DNA testing services like 23andMe, Ancestry.com and MyHeritage are making it easier for people to learn about their ethnic heritage and genetic makeup.

People can also use genetic testing results to connect to potential relatives by using third-party sites, like GEDmatch, where they can compare their DNA sequences to others in the database who have uploaded test results.

But a less happy ending is also possible. Researchers at the University of Washington have found that GEDmatch is vulnerable to multiple kinds of security risks. An adversary can use only a small number of comparisons to extract someone’s sensitive genetic markers. A malicious user could also construct a fake genetic profile to impersonate someone’s relative.

The team posted its findings Oct. 29. The research has also been accepted at the Network and Distributed System Security Symposium, where the researchers will present these results in February in San Diego.

“People think of genetic data as being personal — and it is. It’s literally part of their physical identity,” said lead author Peter Ney, a postdoctoral researcher in the UW Paul G. Allen School of Computer Science & Engineering. “This makes the privacy of genetic data particularly important. You can change your credit card number but you can’t change your DNA.”

[Animation: a genetic pedigree where a child falsely claims to be related to the father]

UW researchers found that an adversary can use only a small number of comparisons on GEDmatch to extract sensitive genetic markers for someone and construct a fake genetic profile to impersonate someone’s relative.

Shown here is a genetic pedigree outline of two parents with two kids. Then another child (red) falsely claims to be related to the father. (Credit: Rebecca Gourley/University of Washington)

The mainstream use of genetic testing results for genealogy is a relatively recent phenomenon. The initial benefits may have obscured some underlying risks, the researchers say.

“When we have a new technology, whether it is smart automobiles or medical devices, we as a society start with ‘What can this do for us?’ Then we start looking at it from an adversarial perspective,” said co-author Tadayoshi Kohno, a professor in the Allen School. “Here we’re looking at this system and asking: ‘What are the privacy issues associated with sharing genetic data online?’”

To look for security issues, the team created a research account on GEDmatch. The researchers uploaded experimental genetic profiles that they created by mixing and matching genetic data from multiple databases of anonymous profiles. GEDmatch assigned these profiles an ID that people can use to do one-to-one comparisons with their own profiles.

For the one-to-one comparisons, GEDmatch produces graphics with information about how much of the two profiles match. One graphic is a bar for each of the 22 non-sex chromosomes.

Each bar changes length depending on how similar the two profiles are for that chromosome. A longer bar shows that there are more matching regions, while a series of shorter bars means that there are short regions of similarity interspersed with areas that are different.