 22, 2018.

When you share your DNA with a private genealogy database, it’s not only potential relatives searching for matches. The Golden State Killer case shows that law enforcement—and others—may be searching your DNA too, without legal restraints against misuse. This raises privacy and civil liberties concerns that should alarm everyone, even if you think you have nothing to hide.

 According to news reports, police identified Joseph DeAngelo, the alleged Golden State Killer, by uploading crime scene DNA under a false name to a crowd-sourced, privately run, genealogy database. Using a technique called “familial searching,” which identifies genetically similar DNA, investigators found a kinship match between the forensic DNA and DNA from DeAngelo’s distant relative. Investigators then surreptitiously collected “discarded” DNA from DeAngelo himself, ultimately matching that to the original forensic sample.

The Golden State Killer, a serial rapist and murderer, eluded police for years.  DeAngelo's arrest seems to have solved this decades-old cold case. However, allowing police and private companies to use these techniques without legal constraints violates privacy and could link people to crimes they didn’t commit. 

DNA has implicated the wrong person in the past. Court records indicate police originally—and mistakenly—suspected an Oregon man was the Golden State Killer based on similar DNA research. In 2014, familial DNA searching led police to suspect that a New Orleans resident had committed a years-earlier Idaho rape and murder. A second DNA test cleared his name. And in 2012, a California man named Lukis Anderson was implicated for murder after his DNA was found at the crime scene, despite a rock-solid alibi.

In cases like these, the person linked through DNA becomes a suspect for a time, facing the very-real indignity of living under a cloud of suspicion until and possibly after their names are cleared. In some cases, like Mr. Anderson’s, they may also spend  months in jail.

Advances in DNA technology will likely make these false identifications more common. Increasingly, forensic samples come from “touch” DNA—miniscule samples of DNA deposited on physical surfaces that people have touched—rather than from a single source, such as blood or semen.  Touch DNA is less reliable and harder to match both because it may not include enough DNA for meaningful interpretation and because it often contains DNA from multiple people—some of whom may have had no connection to the crime at all. A person’s DNA can remain on an item that has been handled by many others or can be transferred to an item that was never in their possession. For example, in Mr. Anderson’s case, paramedics likely transferred his DNA to the murder victim when they responded to the crime scene hours after dropping Anderson off at the hospital.

But genetic privacy concerns go far beyond criminal justice. Our DNA contains our entire genetic makeup. It can reveal where our ancestors came from, who we are related to, our physical characteristics, and whether we are likely to get a host of genetically determined diseases. Researchers have also theorized DNA may predict race, intelligence, criminality, sexual orientation, and even political ideology.

It’s hard to prevent DNA linked to us from ending up in private databases, because, as in the Golden State Killer case, a distant relative you don’t know may add their own DNA. Not only could this be used to identify you, it could be used to predict how you vote, whether you’re a credit risk, or even when you might die. If this genetic information falls into the wrong hands it could impact our lives in unimaginable ways.

Currently there are no clear legal protections against improper access to and misuse of this data, not just by law enforcement, but also by insurers, data brokers, or private investigators. Once a person submits DNA to a database—or their DNA is submitted without their knowledge—nothing besides company policy may protect it. 

And even if you don’t choose to add your own DNA to a private database, a relative could, essentially, make that choice for you by adding their own. In 2012, researchers used genetic genealogy databases and publicly-available information to identify nearly 50 people from just three original anonymized samples.

In the excitement over the Golden State Killer, we shouldn’t lose sight of the urgent need for legal rules to govern access to private DNA. However, there's a real question whether a warrant that allows the search of DNA from millions of people who, themselves, are clearly not suspects, could ever meet the particularity requirements of the Fourth Amendment. The ability to research family history and disease risk shouldn’t carry the risk that our data will be accessible to police or insurers and used in ways we never could have foreseen.