Skip to content

Major Biometric Casework: Golden State Killer and Clearview AI

The biometric case studies that shape contemporary policy + admissibility: the Golden State Killer 2018 case as the genealogy-biometric paradigm shift, Aadhaar-linked fraud casework across Indian banking + welfare delivery (the cloned-fingerprint biometric-bypass cases, the rubber-pad and silicone-overlay attacks, the response from UIDAI's liveness-detection upgrades), and the Clearview AI face-recognition controversies (the 2020 New York Times exposé, the US Illinois BIPA + Vermont + Virginia litigation, the UK ICO + Italy Garante + Australia OAIC enforcement actions, the implications for face-recognition admissibility in court).

Last updated:

Share

Three cases from 2018 to 2023 define the current boundaries of biometric forensics casework. In 2018, investigative genealogy via GEDmatch identified Joseph James DeAngelo as the Golden State Killer; the court evidence was a conventional STR profile from discarded DNA, not the genealogical search itself. Systematic silicone-overlay attacks on India's Aadhaar welfare authentication system prompted UIDAI's mandatory liveness-detection upgrade in 2023. Clearview AI's mass harvest of approximately three billion facial images for law enforcement use triggered regulatory enforcement in seven jurisdictions between 2021 and 2022, and accelerated judicial scrutiny of automated facial recognition as standalone identification evidence.

Three cases from 2018 to 2023 define the current frontier of biometric forensics: the Golden State Killer solved through investigative genealogy and a DNA-to-biometric bridge; systematic cloned-fingerprint attacks on India's Aadhaar welfare authentication system; and the global regulatory enforcement response to Clearview AI's mass facial image harvest used for law enforcement identification.

Key takeaways

  • The Golden State Killer identification used GEDmatch genealogy as an investigative lead; the court evidence was a standard STR profile from discarded DNA, not the genealogical analysis itself.
  • Aadhaar biometric fraud used silicone or rubber-pad overlays at the capture device, not server-side attacks; UIDAI's 2023 liveness-detection upgrade was the primary technical response.
  • Clearview AI faced enforcement in seven jurisdictions (Illinois BIPA, UK ICO, Italian Garante, Australian OAIC, French CNIL, Greek DPA, and Virginia/Vermont AG actions) by 2022.
  • NIST FRVT Part 3 (2019) found false-positive rate disparities up to 100 times higher for Black women than for White men across some vendor algorithms, directly informing Daubert admissibility challenges.
  • An automated facial recognition match is an investigative lead, not a standalone identification; INTERPOL's Expert Group (2022) and the ENFSI Working Group both hold this position.

Three cases from 2018 to 2023 mark inflection points in biometric forensics: the identification of Joseph James DeAngelo as the Golden State Killer through investigative genealogy and a DNA-to-biometric bridge; systematic attacks on India's Aadhaar biometric authentication system using cloned fingerprint overlays; and the global regulatory response to Clearview AI's mass-harvest of facial images for law enforcement identification purposes.

Together, these cases demonstrate that biometric forensics has expanded into domains that existing legal frameworks were not designed to govern. Genealogy databases connect a crime-scene DNA profile to a living relative's commercial ancestry kit; biometric enrolment systems face physical spoofing attacks that bypass liveness detection; facial recognition at scale enables identification across populations without individual enrolment. Each expansion raises distinct questions about admissibility, privacy, error rates, and the conditions under which biometric identification can serve as the basis for arrest, prosecution, or administrative denial.

The forensic practitioner encountering biometric evidence in casework today needs to understand not only the technical method but the regulatory and legal context in each jurisdiction, because that context will determine whether the evidence is admissible, whether it requires corroboration, and what disclosures the expert is obligated to make.

By the end of this topic you will be able to:

  • Explain how investigative genealogy was used to generate a suspect lead in the Golden State Killer case and why the STR confirmation sample, not the genealogical analysis, constituted the court evidence.
  • Describe the three documented physical spoofing variants used against Aadhaar biometric capture devices and the technical mitigations introduced by UIDAI in 2023.
  • Summarise the multi-jurisdictional regulatory enforcement actions taken against Clearview AI and the distinct legal basis applied in each jurisdiction.
  • Apply the NIST FRVT demographic false-positive disparity findings to an admissibility challenge under Daubert or equivalent standards.
  • Distinguish between an automated facial recognition match as an investigative lead and as direct identification evidence, citing the positions of INTERPOL and ENFSI.

