Updated version of @DocEdge85’s preprint on the potential for upload attacks on genetic genealogy databases, detailing various hacks. Big addition, we did a proof-of-concept demo of a simple method for obtaining peoples’ genotypes from GEDmatch 1/n
biorxiv.org/content/10.110…

@DocEdge85 GEDmatch seems to use long runs of compatible genotypes between individuals (kits) to call genetic relatedness, identity by state (phase-unaware IBS calling). These runs of IBS can broken by a single opposite-homozygous genotype, e.g see user videos 2/n

@DocEdge85 On this basis we knew that GEDmatch was likely open to an `IBS baiting’ attack, uploading 2 fake kits with opposite-homozygote genotypes at target SNP surrounded by regions of heterozygous SNPs (which will at least half-match all other genotypes). See

https://twitter.com/DocEdge85/status/1186645493792870400

3/n

@DocEdge85 We alerted GEDmatch to this in July, as well as pointing out that their chromosome browser may also leak a lot of information via its SNP visualizations. @_peterney et al also contacted them at a similar time, and we both independently posted preprints in Oct (after 90 days). 4/n

@DocEdge85 @_peterney Late Nov we attempted mock IBS baiting hack. We used only artificial kits (for targets and baits) & restricted it to the `research’ branch of GEDmatch (so we never interacted w. other people’s data nor violated T&C). We also verified this plan with UC Davis IRB and GEDMatch 5/n

@DocEdge85 @_peterney Our bait kits (B1 & B2) had het. & missing genos around target to bait IBS caller. We could tell if target was homozy. by which bait it IBS matched (eg. T1=B1 but not B2), & if it was heterozy if matched both baits (T2 vs B1 & B2). Image compiled from GEDmatch browser 6/n

@DocEdge85 @_peterney This baiting worked easily across four targeted regions on chromosome 22. We set up our baits to not match outside these regions & we saw no other IBS in genome-wide. Baiting could likely easily be extended to extract more genotypes genome-wide 7/n

@DocEdge85 @_peterney Note that this only needs GEDmatch to return IBS locations to extract genotypes, & doesnt need images. The images reveal even more info. GEDmatch seems to have jittered SNP positions (trying to block @_peterney-style attack?) but incomp genos in our baits are still visible 8/n

@DocEdge85 @_peterney GEDmatch allows you to use their 1-to-1 IBS caller on any of their >1 million kits if you know the kit number. Kit numbers are open to scraping from their website, as are the (often real) names and emails of the people uploading kits. 9/n

@DocEdge85 @_peterney @_peterney’s et al’s paper (@uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno) nicely, independently showed how GEDmatch’s visualization algorithm of IBS matches could be exploited

https://twitter.com/blueyedgenes/status/1189756886498701313

10/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno They also independently described a method very similar to IBS baiting in their section VII, showing that it worked in GEDmatch as of summer / early fall. So this attack isn't hard to come up with, once you realize that only opposite homozy block IBS runs 11/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno We redesigned our original attack slightly as GEDmatch had put in place some counter-measures in response to our & @_peterney et al's initial emails, but these were ultimately not too hard to surmount. 12/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno Also, the countermeasures that are in place appear to apply only as blocks of new uploads. This means that previously uploaded kits designed for baiting-style attacks may be grandfathered in as potential backdoors 13/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno GEDmatch has now put in place reCaptcha to try & block bots on some of their form pages, which may prevent a large-scale attack to obtain many profiles. But they haven’t implemented simple measures, eg only returning long IBS, that would also improve their genealogy service. 14/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno GEDmatch returns much shorter IBS than users need. Also folks don't need a SNP-level view of other peoples' genomes for genetic genealogy (especially for any random user in the database). These issues make it far too easy to obtain other peoples' genotypes. 15/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno Our last successful attempt to upload and analyze bait kits worked as of Dec 15th, i.e. after @VerogenBio took over GEDmatch. 16/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno @VerogenBio .@DocEdge85's original thread outlining the concepts behind these potential privacy attacks on genetic genealogy databases

https://twitter.com/DocEdge85/status/1186645459617513472

17/n

@DocEdge85 @_peterney @uw_cse_seclab @TechPolicyLab @luisceze @yoshi_kohno @VerogenBio & @DocEdge85's previous thread discussing why GEDmatch seemed particularly vulnerable to these attacks on genetic privacy. 18/n

https://twitter.com/DocEdge85/status/1187059909633773568