
DNA database that found Golden State Killer is potential national security leak - mhb
https://www.technologyreview.com/s/614642/dna-database-gedmatch-golden-state-killer-security-risk-hack/
======
ascotan
I don't understand how this isn't a violation of HIPAA. Comparing a DNA upload
against the medical records of other people without their express written
consent seems to me to be wrong.

I think there is a legal issue here around wether uploading your medical data
to a 3rd party service allows that service to take ownership of your medical
data and allows them to do what they please with it.

DNA absolutely falls under PII (personally identifiable information). I can't
understand how a company to collect and use this information without (it
appears) any rules or regulations.

Not only is it a security risk and a privacy violation but it has implications
for every aspect of your life and the lives of your children and immediate
relatives. I can't understand how this can be run out of someone's house with
a part time volunteer staff with no security.

Mind Blown.

~~~
streb-lo
By creating a profile and uploading your DNA -- you're giving consent for your
DNA to be indexed.

Whether or not you should be requiring the consent of all people with similar
DNA is the real question -- but given Americans' obsession with individual
rights I don't see it changing. In their eyes, why shouldn't they be permitted
to upload and share their own DNA?

~~~
LadyCailin
I know it was a rhetorical question, but because of negative externalities.
Same reason I can’t dump pollution in the river that runs through my property,
because that polluted your property downstream.

~~~
ianai
That seems like a much better legal analogy. If anything, this should probably
be considered search and seizure without a warrant. That would make the
evidence inadmissible in court. Or we carve out searching DNA databases as
outside of that amendment. That actually makes more sense to me as even your
dna is no longer yours once it’s in the public domain on a hairbrush at the
dumpster. IANAL.

------
situational87
I'd imagine the major intelligence agencies have already started their own
genetic databases, right? Being able to track down everyone at a genetic level
is insanely valuable data from a national security perspective.

Given that the intelligence agencies regularly and aggressively hack every
telecom and networking company out there, it's pretty likely that they have
already hacked the commercial DNA databases, no? Why wouldn't they?

I'd like to think there is someone out there trying to protect my data, but
it's much more likely they are just aggregating everything into a single
genome DB that will inevitably get hacked or leaked.

~~~
ransom1538
"I'd imagine the major intelligence agencies have already started their own
genetic databases, right?"

The gig is up.

It's a law felons give their DNA in some jurisdictions. Felons have families.
Felons have great grand mothers. Felons have 2nd cousins. There are 6.1
million felons. I'd image the US is pretty much mapped out by now.

[https://www.legalmatch.com/law-library/article/mandatory-
dna...](https://www.legalmatch.com/law-library/article/mandatory-dna-sampling-
in-a-criminal-investigation.html)

~~~
reaperducer
Not just felons. _Everybody._

Some police agencies (NYC, for example) collect DNA samples on arrest. And if
you're found not guilty, the arrest was wrong, or whatever, they still keep
the DNA forever. [1]

But it's not like they conduct knock-and-spit dragnets. Oh, wait... [2]

Even worse is that social service agencies do it. Don't be born in California,
because the fact that you suddenly exist means the state gets your DNA. [3]

[https://www.nytimes.com/2019/08/16/nyregion/newyorktoday/nyp...](https://www.nytimes.com/2019/08/16/nyregion/newyorktoday/nypd-
dna-database.html)

[https://www.newsweek.com/police-dna-database-nypd-swab-
testi...](https://www.newsweek.com/police-dna-database-nypd-swab-testing-
collection-new-york-1326722)

[https://sanfrancisco.cbslocal.com/2018/05/08/california-
biob...](https://sanfrancisco.cbslocal.com/2018/05/08/california-biobank-
stores-baby-dna-access/)

~~~
devmunchies
I'm able to refuse the state/hospital in California to take blood samples,
right?

~~~
Lammy
No, if you try to refuse you get another misdemeanor charge while they wait
for a judge to sign the form compelling you to give a sample

