Perspective: The DNA Database Used to Find the Golden State Killer Is a National Security Leak Waiting to Happen

Published 1 November 2019

A private DNA ancestry database that’s been used by police to catch criminals is a security risk from which a nation-state could steal DNA data on a million Americans, according to security researchers. Antonio Regalado writes that spies could use a crowdsourced genetic ancestry service to compromise your privacy—even if you’re not a member.

Antonio Regalado writes in MIT Technology Review that security flaws in the service, called GEDmatch, not only risk exposing people’s genetic health information but could let an adversary such as China or Russia create a powerful biometric database useful for identifying nearly any American from a DNA sample.

He adds:

GEDmatch, which crowdsources DNA profiles, was created by genealogy enthusiasts to let people search for relatives and is run entirely by volunteers. It shows how a trend toward sharing DNA data online can create privacy risks affecting everyone, even people who don’t choose to share their own information.

“You can replace your credit card number, but you can’t replace your genome,” says Peter Ney, a postdoctoral researcher in computer science at the University of Washington.

Ney, along with professors and DNA security researchers Luis Ceze and Tadayoshi Kohno, described in a report posted online how they developed and tested a novel attack employing DNA data they uploaded to GEDmatch.

Using specially designed DNA profiles, they say, they were able to run searches that let them guess more than 90% of the DNA data of other users.

Razib Khan, a genomics researcher who is head of scientific content at Insitome, a service that interprets DNA for consumers, called the new security research a large-scale demonstration of weaknesses already known to enthusiasts.

Khan told Regalado that he has been aware of efforts to “scrape” GEDmatch, or collect more data than usual, and believes a larger attack to whisk away much of the data could already have occurred. “My guess is that almost certainly it’s already been done,” he says. “Governments are collecting data on people. You never know what they can use it for.”