Privacy and DNA databases – a new PII concern

Science magazine has published a study by genetics researchers, 'Identifying Personal Genomes by Surname Inference', that concludes “that surnames can be recovered from personal genomes by profiling short tandem repeats on the Y chromosome (Y-STRs) and querying recreational genetic genealogy databases.”

The existing US databases are primarily designed to allow users to find the surnames of men (it is currently an issue focusing on the Y chromosome specific to men) with the same DNA pattern; that is, potential relatives or ancestors. The research, however, demonstrates that “The propagation of information through shared male lines amplifies the range of identification, allowing ~135,000 records to potentially target several million U.S. males.”

Meanwhile, the UK government is proposing to allow a DNA database of the entire population to be built within the NHS but without consent. This is primarily designed for medical research. People would have a right to object but not to stop their data being used. “But it is a big mistake to allow private medical records and personal genetic information to be data-mined by private companies [the researchers] without people's knowledge or consent,” warns Dr Helen Wallace, directory of GeneWatch UK. “Storing whole genomes in medical records will allow every individual and their families to be identified and tracked. Medical and genetic data will also be exploited for personalised marketing.”

GeneWatch warns that a person's DNA can be obtained easily from a beer glass, coffee cup or toothbrush. Anyone who could get that DNA sequenced could search it against stored variant files and identify the individual, either directly (if they have access to the medical record in the NHS or the de-identifying system) or indirectly by the clues stored in their public records. 

It is the ease with which ‘the clues stored in their public records’ can be used to identify both individuals and their relatives that is the subject of the US study. A UK national database is intended to be anonymous, but Professor Ross Anderson has already warned that genuine anonymity is difficult if not impossible. Andy Green of Varonis takes a pure ‘infosec’ view of the issue: “I’m wondering how truly secure those DNA files are," he blogged yesterday, "and whether there are already hackers looking to get that data using the same techniques and exploits they use to snatch credit card numbers.”

What’s Hot on Infosecurity Magazine?