Ruth Dickover, director of UC Davis' forensic science program, described law enforcement's approach as a glimpse into a future in which virtually all genetic information is accessible to the government.
"Unlike a Social Security number that can be forged," she said, "your DNA is your DNA, and it's with you from birth to even a little after death."
The arrest of Joseph James DeAngelo Jr. this week in the terrifying attacks in the 1970s and 1980s has sparked debate about police tactics and whether the DNA match raises privacy concerns.
How exactly did they make the match?
It hinged on GEDmatch.com, an open-source platform in which people volunteer their genetic information in hopes of finding long-lost family members.
The largest genealogy services, 23andme and Ancestry.com, conduct DNA tests for paying customers but largely shield their findings from other parties. GEDmatch is a free service; consenting users upload test results from a variety of genealogy websites and cross-reference their findings to discover relatives who might have tested with different companies.
"It's kind of intended to be unregulated so people on their own initiative can load their information," UC Berkeley law professor Andrea Roth said.
It's easy to see why people would cheer the use of such tactics, Roth said. But "before we celebrate, we have to remember that the government probably looked at a lot of innocent people before getting here," she said.
What does GEDmatch have to say?
GEDmatch says it was not approached by law enforcement regarding the case, but it said users should be cognizant their data could be used by outside parties.
"While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes," the company said in a statement. "If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove your DNA that has already been uploaded."
That made the site the perfect tool for investigators, who were able to search without needing a warrant and parse genetic profiles of a new swath of individuals who hadn't previously been arrested.
What are the privacy concerns?
DNA doesn't simply identify an individual, warned Lee Tien, senior staff attorney for the Electronic Frontier Foundation. It identifies whole families.
"People say, 'I signed this consent form,' but he or she is not the only one. The privacy of everyone I'm related to is affected," Tien said.
If investigators had no reasonable suspicion the Golden State Killer or his relatives were GEDmatch users, the tactic is the "definition of a fishing expedition," Tien said.
Melissa Deangelo, a GEDmatch.com user from Mississippi, said Friday she was surprised by the company's disclosure that DNA housed on the site may have played a role in the suspect's arrest.
"Is it an invasion of privacy? Yes," she said. "Was it worth the risk considering what he was doing? It was."
(She does not think the Deangelo family she married into is directly related to the man accused in the California serial killer case.)
Former Los Angeles County Dist. Atty. Steve Cooley thinks the public safety benefit of mining DNA outweighs privacy concerns.