Major Biometric Casework: Golden State Killer and Clearview AI
The biometric case studies that shape contemporary policy + admissibility: the Golden State Killer 2018 case as the genealogy-biometric paradigm shift, Aadhaar-linked fraud casework across Indian banking + welfare delivery (the cloned-fingerprint biometric-bypass cases, the rubber-pad and silicone-overlay attacks, the response from UIDAI's liveness-detection upgrades), and the Clearview AI face-recognition controversies (the 2020 New York Times exposé, the US Illinois BIPA + Vermont + Virginia litigation, the UK ICO + Italy Garante + Australia OAIC enforcement actions, the implications for face-recognition admissibility in court).
Last updated:
Three cases from 2018 to 2023 define the current boundaries of biometric forensics casework. In 2018, investigative genealogy via GEDmatch identified Joseph James DeAngelo as the Golden State Killer; the court evidence was a conventional STR profile from discarded DNA, not the genealogical search itself. Systematic silicone-overlay attacks on India's Aadhaar welfare authentication system prompted UIDAI's mandatory liveness-detection upgrade in 2023. Clearview AI's mass harvest of approximately three billion facial images for law enforcement use triggered regulatory enforcement in seven jurisdictions between 2021 and 2022, and accelerated judicial scrutiny of automated facial recognition as standalone identification evidence.
Three cases from 2018 to 2023 define the current frontier of biometric forensics: the Golden State Killer solved through investigative genealogy and a DNA-to-biometric bridge; systematic cloned-fingerprint attacks on India's Aadhaar welfare authentication system; and the global regulatory enforcement response to Clearview AI's mass facial image harvest used for law enforcement identification.
Key takeaways
- The Golden State Killer identification used GEDmatch genealogy as an investigative lead; the court evidence was a standard STR profile from discarded DNA, not the genealogical analysis itself.
- Aadhaar biometric fraud used silicone or rubber-pad overlays at the capture device, not server-side attacks; UIDAI's 2023 liveness-detection upgrade was the primary technical response.
- Clearview AI faced enforcement in seven jurisdictions (Illinois BIPA, UK ICO, Italian Garante, Australian OAIC, French CNIL, Greek DPA, and Virginia/Vermont AG actions) by 2022.
- NIST FRVT Part 3 (2019) found false-positive rate disparities up to 100 times higher for Black women than for White men across some vendor algorithms, directly informing Daubert admissibility challenges.
- An automated facial recognition match is an investigative lead, not a standalone identification; INTERPOL's Expert Group (2022) and the ENFSI Working Group both hold this position.
Three cases from 2018 to 2023 mark inflection points in biometric forensics: the identification of Joseph James DeAngelo as the Golden State Killer through investigative genealogy and a DNA-to-biometric bridge; systematic attacks on India's Aadhaar biometric authentication system using cloned fingerprint overlays; and the global regulatory response to Clearview AI's mass-harvest of facial images for law enforcement identification purposes.
Together, these cases demonstrate that biometric forensics has expanded into domains that existing legal frameworks were not designed to govern. Genealogy databases connect a crime-scene DNA profile to a living relative's commercial ancestry kit; biometric enrolment systems face physical spoofing attacks that bypass liveness detection; facial recognition at scale enables identification across populations without individual enrolment. Each expansion raises distinct questions about admissibility, privacy, error rates, and the conditions under which biometric identification can serve as the basis for arrest, prosecution, or administrative denial.
The forensic practitioner encountering biometric evidence in casework today needs to understand not only the technical method but the regulatory and legal context in each jurisdiction, because that context will determine whether the evidence is admissible, whether it requires corroboration, and what disclosures the expert is obligated to make.
By the end of this topic you will be able to:
- Explain how investigative genealogy was used to generate a suspect lead in the Golden State Killer case and why the STR confirmation sample, not the genealogical analysis, constituted the court evidence.
- Describe the three documented physical spoofing variants used against Aadhaar biometric capture devices and the technical mitigations introduced by UIDAI in 2023.
- Summarise the multi-jurisdictional regulatory enforcement actions taken against Clearview AI and the distinct legal basis applied in each jurisdiction.
- Apply the NIST FRVT demographic false-positive disparity findings to an admissibility challenge under Daubert or equivalent standards.
- Distinguish between an automated facial recognition match as an investigative lead and as direct identification evidence, citing the positions of INTERPOL and ENFSI.
