Plenty of people have voluntarily uploaded their DNA to GEDmatch and other databases, often with real names and contact information. It’s what you do if you’re an adopted kid looking for a long-lost parent, or a genealogy buff curious about whether you have any cousins still living in the old country. GEDmatch requires that you make your DNA data public if you want to use their comparison tools, although you don’t have to attach your real name. And they’re not the only database that has helped law enforcement track people down without their knowledge.
How DNA Databases Help Track People Down
We don’t know exactly what samples or databases were used in the Golden State Killer’s case; the Sacramento County District Attorney’s office gave very little information and hasn’t confirmed any further details. But here are some things that are possible.
Y chromosome data can lead to a good guess at an unknown person’s last name.
Cis men typically have an X and a Y chromosome, and cis women two X’s. That means the Y chromosome is passed down from genetic males to their offspring—for example, from father to son. Since last names are also often handed down the same way, in many families you’ll share a surname with anybody who shares your Y chromosome.
A 2013 Science paper described how a small amount of Y chromosome data should be enough to identify surnames for an estimated 12 percent of white males in the US. (That method would find the wrong surname for 5 percent, and the rest would come back as unknown.) As more people upload their information to public databases, the authors warned, the success rate will only increase.
This is exactly the technique that genealogical consultant Colleen Fitzpatrick used to narrow down a pool of suspects in an Arizona cold case. She seems to have used short tandem repeat (STR) data from the suspect’s Y chromosome to search the Family Tree DNA database, and she saw the name Miller in the results.
The police already had a long list of suspects in the Arizona case, but based on that tip they zeroed in on one with the last name Miller. As with the Golden State Killer case, police confirmed the DNA match by obtaining a fresh DNA sample directly from their subject—the Sacramento office said they got it from something he discarded. (Yes, this is legal, and it can be an item as ordinary as a used drinking straw.)
The authors of the Science paper point out that surname, location, and year of birth are often enough to find an individual in census data.SNP files can find family trees.
When you download your “raw data” after mailing in a 23andme or Ancestry test, what you get is a list of locations on your genome (called SNPs, for single nucleotide polymorphisms) and two letters indicating your status for each. For example, at a certain SNP you may have inherited an A from one parent and a G from the other.
Genetic testing sites will have tools to compare your DNA with others in their database, but you can also download your raw data and submit it to other sites, including GEDmatch or Family Tree DNA. (23andme and Ancestry allow you to download your data, but they don’t accept uploads.)
But you don’t have to send a spit sample to one of those companies to get a raw data file. The DNA Doe project describes how they sequenced the whole genome of an unidentified girl from a cold case and used that data to construct a SNP file to upload to GEDmatch. They found someone with enough of the same SNPs that they were probably a close cousin. That cousin also had an account at Ancestry, where they had filled out a family tree with details of their family members. The tree included an entry for a cousin of the same age as the unidentified girl, and whose death date was listed as “missing—presumed dead.” It was her.
Your DNA Is Not Just Yours
When you send in a spit sample, or upload a raw data file, you may only be thinking about your own privacy. I have nothing to hide, you might tell yourself. Who cares if somebody finds out that I have blue eyes or a predisposition to heart disease?
But half of your DNA belongs to your biological mother, and half to your biological father. Another half—cut a different way—belongs to each of your children. On average, you share half your DNA with a sibling, and a quarter with a half-sibling, grandparent, aunt, uncle, niece or nephew. You share about an eighth with a first cousin, and so on. The more of your extended family who are into genealogy, the more likely you are to have your DNA in a public database, already contributed by a relative.
In the cases we mention here, the breakthrough came when DNA was matched, through a public database, to a person’s real name. But your DNA is, in a sense, your most identifying information.
For some cases, it may not matter whether your name is attached. Facebook reportedly spoke with a hospital about exchanging anonymized data. They didn’t need names because they had enough information, and good enough algorithms, that they thought they could identify individuals based on everything else. (Facebook doesn’t currently collect DNA information, thank god. There is a public DNA project that signs people up using a Facebook app, but they say they don’t pass the data to Facebook itself.)
And remember that 2013 study about tracking down people’s surnames? They grabbed whole-genome data from a few high-profile people who had made theirs public, and showed that the DNA files were sometimes enough information to track down an individual’s full name. It may be impossible for DNA to be totally anonymous.
Can You Protect Your Privacy While Using DNA Databases?
If you’re very concerned about privacy, you’re best off not using any of these databases. But you can’t control whether your relatives use them, and you may be looking for a long-lost family member and thus want to be in a database while minimizing the risks.