~~~
devmunchies
How utterly depressing. Land of of free.

~~~
dsfyu404ed
A desire to control people for mostly petty reasons in order to better society
or some such is what led us here. You know what they say about the road to
hell.

------
mauvehaus
If you're interested in learning more about the power of genetic genealogy and
its real-world applications, I'd highly recommend the New Hampshire Public
Radio podcast Bear Brook [0].

It doesn't cover this particular attack, but it does discuss the way databases
were used to identify the victims of a murder that took place decades ago. In
that case, there was a lot of work done tracking down branches of family
trees, and asking living people to submit their DNA to these databases to help
fill in the gaps that prevented positive identification of the victims.

[0] [https://www.bearbrookpodcast.com/](https://www.bearbrookpodcast.com/)

------
justinclift
Wonder if it could also be used to determine matching likely organ donors, for
those needing an organ transplant?

If so, it potentially opens a world of other crappy possibilities too. :(

~~~
blitmap
For basic stuff, how about blackmailing those who gave up children for
adoption?

~~~
telesilla
That's less and less of a concern: firstly, there are far far fewer adoptions
this century due to both acceptance of being a single parent and because of
access to abortion and birth control. Secondly, it won't be long before every
adopted child learns about DNS testing in school and as soon as they are of
age (or can fake ID) they will find relatives [Source: have volunteered in the
field].

This will lead very quickly to no more anonymous adoptions. I'm in favour of
open adoption as studies have shown it's healthier for the child but that's my
own personal bias outside of the technology.

Edit : DNA testing...

~~~
Accujack
Only if those relatives have legitimate A records.

~~~
rolandog
And if they properly configured their MX records, they may be able to contact
them.

------
cryptozeus
I regret taking 23&me test, I don’t think my dna is in safe hands.

~~~
therealx
I wanted to have it done so badly, but now I'm with you. Anyone have a cost on
analyzing your DNA privately? Then the breach is just you+1, and you could use
a fake name (I know, I know, that isn't foolproof when DNA is involved)

~~~
virusduck
For what 23andme does, a couple hundred probably, maybe under 100 if you went
in with several people. You could have your whole genome sequenced, the
materials and service cost would be in the neighborhood of $7000 commercially.

Data analysis costs vary widely, depending on what you want.

~~~
eridan2
399 euro at DanteLabs: [https://www.dantelabs.com/products/whole-genome-
sequencing?v...](https://www.dantelabs.com/products/whole-genome-
sequencing?variant=30759474593927)

~~~
ccffpphh
That's awesome. Do they have a good track record of privacy? I read what they
have on their site, but I can't just take them at face value with something as
valuable as a whole genome.

------
Merrill
It should be very valuable for counterintelligence to check the legends of
enemy agents. If the DNA of the suspected agent identifies relatives that are
implausible given the provided back story, further investigation may reveal
that the legend is false.

It should also be valuable for screening candidates for security clearances.
Are the relatives named by the candidate related to the candidates DNA
relatives? If not, further investigation is warranted.

~~~
greedo
Then it would just be a matter of subverting the DNA entries (in the
database). Either in the public sources, or in opposition's database. Replace
the true DNA data with your agents actual data.

~~~
buckminster
You're an American agent in Moscow. They can easily get a real sample of your
DNA and run a match. Now they know your real relatives. How do you fake this?

Even if the CIA create a complete web of fake identities in the DNA database,
how do you stop a real relative uploading their DNA?

------
burneraccount12
This will be an unpopular opinion but we should index the DNA of every
citizen.

The two objections are 1) exposing genetic health info 2) foreign countries
can identify our spies.

For #1, I have news for you: insurance companies already build risk profiles
of you, DNA profiles are not going to tip the balance of your premiums against
what they already know. This ship has sailed. (and TBH if they didn't
insurance would likely be even more unaffordable and out-of-reach than it
already is)

For #2, I can't say.

But think of the benefits: how many more crimes would be solved? How many LESS
innocent people would go to prison for crimes they didn't commit?

Plastic straws, browsing history and DNA indexing are white people problems,
IMHO. Look at what it's like to be black in America in 2019: Botham Jean was
sitting in his own apartment, eating ice cream, watching a ball game when a
white off-duty Dallas police officer broke in and murdered him for no reason.

She'll be out of prison in 5 years.

The rise of body cams has the last 10 years has shown these types of incidents
happen more frequently than we ever wanted to admit.

How many people are hurt in real life by things like DNA indexing? Please. It
must be nice to be so rich to worry about frivolous non-problems like these. A
national DNA index could keep a lot of innocent (mostly minority) people out
of prison but oh no god forbid a white person be revealed to have a genetic
marker for Alzheimers and their insurance premiums go up. The horror.