The Golden State Killer: Investigative Genealogy as a Biometric Bridge
Between 1974 and 1986, Joseph James DeAngelo committed at least 13 murders, 50 rapes, and more than 100 residential burglaries across California. Investigators had a partial DNA profile from crime-scene evidence but no match in CODIS (the Combined DNA Index System) or any other law enforcement database. The case had gone cold for decades.
The genealogical breakthrough (2017-2018):
In 2017, Barbara Rae-Venter (a genealogist and retired intellectual property attorney) began working with investigator Paul Holes on a novel approach. Crime-scene DNA was uploaded to GEDmatch, a publicly accessible genealogy database, the same workflow covered in the DTC genealogy and GEDmatch policy topic. GEDmatch users submit genotyped results from consumer ancestry kits (23andMe, AncestryDNA, MyHeritage); the platform compares autosomal single-nucleotide polymorphism (SNP) profiles rather than the STR loci used in CODIS. SNP profiles reveal both close and distant familial relationships.
The crime-scene SNP profile matched multiple partial relatives on GEDmatch. Rae-Venter built family trees from these partial matches, tracing lineages forward through public genealogical records, obituaries, and social media. The goal was to identify candidates fitting the killer's known biological profile: male, born approximately 1940-1950, Californian. The tree-building process eliminated branches systematically until a small number of candidates remained. DeAngelo, a former Sacramento-area police officer, was identified as a candidate.
Confirmation and arrest:
Investigators placed DeAngelo under physical surveillance and obtained discarded biological material (DNA from a tissue and a door handle), producing a full STR profile matching the crime-scene evidence. He was arrested on 24 April 2018, pleaded guilty in 2020, and was sentenced to life imprisonment without parole.
Legal aftermath by jurisdiction:
- United States: The FBI issued interim guidelines in 2019 limiting genealogical database searches to violent felonies and unidentified remains, with a prior CODIS search required. California's AB 1706 (2021) codifies consent requirements and restricts searches to certain offence categories.
- United Kingdom: The National DNA Database Strategy Board's Forensic Genealogy Working Group published guidance in 2022. Searches of commercial databases are not currently lawful without the database provider's consent and Home Office authorisation.
- India: No equivalent framework exists. The DNA Technology (Use and Application) Regulation Bill, intermittently before Parliament since 2019, would create a statutory DNA data bank and address genealogical applications, but has not been enacted.
Aadhaar Biometric Authentication and the Fingerprint Spoofing Problem
Aadhaar, administered by the Unique Identification Authority of India (UIDAI), is the world's largest biometric identity programme. As of 2024, approximately 1.3 billion Indian residents have enrolled, providing 10-fingerprint scans, iris images, and a facial photograph linked to a 12-digit UID. Authentication is used across:
- Hundreds of government welfare delivery systems (Public Distribution System, MGNREGA wage payments, direct benefit transfers)
- The banking sector under the eKYC (electronic Know Your Customer) framework
Attack vectors (approximately 2016 onward):
Three physical spoofing variants were documented across Rajasthan, Jharkhand, Bihar, and Andhra Pradesh:
A 2022 investigative report by The Wire and Reporters' Collective documented at least 50,000 Aadhaar-linked welfare fraud incidents in Jharkhand alone where biometric authentication had been bypassed.
UIDAI response (2023): Mandatory liveness detection (measuring blood flow response, ridge flexibility, and electrical skin resistance at the biometric reader) required for Authentication Service Agencies from 2023, plus fingerprint minutiae quality checks that flag implausibly uniform ridge patterns characteristic of silicone overlays.
Evidentiary implications: Aadhaar authentication logs record the UID, time, device ID, and biometric modality, but not whether the biometric was genuine or spoofed. Indian courts in several sessions-court matters have required supplementary expert evidence on liveness detection capability before treating an Aadhaar authentication record as proof of physical presence.
Comparative context:
- UK: The Identity Documents Act 2010 and Biometric Residence Permit system operate in a different context, but liveness detection requirements were incorporated into the UK Biometric Strategy (2022) for border document verification.
- US: NIST FRVT includes a Presentation Attack Detection component evaluating vendor systems against artefact-based spoofing. NIST SP 800-76 addresses biometric data quality standards for Homeland Security applications.
