DTC Genealogy: The Golden State Killer Paradigm and GEDmatch Policy
The forensic-identification paradigm shift triggered by a single 2018 case: the Golden State Killer case (a 44-year cold serial-murder + serial-rape case solved through genealogical comparison of crime-scene DNA against the GEDmatch direct-to-consumer database, the Joseph James DeAngelo arrest April 2018), the technical workflow (the Verogen ForenSeq Kintelligence kit, the FamilyTreeDNA + GEDmatch + Ancestry + 23andMe consumer database landscape, the genetic genealogist's family-tree reconstruction methodology), the GEDmatch May 2019 policy reversal requiring opt-in consent for law-enforcement queries, and the 2020 to present global casework arc + the UK + Australia + Canada + India policy debates this paradigm has triggered.
Last updated:
Investigative genetic genealogy (IGG) is a forensic identification technique that uploads a crime-scene DNA profile to a consumer genealogy database, identifies partial matches indicating distant relatives, and uses family-tree reconstruction to narrow the suspect pool to a single candidate for conventional STR confirmation. The approach entered forensic practice in April 2018 when it led to the arrest of Joseph James DeAngelo as the Golden State Killer, a serial offender who had evaded CODIS identification for four decades because he held no qualifying criminal record. IGG does not replace traditional forensic DNA evidence: the genealogical analysis is investigative intelligence, and a direct STR match from independently collected DNA remains the evidentiary standard. Since 2018, IGG has been applied in hundreds of cold cases across the United States and is under active policy review in the United Kingdom, Australia, Canada, and India.
Investigative genetic genealogy (IGG) solved the Golden State Killer cold case in 2018 by uploading a crime-scene DNA profile to GEDmatch, identifying distant relatives through SNP partial matches, and reconstructing family trees until a single suspect emerged. The technique has since spread to cold-case units across the US, UK, Australia, and Canada, each jurisdiction developing its own consent and legality framework.
Key takeaways
- Joseph James DeAngelo was identified as the Golden State Killer not through CODIS (which had no matching record) but through SNP partial matches in GEDmatch that pointed to third-cousin relatives, enabling family-tree reconstruction to a single candidate.
- The confirmation step was a covertly collected DNA sample from a discarded cup, generating a conventional STR match to the crime-scene profile. IGG was investigative intelligence; the STR match was the evidence.
- GEDmatch changed from opt-out to opt-in for law-enforcement access in May 2019, reducing the searchable database from roughly 1.2 million to 185,000 profiles within weeks.
- The consent problem is structural: uploading one person's profile exposes the genetic information of all biological relatives who never consented to any testing.
- As of 2025, no jurisdiction outside the US has enacted specific IGG legislation; India's DNA Technology Bill was not enacted and the BSA 2023 broad admissibility provisions leave court-by-court assessment as the operative framework.
On 24 April 2018, retired police officer Joseph James DeAngelo was arrested at his Sacramento home and charged with multiple counts of murder. DeAngelo was identified as the Golden State Killer, a serial offender responsible for at least 13 murders, more than 50 rapes, and over 100 residential burglaries across California between 1974 and 1986. The case had defeated investigators for four decades. The technique that finally cracked it was not a conventional DNA database query. It was investigative genetic genealogy.
Law enforcement had held a full DNA profile of the Golden State Killer since the early 1990s, recovered from biological evidence at crime scenes. That profile had been searched repeatedly against the FBI's Combined DNA Index System (CODIS), one of the major national DNA databases, and had produced no match. CODIS contains profiles from convicted offenders and arrestees; the Golden State Killer had never been convicted of a qualifying offence. The break came when the crime-scene profile was uploaded to GEDmatch, a publicly accessible genealogy database populated by consumers who had uploaded their own direct-to-consumer (DTC) genetic test results for ancestry research.
The GEDmatch search returned partial matches: individuals who shared enough segments of genetic material with the unknown profile to suggest they were relatives of the unknown person, probably at the level of second or third cousin. From those partial matches, a team of genetic genealogists built family trees, narrowed the candidate pool using conventional genealogical records (birth certificates, census data, obituaries), applied demographic constraints (age, sex, known California residence), and eventually identified a shortlist of one: Joseph James DeAngelo. A discarded coffee cup provided his DNA, confirming the match to the crime-scene profile. The arrest followed.