The Golden State Killer: Investigative Genealogy as a Biometric Bridge

Between 1974 and 1986, Joseph James DeAngelo committed at least 13 murders, 50 rapes, and more than 100 residential burglaries across California. Investigators had a partial DNA profile from crime-scene evidence but no match in CODIS (the Combined DNA Index System) or any other law enforcement database. The case had gone cold for decades.

The genealogical breakthrough (2017-2018):

In 2017, Barbara Rae-Venter (a genealogist and retired intellectual property attorney) began working with investigator Paul Holes on a novel approach. Crime-scene DNA was uploaded to GEDmatch, a publicly accessible genealogy database, the same workflow covered in the DTC genealogy and GEDmatch policy topic. GEDmatch users submit genotyped results from consumer ancestry kits (23andMe, AncestryDNA, MyHeritage); the platform compares autosomal single-nucleotide polymorphism (SNP) profiles rather than the STR loci used in CODIS. SNP profiles reveal both close and distant familial relationships.

The crime-scene SNP profile matched multiple partial relatives on GEDmatch. Rae-Venter built family trees from these partial matches, tracing lineages forward through public genealogical records, obituaries, and social media. The goal was to identify candidates fitting the killer's known biological profile: male, born approximately 1940-1950, Californian. The tree-building process eliminated branches systematically until a small number of candidates remained. DeAngelo, a former Sacramento-area police officer, was identified as a candidate.

Confirmation and arrest:

Investigators placed DeAngelo under physical surveillance and obtained discarded biological material (DNA from a tissue and a door handle), producing a full STR profile matching the crime-scene evidence. He was arrested on 24 April 2018, pleaded guilty in 2020, and was sentenced to life imprisonment without parole.

Legal aftermath by jurisdiction:

  • United States: The FBI issued interim guidelines in 2019 limiting genealogical database searches to violent felonies and unidentified remains, with a prior CODIS search required. California's AB 1706 (2021) codifies consent requirements and restricts searches to certain offence categories.
  • United Kingdom: The National DNA Database Strategy Board's Forensic Genealogy Working Group published guidance in 2022. Searches of commercial databases are not currently lawful without the database provider's consent and Home Office authorisation.
  • India: No equivalent framework exists. The DNA Technology (Use and Application) Regulation Bill, intermittently before Parliament since 2019, would create a statutory DNA data bank and address genealogical applications, but has not been enacted.
Crime-scene DNA (STR +SNP profile)CODIS search: no match(cold case)GEDmatch SNP upload(autosomal comparison)Family-tree build frompartial relativematchesCandidate identified:Joseph James DeAngeloPhysical surveillance:discarded tissue +door handleFull STR profile:matches crime-sceneDNAInvestigative leadonlyCourt evidence (guiltyplea 2020)GENEALOGY TRACK (lead generation)CONFIRMATION TRACK
Golden State Killer identification pipeline: GEDmatch SNP genealogy generated the suspect candidate (investigative lead only); a separate STR profile from discarded DNA was the court evidence that established guilt.

Aadhaar Biometric Authentication and the Fingerprint Spoofing Problem

Aadhaar, administered by the Unique Identification Authority of India (UIDAI), is the world's largest biometric identity programme. As of 2024, approximately 1.3 billion Indian residents have enrolled, providing 10-fingerprint scans, iris images, and a facial photograph linked to a 12-digit UID. Authentication is used across:

  • Hundreds of government welfare delivery systems (Public Distribution System, MGNREGA wage payments, direct benefit transfers)
  • The banking sector under the eKYC (electronic Know Your Customer) framework

Attack vectors (approximately 2016 onward):

Three physical spoofing variants were documented across Rajasthan, Jharkhand, Bihar, and Andhra Pradesh:

A 2022 investigative report by The Wire and Reporters' Collective documented at least 50,000 Aadhaar-linked welfare fraud incidents in Jharkhand alone where biometric authentication had been bypassed.

UIDAI response (2023): Mandatory liveness detection (measuring blood flow response, ridge flexibility, and electrical skin resistance at the biometric reader) required for Authentication Service Agencies from 2023, plus fingerprint minutiae quality checks that flag implausibly uniform ridge patterns characteristic of silicone overlays.

Evidentiary implications: Aadhaar authentication logs record the UID, time, device ID, and biometric modality, but not whether the biometric was genuine or spoofed. Indian courts in several sessions-court matters have required supplementary expert evidence on liveness detection capability before treating an Aadhaar authentication record as proof of physical presence.

