In April 2018, Sacramento County investigators arrested Joseph James DeAngelo, a 72-year-old retired police officer, for a string of murders and rapes that had terrorized California for over a decade. The Golden State Killer had eluded capture for more than 40 years. What finally broke the case was not a witness, a confession, or a hit in a law enforcement database. It was a free genealogy website called GEDmatch, where hobbyists upload their DNA to find distant relatives.[s]
Forensic genetic genealogy has since helped solve more than 1,300 cases across the United States.[s] The technique matches crime scene DNA against public genealogy databases, identifies distant relatives of the unknown suspect, and uses traditional genealogy to build a family tree that narrows the pool to a single person. It has identified serial killers, exonerated the wrongly convicted, and given names back to unidentified remains that had gone unclaimed for decades.
But forensic genetic genealogy also means that millions of people who never committed a crime, and never uploaded their own DNA, can be swept into a criminal investigation because a third cousin decided to trace their ancestry. The legal framework governing this practice remains thin: a patchwork of voluntary corporate policies, a single federal interim guideline, and a handful of state laws that most states have not adopted.
How Forensic Genetic Genealogy Works
The process begins with DNA recovered from a crime scene. Investigators first run it through CODISCombined DNA Index System — the FBI's national database that stores DNA profiles from convicted offenders, arrestees, and unidentified crime scene evidence, used to link crimes and identify suspects., the FBI’s Combined DNA Index System, which holds profiles of roughly 14.7 million convicted persons and 4.4 million arrestees.[s] If CODIS returns no match, investigators turn to consumer genealogy databases.
Unlike CODIS, which uses 20 short tandem repeat (STR) markers, consumer DNA tests analyze roughly 700,000 single nucleotide polymorphisms (SNPsSingle nucleotide polymorphisms; genetic variations used in DNA analysis to identify individuals and trace family relationships.) across the genome.[s] That density allows identification of relatives as distant as third or fourth cousins. Investigators upload the crime scene SNP profile to a database, retrieve a list of partial matches, then hire genetic genealogists to build family trees using public records: birth certificates, obituaries, marriage licenses, census data. The process can narrow hundreds of genetic relatives down to a single suspect.
In the Golden State Killer case, crime scene DNA matched several third cousins on GEDmatch’s database of nearly one million profiles.[s] Investigators built family trees, cross-referenced approximate age and California residency, and arrived at DeAngelo. Officers surveilled him and collected a discarded item containing his DNA, which confirmed the match. DeAngelo pleaded guilty to 13 murders and at least 50 rapes committed between 1974 and 1986.[s]
The Scale of the Privacy Problem
A 2018 study led by Columbia University computer scientist Yaniv Erlich found that forensic genetic genealogy searches could already identify 60% of Americans of European descent through third-cousin matches, even if those individuals had never uploaded their own DNA.[s] “It basically says that almost all of us are already findable,” Natalie Ram, a law professor at the University of Baltimore, told PBS at the time.[s]
The average person has approximately 800 relatives at the third-cousin level or closer.[s] If even one of those 800 people uploads a DNA profile to a searchable database, investigators may be able to trace the genetic trail back to any of them. This is the core tension: one person’s voluntary decision to share their DNA effectively enrolls hundreds of relatives in a system that can be searched by law enforcement, without those relatives’ knowledge or consent.
“People who submit DNA for ancestors testing are unwittingly becoming genetic informants on their innocent family,” Steve Mercer, chief attorney for the forensic division of the Maryland Office of the Public Defender, told NPR.[s]
Forensic Genetic Genealogy and the Kohberger Case
The technique’s most high-profile recent test came in the 2022 murders of four University of Idaho students. When CODIS returned no match for DNA found on a knife sheath at the crime scene, the FBI uploaded the profile to publicly accessible genealogy databases and built a family tree of relatives. That tree led investigators to Bryan Kohberger, a 28-year-old criminology graduate student.[s]
Officers traveled to Kohberger’s parents’ home in Pennsylvania and conducted a trash pull, recovering DNA that tied him to the crime. He was arrested in December 2022 and sentenced in July 2025 to four consecutive life terms.[s]
Kohberger’s defense mounted a novel Fourth Amendment challenge, arguing that the FBI’s warrantless search of genealogy databases violated his constitutional rights. Ada County Judge Steven Hippler rejected the argument, ruling that Kohberger “exposed his DNA to the public by leaving it on the sheath, thus forfeiting any reasonable expectation of privacy in the DNA left behind.”[s] The judge did not address the broader question of whether searching through the DNA of millions of uninvolved database users constitutes an unreasonable search.
