The biometric case studies that shape contemporary policy and admissibility: the Golden State Killer 2018 case as the genealogy-biometric paradigm shift; Aadhaar-linked fraud casework across Indian banking and welfare delivery (the cloned-fingerprint biometric-bypass cases, the rubber-pad and silicone-overlay attacks, the response from UIDAI's liveness-detection upgrades); and the Clearview AI face-recognition controversies (the 2020 New York Times exposé; the US Illinois BIPA, Vermont and Virginia litigation; the UK ICO, Italy Garante and Australia OAIC enforcement actions; the implications for face-recognition admissibility in court).
Biometric evidence is no longer confined to the fingerprint card and the mugshot. Three cases from the period 2018 to 2023 define the current frontier: the identification of Joseph James DeAngelo as the Golden State Killer through investigative genealogy and a DNA-to-biometric bridge; systematic attacks on India's Aadhaar biometric authentication system using cloned fingerprint overlays; and the global regulatory response to Clearview AI's mass-harvest of facial images for law enforcement identification purposes.
Together, these cases demonstrate that biometric forensics has expanded into domains that existing legal frameworks were not designed to govern. Genealogy databases connect a crime-scene DNA profile to a living relative's commercial ancestry kit; biometric enrolment systems face physical spoofing attacks that bypass liveness detection; facial recognition at scale enables identification across populations without individual enrolment. Each expansion raises distinct questions about admissibility, privacy, error rates, and the conditions under which biometric identification can serve as the basis for arrest, prosecution, or administrative denial.
The forensic practitioner encountering biometric evidence in casework today needs to understand not only the technical method but the regulatory and legal context in each jurisdiction, because that context will determine whether the evidence is admissible, whether it requires corroboration, and what disclosures the expert is obligated to make.
The case was solved not by a fingerprint database or a facial recognition engine but by a great-niece's recreational DNA kit and 44 years of patience.
Between 1974 and 1986, Joseph James DeAngelo committed at least 13 murders, 50 rapes, and more than 100 residential burglaries across California. Investigators had maintained a partial DNA profile developed from crime-scene evidence but had no match in CODIS (the Combined DNA Index System) or any other law enforcement database. The case had gone cold for decades.
In 2017, Barbara Rae-Venter, a genealogist and retired intellectual property attorney, began working with investigator Paul Holes on a novel approach. Crime-scene DNA from the Golden State Killer cases was uploaded to GEDmatch, a publicly accessible genealogy database whose users submit their genotyped results from consumer ancestry kits (23andMe, AncestryDNA, MyHeritage) for comparison against other users. GEDmatch compares autosomal single-nucleotide polymorphism (SNP) profiles rather than the STR loci used in CODIS; SNP profiles reveal both close and distant familial relationships.
The crime-scene SNP profile matched multiple partial relatives on GEDmatch. Rae-Venter built family trees from these partial matches, tracing lineages forward in time through public genealogical records, obituaries, and social media, to identify candidate individuals who would fit the known biological profile of the killer (male, born approximately 1940-1950, Californian). The tree-building process eliminated branches systematically until a small number of candidates remained. DeAngelo, a former Sacramento-area police officer, was identified as a candidate.
To confirm the genealogical identification before arrest, investigators placed DeAngelo under physical surveillance and obtained discarded biological material (DNA from a tissue and a door handle) that produced a full STR profile matching the crime-scene evidence. He was arrested on 24 April 2018. He pleaded guilty in 2020 and was sentenced to life imprisonment without parole.
The case established investigative genealogy as a standard law enforcement technique in the United States. The FBI subsequently issued interim guidelines in 2019 requiring genealogical database searches to be limited to violent felonies and unidentified remains cases, and requiring that a CODIS search be conducted first. Several US states have enacted legislation governing genealogical database searches; California's AB 1706 (2021) codifies consent requirements and restricts searches to certain offence categories.
Outside the US, investigative genealogy is governed by different frameworks. In the UK, the National DNA Database Strategy Board's Forensic Genealogy Working Group published guidance in 2022; searches of commercial databases are not currently lawful without the database provider's consent and Home Office authorisation. In India, no equivalent framework exists, though the DNA Technology (Use and Application) Regulation Bill, which has been before Parliament intermittently since 2019, would create a statutory DNA data bank and address genealogical applications.
A silicone overlay costs less than a hundred rupees and, before liveness detection was upgraded, could defeat a billion-dollar biometric authentication system.
Aadhaar, administered by the Unique Identification Authority of India (UIDAI), is the world's largest biometric identity programme. As of 2024, approximately 1.3 billion Indian residents have enrolled, providing 10-fingerprint scans, iris images, and a facial photograph linked to a 12-digit UID. Authentication is used across hundreds of government welfare delivery systems (Public Distribution System, MGNREGA wage payments, direct benefit transfers) and across the banking sector under the eKYC (electronic Know Your Customer) framework.
The scale of the system created a correspondingly large attack surface. From approximately 2016 onward, a pattern of biometric fraud emerged across multiple Indian states in which welfare-scheme payments and banking transactions were authenticated using cloned fingerprints rather than the genuine enrolee's fingerprint. The attack method involved three variants. Rubber-pad attacks used silicone rubber casts taken from a genuine enrolee's finger (sometimes with the enrolee's knowledge and participation, sometimes not) to create a flexible overlay that could be worn over an attacker's fingertip. Silicone-overlay attacks used medical-grade silicone moulded to a higher-fidelity cast; several commercial-grade silicone kits for creating fingerprint overlays were documented in seized materials. Gelatin-layer attacks used Knox-brand gelatin dissolved in warm water and cast from a fingerprint impression on a smooth surface.
Cases were documented across Rajasthan, Jharkhand, Bihar, and Andhra Pradesh. A 2022 investigative report by The Wire and Reporters' Collective documented at least 50,000 Aadhaar-linked welfare fraud incidents in Jharkhand alone in which biometric authentication had been bypassed. UIDAI's response included mandatory liveness detection (measuring blood flow response, ridge flexibility, and electrical skin resistance at the biometric reader) as a required feature for Authentication Service Agencies from 2023, and fingerprint minutiae quality checks that flag implausibly uniform ridge patterns characteristic of silicone overlays.
From an evidentiary standpoint, cases in which Aadhaar authentication records were tendered as evidence of the accused's presence at a transaction site raised chain-of-custody questions. Authentication logs record the UID, the time, the device ID, and the biometric modality; they do not record whether the biometric was genuine or spoofed. Indian courts in several sessions-court matters have required supplementary expert evidence on liveness detection capability before treating an Aadhaar authentication record as proof of physical presence.
In comparison, the UK Home Office's identity document verification framework under the Identity Documents Act 2010 and the Biometric Residence Permit system do not face the same welfare-fraud attack surface, but liveness detection requirements have been incorporated into the UK Biometric Strategy (2022) for document verification at the border. The US NIST FRVT (Face Recognition Vendor Test) programme includes a Presentation Attack Detection component that evaluates vendor systems against artefact-based spoofing, and NIST SP 800-76 addresses biometric data quality standards for Homeland Security applications.
A private company scraped three billion facial images from the public web and sold a search engine against that database to police departments. The regulatory response took four years and seven jurisdictions.
Clearview AI was founded in New York in 2017 by Hoan Ton-That and Richard Schwartz. The company built a facial recognition database by scraping images from social media platforms (Facebook, Instagram, Twitter, YouTube, LinkedIn), public news sites, and other publicly accessible websites, associating each image with the originating URL, user handle, or page metadata. By 2020, the database contained approximately three billion images, growing to an estimated 50 billion by 2024. The system allowed a subscriber to upload a photograph of an unknown face and receive a ranked list of database images showing faces with high visual similarity, along with the source URLs.
Clearview sold access to law enforcement agencies primarily in the United States. A January 2020 investigation by the New York Times (Woodrow Cox, Caroline Haskins, Ryan Mac) revealed that more than 600 law enforcement agencies had used the system, including federal agencies such as the FBI and DHS, and hundreds of local police departments. The article also noted that Clearview had provided access to private companies, including a bank and a retail chain, though this was later restricted.
The regulatory and legal response was extensive and multi-jurisdictional.
In the United States, Illinois was the most significant state-level forum. The Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), enacted in 2008, requires informed written consent before collecting biometric identifiers (including facial geometry scans) and prohibits the sale of biometric data. A class action filed in Illinois state court in 2020 (Thornley v. Clearview AI) alleged BIPA violations. Vermont and Virginia filed state attorney general actions. In 2022, Clearview settled the ACLU's BIPA suit, agreeing to stop selling access to private companies and limiting law enforcement sales to US federal agencies and state or local agencies in states without biometric privacy laws.
Outside the US, enforcement was less ambiguous. The UK Information Commissioner's Office (ICO) issued a preliminary enforcement notice in 2021 and a final notice in May 2022 ordering Clearview to delete all images of UK persons from its database and imposing a fine of 7.5 million GBP. The Italian data protection authority (Garante per la Protezione dei Dati Personali) issued an order in March 2022 prohibiting Clearview from processing Italian residents' data and fining the company 20 million euros. The Australian Information Commissioner (OAIC) found in November 2021 that Clearview had breached the Privacy Act 1988 by collecting facial images without consent and using them for a commercial purpose; the Commissioner ordered Clearview to delete Australian personal information. The French CNIL (Commission Nationale de l'Informatique et des Libertés) imposed a 20 million euro fine in 2022. The Greek DPA issued a 20 million euro fine in the same period.
| Jurisdiction | Legal basis | Enforcement action | Outcome |
|---|---|---|---|
| United States (Illinois) | BIPA (740 ILCS 14): informed consent required for biometric identifiers | Thornley class action; ACLU suit | 2022 settlement: no private-company sales; federal law enforcement only in non-BIPA states |
| United Kingdom | UK GDPR + Data Protection Act 2018; ICO enforcement | ICO final notice May 2022 | 7.5m GBP fine; order to delete UK persons' images from database |
| Italy | GDPR Art. 9 (biometric data as special category); Garante enforcement | Garante order March 2022 | 20m euro fine; prohibition on processing Italian residents' data |
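| Australia | Privacy Act 1988 (Cth) Australian Privacy Principles | OAIC determination November 2021 | Order to cease collection and delete Australian personal information |
| France | GDPR; CNIL enforcement | CNIL decision 2022 | 20m euro fine |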
Identifying a suspect through a facial recognition engine is not the same as identifying them through a human face comparison. Courts in multiple jurisdictions have begun to treat these as different categories of evidence.
The Clearview AI controversy accelerated a pre-existing debate about the admissibility of facial recognition evidence in criminal proceedings. The admissibility question has three layers: the reliability of the algorithm, the reliability of the human who reviews the algorithm's output, and the lawfulness of the underlying data collection.
On algorithmic reliability, the US NIST FRVT programme has provided the most systematic public benchmarking. FRVT Part 3 (Demographic Effects, 2019) found statistically significant false-positive rate disparities across demographic groups in most tested algorithms, with false-positive rates for Black women up to 100 times higher than for White men in some vendors' systems. This finding has been cited in US federal and state pre-trial Daubert hearings to challenge the reliability of specific vendor outputs.
In New Jersey v. Arteaga (Superior Court, 2021), a pre-trial challenge to facial recognition evidence produced by Amazon Rekognition was granted; the court excluded the evidence after finding that the prosecution had not established the algorithm's validated error rate for the specific demographic group of the suspect. In the UK, the Court of Appeal in R v. Atkins and Atkins (2009) had addressed facial mapping evidence (a different, pre-deep-learning methodology) and held that such evidence was admissible but required careful judicial direction about its limitations. The arrival of deep-learning facial recognition systems has led the Crown Prosecution Service to issue supplementary guidance in 2023 noting that AI-generated facial recognition outputs should be treated as investigative tools requiring human corroboration, not standalone identification evidence.
In India, the use of automated facial recognition systems (AFRS) in law enforcement has expanded through deployments by Delhi Police, Telangana Police, and others. The National Automated Facial Recognition System (NAFRS) was proposed by the National Crime Records Bureau (NCRB) in 2019 and has been progressively deployed. Indian courts have not yet produced a settled body of admissibility case law on AFRS outputs; the BSA 2023 does not address algorithmic identification tools specifically, but the Supreme Court's data-privacy reasoning in Justice K.S. Puttaswamy v. Union of India (2017) establishes a constitutional framework under which unrestricted facial recognition surveillance would require statutory authorisation and proportionality justification.
Biometric data is a category apart. It cannot be changed if compromised, it is permanently linked to a physical body, and it discloses health and demographic information the subject may not have consented to reveal.
The legal frameworks governing biometric data have diverged significantly across jurisdictions in the period from 2018 to 2024.
The European Union treats biometric data as a special category under GDPR Article 9, requiring explicit consent or an enumerated legal basis (national security, vital interests, substantial public interest) for processing. The EU AI Act (2024) classifies real-time biometric identification systems in publicly accessible spaces as high-risk AI systems, requiring conformity assessments, and bans real-time remote biometric identification by law enforcement in public spaces except under a judge-issued warrant in specific circumstances.
The United States has no federal biometric privacy statute. State-level legislation has been the primary regulatory mechanism. Illinois's BIPA (2008) is the most comprehensive and the most litigated. Texas (Capture or Use of Biometric Identifier Act, 2009) and Washington (Biometric Privacy Law, 2017) followed. The Biometric Data Privacy Act at federal level has been introduced multiple times without passing. The FTC has used its authority over unfair or deceptive trade practices to bring enforcement actions against companies collecting biometric data without adequate disclosure.
India's Digital Personal Data Protection Act 2023 (DPDP Act) treats biometric data as personal data but does not explicitly create a biometric special category equivalent to GDPR Article 9. The UIDAI Act 2016 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 provide a sector-specific framework for Aadhaar biometric data with prohibitions on sharing or misusing Aadhaar biometric data (section 29). The Supreme Court in the Puttaswamy Aadhaar judgment (2018) upheld the Aadhaar framework with limitations, including striking down section 57 which had allowed private companies to mandate Aadhaar authentication.
The UK Data Protection Act 2018, implementing UK GDPR, treats biometric data used for identification as a special category (schedule 1, condition 1). The Surveillance Camera Code of Practice (2021) governs facial recognition cameras in public spaces and requires prior publication of the surveillance zone, a privacy impact assessment, and consultation with the Surveillance Camera Commissioner. The Metropolitan Police's use of retrospective facial recognition (matching CCTV images against the Police National Database) has been subject to judicial review; the Court of Appeal in Bridges v. Chief Constable of South Wales Police (2020) found the existing deployment unlawful on the grounds that the criteria for inclusion in the watch list were not sufficiently defined by law.
Every biometric system has a false acceptance rate and a false rejection rate. Neither is zero. The question courts increasingly ask is what those rates are, for which populations, and under which conditions.
Three cross-cutting themes unite the Golden State Killer, Aadhaar fraud, and Clearview AI cases and define the contested terrain for biometric evidence going forward.
Error rates and demographic disparities apply to every biometric modality. NIST FRVT found false-positive disparities in facial recognition. A 2021 NIST study of fingerprint algorithms (NIST IREX 10) found accuracy variation across demographic groups in latent fingerprint searches, though smaller in magnitude than in facial recognition. UIDAI's own audit data, published in 2023, reported that liveness detection upgrades reduced biometric authentication fraud rates but that the false-rejection rate for elderly rural populations (whose fingerprints can be degraded by manual labour) increased. Any expert tendering biometric identification evidence should be prepared to state the measured false-positive and false-rejection rates for the specific algorithm and population relevant to the case.
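The per-population error-rate statement described above can be worked through as follows. This is an added example, not part of the original notes or of any vendor's or agency's tooling: it computes the false acceptance rate (FAR) and false rejection rate (FRR) for each group at one decision threshold, with a 95% Wilson confidence interval on each. The trial data, the group labels "A" and "B", and the 0.5 threshold are all constructed assumptions.

```python
import math
from collections import defaultdict

THRESHOLD = 0.5  # assumed decision threshold on a 0..1 similarity score

def build_constructed_trials():
    """Constructed sample data: (group, is_genuine_pair, score). Not real results."""
    trials = []
    # group label, impostor trials, false accepts, genuine trials, false rejects
    for group, n_imp, fa, n_gen, fr in [("A", 2000, 2, 500, 5),
                                        ("B", 2000, 20, 500, 40)]:
        trials += [(group, False, 0.90)] * fa             # impostors above threshold
        trials += [(group, False, 0.20)] * (n_imp - fa)   # impostors correctly rejected
        trials += [(group, True, 0.40)] * fr              # genuine users below threshold
        trials += [(group, True, 0.95)] * (n_gen - fr)    # genuine users accepted
    return trials

def wilson_interval(errors, n, z=1.96):
    """95% Wilson score interval for an error proportion; stable when errors are rare."""
    if n == 0:
        return (0.0, 1.0)
    p = errors / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def error_rates_by_group(trials, threshold=THRESHOLD):
    """Return FAR and FRR with confidence intervals for each population group."""
    counts = defaultdict(lambda: {"imp": 0, "fa": 0, "gen": 0, "fr": 0})
    for group, is_genuine, score in trials:
        c = counts[group]
        accepted = score >= threshold
        if is_genuine:
            c["gen"] += 1
            c["fr"] += int(not accepted)   # genuine pair rejected
        else:
            c["imp"] += 1
            c["fa"] += int(accepted)       # impostor pair accepted
    report = {}
    for group, c in counts.items():
        report[group] = {
            "FAR": c["fa"] / c["imp"] if c["imp"] else None,
            "FAR_CI": wilson_interval(c["fa"], c["imp"]),
            "FRR": c["fr"] / c["gen"] if c["gen"] else None,
            "FRR_CI": wilson_interval(c["fr"], c["gen"]),
        }
    return report

def intervals_overlap(a, b):
    """True when two confidence intervals share any value."""
    return a[0] <= b[1] and b[0] <= a[1]

if __name__ == "__main__":
    report = error_rates_by_group(build_constructed_trials())
    for group, r in sorted(report.items()):
        print(group, f"FAR={r['FAR']:.4f} CI={r['FAR_CI'][0]:.4f}-{r['FAR_CI'][1]:.4f}",
              f"FRR={r['FRR']:.4f} CI={r['FRR_CI'][0]:.4f}-{r['FRR_CI'][1]:.4f}")
```

With only two false accepts in 2,000 impostor trials, group A's interval is several times wider than its point estimate, which is why a bare rate quoted without the trial count and interval says little about reliability for a given population.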
Spoofing and liveness detection create an ongoing arms race. The Aadhaar silicone-overlay attacks prompted UIDAI's 2023 liveness-detection upgrade; within months, researchers at several Indian academic institutions had demonstrated that ridge flexibility tests could be defeated with softer silicone formulations. In facial recognition, "deepfake" images and printed-photo attacks are evaluated annually in the NIST Presentation Attack Detection tests. The ISO/IEC 30107 series (Biometric Presentation Attack Detection) provides the international standard for liveness detection; the 2023 revision added requirements for adversarial testing.
Genealogy-biometric convergence will expand as consumer DNA databases grow. GEDmatch had approximately 1.4 million profiles when used in the Golden State Killer case in 2017; it had grown to over 1.6 million by 2024. FamilyTreeDNA, which opened its database to law enforcement in 2019, adds a further 3 million profiles. A 2018 study in Science (Erlich et al.) estimated that a database of 3 million US profiles would allow identification of approximately 60% of individuals of Northern European descent through third-cousin or closer matches. The same study's methodology applies to the Indian population once a sufficiently large SNP database of Indian ancestry profiles exists.
In the Golden State Killer investigation, what was the role of the GEDmatch genealogical search in the legal proceedings against Joseph James DeAngelo?