Genotype Extraction and False Relative Attacks: Security Risks to Third-Party Genetic Genealogy Services Beyond Identity Inference
A popular use of consumer genetic testing is the discovery of new genetic relatives. This type of analysis, known as genetic genealogy, is often performed by third-party web services that aggregate consumer genetic data from different companies to make relative inferences. These third-party services have important implications for genetic privacy because of the amount of genetic data they store – sometimes exceeding millions of genetic profiles – and the recent use of genetic genealogy in new domains like criminal investigations. In our study, we experimentally demonstrated that poor API design by genetic genealogy services can lead to significant security and privacy issues. To understand these risks, we constructed artificial genetic data files using publicly available genetic sources and uploaded them to the leading third-party genetic genealogy service. We ran a number of experiments that showed how these files could be used in data extraction attacks to uncover private genetic markers from other users in the database. In a second set of experiments, we showed how artificial genetic data could be constructed to imply false genetic relationships in the database. An open question is whether these artificial genetic data files could be used by an attacker to avoid identification, especially in a criminal investigation. Since experiments were performed on a live service, significant thought went into study design to ensure that all experiments could be done ethically.
Peter Ney is a postdoctoral researcher in Computer Science at the University of Washington, where he works with Prof. Tadayoshi Kohno and Prof. Luis Ceze. He is leading a research effort to study how increasing computerization and automation in the biotechnology sector are creating new cyber-security threats. He has previously studied the security of consumer genetic services and was the first to demonstrate that molecular information, like DNA, can be a possible vector for malware. He has also worked to understand the state of cell phone security and has built and deployed measurement systems designed to detect rogue base stations. He completed his Ph.D. in Computer Science at the University of Washington and holds bachelor’s degrees from the University of Wisconsin-Madison.