DNA testing services have become all the rage in the past few years, with services like Ancestry.com and 23andMe pledging to inform people about their genetic makeup and ethnic heritage. Such services also play a social networking function, as they alert you to potential relatives you didn’t know exist. Indeed, services such as GEDmatch explicitly provide such a service.
From experience, these services seldom come up with much in the way of meaningful connections, but nonetheless, a new study from the University of Washington raises the prospect of genetic impersonation by thieves who are able to extract our genetic markers.
“People think of genetic data as being personal—and it is. It’s literally part of their physical identity,” the researchers say. “This makes the privacy of genetic data particularly important. You can change your credit card number but you can’t change your DNA.”
Security risks
The researchers created a research account on the GEDmatch website, and uploaded a range of experimental genetic profiles that had been created by mixing genetic data from a range of anonymous profiles. Each profile was given an ID that was then used in the matching process.
The researchers tested whether the graphical ‘likeness indicator’ used by the site could be used by thieves to learn the DNA sequence within a region of the target’s profile. They did this by using the four profiles they had created to use in a comparison with a target account. By gauging the matches that came back, they were able to deduce the specific sequence of DNA in that region for the target.
“Genetic information correlates to medical conditions and potentially other deeply personal traits,” the researchers say. “Even in the age of oversharing information, this is most likely the kind of information one doesn’t want to share for legal, medical, and mental health reasons. But as more genetic information goes digital, the risks increase.”
Of course, this potential vulnerability was only able to expose a section of our DNA, but could it go further? Another feature of GEDmatch is a graphic that shows how much of our DNA is shared with the other person. The graphic shows green for a complete match, yellow for a half match, and so on.
DNA profiling
To test this, the team created 20 profiles that were used in further comparisons with target profiles. Based upon the percentage match they returned, they were able to extract particular bits of information about the target. Indeed, for five test targets, they were able to extract over 90% of the target’s unique DNA sequences with extreme accuracy.
“So basically, all the adversary needs to do is upload these 20 profiles and then make 20 one-to-one comparisons to the target,” the researchers say. “They could write a program that automatically makes these comparisons, downloads the data, and returns the result. That would take 10 seconds.”
The researchers believe it’s a fairly straightforward process then to create a fake profile using the data they extract to produce a false relative for the target, such as a false child. Indeed, when this ‘child’ was compared with the target in GEDmatch, the software did indeed suggest a parent-child relationship.
“If GEDmatch users have concerns about the privacy of their genetic data, they have the option to delete it from the site,” the researchers explain. “The choice to share data is a personal decision, and users should be aware that there may be some risk whenever they share data. Security is a difficult problem for internet companies in every industry.”
As with any good white hat hacker, the team shared their findings with GEDmatch prior to publishing their study, and are working with the company to resolve these issues, but it’s not clear whether a suitable patch has been made yet. It does remind us that while DNA data does present a multitude of potential benefits, it is certainly not without risk, and we need to be aware of those risks to ensure we don’t come unstuck.