Comparative context:

  • UK: The Identity Documents Act 2010 and Biometric Residence Permit system operate in a different context, but liveness detection requirements were incorporated into the UK Biometric Strategy (2022) for border document verification.
  • US: NIST FRVT includes a Presentation Attack Detection component evaluating vendor systems against artefact-based spoofing. NIST SP 800-76 addresses biometric data quality standards for Homeland Security applications.
Enrolee presentsfinger at AUAdeviceBiometric capture(attack point:overlay spoofing)UIDAIauthenticationserver: quality +liveness checkYes / NoauthenticationresponseRubber-pad or silicone overlay defeats capture-level checkLiveness detection (2023 upgrade) aims to catch artefact-based spoof
Aadhaar biometric authentication chain: spoof attacks target the biometric capture device; liveness detection and quality checks at the authentication server are the primary mitigations.

Clearview AI: Mass Facial Biometric Harvest and the Law Enforcement Market

Clearview AI was founded in New York in 2017 by Hoan Ton-That and Richard Schwartz. The company built a facial recognition database by scraping images from social media platforms (Facebook, Instagram, Twitter, YouTube, LinkedIn), public news sites, and other publicly accessible websites, associating each image with the originating URL, user handle, or page metadata. By 2020, the database contained approximately three billion images, growing to an estimated 50 billion by 2024. The system allowed a subscriber to upload a photograph of an unknown face and receive a ranked list of database images showing faces with high visual similarity, along with the source URLs.

Clearview sold access to law enforcement agencies primarily in the United States. A January 2020 investigation by the New York Times (Kashmir Hill) revealed that more than 600 law enforcement agencies had used the system, including federal agencies such as the FBI and DHS, and hundreds of local police departments. The article also noted that Clearview had provided access to private companies, including a bank and a retail chain, though this was later restricted.

The regulatory and legal response was extensive and multi-jurisdictional.

In the United States, Illinois was the most significant state-level forum. The Illinois Biometric Information Privacy Act (BIPA) (740 ILCS 14), enacted in 2008, requires informed written consent before collecting biometric identifiers (including facial geometry scans) and prohibits the sale of biometric data. A class action filed in Illinois state court in 2020 (Thornley v. Clearview AI) alleged BIPA violations. Vermont and Virginia filed state attorney general actions. In 2022, Clearview settled the ACLU's BIPA suit, agreeing to stop selling access to private companies and limiting law enforcement sales to US federal agencies and state or local agencies in states without biometric privacy laws.

Outside the US, enforcement was more unambiguous. The UK Information Commissioner's Office (ICO) issued a preliminary enforcement notice in 2021 and a final notice in May 2022 ordering Clearview to delete all images of UK persons from its database and imposing a fine of 7.5 million GBP. The Italian data protection authority (Garante per la Protezione dei Dati Personali) issued an order in March 2022 prohibiting Clearview from processing Italian residents' data and fining the company 20 million euros. The Australian Information Commissioner (OAIC) found in November 2021 that Clearview had breached the Privacy Act 1988 by collecting facial images without consent and using them for a commercial purpose; the Commissioner ordered Clearview to delete Australian personal information. The French CNIL (Commission Nationale de l'Informatique et des Libertés) imposed a 20 million euro fine in 2022. The Greek DPA issued a 20 million euro fine in the same period.

JurisdictionLegal basisEnforcement actionOutcome
United States (Illinois)BIPA (740 ILCS 14): informed consent required for biometric identifiersThornley class action; ACLU suit2022 settlement: no private-company sales; federal law enforcement only in non-BIPA states
United KingdomUK GDPR + Data Protection Act 2018; ICO enforcementICO final notice May 20227.5m GBP fine; order to delete UK persons' images from database
ItalyGDPR Art. 9 (biometric data as special category); Garante enforcementGarante order March 202220m euro fine; prohibition on processing Italian residents' data
AustraliaPrivacy Act 1988 (Cth) Australian Privacy PrinciplesOAIC determination November 2021Order to cease collection and delete Australian personal information
FranceGDPR; CNIL enforcementCNIL decision 202220m euro fine

Facial Recognition in Court: Admissibility Challenges after Clearview AI

The Clearview AI controversy accelerated a pre-existing debate about the admissibility of facial recognition evidence in criminal proceedings. The admissibility question has three layers: the reliability of the algorithm, the reliability of the human who reviews the algorithm's output, and the lawfulness of the underlying data collection. The parallel debate over probabilistic reporting frameworks in fingerprint evidence is covered in Statistical Individualization: FRStat, Likelihood Ratios and the Post-NAS Debate.

