“You can replace your credit card number, but you can’t replace your genome,” says Peter Ney, a postdoctoral researcher in computer science at the University of Washington. Ney, along with professors and DNA security researchers Luis Ceze and Tadayoshi Kohno, described in a report posted online how they developed and tested a novel attack employing DNA data they uploaded to GEDmatch. Using specially designed DNA profiles, they say, they were able to run searches that let them guess more than 90% of the DNA data of other users. The founder of GEDmatch, Curtis Rogers, confirmed that the researchers alerted him to the threat during the summer.
“The same attack wouldn’t work on other genealogy sites, like 23andMe, because they don’t permit data uploads,” the report notes. “Others, like MyHeritage, do allow uploads but don’t give users as much information about their matches.”“The problem with GEDmatch is the browser is too good, and searches too deeply,” says Erlich. “If I were them, I would remove it, fix it, then put it back.”