The Golden State Killer case introduced a new forensic identification paradigm and triggered a global policy debate about consent, privacy, and the governance of genealogy databases.
By the end of this topic you will be able to:
- Describe the SNP-based IGG workflow from crime-scene sample to family-tree reconstruction, and explain why CODIS STR profiles cannot substitute for consumer SNP array data in this process.
- Explain the structural consent problem in IGG, including why uploading one profile exposes the genetic information of biological relatives who never consented to testing.
- Distinguish between IGG as investigative intelligence and conventional STR profiling as the evidentiary standard, using the DeAngelo coffee-cup confirmation as the reference case.
- Compare the law-enforcement access policies of GEDmatch, FamilyTreeDNA, AncestryDNA, and 23andMe, including the GEDmatch opt-in shift in May 2019 and its quantitative effect on the searchable database.
- Summarise the legislative status of IGG across the US, UK, Australia, Canada, and India as of 2025, noting which jurisdictions have enacted specific statutory authority and which rely on existing admissibility frameworks.
The Technical Workflow: From Crime Scene to Family Tree
The starting point is a DNA profile from the crime scene. In the Golden State Killer investigation, the technology used was single nucleotide polymorphism (SNP) genotyping, not STR profiling. CODIS profiles are built from 20 STR loci, optimised for database matching between forensic samples and convicted-offender reference profiles. STR profiles are not comparable across consumer DTC databases. Consumer DTC tests (AncestryDNA, 23andMe, MyHeritage, FamilyTreeDNA) genotype hundreds of thousands of SNPs across the genome, producing a raw data file or array file. Investigative genetic genealogy requires the crime-scene sample to be genotyped for the same SNP array format.
Verogen's ForenSeq Kintelligence kit, launched in 2020, was designed specifically for this purpose. It targets approximately 10,000 SNPs selected to be informative for kinship inference without requiring the full consumer array format, part of the broader MPS-based forensic genetic genealogy paradigm that the DeAngelo case established. The kit can be run from low-quality, degraded samples standard in forensic casework. Earlier applications, including the Golden State Killer case, used modified consumer microarray protocols adapted to work with extracted crime-scene DNA.
Once a SNP profile is available, it is uploaded to a genealogy database in the standard GEDCOM or raw-data format. GEDmatch, at the time of the Golden State Killer investigation, was publicly accessible. The system returned a ranked list of matches by estimated degree of relationship, based on the amount of shared DNA across all chromosomes measured in centimorgans (cM):
The crime-scene profile's closest matches in GEDmatch were estimated third cousins, meaning they shared a set of great-great-grandparents with the unknown person.
From those third-cousin matches, the genetic genealogist (Barbara Rae-Venter, who had previously used the same technique to identify a victim in a 1981 unidentified-remains case) built upward-and-downward family trees. She traced matched individuals' lineages up to shared common ancestors, then traced all descendants of those ancestors forward in time to identify anyone who fit the demographic profile of the Golden State Killer: male, Californian, born approximately 1940 to 1950. The tree-building used publicly available genealogical records: US census data, vital records (birth, marriage, death), newspaper obituaries, genealogy databases such as Ancestry.com, and social media profiles. After months of work, the candidate list narrowed to a small number of individuals. DeAngelo, whose age, location, and absence from CODIS matched the profile, emerged as the primary candidate.

The discarded coffee cup is a critical detail. Once DeAngelo was identified as a candidate, investigators did not arrest him on the basis of the genealogical analysis alone. They collected his discarded DNA covertly from a cup he left at a public place, generated a standard forensic STR profile, and confirmed a match against the Golden State Killer crime-scene STR profile before making the arrest. The genealogical analysis was intelligence, not evidence. The forensic confirmation was the evidentiary foundation, the same confirmation-then-arrest discipline applied in major biometric casework.
The Consumer Database Landscape: GEDmatch, FamilyTreeDNA, 23andMe and Ancestry
The four principal consumer genomic databases hold different volumes of data and have adopted different policies on law-enforcement access:
AncestryDNA (Ancestry.com, now privately held, previously NASDAQ: ACOM) held approximately 22 million customers' genetic profiles by 2024, making it the largest consumer genomic database in the world. Its terms of service have consistently prohibited law-enforcement access without a valid court order. Ancestry does not voluntarily respond to law-enforcement requests and has not made its database available for IGG searches. Its raw data files are nonetheless widely uploaded to GEDmatch by users who tested at Ancestry.
