
A researcher needed three hours to identify me from my DNA - pseudolus
https://www.bloomberg.com/news/articles/2019-04-12/a-researcher-needed-three-hours-to-identify-me-from-my-dna
======
btgeekboy
Not the direct point of the article, but as an aside, it really concerns me
how easy it is to find a mother's maiden name these days, considering how
often it's used as at least a partial proof of identity.

~~~
slg
Being able to identify someone over the phone or internet is an incredibly
hard problem that I think more startups should be working on. It is a constant
battle between security and customer convenience. It is very frustrating being
locked out of your own account because a company can't identify you correctly.
If you combine that with the fact that companies are rarely held accountable
for these security violations and it isn't a surprise that they optimize for
customer convenience.

The best systems I have seen are the ones that use your credit history to ask
you several questions like "Which one these four streets have you lived on?"
or "Which one of these four employers have you never worked for?", but even
those are gameable with some research. There has to be some better solution
out there.

~~~
packet_nerd
Wouldn't a Google Auth type TOTP be ideal for over the phone? Is there anyone
doing this?

It could be the same one I use for 2FA to the website. Or, an entirely offline
flow would work too where they sent a dead-tree mail with the shared secret in
QR code format.

~~~
organsnyder
I think that's one of the best solutions, but it would add a ton of customer
service overhead for lost devices (if physical OTP generators are used), clock
sync issues, device-specific quirks... And if we want to have a universal
system for this rather than each service provider having their own one-off
solution, someone would need to foot the bill.

~~~
jeltz
Swedish banks already do this. They first implemnted their own systems with
custom hardware (and before that banks mailed a physical scratch pad with
codes) but then later together developed a mobile app (called Mobile BankID)
which can be used for authentication.

So clearly it can be done. Swedish banks have been doing it for at least 20
years.

------
gfiorav
I was honestly baffled to see the proliferation of DNA analysis companies...
aren't people concerned about the importance of the data they're giving out?
AND you pay to give them that data... leaves me speechless.

How accustomed we've become to giving our privacy away.

~~~
inciampati
Your DNA is no more your private property than your or your grandmother's
face.

It's just not that big a deal. You shed your DNA everywhere. Knowing it isn't
more useful than information about your life that is already collected and
used to manipulate you all the time. It's one of the weaker forms of personal
information available.

~~~
vbuwivbiu
excuse me one's body and its DNA is most definitely one's property

~~~
ada1981
What about the hair you leave behind on the subway? Or when you spit on the
field during an ultimate frisbee game?

I can’t take your hair off your head, but I can take it off the ground.

~~~
wolco
Or your breathe you push out of your lungs.

~~~
ada1981
Exactly.

------
anderspitman
I wonder if DNA will actually become less usable in convictions as a result of
these sorts of developments. With it being easier to identify an individual
based on DNA at a crime scene, eventually someone is going to be accused and
turn out to have an ironclad alibi proving they couldn't have done the crime,
even though their DNA was present.

~~~
tejtm
Hopefully, because at this point incriminating fragments can already be
bought.

[https://www.idtdna.com/pages/products/custom-dna-rna/dna-
oli...](https://www.idtdna.com/pages/products/custom-dna-rna/dna-oligos)

~~~
folli
To coat an entire crimescene with synthesized oligos will be prohibitively
expensive.

~~~
tejtm
True if you did it that way. Which is why you would buy (or make) one and PCR
the rest. Besides if it aligns with the authorities goals it would not take
much.

------
drugme
This may be a good moment to get a refresh on this question:

Can anyone recommend a sequencing service that offers some semblance of a
reasonably solid privacy guarantee (in exchange, of course, for a suitable
fee)?

Your inputs will be very dearly appreciated.

~~~
Real_S
At GeneInfoSec we are working on a method that will allow all sequencing
services to encrypt DNA molecules themselves. With this molecular encryption
even your sequencing service will not have access to your genetic data.

