Hacker News new | past | comments | ask | show | jobs | submit login
A researcher needed three hours to identify me from my DNA (bloomberg.com)
212 points by pseudolus on April 12, 2019 | hide | past | favorite | 164 comments



Not the direct point of the article, but as an aside, it really concerns me how easy it is to find a mother's maiden name these days, considering how often it's used as at least a partial proof of identity.


Being able to identify someone over the phone or internet is an incredibly hard problem that I think more startups should be working on. It is a constant battle between security and customer convenience. It is very frustrating being locked out of your own account because a company can't identify you correctly. If you combine that with the fact that companies are rarely held accountable for these security violations and it isn't a surprise that they optimize for customer convenience.

The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one these four streets have you lived on?" or "Which one of these four employers have you never worked for?", but even those are gameable with some research. There has to be some better solution out there.


> The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one these four streets have you lived on?"...

At least with simple "mother's maiden name" type questions, you could, if you were concerned by its insecurity, choose to use a secret value. With the automation of the process, that is not an option, while the security value of this pseudo-secret information will be eroded by its inevitable over-use.


You do make a good point, but the made up answer option is basically just opting out of the system for both good and bad. In my experience, the mother's maiden name thing is rarely the primary identifier. It is usually used if the primary identifier like a password or passcode isn't known. So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password? The only situation I can imagine that happening is if the person reuses their fake name which defeats the whole point of doing this for the added security. The end result is that the secondary identification system has almost no value.


> So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password?

That is, indeed, the problem that these questions are supposed to avoid, but they only offer sort-of security to the extent that the information is sort-of confidential. Anything that the automated validation service can find from public sources can also be found by the black hats, and the more common these automated services become, the more worthwhile it will be for the black hats to similarly automate their search for them.

The end result is that real security that is based on something you know has to depend on secrets.


> So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password?

I have both recorded in password vault and both are random.

The benefit is it they've reset my password for some reason or it was hijacked. I've been able to recover accounts. Not because I forgot a password but because it was essentially a harder to change 2nd "secret"


For me (and I know others), the rule is to never give the correct answer to any of those questions (what was name of first pet? what elementary school?). That's how Sarah Palin was doxxed


> The best systems I have seen are the ones that use your credit history to ask you several questions

Given how bad the credit companies are at distinguishing me and my father (we share a name), I don't have much faith in this process either. What if you don't have a credit history?

Realistically most businesses don't have a need to pin an identity to a real-world person.


They come from other sources as well, such as insurance industry databases.


Those can be wrong though. I've been locked out of accounts because they said I incorrectly answered questions about myself (as if they know better than me) and it took weeks and multiple hand-written letters and a physical trip to an office to get it fixed.

The assumption that you have, that the system "just works" is awful. Because when it turns out the system actually doesn't work, it's a fucking clusterfuck just to get someone to listen to you because they don't believe you are who you say you are, and government issued ID is apparently insufficient.

And the government seems to think I am the same person as my deceased father and grandfather because we share a name, and holy fuck is it frustrating come tax season (I have never in my life had my taxes accepted the first try and have had to physically visit the IRS before) or any time anybody tries to do any sort of background check on me.


Curious about the taxes. Isn’t that why you provide SSN?


The credit history questions are a mixed bag. I've gotten questions like "Which make of car have you owned?" with choices of Toyota, Rolls Royce, Duesenberg, and Checker. It's not a hard guess.


Except when say 18 years ago, you stayed with a handful of friends that year because the bottom dropped out of development jobs and you can't recall every address you might have used.


Wouldn't a Google Auth type TOTP be ideal for over the phone? Is there anyone doing this?

It could be the same one I use for 2FA to the website. Or, an entirely offline flow would work too where they sent a dead-tree mail with the shared secret in QR code format.


I think that's one of the best solutions, but it would add a ton of customer service overhead for lost devices (if physical OTP generators are used), clock sync issues, device-specific quirks... And if we want to have a universal system for this rather than each service provider having their own one-off solution, someone would need to foot the bill.


Swedish banks already do this. They first implemnted their own systems with custom hardware (and before that banks mailed a physical scratch pad with codes) but then later together developed a mobile app (called Mobile BankID) which can be used for authentication.

So clearly it can be done. Swedish banks have been doing it for at least 20 years.


Yeah, I use something similar with my bank except theirs uses custom hardware and is challenge and response based.


https://www.jumio.com/

Their founder is going to jail but the tech was OK - take a photo of your ID with your phone and look into the camera. Do the faces match?


