Direct-to-consumer genetic test services such as GEDmatch, MyHeritage and FamilyTreeDNA, where users can upload their DNA data to, for example, find relatives, are vulnerable to ‘genetic hacking’. This warning comes from two research groups: Michael Edge and Graham Coop of the University of California, Davis, and Peter Ney et al. of the University of Washington.
Genetic Testing Booming Business
At-home DNA test kits have become enormously popular. Most people find it appealing to find out more about their ancestry and genealogical relationships, or to estimate their ethnic mix. On top of that, direct-to-consumer DNA tests can nowadays easily be done from the comfort of a person’s own home and at an affordable price. It is therefore no wonder that genetic testing is a booming business.
After years of being more of a niche product, at-home DNA test kits have definitely gone mainstream. It is estimated that the global DNA testing market, including healthcare and rapid DNA testing, will grow from around $2 billion in 2018 to $22 billion in 2024. Every year, many millions of people take genetic tests for purposes other than medical information, such as genetic ancestry testing.
Lots of Data Uploaded
Most at-home DNA test kits come with a simple questionnaire, instructions to collect a DNA sample, a guide for how to register the DNA test kit and return it to the company, and a brief explanation of what to expect in terms of results. No names are included when sending back the test kit. Also, the results that arrive in the mail are anonymous, so as to protect the person’s privacy.
Some direct-to-consumer genetic test services, however, allow people to upload genetic information to find out more about their family history and, for example, to find relatives. Such databases are also used by governments to track criminals through DNA matches.
Often, with explicit or implicit consent, relatives’ full names and sometimes even contact details are uploaded onto these databases. In 2019, over 26 million people enrolled in the databases of the five largest companies alone.
Information Vulnerable to Hackers
In their paper, researchers Michael Edge and Graham Coop of the University of California, Davis, state that this data is vulnerable to hackers. The problem does not apply to commercial DNA sequencing companies, where users have to submit saliva to gain access to their genetic data. With public databases, on the other hand, the vulnerabilities are numerous.
“Even someone with little special expertise in the field of genetics and computer technology could design and upload DNA sequences that extract much more information from the database than just genealogical data.”
In this way, an attacker could retrieve genetic information about people in the database or identify people who have specific genetic traits, such as susceptibility to Alzheimer’s. “People also tend to give much more information than they realize, when they upload data to publicly accessible sites. And unlike credit card information, a person can’t just cancel their old genome and get a new one”, Graham Coop added.
Peter Ney et al. from the Paul G. Allen School of Computer Science & Engineering, University of Washington, stated: “Security is a difficult problem for internet companies in every industry, and genetic genealogy is no different. The choice to share data is a personal decision, and anytime users share data there is always a potential risk of data security issues.”
Genetic Test Services to Clarify Vulnerabilities
Both research groups shared their information with leading genetic test services and have offered potential countermeasures. “We would like the services to clarify their vulnerabilities and how they’re addressing them”, Graham Coop added.
“We have a number of recommendations for genetic genealogy services”, said Peter Ney. “These suggestions are not meant to be comprehensive, necessary, or sufficient for security. Rather, these recommendations provide a starting point for thinking about secure system design. We encourage more future research into the design of secure genetic genealogy services.”
So far, the researchers have had a mixed response.