On algorithmic reliability, the US NIST FRVT programme has provided the most systematic public benchmarking. FRVT Part 3 (Demographic Effects, 2019) found statistically significant false-positive rate disparities across demographic groups in most tested algorithms, with false-positive rates for Black women up to 100 times higher than for White men in some vendors' systems. This finding has been cited in US federal and state pre-trial Daubert hearings to challenge the reliability of specific vendor outputs.

In New Jersey v. Arteaga (Appellate Division, 2023), a challenge to facial recognition evidence was partially successful; the appellate court reversed the lower court's denial of discovery and remanded, holding that the defendant was entitled to detailed information about the NYPD facial recognition system used to identify him, including source code and error rates. In the UK, the Court of Appeal in R v. Atkins and Atkins (2009) had addressed facial mapping evidence (a different, pre-deep-learning methodology) and held that such evidence was admissible but required careful judicial direction about its limitations. The arrival of deep-learning facial recognition systems has led the Crown Prosecution Service to issue supplementary guidance in 2023 noting that AI-generated facial recognition outputs should be treated as investigative tools requiring human corroboration, not standalone identification evidence.

In India, the use of automated facial recognition systems (AFRS) in law enforcement has expanded through deployments by Delhi Police, Telangana Police, and others. The National Automated Facial Recognition System (NAFRS) was proposed by the National Crime Records Bureau (NCRB) in 2019 and has been progressively deployed. Indian courts have not yet produced a settled body of admissibility case law on AFRS outputs; the BSA 2023 does not address algorithmic identification tools specifically, but the Supreme Court's data-privacy reasoning in Justice K.S. Puttaswamy v. Union of India (2017) and the Aadhaar judgments establishes a constitutional framework under which unrestricted facial recognition surveillance would require statutory authorisation and proportionality justification.

Cross-Cutting Themes: Error Rates, Spoofing, and the Future of Biometric Evidence

Three cross-cutting themes unite the Golden State Killer, Aadhaar fraud, and Clearview AI cases and define the contested terrain for biometric evidence going forward.

Error rates and demographic disparities apply to every biometric modality. NIST FRVT found false-positive disparities in facial recognition. A 2021 NIST study of latent fingerprint algorithms (NIST ELFT) found accuracy variation across demographic groups in latent fingerprint searches, though smaller in magnitude than in facial recognition. UIDAI's own audit data, published in 2023, reported that liveness detection upgrades reduced biometric authentication fraud rates but that the false-rejection rate for elderly rural populations (whose fingerprints can be degraded by manual labour) increased. Any expert tendering biometric identification evidence should be prepared to state the measured false-positive and false-rejection rates for the specific algorithm and population relevant to the case.

Spoofing and liveness detection create an ongoing arms race. The Aadhaar silicone-overlay attacks prompted UIDAI's 2023 liveness-detection upgrade; within months, researchers at several Indian academic institutions had demonstrated that ridge flexibility tests could be defeated with softer silicone formulations. In facial recognition, "deepfake" images and printed-photo attacks are evaluated annually in the NIST Presentation Attack Detection tests. The ISO/IEC 30107 series (Biometric Presentation Attack Detection) provides the international standard for liveness detection; the 2023 revision added requirements for adversarial testing.

Genealogy-biometric convergence will expand as consumer DNA databases grow. GEDmatch had approximately 1 million profiles when used in the Golden State Killer case in 2017 to 2018; it had grown to over 1.6 million by 2024. FamilyTreeDNA, which opened its database to law enforcement in 2019, adds a further 2 million profiles. A 2018 study in Science (Erlich et al.) estimated that a database of 3 million US profiles would allow identification of approximately 60% of individuals of Northern European descent through third-cousin or closer matches. The same study's methodology applies to the Indian population once a sufficiently large SNP database of Indian ancestry profiles exists.