Clearview AI: Mass Facial Biometric Harvest and the Law Enforcement Market
Clearview AI was founded in New York in 2017 by Hoan Ton-That and Richard Schwartz. The company built a facial recognition database by scraping images from social media platforms (Facebook, Instagram, Twitter, YouTube, LinkedIn), public news sites, and other publicly accessible websites, associating each image with the originating URL, user handle, or page metadata. By 2020, the database contained approximately three billion images, growing to an estimated 50 billion by 2024. The system allowed a subscriber to upload a photograph of an unknown face and receive a ranked list of database images showing faces with high visual similarity, along with the source URLs.
Clearview sold access to law enforcement agencies primarily in the United States. A January 2020 investigation by the New York Times (Kashmir Hill) revealed that more than 600 law enforcement agencies had used the system, including federal agencies such as the FBI and DHS, and hundreds of local police departments. The article also noted that Clearview had provided access to private companies, including a bank and a retail chain, though this was later restricted.
The regulatory and legal response was extensive and multi-jurisdictional.
In the United States, Illinois was the most significant state-level forum. The Illinois Biometric Information Privacy Act (BIPA) (740 ILCS 14), enacted in 2008, requires informed written consent before collecting biometric identifiers (including facial geometry scans) and prohibits the sale of biometric data. A class action filed in Illinois state court in 2020 (Thornley v. Clearview AI) alleged BIPA violations. Vermont and Virginia filed state attorney general actions. In 2022, Clearview settled the ACLU's BIPA suit, agreeing to stop selling access to private companies and limiting law enforcement sales to US federal agencies and state or local agencies in states without biometric privacy laws.
Outside the US, enforcement was more unambiguous. The UK Information Commissioner's Office (ICO) issued a preliminary enforcement notice in 2021 and a final notice in May 2022 ordering Clearview to delete all images of UK persons from its database and imposing a fine of 7.5 million GBP. The Italian data protection authority (Garante per la Protezione dei Dati Personali) issued an order in March 2022 prohibiting Clearview from processing Italian residents' data and fining the company 20 million euros. The Australian Information Commissioner (OAIC) found in November 2021 that Clearview had breached the Privacy Act 1988 by collecting facial images without consent and using them for a commercial purpose; the Commissioner ordered Clearview to delete Australian personal information. The French CNIL (Commission Nationale de l'Informatique et des Libertés) imposed a 20 million euro fine in 2022. The Greek DPA issued a 20 million euro fine in the same period.
| Jurisdiction | Legal basis | Enforcement action | Outcome |
|---|---|---|---|
| United States (Illinois) | BIPA (740 ILCS 14): informed consent required for biometric identifiers | Thornley class action; ACLU suit | 2022 settlement: no private-company sales; federal law enforcement only in non-BIPA states |
| United Kingdom | UK GDPR + Data Protection Act 2018; ICO enforcement | ICO final notice May 2022 | 7.5m GBP fine; order to delete UK persons' images from database |
| Italy | GDPR Art. 9 (biometric data as special category); Garante enforcement | Garante order March 2022 | 20m euro fine; prohibition on processing Italian residents' data |
| Australia | Privacy Act 1988 (Cth) Australian Privacy Principles | OAIC determination November 2021 | Order to cease collection and delete Australian personal information |
| France | GDPR; CNIL enforcement | CNIL decision 2022 | 20m euro fine |
Facial Recognition in Court: Admissibility Challenges after Clearview AI
The Clearview AI controversy accelerated a pre-existing debate about the admissibility of facial recognition evidence in criminal proceedings. The admissibility question has three layers: the reliability of the algorithm, the reliability of the human who reviews the algorithm's output, and the lawfulness of the underlying data collection. The parallel debate over probabilistic reporting frameworks in fingerprint evidence is covered in Statistical Individualization: FRStat, Likelihood Ratios and the Post-NAS Debate.
On algorithmic reliability, the US NIST FRVT programme has provided the most systematic public benchmarking. FRVT Part 3 (Demographic Effects, 2019) found statistically significant false-positive rate disparities across demographic groups in most tested algorithms, with false-positive rates for Black women up to 100 times higher than for White men in some vendors' systems. This finding has been cited in US federal and state pre-trial Daubert hearings to challenge the reliability of specific vendor outputs.
In New Jersey v. Arteaga (Appellate Division, 2023), a challenge to facial recognition evidence was partially successful; the appellate court reversed the lower court's denial of discovery and remanded, holding that the defendant was entitled to detailed information about the NYPD facial recognition system used to identify him, including source code and error rates. In the UK, the Court of Appeal in R v. Atkins and Atkins (2009) had addressed facial mapping evidence (a different, pre-deep-learning methodology) and held that such evidence was admissible but required careful judicial direction about its limitations. The arrival of deep-learning facial recognition systems has led the Crown Prosecution Service to issue supplementary guidance in 2023 noting that AI-generated facial recognition outputs should be treated as investigative tools requiring human corroboration, not standalone identification evidence.