~~~
folli
How does this work? Are you mutating the sequences in some random, but
reversible way?

~~~
Real_S
With unique molecular tags, random mutation and PCR, various cryptographic
methods can be applied. But random mutation and PCR are not necessary for some
relatively simple use cases. Reversible mutation is not used, but the
information concealed through mutation is recoverable with the decryption
keys.

------
runaway
The real lesson is that your DNA was never a secret at all. Almost the
entirety of it is shared with many people (your family) and you literally
leave it everywhere you go. Don't assume any of it will be kept hidden.

~~~
dhimes
That's exactly why we need laws restricting what can be done with it without
our consent.

~~~
exolymph
That's not gonna happen. "You have to get the consent of your family members
before you can share your DNA" is totally nonviable.

~~~
dhimes
That's not what I said. The laws I am referring to would restrict the people
with whom you share your DNA (23 and me, for example).

------
tantalor
Are there countermeasures to this? What if I upload a stranger's DNA with my
identity? Or my DNA with a stranger's identity?

~~~
astazangasta
If you read the article you'll note that the key problem is not what the
author did, it's what her relatives did - uploading their own DNA. It is
trivial to discover relatives by DNA match, so using a set of DNA samples you
can easily construct a social graph based on family relations. If you can then
identify any point in that graph, you can identify individuals. The
countermeasures therefore consist of things like: 1) don't add your DNA to a
database and 2) Don't allow your family to add their DNA to a database.

~~~
3JPLW
But a fake entry in the database would result in a negative match. Thus the
researcher would (at least at first) eliminate you as a possible candidate.

Of course, uploading fake DNA with your real name would have other
implications — your relatives that upload their own DNA and look for matches
might suspect infidelity on the part of your parents... and relatives of the
"fake DNA" might think the same of their father/grandfather/etc.

~~~
bilbo0s
That's the sort of thing a detective would work out relatively quickly though.
If you share none of your mother's DNA, the only possible explanation would be
adoption. And if your mother, for whatever reason, told the detective you were
not adopted. Then that detective would have their suspect.

So if you tried that, the stranger would have to be a very carefully selected
family member in any case. Someone from your mother's side, same gender, not
likely to submit his/her DNA, AND not likely to be in DNA databases already
due to prior arrests. (Also, it goes without saying that they can't be
adopted.)

But even taking all these precautions, I'm pretty sure a detective would still
work it all out.

~~~
bradyd
> If you share none of your mother's DNA, the only possible explanation would
> be adoption.

Not necessarily. There was a case where a DNA test of a woman's children
showed that they did not share any of her DNA. Social Services was threatening
to take them away from her. When she had another child, they court ordered an
officer to be present during the birth and collect DNA from both of them at
that time. Even still the DNA "proved" she was not the mother. It was only
after another similar case was discovered that they were able to determine
that she was a chimera, basically that she was her own twin, and had two
different DNA strands.

[https://abcnews.go.com/Primetime/shes-
twin/story?id=2315693](https://abcnews.go.com/Primetime/shes-
twin/story?id=2315693)

~~~
bilbo0s
Yeah, but if your mother is not a chimera, they're gonna nail you right out of
the box unless the fake DNA comes from a member of your mother's side of the
family.

------
alvalentini
I thought that DNA identification wasn't ironclad despite being used in
criminal investigation.

