TL;DR: Forensic genetic genealogy (FGG) uses consumer DNA databases to solve crimes, including crimes committed by people who never submitted DNA themselves. If a distant relative tested, police may be able to identify you through shared genetics. The 23andMe bankruptcy in March 2025 raised alarm about what happens to DNA data when companies fail. States are beginning to require warrants for DNA database searches, but federal law lags. Meanwhile, DOJ policy restricts FGG to violent crimes, but local police may not follow federal guidelines. Your genetic privacy depends on your relatives' choices, not just yours.

How Forensic Genetic Genealogy Works

The technique that caught the Golden State Killer:[1]

  1. Crime scene DNA: Police extract DNA from evidence
  2. Database upload: DNA profile is uploaded to genealogy databases (GEDmatch, FamilyTreeDNA)
  3. Match partial relatives: System identifies distant cousins who share DNA segments
  4. Build family trees: Genealogists trace family trees backward to find common ancestors
  5. Trace forward: Work forward through descendants to identify potential suspects
  6. Confirm with direct sample: Police obtain suspect's DNA to confirm match

This works because you share DNA with relatives. A 3rd or 4th cousin who tested can lead investigators to you, even if you've never used any DNA service.

The DNA Database Landscape

CODIS (Government)

FBI's Combined DNA Index System. 21+ million profiles. Requires arrest/conviction in most states. Not accessible to genealogists.

23andMe

12+ million profiles. Requires court order for law enforcement. March 2025 bankruptcy raised data fate questions.

AncestryDNA

20+ million profiles. Requires court order. No known genetic genealogy cooperation with police.

GEDmatch

~1 million profiles. Now opt-in for law enforcement. Previously default-open. Used in Golden State Killer case.

The 23andMe Bankruptcy Crisis

In March 2025, 23andMe filed for bankruptcy, triggering immediate concern:[2]

  • 12+ million genetic profiles potentially subject to sale or acquisition
  • Privacy policies may not survive corporate ownership changes
  • New owners could change data sharing terms
  • Users urged to delete data before acquisition finalizes

When DNA companies fail, what happens to the database? The answer depends on bankruptcy proceedings, acquisition terms, and laws that don't fully address this scenario.

Emerging State Protections

States are beginning to regulate genetic genealogy searches:[3]

  • Montana (June 2025): Requires search warrant for government access to consumer DNA databases unless user waived privacy rights
  • Maryland: Requires judicial approval for forensic genealogy searches
  • Texas Genomic Act (September 2025): Creates private right of action: individuals can sue over genetic data violations
  • Virginia: Restricting FGG to violent crimes with judicial oversight

But most states have no specific protections. And enforcement varies.

Federal Policy

The DOJ has interim guidelines for federal investigations:[4]

  • FGG restricted to violent crimes (homicide, sexual assault) or public safety threats
  • All traditional investigative leads (including CODIS) must be exhausted first
  • FGG generates investigative leads, not sole basis for arrest
  • Must use databases that allow law enforcement use

But: Local and state police aren't bound by DOJ policy. They may use FGG for any crime with no oversight.

The Genomic Data Protection Act was introduced in March 2025, but hasn't passed. No comprehensive federal genetic privacy law exists.

What DNA Reveals

DNA isn't just about identity. It reveals:

  • Health predispositions: Cancer risks, neurological conditions, genetic diseases
  • Ancestry: Ethnic background often more detailed than you know
  • Family secrets: Unknown siblings, paternity questions, adoption histories
  • Physical characteristics: Hair/eye color, facial features (increasingly accurate)
  • Behavioral tendencies: Controversial and often inaccurate, but companies sell this

Once this information is in a database, you lose control of it.

Emerging Concerns

Newborn Screening

Blood spots collected from every newborn. States retain them for varying periods. Law enforcement interest is growing.

AI Integration

AI analyzing genetic data could enable profiling and prediction at scale we can't currently imagine.

Fourth Amendment Gaps

Courts disagree on whether relatives' DNA sharing waives your privacy expectations.

Mission Creep

Started with serial killers. Now used for property crimes. Where does it end?

What You Can Do

Think Before Testing

Consider whether the ancestry curiosity is worth permanent genetic database inclusion.

Read Privacy Policies

Understand what data is retained, who can access it, and under what circumstances.

Opt Out of Law Enforcement

GEDmatch and FamilyTreeDNA have opt-in/opt-out settings. Check and configure them.

Request Data Deletion

If you've tested, most companies allow deletion requests. Submit them before any corporate changes.

Talk to Family

Their testing affects your privacy. Have honest conversations about what genetic sharing means.

Support Legislation

Push for warrant requirements and meaningful consent requirements for genetic searches.

The Bottom Line

Forensic genetic genealogy has solved horrific crimes, including decades-old cold cases. That's genuine value. But the same capability enables mass genetic surveillance without individual consent.

Your privacy depends not on your choices, but on whether any of your hundreds of genetic relatives submitted DNA to a database. If 2-3% of a population tests, most of that population becomes identifiable.

The 23andMe bankruptcy highlighted what happens when DNA companies fail. Privacy policies are corporate promises; they don't survive acquisitions.

State laws are emerging to require warrants, but coverage is patchy. Federal law doesn't adequately address genetic privacy. Courts are still figuring out whether you have Fourth Amendment protection when your cousin voluntarily shared family DNA.

DNA is the ultimate biometric: permanent, inherited, and maximally identifying. Once it's in a database, you can't take it back. Think carefully before contributing yours.

References

  1. Criminal Legal News - Forensic Genetic Genealogy Overview
  2. The Record - 23andMe Bankruptcy and Data Fate
  3. Future of Privacy Forum - State Genetic Privacy Laws
  4. DOJ - Interim Policy for Forensic Genetic Genealogy
  5. GovTech - Genetic Data Regulation Landscape