23andMe (NASDAQ: ME, filing for Chapter 11 bankruptcy protection in March 2025) held approximately 15 million customer profiles. Its policy mirrored Ancestry's: no voluntary law-enforcement access, production only on receipt of valid legal process. The company's 2023 data breach exposed partial genetic data for approximately 7 million customers through credential-stuffing attacks, raising further concerns about the data-security context in which forensic genetic databases operate.
FamilyTreeDNA (Gene by Gene Ltd., Houston, Texas) held approximately 3 million profiles by 2024. It controversially disclosed in January 2019 that it had been voluntarily cooperating with FBI requests since 2018, allowing law-enforcement queries without customer knowledge or consent. Following public backlash, the company introduced an opt-out mechanism and later revised this to an opt-in requirement.
GEDmatch, founded in 2010 by Curtis Rogers and John Olson as a free, openly accessible tool for genealogists to cross-compare results across different testing companies, was the platform used in the Golden State Killer case. At the time, its default setting allowed all uploaded profiles to be matched against all others, including by law-enforcement users who uploaded profiles. By May 2019, GEDmatch's database held approximately 1.2 million profiles.
The GEDmatch May 2019 Policy Reversal and Verogen Acquisition
Before the Golden State Killer case became public, law enforcement had been using GEDmatch's open database without the knowledge of GEDmatch's founders or most of its users. The arrest announcement in April 2018 disclosed that GEDmatch had been the discovery mechanism, prompting an immediate reaction from the genealogy community and privacy advocates.
GEDmatch users had uploaded their profiles to find relatives and understand their ancestry, not to contribute to a forensic database. When a user uploads their profile, they expose not just their own genetic information but information about every biological relative, including those who never consented to any genetic testing. A third-cousin match exposes the shared great-great-grandparents' lineage and all descendants of that lineage: potentially hundreds of living relatives who never chose to participate.
In May 2019, GEDmatch changed its default policy from opt-out to opt-in for law-enforcement matching. Under the new policy, a profile was accessible for law-enforcement queries only if the owner had affirmatively opted in. This reduced the database available to law enforcement from approximately 1.2 million profiles to approximately 185,000 profiles within weeks, a reduction of about 85 per cent. The practical impact was significant: the probability of finding a partial match at the third-cousin level in a database of 185,000 is substantially lower than in a database of 1.2 million.
In December 2019, GEDmatch was acquired by Verogen, Inc., a San Diego-based company founded in 2017 as a spin-off from Illumina with a specific focus on forensic genomics. Verogen's acquisition created a vertically integrated pathway from forensic sample genotyping (ForenSeq Kintelligence) to database search (GEDmatch) within a single commercial entity, raising governance questions that had not existed when GEDmatch was an independent, volunteer-run genealogy tool. The opt-in policy was retained following the acquisition. In 2023, Verogen was itself acquired by QIAGEN, a global life sciences company.
Global Casework Arc: 2018 to the Present
The success of the Golden State Killer case immediately prompted law-enforcement agencies in the United States to apply investigative genetic genealogy to other cold cases. By 2024, the Parabon NanoLabs Snapshot Investigative Genetic Genealogy service, which became the primary commercial provider of IGG casework after the Golden State Killer case, reported having contributed to more than 300 solved violent crime cold cases in the United States, including the 1969 murder of Cathy Cesnik (a victim later connected to the Netflix documentary "The Keepers") and a series of unsolved rape-murders dating to the 1970s and 1980s across multiple states.
In Australia, Queensland Police announced in 2020 that it would seek approval to use investigative genetic genealogy for a small number of priority cold cases, with oversight from the Office of the Information Commissioner and a requirement for ministerial approval in each case. The Australian Institute of Criminology published a research paper in 2022 examining the legal framework and concluding that existing Australian law did not clearly prohibit IGG but that specific legislative authority would be preferable to relying on existing judicial interpretations of search powers.
In the United Kingdom, the Forensic Science Regulator published initial guidance on investigative genetic genealogy in 2023, noting that the technique could potentially be used in serious crime investigations but that it would require a careful legal framework. The Human Tissue Act 2004 and associated regulations govern forensic DNA analysis, and the Biometrics Commissioner has oversight of DNA database use. The National DNA Database (NDNAD) contains profiles from individuals arrested for recordable offences, but IGG by definition involves searching outside NDNAD. The Home Office commissioned a review of the legal framework in 2024.