~~~
mdorazio
I'm fairly certain the non-ironclad part is in the handling and processing
(testing labs screw up quite often), not in the actual methodology or ability
to accurately identify individuals.

~~~
porpoisemonkey
Collection of evidence is also another likely place to make a mistake. The
issue is that a non-pristine sample taken from a public place (like a crime
scene) may have multiple DNA profiles represented in it. I'm not highly
familiar with the technology but I've read that techniques like PCR that
"amplify" the DNA collected from the original sample by synthesizing copies of
the DNA can further exacerbate the issue.

> One of the biggest strengths of PCR(e) for DNA typing is the degree to which
> DNA can be amplified. Starting with a single DNA molecule, millions or
> billions of DNA molecules can be synthesized after 32 cycles of
> amplification. This level of sensitivity allows scientists to extract and
> amplify DNA from minute or degraded samples and obtain useful DNA profiles.
> In this context, the sensitive nature of PCR works in a lab's favor, but it
> can cause problems if great care is not taken to avoid contaminating the
> reaction with exogenous DNA.

[https://www.promega.com/~/media/Files/Resources/Profiles%20I...](https://www.promega.com/~/media/Files/Resources/Profiles%20In%20DNA/802/Identifying%20and%20Preventing%20DNA%20Contamination%20in%20a%20DNA%20Typing%20Laboratory.ashx)

> Because extremely small samples of DNA can be used as evidence, greater
> attention to contamination issues is necessary when identifying, collecting,
> and preserving DNA evidence. DNA evidence can be contaminated when DNA from
> another source gets mixed with DNA relevant to the case.

[https://www.ncjrs.gov/nij/DNAbro/evi.html](https://www.ncjrs.gov/nij/DNAbro/evi.html)

------
lettergram
This is not at all surprising. They have a database with everyones genes
mapping out most of the world at this point (at least some relatives). This is
why _all of us_ should be afraid of the future and why the U.S. needs similar
laws to the GDPR in the EU.

Hell, with just a few comments I can identify people/alts on HN (or other
social media sites)...

[https://twitter.com/AustinGWalters/status/104189476543920128...](https://twitter.com/AustinGWalters/status/1041894765439201281)

[1] [https://metacortex.me/](https://metacortex.me/)

~~~
KON_Air
to me the biggest surprise is the fact it took 3 hours.

~~~
asdff
The PCR probably took 2 hours out of that.

------
tyingq
Do places like 23&me just take you at your word on who you are, and that you
sent the right DNA?

~~~
asdff
I wouldn't think they tie names to sample. You can't do that with DNA samples
in a hospital, and I would hope 23 and me's policies mirrors HIPAA (would be
aggressively irresponsible and a legal time bomb if not). You certainly don't
need names to do analysis.

~~~
tyingq
I was curious, so I looked:

 _" When you purchase our Services or create a 23andMe account and register
your kit, we collect Personal Information, such as your name, date of birth,
billing and shipping address, payment information (e.g., credit card) and
contact information (e.g. email, phone number and license number)."_

[https://www.23andme.com/about/privacy/#jump-link-content-
the...](https://www.23andme.com/about/privacy/#jump-link-content-the-
information-we-collect)

They are asking for some unusual stuff like DOB and license number.

------
ada1981
I was disappointed the only example they gave for misusing data was that
celebrity dead beat dads might be exposed.

>> As DNA databases grow, so too does the potential for abuse. “Misuse of
surreptitious DNA is potentially a big problem,” says Debbie Kennett,
genealogist and author. “You can imagine celebrities and politicians being
stalked to get illicit DNA samples for paternity testing without consent.” <<

Certainly, there must be worse outcomes than some powerful men running the
risk of being shown to be someone’s dad?

~~~
porpoisemonkey
It's along the same lines but DNA sequencing has very serious consequences in
countries that have a history of strict filial piety such as China.

In these countries a family is not just the basis for raising children -
families can often act as a sort of "corporation" where everyone is
cooperating to enhance the wealth and future prospects of the group.

There was a lot of confusion around family relationships during WWII with the
occupation of the Japanese and again after WWII with the Chinese Communist
Revolution as children were adopted when their parents went missing or were
killed in the war.

If people inside a family are found not to be related to one another there's a
serious potential for the social fabric to start breaking down.

~~~
Ensorceled
Widespread paternity testing will destroy the social fabric of China?

That's quite a stretch.

~~~
exolymph
"destroy" might be an overstatement, but reproduction is _very_ important to
people and changes in its dynamics have large ripple effects

look at birth control for an example

