This post is updated as events transpire.
This post lists key events in the evolution of “forensic genetic genealogy” or “investigative genetic genealogy”, the application of genetic genealogy techniques to criminal investigations. It is not meant to be a list of “solved” cases (that’s available here, in part) nor a discussion of pros and cons. Rather, the intent is to track the progression of the field and its impacts on the industry and genetic privacy. Feel free to suggest additional entries in the comments.
The Timeline
- 2010 — CeCe Moore wrote “If one of my loved ones was murdered and I had access to that DNA sample, you better believe that I would be using our databases to try to figure out who was guilty.”
- 2011 — In the first known attempt to use genetic genealogy to identify criminals, Colleen Fitzpatrick, working with Washington State detectives, used Y-DNA to suggest that the killer’s surname was Fuller. This lead did not pan out as there had been a name change in the killer’s paternal lineage.
- 2014 — A Florida police department surreptitiously uploaded a rapist’s DNA sample to GEDmatch. They were not able to identify him.
- July 2014 — A court order to search the Sorenson Y-DNA database led to the false suspicion of a New Orleans filmmaker and ultimately to the database being shut down.
- 2015 — Barbara Rae-Venter used genetic genealogy to discover the true identity of “Lisa”, who had been kidnapped as an infant then abandoned. Learning her original identity led to the discovery that her kidnapper had murdered her mother. Rae-Venter and colleagues ultimately used genetic genealogy to identify him, too.
- 2017 — The DNA Doe Project was founded by Dr Margaret Press and Dr Colleen Fitzpatrick to apply genetic genealogy methods, especially atDNA, to the identification of unknown bodies.
- Early 2018 — CeCe Moore began working two Doe cases for a Texas police department. Whether the databases had granted her permission to use their customers in this way is unclear.
- 10 April 2018 — The DNA Doe Project identified the Ohio murder victim “Buckskin Girl” as Marcia L. King from Arkansas. She had been strangled in 1981.
- 24 April 2018 — The Golden State Killer, a brutal rapist and murderer who had escaped justice for for more than 30 years, was arrested after Barbara Rae-Venter identified him through genetic genealogy. Days later it was revealed that GEDmatch database had been used without their knowledge. Not until December 2020 did the world learn that FamilyTreeDNA’s parent company had collaborated with the FBI as early as 2017 and that Rae-Venter had also used MyHeritage’s database without their knowledge.
- Late April 2018 — MyHeritage updated their Terms and Conditions to say “using the DNA Services for law enforcement purposes, forensic examinations, criminal investigations and/or similar purposes, without a court order and without prior explicit written permission from MyHeritage, is strictly prohibited. It is our policy to resist law enforcement inquiries to protect the privacy of our customers.” Similarly, the Terms at 23andMe read: “you agree not to …. use any information received through the Services to attempt to identify other customers, to contact other customers (other than through features for contacting other users such as DNA Relatives offered pursuant to the Services), or for any forensic use.”
- 1 May 2018 — FamilyTreeDNA’s parent company acknowledged that they had complied with a federal subpoena to identify one of their yDNA customers in March 2017. Buzzfeed later discovered that the subpoena was related to the Golden State Killer case.
- 8 May 2018 — Parabon NanoLabs announced a new Genetic Genealogy Service headed by CeCe Moore. Within 9 days, they had uploaded about 100 DNA profiles to GEDmatch.
- 24 May 2018 — GEDmatch changed their Terms of Service to specify that investigations of violent crimes, defined as homicide and sexual assault, were allowed, as were law enforcement attempts to identify unknown deceased remains.
- 28 July 2018 — A 31-year-old rapist was arrested based on evidence generated by forensic genetic genealogy. This remains the first known case of genetic genealogy being used in an active criminal investigation, as opposed to a cold case or unidentified remains.
- 7 December 2018 — A man was arrested for burglary in Texas with the help of Parabon. He has not been accused of a violent crime, meaning that his case apparently violated GEDmatch’s Terms of Service at the time.
- Mid-December 2018 — FamilyTreeDNA changed their Terms of Service to allow law enforcement to use their database. Although required by their own Terms of Service to notify their customers of changes to the Terms, they failed to do so. The change was first reported by Buzzfeed in January 2019.
- January 2019 — Melinde Lutz Byrne became a Consulting Forensic Genealogist for Bode Technology.
- January 2019 — MyHeritage was used to identify and arrest Jerry Westrom, in violation of their Terms and Conditions.
- 31 January 2019 — We learned that FamilyTreeDNA had granted the FBI access to their database of more than a million customers. That access began as early as Fall 2018, in contravention of their Terms of Service. FTDNA changed their Terms of Service in December 2018 to allow law enforcement to use their database, but they failed to notify their customers, as required by that very same contract.
