TL;DR: Forensic genetic genealogy (FGG) uses consumer DNA databases to solve crimes, including crimes committed by people who never submitted DNA themselves. If a distant relative tested, police may be able to identify you through shared genetics. The 23andMe bankruptcy in March 2025 raised alarm about what happens to DNA data when companies fail. States are beginning to require warrants for DNA database searches, but federal law lags. Meanwhile, DOJ policy restricts FGG to violent crimes, but local police may not follow federal guidelines. Your genetic privacy depends on your relatives' choices, not just yours.
How Forensic Genetic Genealogy Works
The technique that caught the Golden State Killer:[1]
- Crime scene DNA: Police extract DNA from evidence
- Database upload: DNA profile is uploaded to genealogy databases (GEDmatch, FamilyTreeDNA)
- Match partial relatives: System identifies distant cousins who share DNA segments
- Build family trees: Genealogists trace family trees backward to find common ancestors
- Trace forward: Work forward through descendants to identify potential suspects
- Confirm with direct sample: Police obtain suspect's DNA to confirm match
This works because you share DNA with relatives. A 3rd or 4th cousin who tested can lead investigators to you, even if you've never used any DNA service.
The DNA Database Landscape
CODIS (Government)
FBI's Combined DNA Index System. 21+ million profiles. Requires arrest/conviction in most states. Not accessible to genealogists.
23andMe
12+ million profiles. Requires court order for law enforcement. March 2025 bankruptcy raised data fate questions.
AncestryDNA
20+ million profiles. Requires court order. No known genetic genealogy cooperation with police.
GEDmatch
~1 million profiles. Now opt-in for law enforcement. Previously default-open. Used in Golden State Killer case.
The Consent Problem
Your genetic privacy isn't just about your choices:
- Familial exposure: One relative's DNA test exposes the genetic patterns of the entire family
- You can't consent for relatives: Your cousin's decision affects your privacy without your input
- Historical reach: DNA samples from decades ago (newborn screening, medical tests) may still exist
- Compound databases: Even opt-out databases can be cross-referenced with opt-in ones
If just 2-3% of a population is in genealogy databases, most people can be identified through relatives. We may already be past that threshold in the US.
The 23andMe Bankruptcy Crisis
In March 2025, 23andMe filed for bankruptcy, triggering immediate concern:[2]
- 12+ million genetic profiles potentially subject to sale or acquisition
- Privacy policies may not survive corporate ownership changes
- New owners could change data sharing terms
- Users urged to delete data before acquisition finalizes
When DNA companies fail, what happens to the database? The answer depends on bankruptcy proceedings, acquisition terms, and laws that don't fully address this scenario.
Emerging State Protections
States are beginning to regulate genetic genealogy searches:[3]
- Montana (June 2025): Requires search warrant for government access to consumer DNA databases unless user waived privacy rights
- Maryland: Requires judicial approval for forensic genealogy searches
- Texas Genomic Act (September 2025): Creates private right of action: individuals can sue over genetic data violations
- Virginia: Restricting FGG to violent crimes with judicial oversight
But most states have no specific protections. And enforcement varies.
Federal Policy
The DOJ has interim guidelines for federal investigations:[4]
- FGG restricted to violent crimes (homicide, sexual assault) or public safety threats
- All traditional investigative leads (including CODIS) must be exhausted first
- FGG generates investigative leads, not sole basis for arrest
- Must use databases that allow law enforcement use
But: Local and state police aren't bound by DOJ policy. They may use FGG for any crime with no oversight.
The Genomic Data Protection Act was introduced in March 2025, but hasn't passed. No comprehensive federal genetic privacy law exists.
What DNA Reveals
DNA isn't just about identity. It reveals:
- Health predispositions: Cancer risks, neurological conditions, genetic diseases
- Ancestry: Ethnic background often more detailed than you know
- Family secrets: Unknown siblings, paternity questions, adoption histories
- Physical characteristics: Hair/eye color, facial features (increasingly accurate)
- Behavioral tendencies: Controversial and often inaccurate, but companies sell this
Once this information is in a database, you lose control of it.
Emerging Concerns
Newborn Screening
Blood spots collected from every newborn. States retain them for varying periods. Law enforcement interest is growing.
AI Integration
AI analyzing genetic data could enable profiling and prediction at scale we can't currently imagine.
Fourth Amendment Gaps
Courts disagree on whether relatives' DNA sharing waives your privacy expectations.
Mission Creep
Started with serial killers. Now used for property crimes. Where does it end?
What You Can Do
Think Before Testing
Consider whether the ancestry curiosity is worth permanent genetic database inclusion.
Read Privacy Policies
Understand what data is retained, who can access it, and under what circumstances.
Opt Out of Law Enforcement
GEDmatch and FamilyTreeDNA have opt-in/opt-out settings. Check and configure them.
Request Data Deletion
If you've tested, most companies allow deletion requests. Submit them before any corporate changes.
Talk to Family
Their testing affects your privacy. Have honest conversations about what genetic sharing means.
Support Legislation
Push for warrant requirements and meaningful consent requirements for genetic searches.
The Bottom Line
Forensic genetic genealogy has solved horrific crimes, including decades-old cold cases. That's genuine value. But the same capability enables mass genetic surveillance without individual consent.
Your privacy depends not on your choices, but on whether any of your hundreds of genetic relatives submitted DNA to a database. If 2-3% of a population tests, most of that population becomes identifiable.
The 23andMe bankruptcy highlighted what happens when DNA companies fail. Privacy policies are corporate promises; they don't survive acquisitions.
State laws are emerging to require warrants, but coverage is patchy. Federal law doesn't adequately address genetic privacy. Courts are still figuring out whether you have Fourth Amendment protection when your cousin voluntarily shared family DNA.
DNA is the ultimate biometric: permanent, inherited, and maximally identifying. Once it's in a database, you can't take it back. Think carefully before contributing yours.