Where the Law Stands
The legal landscape for forensic genetic genealogy remains fragmented. Current Fourth Amendment doctrine offers little protection. Under the “abandonment doctrine,” courts have held that DNA left in public spaces, and data voluntarily uploaded to third-party platforms, carries no reasonable expectation of privacy.[s] Whether uploading genetic data to a genealogy website should be treated the same as discarding a cigarette butt is a question legal scholars continue to debate.
The only federal policy governing forensic genetic genealogy is the Department of Justice’s 2019 interim policy, which applies to DOJ agencies and state or local agencies receiving federal funding for genetic genealogy searches.[s] The policy limits searches to violent crimes (homicide and sexual assault) and the identification of human remains. It requires that CODIS be searched first and that other investigative leads be exhausted. It bars officers from using DNA profiles to assess disease risks or psychological traits.[s]
The DOJ policy does not require a warrant. It does not cover state or local agencies acting without federal funds. And its exception for cases presenting “a substantial and ongoing threat to public safety or national security” gives prosecutors broad discretion to expand forensic genetic genealogy beyond violent crimes.[s]
State Laws: A Patchwork
Only a handful of states have passed laws specifically addressing forensic genetic genealogy. Maryland and Montana, in 2021, became the first states to require judicial authorization before law enforcement could search consumer DNA databases.[s] Utah has since passed a similar comprehensive statute.[s]
Maryland’s law is the most detailed. It restricts forensic genetic genealogy to cases of murder, rape, felony sexual offenses, and threats to public safety or national security. Officers must certify that CODIS and other reasonable investigative leads have been exhausted. The law requires licensing for laboratories and genetic genealogists, mandates destruction of DNA samples when investigations end, and creates criminal penalties for violations.[s]
Montana’s 2021 law requires a warrant for familial DNA searches on consumer databases, and a separate 2023 genetic privacy law mandates that government agencies obtain a warrant to access genetic data held by direct-to-consumer testing companies, effective June 2025.[s] Texas has taken a different approach, establishing a property right for residents over their genetic samples and data.[s]
Minnesota prohibits genetics companies from disclosing genetic information to law enforcement without express written consent, a search warrant, or a court order.[s] But most states have passed no specific legislation at all, leaving the decision about whether and how police can search consumer DNA databases to the companies themselves.
The Companies: Gatekeepers by Default
In the absence of comprehensive law, corporate policy is the primary barrier between law enforcement and consumer DNA data. The two largest direct-to-consumer companies, 23andMe and AncestryDNA, have refused to allow law enforcement searches of their databases.[s] Both require a valid search warrant before releasing any genetic information.
FamilyTreeDNA took the opposite approach. In 2018, it became the only major direct-to-consumer company to grant police access, allowing the FBI to upload crime scene DNA and search its database of more than one million profiles.[s] The company altered its user agreement without notifying customers; many did not learn about the change until BuzzFeed News reported on it.[s] FamilyTreeDNA now allows users to opt out of law enforcement matching, though U.S. users are opted in by default.
GEDmatch, the free open database used to crack the Golden State Killer case, initially had no policy on law enforcement use at all. After the DeAngelo arrest, investigators used GEDmatch without identifying themselves as law enforcement.[s] In 2019, GEDmatch switched to an opt-in model for law enforcement searches, which reduced the number of searchable profiles by 90%, from 1.4 million to roughly 140,000.[s] GEDmatch was later acquired by Verogen, a forensic genetics firm.
The problem with relying on corporate policy is its impermanence. As NIH bioethicists Benjamin Berkman, Wynter Miller, and Christine Grady noted in Annals of Internal Medicine, users of genealogy sites often do not understand that their data may be available to investigators, and companies can change their terms of service unilaterally.[s] A company’s refusal to cooperate with law enforcement today is no guarantee of its policy tomorrow.
