Wednesday, May 2, 2018

Will your DNA become a liability

A very interesting news article was published this week about the Golden State serial killer being tracked down with genetic testing DNA information.

Turns out that law enforcement had a solid lead that required getting a genetic testing lab to cough up the goods.  Ultimately the information was actually used to clear an innocent person that was on the suspect list.... so really.. a good ending.

In case you aren't aware, numerous genetic DNA labs exist that help identify your hereditary diseases, ancestry details and many other pretty cool things.

Take a look at 23andme and you can get a good idea on the cool things you too can find out about with just a spit sample.

The problem is how the information is handled, and more importantly, how it could be accessed in the future.

If your raw DNA results get deleted and can't possibly be pulled back it would be less of an issue, but the nature of genetic DNA testing is that it requires a lot of information for the purpose of correlation.  So in short, they cannot delete anything, the strength of the entire analysis is based on raw numbers.

So in this case, we have a happy ending.  A serial killer was identified.  I doubt that anyone is going to complain about that.

But it does open the door to various abuses by law enforcement, and causes a major ethical ripple in the world of genetic DNA testing.

I propose to you the following very simple problem.

You order a simple DNA test for $200.

It highlights that you are likely to have a certain disease.

You contract a new life insurance policy and you didn't mention the DNA testing results.

You have probably just broken the law, as most insurance forms will ask "are you aware of anything else we should know about", or something along those lines.

What if you even forgot that the 10 page report mentioned your predisposition to a disease name you didn't even recognize or understand....... your insurance is still technically invalid.

So if the genetic DNA lab suffered a data breach or was purchased by an insurance company and you had dropped dead of that unlucky disease.... the insurance company would not have to pay up since after all, you lied on the insurance form.

Now the likelihood of any of this taking place in our lifetime is maybe nil.

Ask a conspiracy theorist and you will get an earful about how citizens are voluntarily paying to get genetic testing done and giving up their DNA information to the government.

What if big corporations have access to genetic information?  Could this information be used to their advantage?   If one thing has been proven time and time again, it is that information is power, and power involves abuses.

Time will tell.

So from a security professional's point of view, I would recommend that anyone getting genetic testing stick to one basic rule.  Do not provide your real name and birthdate.  It simply isn't required for the DNA testing.

However.... you did pay for the test with that credit card..... so don't go killing anyone and expecting your entire DNA thing to be air tight  ;-)

If you want the full details about the case, this Buzzfeed article really covers it to a good degree.

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