- 8 February 2019 — Anne Wojcicki, CEO of 23andMe, discussed the slow-down in the market, saying “My hypothesis is that you have some of the effect from Facebook, people concerned about privacy, you had Golden State killer and so people pause.”
- 15 February 2019 — We learned that FTDNA had formed a financial partnership with Bode Technology for forensic investigations.
- 12 March 2019 — In response to backlash from the earlier Terms of Service controversy, FTDNA introduced an opt-out system for law-enforcement matching. However, they automatically opted in the majority of their customers by default.
- 14 May 2019 — We learned that the owner of GEDmatch had personally granted permission in December 2018 for Parabon to use the database to investigate an assault, although the Terms of Service at the time only allowed homicide and sexual assault investigations.
- 19 May 2019 — GEDmatch implemented a new opt-in system for law enforcement matching. All DNA kits were automatically opted out, and users could choose to make their kits available to law enforcement agents. The default setting for new uploads, however, was to be opted in; the description did not state that the kit would be exposed to law enforcement. GEDmatch also expanded their definition of allowable crimes from homicide and sexual assault to “murder, nonnegligent manslaughter, aggravated rape, robbery, or aggravated assault.”
- 22 May 2019 — Yours truly wrote about the importance of informed consent for forensic genetic genealogy and government agents accessing private databases.
- 22 June 2019 — Yours truly analyzed database growth and showed that the decline in rate correlates to the publication of the Golden State Killer case.
- 1 August 2019 — FamilyTreeDNA began charging $650 for law enforcement agencies to upload a forensic DNA kit and $700 for private entities to upload on behalf of an agency. The previous price was $100.
- 24 September 2019 — The US Department of Justice issued an interim policy for forensic genetic genealogy investigations that specified such searches could proceed “only in those [genetic genealogy] services that provide explicit notice to their service users and the public that law enforcement may use their service sites to investigate crimes or to identify unidentified human remains” (page 6).
- 27 September 2019 — FTDNA announced that it had hired Barbara Rae-Venter, who solved the Golden State Killer case, to lead a new in-house Genetic Genealogy Unit.
- 18 October 2019 — Othram announced a forensic genealogy service for law enforcement. The team includes Anthony Lukas Redgrave and Lee Bingham Redgrave. Both have since left the company.
- 5 November 2019 — We learned that GEDmatch was served and complied with a warrant in June or July to provide matching data for users who had not opted in to law enforcement matching.
- 7 November 2019 — 23andMe issued a statement saying that they “would use every legal remedy possible” to challenge a warrant were they to be served one.
- 8 November 2019 — AncestryDNA announced that they would “seek to narrow the scope of any compelled disclosure, or even eliminate it entirely.”
- 12 November 2019 — Melinde Lutz Byrne became the Director of Forensic Genealogy at Bode Technology.
- November 2019 or before — The FBI used genetic genealogy to identify a stalker in violation of the Terms of Service in effect at both GEDmatch and FamilyTreeDNA. This transgression did not become public until September 2022. At the time of his arrest, the use of genetic genealogy was not mentioned.
- 9 December 2019 — GEDmatch announced that they had sold their operations to Verogen, a company that manufactures and sells forensic lab equipment. The sale price was later disclosed to be $15 million.
- 22 February 2020 — NBC News reported that Orlando Detective Fields (the same detective behind the GEDMatch warrant) lied to family members in a murder investigation to obtain DNA samples.
- 19 July 2020 — GEDmatch was hacked, taking the site down and setting the entire database to be available for universal matching, regardless of the users’ settings or applicable law in their home jurisdictions. Although GEDmatch claimed to have fixed the problem, another privacy breach happened the next day. On July 21st, MyHeritage users experienced a phishing attempt that may have been related to the GEDmatch hack.
- 7 December 2020 — CBS Sacramento reported that newborn blood samples for disease screening were being used by law enforcement without parental knowledge or consent.
- 8 December 2020 — Groundbreaking investigative reporting from the Los Angeles Times revealed that FamilyTreeDNA (and/or its parent company) was collaborating with the FBI on the Golden State Killer case as early as 2017 and that the genetic genealogist working on the case uploaded his DNA file to MyHeritage without that company’s knowledge. His closest match was there.
- December 2020 — GEDmatch debuted their GEDmatch Pro portal to upload law enforcement (including Doe) cases. Kits uploaded through the portal are then matched to opt-in kits in the main database. The $199 fee charged for uploads was not publicly disclosed at the time; the fee has since been raised.