Forensic Genetic Genealogy Keeps Expanding
Despite the unresolved privacy questions, the use of forensic genetic genealogy continues to accelerate. In April 2026, Florida Attorney General James Uthmeier announced a $600,000 partnership with Othram, a Texas-based forensic genetics firm that claims to have helped solve at least 600 cold cases nationwide.[s] Uthmeier’s stated goal is to work through Florida’s backlog of more than 21,000 unsolved murder cases spanning 60 years.[s]
A 2025 policy Delphi study published in PLOS Genetics, convening 31 experts from forensic science, law, bioethics, and genetic genealogy, found broad agreement that forensic genetic genealogy needs regulation, but no consensus on what that regulation should look like.[s] The experts’ strongest area of agreement: law enforcement should not participate in direct-to-consumer databases against the platforms’ terms of service.
The gap between what the technology can do and what the law addresses continues to widen. Forensic genetic genealogy can solve cases that were once considered permanently cold. It can bring answers to families who have waited decades. But it operates in a space where the genetic data of millions of uninvolved citizens serves as raw material for criminal investigations, often without their knowledge, consent, or any meaningful legal oversight. Until legislatures close that gap, the boundary between public safety and genetic privacy will be drawn not by courts or elected officials, but by the terms-of-service pages that almost nobody reads.
On April 24, 2018, Sacramento County Sheriff’s deputies arrested Joseph James DeAngelo, a 72-year-old retired police officer, outside his home in Citrus Heights, California. DeAngelo was charged with the murders and rapes attributed to the Golden State Killer, a serial offender responsible for 13 known homicides, at least 50 sexual assaults, and more than 100 burglaries across California between 1974 and 1986.[s]
The arrest was the product of forensic genetic genealogy, a technique that had never been used publicly in a criminal investigation. Investigators extracted a SNP profile from crime scene DNA and uploaded it to GEDmatch, an open genealogy database with nearly one million profiles. The search returned partial matches to several individuals who were the equivalent of third cousins to the crime scene donor.[s] Working with genetic genealogist Barbara Rae-Venter, investigators built family trees using those matches and cross-referenced them with demographic information: age, sex, and California residency during the crime window. The trees converged on DeAngelo. Officers collected a discarded item containing his DNA, which confirmed an STR match to the crime scene profile. DeAngelo later pleaded guilty to the murders.
Since that case, forensic genetic genealogy has helped solve more than 1,300 criminal cases and unidentified remains identifications across the United States.[s] The technique has become a standard tool in cold case investigations. It has also created a constitutional and ethical dilemma that legislatures, courts, and regulators have addressed only in fragments.
Forensic Genetic Genealogy: The Technical Process
Forensic genetic genealogy relies on a fundamental difference between two types of DNA analysis. Law enforcement’s traditional tool, the FBI’s Combined DNA Index System (CODISCombined DNA Index System — the FBI's national database that stores DNA profiles from convicted offenders, arrestees, and unidentified crime scene evidence, used to link crimes and identify suspects.), uses short tandem repeat (STR) analysis, examining 20 highly variable lociSpecific positions on chromosomes where particular genes or DNA sequences are located. in non-coding sections of the genome to produce a 40-datapoint profile.[s] CODIS holds approximately 14.7 million convicted person profiles, 4.4 million arrestee profiles, and 1.1 million forensic profiles. It can identify a person only if that individual’s profile is already in the database.
Consumer DNA tests, by contrast, analyze approximately 700,000 single nucleotide polymorphisms (SNPsSingle nucleotide polymorphisms; genetic variations used in DNA analysis to identify individuals and trace family relationships.) spread across the genome.[s] That density enables identification of genetic relatives as distant as fourth cousins, because even distant relatives share recognizable segments of identical SNPs inherited from common ancestors. The more DNA two people share, the closer their genetic relationship.
When CODIS fails to return a match, forensic genetic genealogy laboratories extract and sequence SNPs from the crime scene sample, then upload the resulting profile to a consumer genealogy database that permits law enforcement searches. Currently, only two major platforms allow this: GEDmatch (now owned by Verogen) and FamilyTreeDNA.[s]
The database returns a list of profiles that share SNP segments with the uploaded sample, ranked by the amount of shared DNA. Genetic genealogists then use public records to build family trees around the closest matches, working backward through generations until they identify candidates who fit the case parameters: age, sex, geography, and timing. When investigators settle on a suspect, they obtain a confirmatory STR sample, typically through surveillance and collection of discarded DNA (a coffee cup, a tissue, a piece of trash), and compare it directly to the crime scene profile via standard CODIS methodology.