In Canada, the Privacy Commissioner of Canada published a guidance note in 2022 acknowledging that Canadian law enforcement had begun to explore IGG but that its use raised significant issues under the Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act). No specific IGG legislation had been enacted by 2025.
In India, the DNA Technology (Use and Regulation) Bill, which had been introduced in the Lok Sabha in 2019 but not passed into law by 2025, would establish a statutory framework for DNA profiling in criminal investigations. The Bill's provisions focus on STR-based national DNA databases rather than SNP-based genealogy search, and it does not address investigative genetic genealogy specifically. However, the Bharatiya Sakshya Adhiniyam 2023's broad admissibility provisions for scientific evidence would likely permit a court to receive IGG-derived evidence if the methodology could be validated and the expert's credentials established.
| Jurisdiction | IGG legal status (2025) | Database governance | Oversight mechanism |
|---|---|---|---|
| United States (federal) | Permitted for violent crimes with FBI approval under DOJ 2021 policy | GEDmatch (opt-in), FamilyTreeDNA (opt-in), no mandatory national framework | DOJ policy; Maryland and Utah state statutes; CODIS rules separate |
| United Kingdom | No specific statute; FSR 2023 guidance pending legislative framework | GEDmatch accessible; NDNAD is STR-only; no IGG database framework | Forensic Science Regulator; Biometrics Commissioner; Home Office review |
| Australia | No specific statute; ministerial approval required per case in Queensland | GEDmatch accessible; no national IGG database policy | State and territory information commissioners; AISC oversight |
| Canada | No specific statute; Privacy Commissioner guidance notes concerns | No Canadian genealogy database policy | Privacy Commissioner of Canada; PIPEDA framework |
| India | No statute; DNA Technology Bill not enacted; BSA 2023 broad admissibility | No Indian consumer genealogy database of scale; international databases technically accessible | Court-by-court admissibility assessment; NABL accreditation framework does not address IGG |
Privacy, Consent and the Absent Third Party
The consent problem in investigative genetic genealogy is structural. When a person tests with a consumer DTC company and uploads their raw data to GEDmatch (or FamilyTreeDNA), they expose genetic information about all of their biological relatives, including relatives who have never consented to any genetic testing. A person sharing third-cousin-level DNA with the unknown crime-scene profile shares common ancestors with that profile, and those common ancestors had many other descendants, all of whom are affected by the search without their knowledge or consent. This structural imbalance parallels the consent problem discussed in the Puttaswamy and Aadhaar jurisprudence topic, where compelled or contextually pressured consent is treated as no consent at all.
Researchers at the University of California San Francisco (Erlich et al., Science 2018) estimated that, given the population coverage of US DTC databases by 2017 to 2018, approximately 60 per cent of US individuals of Northern European descent had at least one identifiable third-cousin or closer match in consumer databases. A database containing the profiles of approximately 3 million US individuals of European descent would cover 90 per cent of that population with at least one third-degree relative or closer match. At current database sizes and growth rates, effective universal coverage of the US white population may have been achieved. For most crime scenes where the offender is of Northern European ancestry, a genealogical path to identification likely exists in consumer databases.
The European Union's GDPR classifies genetic data as a special category of personal data (Article 9), subject to enhanced protections. Processing genetic data for law enforcement purposes requires a specific legal basis under Article 10, meaning a specific provision in national law. Germany's Strafprozessordnung provides such a basis for conventional forensic DNA analysis but does not explicitly address IGG. The European Data Protection Board has not yet issued specific guidance on IGG.
India's Digital Personal Data Protection Act 2023 classifies genetic data as sensitive personal data under the draft Data Protection Rules (expected in 2025). Its processing for any purpose requires specific consent, and the law-enforcement exemptions in the Act are narrowly defined. Without specific legislation, IGG-based evidence in Indian criminal proceedings would face significant data-protection challenges even where a court was otherwise willing to admit it under the Bharatiya Sakshya Adhiniyam 2023.
The Identification Paradigm: What IGG Is and What It Is Not
The most important operational distinction in investigative genetic genealogy is between identification and confirmation. IGG narrows an investigative candidate pool; it does not establish identity. The Golden State Killer's arrest was made possible by IGG, but the evidentiary basis for arrest and prosecution was the conventional STR match between the discarded coffee cup sample and the crime-scene profile. IGG produced a name; conventional forensic DNA produced the proof.
