In what could be an exceptionally personal form of identity theft, University of Washington researchers have determined that a popular genealogy website is vulnerable to security risks which could compromise the information people share about their genetic makeup.
In findings posted on Tuesday, UW scientists looked into GEDmatch, a third-party site where users can compare their DNA sequences to others who have uploaded test results. Using only a small number of comparisons, a malicious user could extract someone’s sensitive genetic markers or even construct a fake genetic profile to impersonate another user’s relative, the UW found.
“People think of genetic data as being personal — and it is. It’s literally part of their physical identity,” said Peter Ney, a postdoctoral researcher in the Paul G. Allen School of Computer Science & Engineering and lead author of the study. “This makes the privacy of genetic data particularly important. You can change your credit card number but you can’t change your DNA.”
GEDmatch is part of a wave of popular services, such as 23andMe, Ancestry.com and MyHeritage, that make it easier for people to learn about their ethnic heritage and genetic makeup. GEDmatch has also caught the attention of law enforcement agencies around the country, and has been credited with helping to solve decades-old cold cases, including one in Seattle earlier this year. An “opt in” change to the public database of DNA profiles has slowed that work, BuzzFeed News reported last weekend.
UW researchers looked for flaws in GEDmatch security by creating an account and uploading experimental genetic profiles that they created by mixing and matching genetic data from multiple databases of anonymous profiles. The team designed specific tests (detailed in full by UW News) to determine if an adversary could learn from a target’s profile whether the target has a mutation that makes them susceptible to a disease. Researchers also looked into whether an adversary could acquire a target’s entire profile.
“Genetic information correlates to medical conditions and potentially other deeply personal traits,” said co-author Luis Ceze, a professor in the Allen School. “Even in the age of oversharing information, this is most likely the kind of information one doesn’t want to share for legal, medical and mental health reasons. But as more genetic information goes digital, the risks increase.”
The UW team shared their findings with GEDmatch, which is reportedly working to resolve the issues. Ney said users concerned about the privacy of their genetic data have the option to just delete it from the site.
“The choice to share data is a personal decision, and users should be aware that there may be some risk whenever they share data,” Ney said. “Security is a difficult problem for internet companies in every industry.”
The UW research was accepted at the Network and Distributed System Security Symposium and will be presented in February in San Diego.