The Fourth Amendment Question
The constitutional challenge to forensic genetic genealogy centers on the Fourth Amendment’s prohibition of unreasonable searches. The most significant test to date came in the prosecution of Bryan Kohberger for the November 2022 murders of four University of Idaho students.
After CODIS returned no match for DNA found on a knife sheath at the crime scene, the FBI uploaded the SNP profile to publicly accessible genealogy databases and identified Kohberger through familial matches. Officers then conducted a trash pull at his parents’ Pennsylvania home, recovering DNA that tied him to the crime scene.[s]
Kohberger’s defense argued that the FBI violated the Fourth Amendment by searching genealogy databases without a warrant. In February 2025, Ada County Judge Steven Hippler denied the motion to suppress, ruling that Kohberger had “exposed his DNA to the public by leaving it on the sheath, thus forfeiting any reasonable expectation of privacy in the DNA left behind” and that “there is no reasonable expectation of privacy in DNA found at a crime scene which is subsequently analyzed to identify an unknown suspect.”[s]
The ruling tracked established abandonment doctrine, under which courts have allowed law enforcement to test DNA from discarded items (cigarette butts, hair clippings, chewing gum) without a warrant.[s] But it left unaddressed the question that privacy scholars consider more consequential: whether the act of searching millions of uninvolved database participants’ genetic profiles constitutes a Fourth Amendment search in itself. Kohberger was sentenced in July 2025 to four consecutive life terms.[s]
Legal scholars have pointed to the Supreme Court’s 2018 decision in Carpenter v. United States, which held that warrantless access to cellphone location data violated the Fourth Amendment because of the data’s revealing nature and the fact that individuals do not meaningfully “volunteer” it. Natalie Ram of the University of Baltimore has argued that this reasoning should extend to genetic data shared with consumer platforms.[s] No appellate court has yet ruled on the question.
The Federal Policy Framework
The Department of Justice’s September 2019 interim policy on Forensic Genetic Genealogical DNA Analysis and Searching remains the only federal guidance governing the practice.[s] Its key provisions:
- Forensic genetic genealogy may be used only for unsolved violent crimes (homicide and sexual assault) and identification of human remains, though an exception allows broader use for cases presenting “a substantial and ongoing threat to public safety or national security.”
- The forensic profile must first be uploaded to CODIS, and CODIS must fail to return a probative match.
- Officers must use only databases that provide explicit notice to users about law enforcement searching.
- A suspect may not be arrested based solely on a genetic genealogy match; confirmatory STR analysis comparing the suspect’s DNA directly to the crime scene profile is required.
- Officers may not use a suspect’s genetic profile to assess disease risks or psychological traits.[s]
The policy does not require a warrant. It applies only to DOJ agencies and to state or local agencies receiving federal funding for forensic genetic genealogy. Any agency operating without federal funds is not bound by it. The Harvard Civil Rights-Civil Liberties Law Review noted that the policy’s public safety exception “will determine the extent to which FGGS use is actually limited” and that it lacks a mechanism to ensure law enforcement obtains informed consentAn ethical and legal requirement in research that participants must be fully informed about the nature, risks, benefits, and procedures of a study, and must voluntarily agree to participate without coercion or misrepresentation. A key principle in research ethics. rather than relying on notice alone.[s]
State Legislation: Three Models
Three states have passed comprehensive laws specifically regulating forensic genetic genealogy. Maryland and Montana enacted theirs in 2021; Utah followed with a similar statute.[s]
Maryland (HB 240) requires judicial authorization before any forensic genetic genealogy search. Eligible cases are limited to murder, rape, felony sexual offenses, and threats to public safety or national security. Officers must certify that CODIS and other reasonable leads have been exhausted. The law mandates licensing for laboratories conducting SNP sequencing and for genetic genealogists performing the analysis. DNA samples and data must be destroyed when the investigation concludes. Criminal penalties attach to violations, and a private right of action with liquidated damages allows individuals to enforce the statute in court. Maryland also requires annual public reporting on law enforcement use of forensic genetic genealogy.[s]
Montana requires a warrant for familial DNA searches on both consumer databases and the state’s criminal DNA identification index. A separate 2023 genetic privacy law, effective June 1, 2025, mandates that government agencies obtain a warrant before accessing genetic data held by direct-to-consumer companies. Montana also imposed data localization requirements for its residents’ genetic data.[s]
Minnesota took a consent-based approach, prohibiting direct-to-consumer companies from disclosing genetic information to law enforcement without express written consent, a search warrant, or a court order.[s]
Several states, including Tennessee, Texas, and Virginia, have passed broader genetic privacy laws that indirectly affect forensic genetic genealogy by regulating how direct-to-consumer companies handle genetic data and respond to law enforcement requests.[s] Texas established a property right for residents over their genetic samples and data. But most states have enacted nothing specific to forensic genetic genealogy, leaving the practice governed only by the DOJ interim policy (if federal funds are involved) or by nothing at all.