- 7 January 2021 — FamilyTreeDNA and its parent company, Gene by Gene, both merged with a small, Australian pharmacogenetics company called myDNA. As myDNA had no background in genetic genealogy, what this means for family historians—and for law enforcement applications—was not clear.
- 11 January 2021 — GEDmatch once again changed their Terms of Service. Although they claim “Your opt-in and opt-out settings remain unchanged,” they surreptitiously redefined what “opt out” means. Previously, opt-out kits were not visible to Doe investigations (unidentified bodies); now they are. Even if the Doe was murdered, these kits are no longer considered violent crime cases under the new Terms of Service. The slope gets slipperier.
- 17 January 2021 — (on or about) Some users from outside the USA reported that DNA kits they had deleted from GEDmatch were back in the system and available to matching. GEDmatch apparently explained to one user, who’d deleted the kits more than a year ago, “We had an issue with restoring kits from the eu/unknown server recently.” As of the 19th, the problem seemed to be fixed, but GEDmatch had not issued a public explanation or apology.
- May 2021 — The state of Maryland passed a new law restricting the use of forensic genetic genealogy.
- 6 December 2021 — The conviction of William Earl Talbott II was overturned by a Washington State Court of Appeals because of juror bias. Talbott was the first person convicted using “investigative genetic genealogy”. He was accused of murdering a young Canadian couple in 1987. Prosecutors will likely appeal the decision or try him again.
- January 2022 — GEDmatch Pro raised the fee for law-enforcement kits from $199 to $550.
- July 2022 — A New Jersey lawsuit contended that State Police there subpoenaed the newborn blood sample of a child because they lacked probable cause to collect a sample from the child’s father, a suspect. The child was born about 16 years after the alleged crime. The child’s DNA was sequenced without parental consent in or around August 2021. The lawsuit references “grand jury subpoenas” (plural), suggesting that the genetic privacy of other children had also been violated.
- August 2022 — Verogen (parent company of GEDmatch and GEDmatch Pro) and Gene by Gene (parent company of FamilyTreeDNA) announced a partnership for forensic investigative genetic genealogy. The financial terms were not disclosed.
- September 2022 — The public learned of another misuse of forensic genetic genealogy—to arrest a stalker—in 2019. At the time, neither FamilyTreeDNA nor GEDmatch allowed law enforcement to use their databases for crimes of that nature. Neither the database(s) used nor the genetic genealogy company doing the work were named.
- 12 October 2022 — A paper in Forensic Science International outlined the need for oversight in forensic genetic genealogy and announced the formation of the Board of Certification for Investigative Genetic Genealogy. The name was later changed to the Investigative Genetic Genealogy Accreditation Board for trademark reasons.
- 1 December 2022 — Verogen, the for-profit company that owns GEDmatch, increased the fee for law-enforcement kits from $550 to $700, without warning.
- December 2022 — The Board of Certification for Investigative Genetic Genealogy (later renamed the Investigative Genetic Genealogy Accreditation Board) was announced to address the urgent need for “data privacy, public trust, proficiency (and agency trust), and accountability” in the field. Some of the founding board members were later exposed for circumventing GEDmatch’s privacy protections to aid their forensic cases.
- 9 January 2023 — QIAGEN, a European biotechnology company, purchased Verogen—and by extension GEDmatch—for $150 million in cash. QIAGEN anticipated Verogen to generate income of $20 million in 2023. The GEDmatch portion of the deal was valued at about $60 million.
- April 2023 — William Leslie Arnold, a teen murderer who escaped from prison in 1967, was identified using the AncestryDNA database. He had been living peacefully under an assumed name in Australia and died in 2010. Escape is not a qualifying offense for forensic genetic genealogy per the Department of Justice policy, and AncestryDNA explicitly forbids the practice using their database.
- 26 June 2023 — A participant in a genealogy Facebook group revealed that a Doe case from Riverside County, California, had been uploaded to MyHeritage against the Terms of Service.
- 30 July 2023 — During a presentation at the Ramapo Investigative Genetic Genealogy Conference, it was revealed that a “loophole” (a security flaw) at GEDmatch allowed forensic kits to see users who had opted out of law-enforcement matching. The existence of the loophole was an “open secret” amongst forensic genetic genealogy practitioners.
- 18 August 2023 — The Intercept published a shocking exposé on the use of the GEDmatch security hole. Some of the world’s most prominent forensic genetic genealogists secretly discussed how to trigger the programming bug. One “described hiding the fact that her organization had made an identification using an opted-out profile.” Among them: founding members of the Investigative Genetic Genealogy Accreditation Board, including Margaret Press and CeCe Moore.