~~~
opwieurposiu
DNA can be synthesized for $2 a gene. DNA tests as used in crime labs only
check dozens/hundreds of genes to make a match. With a database of everyone's
DNA, anyone can be framed for anything.

[https://www.chemistryworld.com/news/synthetic-gene-cost-
slas...](https://www.chemistryworld.com/news/synthetic-gene-cost-slashed-
to-2/3008491.article)

~~~
krick
This is interesting. But can I know ahead which genes will be tested? Is it
always the same set?

Basically, I'm asking: is this _really_ true? Given a drop of your blood I can
frame you today for anything plausible for under a $1000? It's kind of
difficult to believe.

~~~
bradknowles
Yup, it's always the same SNPs.

They can only test a relatively small group of SNPs, and they chose the ones
that (at the time) believed differed the most from one person to the next, so
as to maximize the probability of being able to distinguish between
individuals.

But if you've got everyone's DNA, then you can calculate those SNPs for
everyone, and then easily create kits that would allow you to frame anyone you
want just by leaving behind samples of "their" DNA at the crime scene of
choice.

~~~
Obi_Juan_Kenobi
DNA fingerprinting does not utilize SNPs; it uses RFLPs.

------
stef25
[https://www.gedmatch.com/login1.php](https://www.gedmatch.com/login1.php)

That url smells like amateurism, hopefully I'm wrong

EDIT login1.php does a POST to login2.php and site still runs php5. I'd
imagine this site's already been hit with every scanner under the sun.

~~~
40four
Oh no... that's the website !? PHP 5.6 has been end of life for going on a
year now. I mean I get it. It's a small team of volunteers. They don't have
the resources to manage something like this.

The attitude of the founder is very concerning. He doesn't seem to grasp how
serious managing over a million DNA records is, even after experts and
researchers try to tell him.

The should temporarily pull the site down, or at least disable the search
until work can be done, as Mr. Ney suggested to them. The site isn't a money
maker, what would be the harm?

------
Nasrudith
How is it a national security leak? Bad certainly but wolf has been cried so
many times around "national security" that replacing it with "because reasons"
or similiar would cause no loss of meaning.

~~~
Loughla
>wolf has been cried so many times

I'm not sure this is the analogy you want to use. The wolf ended up eating the
boy in the end of that story, didn't it?

~~~
SamBam
So that's exactly the analogy they wanted to use. The point is that "national
security threats" can be a serious danger, but if you claim something small is
a "national security threat" too many times then it starts to lose its meaning
and urgency.

~~~
DataWorker
What if the threats are all very real but human nature is to grow fatigued by
warnings and become ever more complacent even when the wolf is at the door?

~~~
SamBam
cf. climate change.

------
frandroid
> called the new security research a large-scale demonstration of weaknesses
> already known to enthusiasts.

"Already known". So when the hell are they going to take their service down
until they find a way to secure it??

------
djmips
What if some adversary wanted to create a tailor made biological weapon that
only affected people with a certain genetic profile?

~~~
jonlucc
It's an interesting idea, but for a whole bunch of biological reasons, I
suspect it would be exceedingly difficult if not impossible.

First, we don't actually have the ability (as far as I'm aware) to use a
particular genetic sequence to activate some drug that would work
systemically. Second, we don't have the ability (as far as I'm aware) to
recognize an identifying sequence, then do DNA damage elsewhere in a life-
sustaining gene. Lastly, it takes so long to identify the output of a gene
(protein, siRNA, rRNA, or whatever) and make a drug targeting that output that
even if you were able to target a coding region, it would be far faster to
kill them by more traditional means.

