Thanks to improved DNA technology, authorities may soon confirm the identity of the Golden State Killer years after the case went cold. However, the way in which the DNA was traced has sparked a new conversation about privacy within genealogy websites. Companies such as Ancestry, Vitagene, and other DNA service providers are now rushing to distance themselves from the controversial investigation.

On Tuesday, police arrested Joseph James DeAngelo, a former cop and alleged serial killer, in what could be the end of a 40-year investigation. Authorities said they were able to link DeAngelo to the string of crimes, which included at least a dozen murders and 50 cases of rape, by using a genealogy service to trace his genetic material.

Golden State Killer
Sketches of the Golden State Killer

Law enforcement in California typically can’t access a genealogy website’s records without a court order. The FBI has its own central DNA database and police departments have begun to develop their own, but the DNA evidence on file for the Golden State Killer did not match any database samples. According to Contra Costa County District Attorney investigator Paul Holes, that’s when authorities turned to genealogy site GEDmatch.com. They were able to find DeAngelo because an unnamed relative’s DNA data was available online.

On GEDmatch, anyone can create an account, upload raw DNA data, and find other user profiles. The website’s policy statement claims that the company can’t promise absolute security but many find the website’s willingness to hand over personal DNA data to be an improper use of the customer agreement.

“We have not been in contact with law enforcement regarding the Joseph James DeAngelo case,” a spokesperson from Ancestry tells Inverse. “Ancestry advocates for its members’ privacy and will not share any information with law enforcement unless compelled to by a valid legal process.” Ancestry publishes all law enforcement requests in the company’s annual transparency report, where it states that the company received 34 valid law enforcement requests for user information in 2017 and provided information to 31 of those cases.

However, these requests were related to identity theft and did not require the disclosure of genetic information. On the company website, Ancestry states that as of December 31, 2017, it had never received a valid request for genetic information, a National Security Letter, or a request under the Foreign Intelligence Surveillance Act.

Ancestry and its direct competitors like 23andMe were quick to speak up and mention that that user data was not offered in the Golden State Killer investigation, but ancestry websites aren’t the only online services that collect user DNA. Wellness websites such as Vitagene use raw DNA data to also consult on diet, exercise, and personal health, and are just as susceptible to police interrogation.

“We appreciate the job of law enforcement authorities and respect their inquiries. However, our key priority remains intact: to protect customer privacy,” Vitagene CEO Mehdi Maghsoodnia tells Inverse. “We do not allow our customer data to be shared or processed by any third party without our customers’ explicit approval.”

But what is most startling about how the Golden State Killer case was handled is the fact that GEDMatch claims it didn’t know it was being used by police until the arrest was made. Curtis Rogers, the site’s operator, posted a message to users on Friday stating that the company was not approached by law enforcement but stands by its own utility in the investigation.

“We understand that the GEDmatch database was used to help identify the Golden State Killer,” says Rogers. “Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses, as set forth in the site policy.”

Rogers highlighted the ways in which law enforcement could use the website’s data without company prior approval, including the “identification of relatives that have committed crimes or were victims of crimes.” While companies like Ancestry and Vitagene are resolute in stating that police cannot access user data, GEDMatch’s statement suggests DNA data might be accessible without company approval, simply by creating an account.

District Attorney Holes stated that GEDmatch was integral to DeAngelo’s arrest and investigators didn’t have to get a court order to access the site’s database. While California law states that a court order is needed to access a genealogy website’s records, the law says nothing about investigators creating their own accounts on the website to trace data.