  1. Investigative lead generation
    AFRS match, GEDmatch genealogical candidate, or Aadhaar authentication log. Document the tool, version, database size, and configuration. Note that this is an investigative lead, not an identification.
  2. Human expert review
    A qualified facial image comparison expert (UK: NPIA-accredited; US: IAI-certified facial comparison specialist; India: CFSL-qualified) independently reviews the candidate match using validated methodology. Documents observations and conclusion.
  3. Corroboration gathering
    Physical surveillance, discarded DNA (as in DeAngelo), cell-site records, documentary evidence. Biometric lead alone is not sufficient for arrest in most frameworks.
  4. Chain-of-custody documentation
    For Aadhaar authentication logs: full device ID, AUA code, authentication timestamp, biometric modality, and liveness check result. For AFRS output: query image provenance, database version hash, algorithm version.
  5. Error-rate disclosure
    Before expert testimony: obtain the vendor's published NIST FRVT or IREX results for the specific algorithm version and note any demographic false-positive disparities relevant to the subject's demographic group.
  6. Court admissibility assessment
    Apply the governing standard: Daubert (US), Criminal Procedure Rules Part 19 (UK), BSA 2023 s.39 (India). Prepare to address algorithm reliability, examiner qualifications, and data-collection lawfulness.
Key terms
Investigative genealogy
A technique that searches consumer ancestry DNA databases using crime-scene SNP profiles to identify candidate relatives of an unknown contributor, then uses genealogical research to identify specific individuals. Used in the Golden State Killer case 2017-2018.
GEDmatch
A publicly accessible genealogy database allowing users to upload consumer ancestry DNA kit results for comparison. Used in the Golden State Killer investigation; now owned by Verogen (Qiagen).
Presentation attack (biometric)
An attempt to deceive a biometric capture device using an artefact (silicone overlay, printed photograph, 3D mask) rather than a genuine biometric sample. Governed by ISO/IEC 30107.
Liveness detection
A biometric system component that distinguishes a live biological sample from an artefact-based spoof. Methods include blood-flow detection, ridge flexibility measurement, and challenge-response tests.
BIPA
Illinois Biometric Information Privacy Act (740 ILCS 14, 2008). Requires informed written consent before collecting biometric identifiers and prohibits their sale. The most litigated US biometric privacy statute; cited against Clearview AI in Thornley v. Clearview AI.
Clearview AI
A US-based facial recognition company that scraped approximately 3 billion facial images from publicly accessible websites to build a law enforcement identification database. Subject to regulatory enforcement in the UK, Italy, Australia, France, and Greece.
NIST FRVT
US National Institute of Standards and Technology Face Recognition Vendor Test; the primary public benchmark for facial recognition algorithm accuracy, including demographic false-positive disparity testing.
Aadhaar
India's national biometric identity programme, administered by UIDAI. Links a 12-digit UID to 10 fingerprints, iris scans, and a facial photograph for approximately 1.3 billion enrolled residents.
GDPR Article 9
The EU General Data Protection Regulation provision classifying biometric data used for unique identification as a special category requiring explicit consent or an enumerated legal basis.
NAFRS
National Automated Facial Recognition System; India's NCRB-administered national facial recognition platform for law enforcement, progressively deployed from 2020 onward.
Practice
Question 1 of 5· 0 answered

In the Golden State Killer investigation, what was the role of the GEDmatch genealogical search in the legal proceedings against Joseph James DeAngelo?

Can Indian police legally use GEDmatch or commercial DNA ancestry databases to identify suspects?
No clear statutory framework currently permits this in India. The DNA Technology (Use and Application) Regulation Bill, if enacted, would create a regulated DNA data bank for law enforcement purposes, but it does not address commercial ancestry databases. The Supreme Court's Puttaswamy ruling (2017) on the right to privacy and the DPDP Act 2023 would both require a statutory basis and a proportionality justification for any compelled access to a commercial DNA database. Indian investigators who wished to use genealogical database techniques would need a legislative framework that does not yet exist.
Is Clearview AI still allowed to operate in the United Kingdom?
Following the ICO's May 2022 enforcement notice, Clearview was ordered to delete all images of UK persons from its database and was prohibited from processing UK personal data. The company has stated it no longer operates in the UK. The 7.5 million GBP fine was overturned on appeal in October 2023 by the First-tier Tribunal on jurisdictional grounds; the ICO counter-appealed and the Upper Tribunal reinstated the fine in October 2025. The ICO's enforcement remains the most significant single national regulatory action against the company outside the EU.
Why is Aadhaar still used for welfare payments despite documented fingerprint spoofing attacks?
The UIDAI and the Government of India have argued that the spoofing-related fraud rate is substantially lower than the corruption and leakage rate that Aadhaar-based authentication replaced in welfare delivery systems. UIDAI's published data suggests that direct benefit transfer linkage to Aadhaar reduced ghost beneficiary fraud by an estimated 900 billion rupees across schemes. The 2023 liveness detection upgrade was the primary technical response to spoofing. The policy trade-off between inclusion risk (genuine beneficiaries denied due to false rejection) and fraud risk (payments to imposters through spoofing) remains a contested empirical and policy question.

Test yourself on Fingerprint Sciences with free, timed mocks.

Practice Fingerprint Sciences questions

Found this useful? Pass it along.

Share

Spotted an error in this page? Report a correction or read our editorial standards.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.