This distinction matters because IGG can produce false leads. Family trees contain errors: incorrect paternity attributions, undisclosed adoptions, donor-conceived individuals, and data entry mistakes in genealogical records all introduce errors into the tree-building process. A genetic genealogist who incorrectly builds a branch of a family tree because a genealogical record is wrong, or because a reported relationship is not the biological relationship, can direct investigators toward an innocent person. At least one publicly reported case (the 2018 investigation of William Earl Talbott II for the 1987 murder of a Canadian couple, a case that did result in conviction) involved initial scrutiny of the suspect's relatives before the correct branch was identified.
Quality assurance in IGG requires genetic genealogists to:
- Document their tree-building methodology.
- Record the sources used for each generational step.
- Apply demographic constraints systematically.
- Acknowledge uncertainty at each branch where the genealogical record is incomplete.
Professional organisations including the International Society of Genetic Genealogy (ISOGG) and the Association of Professional Genealogists have developed codes of conduct for forensic genealogy work. The DNA Saves Lives Protecting America Act framework in the United States requires that laboratories conducting IGG hold AABB or equivalent accreditation and that genetic genealogists meet defined competency standards.
- Investigative genetic genealogy (IGG)
- A forensic identification technique that uploads a crime-scene DNA profile to a consumer genealogy database, identifies partial matches suggesting distant family relationships, and uses family-tree reconstruction to narrow the candidate pool to a suspect for conventional DNA confirmation.
- Single nucleotide polymorphism (SNP)
- A position in the genome where a single nucleotide varies between individuals. Consumer DTC genomic tests genotype hundreds of thousands of SNPs; SNP profiles are used in IGG because they can be compared across consumer databases in a way that CODIS STR profiles cannot.
- GEDmatch
- A consumer genealogy database founded in 2010, used in the Golden State Killer investigation. Changed from opt-out to opt-in for law-enforcement access in May 2019 following public backlash. Acquired by Verogen in 2019 and subsequently by QIAGEN in 2023.
- ForenSeq Kintelligence
- A Verogen (formerly Illumina) forensic SNP genotyping kit targeting approximately 10,000 kinship-informative SNPs, designed to generate profiles compatible with consumer genealogy databases from forensic-quality degraded crime-scene samples.
- Centimorgans (cM)
- The unit of genetic map distance used to measure shared DNA between individuals. A first-degree relative shares approximately 2,550 cM; a third cousin shares approximately 200-850 cM. The amount of shared DNA in centimorgans estimates the probable degree of relationship.
- Genetic genealogist
- A specialist who combines DNA match data with traditional genealogical record research to reconstruct family trees. In forensic IGG casework, the genetic genealogist converts partial database matches into a candidate pool for law-enforcement investigation.
- Opt-in policy
- The GEDmatch policy adopted in May 2019 requiring database users to affirmatively consent for their profile to be visible in law-enforcement queries, replacing the previous default-accessible open model.
- CODIS
- The FBI's Combined DNA Index System, the US national STR-based forensic DNA database. Contains profiles from convicted offenders, arrestees, and unidentified crime-scene samples. Not accessible through IGG workflows because STR profiles are not compatible with consumer SNP array formats.
- Barbara Rae-Venter
- The genetic genealogist who led the family-tree reconstruction in the Golden State Killer investigation. Previously used the same technique to identify an unidentified homicide victim (Baby Jane Doe) in 2017, demonstrating the technique's value in both suspect-identification and victim-identification contexts.
- Parabon NanoLabs
- A US company that became the primary commercial provider of forensic IGG casework following the Golden State Killer case, offering the Snapshot Investigative Genetic Genealogy service. By 2024 the company reported contributing to more than 300 solved cold cases in the United States.
The Golden State Killer was identified through investigative genetic genealogy because:
Can investigative genetic genealogy identify victims of crime, not just suspects?
How does investigative genetic genealogy differ from a CODIS familial DNA search?
Does the GDPR restrict police use of genealogy databases in EU countries?
Test yourself on Fingerprint Sciences with free, timed mocks.
Practice Fingerprint Sciences questionsSpotted an error in this page? Report a correction or read our editorial standards.