In India, the use of automated facial recognition systems (AFRS) in law enforcement has expanded through deployments by Delhi Police, Telangana Police, and others. The National Automated Facial Recognition System (NAFRS) was proposed by the National Crime Records Bureau (NCRB) in 2019 and has been progressively deployed. Indian courts have not yet produced a settled body of admissibility case law on AFRS outputs; the BSA 2023 does not address algorithmic identification tools specifically, but the Supreme Court's data-privacy reasoning in Justice K.S. Puttaswamy v. Union of India (2017) and the Aadhaar judgments establishes a constitutional framework under which unrestricted facial recognition surveillance would require statutory authorisation and proportionality justification.
Biometric Data Protection: Legal Frameworks Across Jurisdictions
The legal frameworks governing biometric data have diverged significantly across jurisdictions in the period from 2018 to 2024.
The European Union treats biometric data as a special category under GDPR Article 9, requiring explicit consent or an enumerated legal basis (national security, vital interests, substantial public interest) for processing. The EU AI Act (2024) classifies real-time biometric identification systems in publicly accessible spaces as high-risk AI systems, requiring conformity assessments, and bans real-time remote biometric identification by law enforcement in public spaces except under a judge-issued warrant in specific circumstances.
The United States has no federal biometric privacy statute. State-level legislation has been the primary regulatory mechanism. Illinois's BIPA (2008) is the most comprehensive and the most litigated. Texas (Capture or Use of Biometric Identifier Act, 2009) and Washington (Biometric Privacy Law, 2017) followed. The Biometric Data Privacy Act at federal level has been introduced multiple times without passing. The FTC has used its authority over unfair or deceptive trade practices to bring enforcement actions against companies collecting biometric data without adequate disclosure.
India's Digital Personal Data Protection Act 2023 (DPDP Act) treats biometric data as personal data but does not explicitly create a biometric special category equivalent to GDPR Article 9. The UIDAI Act 2016 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 provide a sector-specific framework for Aadhaar biometric data with prohibitions on sharing or misusing Aadhaar biometric data (section 29). The Supreme Court in the Puttaswamy Aadhaar judgment (2018) upheld the Aadhaar framework with limitations, including striking down section 57 which had allowed private companies to mandate Aadhaar authentication.
The UK Data Protection Act 2018, implementing UK GDPR, treats biometric data used for identification as a special category (schedule 1, condition 1). The Surveillance Camera Code of Practice (2021) governs facial recognition cameras in public spaces and requires prior publication of the surveillance zone, a privacy impact assessment, and consultation with the Surveillance Camera Commissioner. The Metropolitan Police's use of retrospective facial recognition (matching CCTV images against the Police National Database) has been subject to judicial review; the Court of Appeal in Bridges v. Chief Constable of South Wales Police (2020) found the existing deployment unlawful on the grounds that the criteria for inclusion in the watch list were not sufficiently defined by law.
Cross-Cutting Themes: Error Rates, Spoofing, and the Future of Biometric Evidence
Three cross-cutting themes unite the Golden State Killer, Aadhaar fraud, and Clearview AI cases and define the contested terrain for biometric evidence going forward.
Error rates and demographic disparities apply to every biometric modality. NIST FRVT found false-positive disparities in facial recognition. A 2021 NIST study of latent fingerprint algorithms (NIST ELFT) found accuracy variation across demographic groups in latent fingerprint searches, though smaller in magnitude than in facial recognition. UIDAI's own audit data, published in 2023, reported that liveness detection upgrades reduced biometric authentication fraud rates but that the false-rejection rate for elderly rural populations (whose fingerprints can be degraded by manual labour) increased. Any expert tendering biometric identification evidence should be prepared to state the measured false-positive and false-rejection rates for the specific algorithm and population relevant to the case.
Spoofing and liveness detection create an ongoing arms race. The Aadhaar silicone-overlay attacks prompted UIDAI's 2023 liveness-detection upgrade; within months, researchers at several Indian academic institutions had demonstrated that ridge flexibility tests could be defeated with softer silicone formulations. In facial recognition, "deepfake" images and printed-photo attacks are evaluated annually in the NIST Presentation Attack Detection tests. The ISO/IEC 30107 series (Biometric Presentation Attack Detection) provides the international standard for liveness detection; the 2023 revision added requirements for adversarial testing.
