New Security Concerns about DTC Genetic Testing Raised


Millions of people worldwide have used direct-to-consumer (DTC) genetic tests, and many more are expected to do so. Some of these consumers are not seeking medical information, but just chasing down relatives they never knew about.

But fresh cautions have arisen from a recent University of California, Davis (UC Davis) study, which highlighted ways such data can be hacked. In addition, a memo was released, just before Christmas, by the US Defense Department advising service members to avoid such tests, because they pose certain “risks.” The release of that memo was reported by Yahoo News and confirmed by the New York Times.

The UC Davis study looked specifically at DTC genealogy services that allow users to upload genetic data to search for potential relatives. Users are able to identify other users with genomes that share identical-by-state (IBS) regions. These services include MyHeritage, FamilyTreeDNA, and GEDmatch.

Professor Graham Coop and postdoctoral researcher Michael ‘Doc’ Edge at the UC Davis Department of Evolution and Ecology say that someone with a bit of expertise in genetics and computing could design and upload DNA sequences that extract far more from these databases than just some lost cousins. An attacker could pull out the genetic information of most people in a database or identify people with specific genetic traits such as a higher risk of Alzheimer’s Disease. Their study is published in the latest online issue of eLife.

“People are giving up more information than they think they are,” when they upload to these publicly accessible sites, Coop said in a press release. Unlike credit card information, he pointed out, you can’t just cancel your old genome and get a new one.

In their study, Coop and his team described methods by which someone could learn database genotypes by uploading multiple datasets. For example, someone who uploads approximately 900 genomes could recover at least one allele at SNP sites across up to 82% of the genome of a median person of European ancestries. In databases that detect IBS segments using unphased genotypes, approximately 100 falsified uploads could reveal enough genetic information to allow genome-wide genetic imputation. The authors describe a proof-of-concept demonstration in the GEDmatch database, and suggest countermeasures to deter hackers.

Coop and Edge notified the database companies of the problem in July 2019 to allow them time to put countermeasures in place before publishing a preprint in October. They note that the problems they described do not affect for-profit DNA sequencing companies such as 23andMe, which require customers to submit a saliva sample for DNA analysis to get access to their genetic data. The public databases, however, allow anyone to upload DNA sequences and search for other users with matching sequences.

The US Defense Department memo, meanwhile, said that “Exposing sensitive genetic information to outside parties poses personal and operational risks to Service members.” The Dec. 20 memo was signed by Joseph D. Kernan, the undersecretary of defense for intelligence, and James N. Stewart, the assistant secretary of defense for manpower.

The memo says that some DNA kit companies have been targeting military personnel with discounts, especially around the holiday season. Yahoo News also reports that the memo “appears to have been distributed widely within the Defense Department.” But the memo provides few details on how genetic profiles could endanger security, other than noting that potential “inaccuracies” in health information could pose a risk to military personnel, who are required to report medical issues.

The New York Times report, however, quoted Cmdr. Sean Robertson, a Pentagon spokesman, about specific risks to service members. “The unintentional discovery of markers that may affect readiness could affect a service member’s career, and the information from DTC genetic testing may disclose this information,” he said.