~~~
jamesrcole
I took the question to include the future. Will it become possible? How soon
could it become possible?

~~~
logfromblammo
Once the cat's out of the bag, it will be an arms race between biological
attack and biological defense. Rich people and politically connected people
will be vaccinated against the murder-viruses. And those are the only ones
worth spending more than a brick of ammo to kill.

It's far easier to take an already-deadly disease that kills indiscriminately,
modify it to have shorter incubation time and higher kill rate (so it burns
itself out before going pandemic) and shoot it at a target on a spitball or
with a Bulgarian umbrella, while they're on their way to meet with everyone
else you want to kill.

Either way, that's still leaving biological evidence all over the crime scene,
and has the potential to kill a lot of people you weren't specifically
targeting. So the preferred methods of assassination will likely continue to
be poisons, firearms, and explosives for a long time to come.

~~~
bulgarianjourno
This however, does mean that genetically targeted genocides would be
possible...

~~~
logfromblammo
Already possible with guns, bombs, and poison. Already _accomplished_ with
guns, bombs, and poison.

------
habnds
An interesting example of technology and the tech that defeats it evolving
together, a friend with leukemia who received a bone marrow transplant was
told that a DNA test using a blood sample would identify him as a woman, the
person who donated the marrow.

~~~
onychomys
Hey, a free pass to go become a serial killer!

------
rootusrootus
So what I'm getting is that the ship has sailed, it's too late to prevent the
spread of DNA information, and what we should focus on now is risk mitigation,
legal and otherwise.

------
neonate
[http://archive.is/wn2Gu](http://archive.is/wn2Gu)

------
MuffinFlavored
Does this mean a serial killer basically did 23AndMe and that's how he got
caught?

~~~
stef25
No, a relative of his did.

Police matched the killer's DNA with one of his relatives' DNA in the DB,
started digging in his family and found someone matching the profile of the
killer.

Police then watched him and got his DNA from a can he threw away to give them
the exact DNA match.

------
nickthemagicman
What can be done with this data?

~~~
stef25
Say you arrested someone and wanted to establish family ties like find their
brother, determine if they belong to a certain clan etc. If those ties were in
that DB, you could find them with that data.

~~~
nickthemagicman
I see. Rubber Hose decryption on a family member type stuff. That's
terrifying.

------
jacquesm
The word 'potential' superfluous in the title.

------
Railsify
Seems like this database plus a sufficiently advanced version of the CRISPR
process would allow nation state or companies to manufacture DNA that collided
with the DNA of real people, very scary.

------
DoctorOetker
so ... every nation state is in a race to sponsor full DNA sequencing of
adversary populations... free DNA sequencing for all!

------
GnarfGnarf
"risk exposing people’s genetic health information..."

Genealogy DNA tests only use 0.07% of a person's DNA (that's 0.0007 or seven
ten-thousandths). Plus it's in the non-coding or "junk" zone of the
chromosomes. Not much opportunity to figure out people's health issues from
that little DNA.

~~~
sct202
Plus, there are issues with false positives with the consumer grade testing.
[https://www.nature.com/articles/gim201838](https://www.nature.com/articles/gim201838)

~~~
eddyg
Companies like 23andMe regularly improve their technology and offer upgrades
to get improved results. On this page [0], you can scroll down to "23andMe
Health Reports by Chip Version" and select "See All" to see the changes.

[0] [https://customercare.23andme.com/hc/en-
us/articles/218392668...](https://customercare.23andme.com/hc/en-
us/articles/218392668-Upgrading-to-23andMe-s-Newest-Platform)

(I'm not saying that their aren't false positives, just that improvements are
being made as technology improves.)

