DNA Testing Site Used To Catch Criminals Is Vulnerable to Identity Fraud, Study Finds

Services that allow people to submit a sample of their DNA—typically saliva—in order to obtain information about their genetic ancestry or find biological relatives have spiked in recent years. In February, MIT Technology Review reported that some 26 million people had taken at-home DNA tests from companies such as 23andMe, AncestryDNA or Family Tree DNA. Some genetic genealogy aficionados have even taken the trend a step further, using third-party site GEDMatch to upload their raw genome and compare DNA across different services for free.

However, a study released on October 29 by researchers from the University of Washington found that GEDMatch site users could be vulnerable to several security risks—including fraudsters impersonating genetic relatives.

For the study, the researchers created an account on GEDMatch and uploaded several "experimental genetic profiles" that were created from mixing and matching genetic data from multiple anonymous profiles. In a real situation, a user would upload their own DNA sample (or perhaps that of a close family member who had taken a DNA test) and compare it to other users in the GEDMatch database.

They found that it was theoretically possible, by means of comparing their fabricated DNA genomes to each other to see how they were "related," to determine the entire genetic sequence of a user.

Peter Ney, the research study's lead author, said that a person with malicious intent could write a program that could do this very thing, and also create a fake DNA sequence that GEDMatch might inadvertently perceive as a person's real relative.

"They could write a program that automatically makes these comparisons, downloads the data and returns the result," Ney said. "That would take 10 seconds."

The researchers said that uncovering such weaknesses was important so that users would know the risks they may be taking when they take a DNA test.

"When we have a new technology, whether it is smart automobiles or medical devices, we as a society start with 'What can this do for us?' Then we start looking at it from an adversarial perspective," Tadayoshi Kohno, co-author of the study, said. "Here we're looking at this system and asking: 'What are the privacy issues associated with sharing genetic data online?'"

GEDMatch has made headlines in the past for its use by police to find criminals using DNA evidence. Recently, law enforcement has begun using DNA taken from crime scenes to identify perpetrators. By uploading anonymous samples to public genealogy sites and identifying confirmed relatives of the DNA provider, detectives can home in on viable suspects.

This technique was used to track down a man suspected to be the Golden State killer, who is believed to have killed 13 people and committed 50 rapes in the 1970s and 80s, as well as the suspected NorCal serial rapist, who allegedly assaulted 10 women between 1991 and 2006. Both men were arrested and charged using DNA evidence from GEDMatch.

GEDMatch co-founder Curtis Rogers told Newsweek that the website is concerned with protecting users' privacy and welcomes the findings from the University of Washington as more knowledge that can be used to accomplish that goal.

"We implemented procedures prior to the study and have other ideas in the pipeline," Rogers said. "This study gives us incentive to finalize possible new procedures."

GEDMatch updated its terms of service and privacy policy on May 18, in part to reflect privacy concerns some users raised after suspected criminals were found using the site. Users now have the option of selecting how they want their DNA to be categorized when they upload the raw data from a genetic genealogy service. Users can totally "opt-in" or "opt-out" of allowing their DNA to be used for law enforcement purposes. The DNA can also be set to "private," which means it cannot be compared to the DNA of other users at all.

Users can also totally delete all of their information from the GEDMatch database if they so choose, Rogers reiterated in an email to Newsweek.
