
The two biggest genetic genealogy sites are hoping to introduce major new security measures to protect the DNA of millions of people, following recent concerns over risks to genetic privacy.
Anyone who takes a direct-to-consumer DNA test with a company such as 23andMe can download the raw data and upload it to third parties, often to help them find relatives.
Researchers last week showed how attackers could upload faked DNA profiles to create family matches for users of one leading genetic genealogy site, GEDmatch. Another study raised wider concerns about genetic privacy being compromised on similar services.
Advertisement
Now two of the biggest third party sites – MyHeritage, which has 3 million users, and FamilyTreeDNA, which has 2 million – have told èƵ they want to address the issue.
Paul Maier at FamilyTreeDNA says both services are willing to use encryption keys and cryptographic signing of customer’s raw data files, which would mark them as genuine and prevent these faked attacks. But he says that for the measures to be effective, it would require the DNA testing firms such as AncestryDNA to also adopt them. “If there’s agreement on their end, this solves the [privacy] concern,” he says.
In , Yaniv Erlich at MyHeritage called for the establishment of cryptographic signatures by DNA testing firms, with a unique encrypted key created and applied to each test. Genetic genealogy sites could then reject any DNA test results without a signature.
He is working with other academic groups on the creation of an open source code for the approach, but says they are a few months off having a working solution. If it were adopted across direct-to-consumer DNA firms and third party sites, he says it would be a “very strong step forward”.
GEDmatch, a site with about 1 million users, told èƵ that it was “very interested” in the use of cryptographic signatures.
Michael Edge and Graham Coop at the University of California, Davis, recently that cryptographic signatures identifying the source of DNA data uploads would be a key way of addressing genetic privacy concerns. “Such a procedure would allow upload services to know the source of the files they analyze and to disallow uploaded datasets produced by non-approved entities and user-modified datasets,” they wrote.
It remains unclear whether the direct-to-consumer DNA testing companies will sign up to the approach. 23andMe says it warns users of risks if they download their data and upload it to third parties, but did not comment on the idea of using cryptographic signatures and encryption keys. AncestryDNA did not respond to requests for comment.