- 18 August 2023 — The same day The Intercept article appeared, Margaret Press of the DNA Doe Project issued a statement acknowledging the exploitation of multiple security bugs at GEDmatch and the failure to report them. The other conspirators had not issued public statements as of late 2024.
- 14 September 2023 (or thereabouts) — Verogen, the parent company of GEDmatch, announced that they had fixed the loopholes, evaluated their system for vulnerabilities, notified regulatory bodies, and added a binding contract with forensic genetic genealogists to deter violations of the Terms of Service in the future.
- September 2023 — FamilyTreeDNA changed the default status for new kits to be opted out of law enforcement matching. Kits that were previously opted in by default remained opted in.
- 23 January 2024 — FamilyTreeDNA and Othram announced a new exclusive partnership for forensic genetic genealogy search and analysis. The details are unclear.
- 1 July 2024 — GEDmatch reportedly increased the upload fee for forensic profiles from $700 to $1000.
- Around 25 July 2024 — FGG practitioners were notified that the forensic case fee for FamilyTreeDNA would double, from $700 per upload to $1400. Othram, which took over management of FamilyTreeDNA forensic case processing in January, is not subject to the additional fee.
- 30 August 2024 — Verogen (the corporate owner of GEDmatch) was sued in Illinois state court for violating the Illinois Genetic Information Privacy Act. This is a class-action lawsuit.
- 23 September 2024 — QIAGEN (the corporate owner of GEDmatch) and Bode (a forensics company) announced a partnership in which Bode would manage the financial transactions for GEDmatch Pro, the law enforcement portal into the GEDmatch database.
- 24 October 2024 — Verogen (the corporate owner of GEDmatch) was sued in US federal court for violating genetic privacy laws in the states of Alaska, Illinois, New Hampshire, New Mexico, and Oregon. One (of three) complaints centers on the security “loophole” that allowed some leading FGG practitioners to see people who had opted out of forensic matching. This is a class-action lawsuit.
I don’t know why anyone on this planet thinks they have any privacy in this day and age. My genealogy was progressing. WAS progressing. Our 140+ year old brick wall will likely remain a brick wall. If my mother is identified as a relation to a criminal you can bet your booties I’ll help any way I can. In the meantime our DNA matches are drying up. How can anyone think being on social media is safer than using GEDMatch?
The drying-up of matches is one of my biggest concerns. Trust is a critical element in DNA testing, and if consumers don’t feel that they can trust the industry, they’ll spend their disposable income elsewhere.
Hi,
I am concerned about this, as well. The Golden State Killer was known as the East Area Rapist in the 70’s and hit very close to home multiple times. He was caught only a mile from my brother’s home. I was happy he was caught, but I still have that ethical dilemma about my invasion of privacy. My dna is on Gedmatch, Ancestry, 23&me, and My Heritage. If I try to remove my dna from Gedmatch, will it still remain in the database for use? I love genealogy and want to continue with my tree, but I just don’t know how to proceed. Any guidance would be appreciated. This is such an ethical dilemma for me.
Thank you.
The site policy at GEDmatch says “When a registered GEDmatch user deletes or requests deletion of Raw Data, Genealogy Data, and/or profile information, copies of that information stored in an archive copy will be deleted upon storage of an updated archive copy, no later than 30 days after the user request.” In my experience, the kit in the main database is deleted immediately, and this policy says that any backups will be deleted within 30 days. Sadly, I no longer trust that opting out or even setting a kit to research will protect us from warrants.
As for how to proceed, there’s no one-size-fits-all recommendation. It depends on your level of comfort with “off-label” uses of your data and which companies are most vulnerable. 23andMe and Ancestry are the safest, both because they don’t allow uploads and because they have publicly declared that they will try to limit the scope of any warrant for genetic data. MyHeritage forbids law-enforcement investigations in their database, but I don’t know how they’d stop an unethical investigator from uploading against the Terms of Service. On the other hand, they’re probably not vulnerable to US warrants, given that they’re in Israel.
Thank you for the info. It’s very useful.
With no formal chain of custody for consumer-level DNA kits, how could the information be deemed valuable / trustworthy by courts or law enforcement ?
There is no identification verification for the dna submitted – we can put any name we choose on our file, many use aliases, initial or false/anonymous names.
And honestly – if my DNA being out there somehow leads to the closure of a case, I am thrilled for that.
Chain of custody comes into play when they do CODIS testing of the suspect. Prior to that, they’re using the exact same techniques proven to work for unknown parentage cases. They don’t need chain of custody for that.
No asian news? Virtually everything seems to be from or related to the United States.
At the moment, most of these cases are in the US, because that’s where most DNA testers live, where the allowed databases are, and where these cases are coming to court. If you know of reports about FGG from elsewhere, please let me know.