The Database Gatekeepers
With legislative coverage so thin, the practical limits on forensic genetic genealogy are set largely by the companies that operate the databases.
23andMe and AncestryDNA, the two largest consumer testing services with databases exceeding 5 million and 10 million profiles respectively, have consistently refused to allow law enforcement searches. Both require a valid search warrant before releasing any genetic information. “We have clear policies stating we will not voluntarily work with law enforcement, and use all legal means to safeguard our customers’ data,” 23andMe’s chief legal and regulatory officer stated in 2019.[s]
FamilyTreeDNA became the only major direct-to-consumer company to grant law enforcement direct access to its database of over one million profiles. The company processed cases for the FBI without notifying its users and later changed its terms of service retroactively. Users in the United States are opted in to law enforcement matching by default, though they can choose to opt out.[s]
GEDmatch, the platform central to the Golden State Killer case, initially had no law enforcement policy. Investigators uploaded crime scene DNA without disclosing their identity or purpose.[s] After public backlash, GEDmatch introduced an opt-in model in 2019. The effect was immediate: searchable profiles dropped 90%, from 1.4 million to approximately 140,000.[s] Verogen, a forensic genetics firm, subsequently acquired GEDmatch.
NIH bioethicists Berkman, Miller, and Grady warned in 2018 that corporate policy alone is an unreliable safeguard: companies can change their terms of service unilaterally, and evidence suggests most users do not read them.[s] A company’s stance on law enforcement access is a business decision, not a legal right.
The Racial Equity Dimension
Forensic genetic genealogy’s effectiveness is not evenly distributed. The Erlich study’s 60% identifiability figure applied specifically to Americans of European descent, because they are the dominant consumers of direct-to-consumer DNA tests and because genealogical records for European-heritage families tend to be more comprehensive.[s] The technique is less effective for African American, Latino, Indigenous, and Asian American communities, where database representation is lower and genealogical records are often less complete.
This unevenness creates a two-sided equity problem. On one hand, communities underrepresented in genealogy databases receive less benefit from a powerful investigative tool. Cold cases in those communities are less likely to be solved through forensic genetic genealogy. On the other, as the NIH ethics team noted, there is a risk that expanding forensic DNA analysis “may lead to discrimination, particularly if police departments aggressively target certain groups by using racial or ethnic markers when looking for individual suspects.”[s]
What Comes Next
The expansion of forensic genetic genealogy shows no signs of slowing. In April 2026, Florida committed $600,000 to partner with Othram on its backlog of over 21,000 unsolved murders.[s] The Florida Legislature has separately allocated hundreds of thousands of dollars to cold case work.
A 2025 study in PLOS Genetics convened 31 experts in a modified policy Delphi and found that while there was broad agreement that forensic genetic genealogy requires regulation, participants “did not reach complete consensus with respect to any of the practices” under consideration.[s] The strongest area of agreement was opposition to law enforcement participating in databases against the platforms’ terms of service. Experts also expressed consistent concern about management of data and samples generated during investigations and the governance of private laboratories involved in the work.
The Electronic Frontier Foundation has argued that forensic genetic genealogy searches are “dragnets” that should never be permitted without judicial oversight, because officers conducting these searches “are rifling through the genetic data of millions of Americans who are not suspects in the investigation and have no connection to the crime whatsoever.”[s]
Until Congress or the courts establish a national framework, forensic genetic genealogy will continue to operate in a regulatory vacuum. The technique solves crimes. It also means that the genetic privacy of hundreds of millions of Americans depends on corporate terms of service, an interim DOJ policy with broad exceptions, and the laws of a few states. For everyone else, the legal boundary between personal genetic data and a law enforcement investigative lead is wherever a genealogy company decides to draw it.
