èƵ

Privacy of hundreds of thousands of genetic volunteers may be at risk

A team was able to uncover a dog's DNA in a research database - and it could mean the privacy of people who volunteer for genetic studies is at risk
Blood samples
Researchers use large DNA databases to conduct genome-wide association studies
Bloomberg/Getty

The privacy of people who add their DNA to research databases may be vulnerable to hackers, who could exploit the information published in genome studies to identify an individual’s genetic code.

Genetics researchers are inadvertently publishing information that can theoretically be pieced together to identify someone’s DNA held in a research or commercial database, say Daphne Ezer at the Alan Turing Institute in London and her colleagues. Her team simulated how attackers could identify a person’s genetic code, and used this method to find a single dog’s genetic material in a DNA database.

Genome-wide association studies (GWAS) identify genes thatare associated with personal traits or disease. Researchers use large databases containing the DNA of hundreds of thousands ofpeople to conduct these studies and detect subtle DNA differences between participants.

Ezer’s team showed how, under some circumstances, a hacker could use the information about an individual’s traits published in GWAS to recover that person’s genetic information – known as a reconstruction attack.

“You might even be able to identify an individual with just two studies performed on the same database, if a small number of people are included in one study but not another,” says Ezer.This could happen if, for example, some participants skipasurvey question or join onestudy later than the other, which Ezer’s teamdescribe as a“potentially common” scenario.

In these cases, attackers can use algorithms to predict the genetic details of an individual in one of the studies by combining information from both. The team showed this is possible by finding the genetic information of a single dog in the Cornell Dog Genome database.

To protect volunteers’ genetic privacy when publishing the results of a study, the team suggests that researchers try scrambling the data to make itnoisier, or conceal some identifiable information.

Because the study involved dogs, we don’t know if a similar attack would identify people fromtheir genetic information. But if used with the technique that exposed a potential vulnerability in the genealogy testing website GEDMatch in October 2019, “itcould potentially be used toreveal the identities of individualparticipants”, says DavidBaranger, a neurogenetics researcher at the University ofPittsburgh in Pennsylvania.

The UK Biobank, which holds500,000 genomes in itsdatabase, says researchers areprohibited from trying to identifya participant in this way. “We are not aware of any such incident where this has occurred,” says a spokesperson.

“Researchers treat the privacy ofparticipants in projects such asthe UK Biobank very seriously,” says David Curtis at University College London.

bioRxiv

Topics: DNA / Genetics / Privacy