Genealogy-biometric convergence will expand as consumer DNA databases grow. GEDmatch had approximately 1 million profiles when used in the Golden State Killer case in 2017 to 2018; it had grown to over 1.6 million by 2024. FamilyTreeDNA, which opened its database to law enforcement in 2019, adds a further 2 million profiles. A 2018 study in Science (Erlich et al.) estimated that a database of 3 million US profiles would allow identification of approximately 60% of individuals of Northern European descent through third-cousin or closer matches. The same study's methodology applies to the Indian population once a sufficiently large SNP database of Indian ancestry profiles exists.
- Investigative lead generationAFRS match, GEDmatch genealogical candidate, or Aadhaar authentication log. Document the tool, version, database size, and configuration. Note that this is an investigative lead, not an identification.
- Human expert reviewA qualified facial image comparison expert (UK: NPIA-accredited; US: IAI-certified facial comparison specialist; India: CFSL-qualified) independently reviews the candidate match using validated methodology. Documents observations and conclusion.
- Corroboration gatheringPhysical surveillance, discarded DNA (as in DeAngelo), cell-site records, documentary evidence. Biometric lead alone is not sufficient for arrest in most frameworks.
- Chain-of-custody documentationFor Aadhaar authentication logs: full device ID, AUA code, authentication timestamp, biometric modality, and liveness check result. For AFRS output: query image provenance, database version hash, algorithm version.
- Error-rate disclosureBefore expert testimony: obtain the vendor's published NIST FRVT or IREX results for the specific algorithm version and note any demographic false-positive disparities relevant to the subject's demographic group.
- Court admissibility assessmentApply the governing standard: Daubert (US), Criminal Procedure Rules Part 19 (UK), BSA 2023 s.39 (India). Prepare to address algorithm reliability, examiner qualifications, and data-collection lawfulness.
- Investigative genealogy
- A technique that searches consumer ancestry DNA databases using crime-scene SNP profiles to identify candidate relatives of an unknown contributor, then uses genealogical research to identify specific individuals. Used in the Golden State Killer case 2017-2018.
- GEDmatch
- A publicly accessible genealogy database allowing users to upload consumer ancestry DNA kit results for comparison. Used in the Golden State Killer investigation; now owned by Verogen (Qiagen).
- Presentation attack (biometric)
- An attempt to deceive a biometric capture device using an artefact (silicone overlay, printed photograph, 3D mask) rather than a genuine biometric sample. Governed by ISO/IEC 30107.
- Liveness detection
- A biometric system component that distinguishes a live biological sample from an artefact-based spoof. Methods include blood-flow detection, ridge flexibility measurement, and challenge-response tests.
- BIPA
- Illinois Biometric Information Privacy Act (740 ILCS 14, 2008). Requires informed written consent before collecting biometric identifiers and prohibits their sale. The most litigated US biometric privacy statute; cited against Clearview AI in Thornley v. Clearview AI.
- Clearview AI
- A US-based facial recognition company that scraped approximately 3 billion facial images from publicly accessible websites to build a law enforcement identification database. Subject to regulatory enforcement in the UK, Italy, Australia, France, and Greece.
- NIST FRVT
- US National Institute of Standards and Technology Face Recognition Vendor Test; the primary public benchmark for facial recognition algorithm accuracy, including demographic false-positive disparity testing.
- Aadhaar
- India's national biometric identity programme, administered by UIDAI. Links a 12-digit UID to 10 fingerprints, iris scans, and a facial photograph for approximately 1.3 billion enrolled residents.
- GDPR Article 9
- The EU General Data Protection Regulation provision classifying biometric data used for unique identification as a special category requiring explicit consent or an enumerated legal basis.
- NAFRS
- National Automated Facial Recognition System; India's NCRB-administered national facial recognition platform for law enforcement, progressively deployed from 2020 onward.
In the Golden State Killer investigation, what was the role of the GEDmatch genealogical search in the legal proceedings against Joseph James DeAngelo?
Can Indian police legally use GEDmatch or commercial DNA ancestry databases to identify suspects?
Is Clearview AI still allowed to operate in the United Kingdom?
Why is Aadhaar still used for welfare payments despite documented fingerprint spoofing attacks?
Test yourself on Fingerprint Sciences with free, timed mocks.
Practice Fingerprint Sciences questionsSpotted an error in this page? Report a correction or read our editorial standards.