So, I can hold up a picture of the ID in front of the camera, and confirm that it's the same as the picture in the ID?

Cool!


These systems usually have blink detection, so you would at least have to scan the photo, convert to video, and blank out the eyes temporarily (blink detection tends to be quite crude).

Other systems require you to record a video of you saying a particular sentence which is then checked (presumably) by a human. And others require a video call to a real person.


I got pretty spooked when I opened my credit karma account and it asked me to verify if I had opened a store card a couple years ago, if I took out a loan, and a couple other questions about me.

None of them were true, because when I was first opening my credit karma account was when I first got a credit card; up to that point I had no credit history at all. When it asked me these questions, and I believe it implied one of the questions was true, I assumed my identity was stolen and got a report from transunion and equifax.

Turns out my identity was never stolen and credit karma was just being obtuse.


I’ll test this assertion. What’s my mother’s maiden name? (Now that I think about it, it shouldn’t be too hard to find.)

(And to your point, I literally had to provide it earlier this week to Chase’s fraud department.)


Klass?


That was pretty quick. Can I ask how you found it?


Not OP, but I found it by going to your HN profile, seeing your email listed there, searching that username, finding a GitHub profile with the same username, then using your first and last name plus your location (listed in your GitHub profile) to look you up. Your profile photo on GitHub gave me your approximate age (middle age, clearly not a teenager or a senior).

Searching your name and city+state in Google shows several websites that collect public records and show relatives. Some include age with names. The only people that showed up as relatives that were plausibly your parents (based on age) were two people: one with your same last name (probably your father), and one with a different name (Klass) (most likely your mother).


Thanks. I knew it was easy to get to my name from my HN provided info. I wasn’t sure how easy it was to get from there to my parents.

Having a pretty rare last name makes it really hard to stay anonymous, especially when you engage in public activities like entering road races, buying a home, and voting. Guess it’s a bit late to start using a pseudonym.

Edit: mylife is insane. I’ve googled myself in the past and this much information didn’t used to be so readily available in search results.

I don’t know how a right to disappear would even work when a bunch of the results are curated straight from public records.

Edit 2: I think if I cared more about this I’d have to engage in a prolonged disinformation campaign to muddy the search.


"Guess it’s a bit late to start using a pseudonym"

Actually, no. It only takes 2-3 years to disappear from most casual google searches. I know people always say 'the internet is forever' and for some things it might be, but I was suprised how much of my online traces just faded over time after I started being more careful with my identity.


I had a bit worse experience. I was a bit careless with posting personal info under a quite specific username I reused on multiple websites, it took me nearly 10 years and changing that username (you might also note that my usernames are more or less random) to finally not be able to google myself (which I consider to be the real test of anonymity). Various forums finally dying in 2010s were a great help.


I'm of two minds as to whether it's better to be wholly unique like my First Name/Last Name pairing is or to have a name like John Smith.

The worst is doubtless to share an uncommon but not unique name with someone who could plausibly be you who is controversial/a criminal/etc. Pre-Web I went to school with someone who shared a name with a very unpopular figure in the same city. My schoolmate got literal death threats left on his answering machine.


I ran across this a few years ago. I made the mistake of registering a .us domain with my home address. Found out the stupidity of that when my wife's ex, who has been out of her life for over 10 years at that point, sent us a wedding gift. We both have fairly unique names - there's only 1 of each of us with the same first/last name in the US. Makes me pretty paranoid about tying stuff to my real name now.


What was the wedding gift?


Nothing particularly odd, just some mixing bowls. But my wife threw it out when she got it.


These are essentially the same steps I took.


js1


It's also funny how you're supposed to submit such (ostensibly) personally identifying information to a website for them to know.

So it literally only works for this purpose the first time you do it, now it's not private anymore (even if it was to begin with). Now it's on file just waiting to be leaked.

For example, how many of us are suckers who have submitted scans of our passport and drivers license to a website like coinbase.com?

It's only a matter of time until https://haveibeenpwned.com/ lets you type in your DL/passport number and it'll tell you how many scans it found in data dumps.


Just don't answer those questions "truthfully. What I mean is I use 1password to store my credentials. So whenever a site asks me to provide 3 security questions and answer I will usually select 3 random questions (especially ones that don't apply to me like "where did you meet your wife", well i'm not married), then provide an answer like "dog bow rainbow toss three". Even if one place is breached and hackers find my "mothers maiden name", it's about as useful as a one time access token.


You should consider using a real-looking answer.

Someone doing social engineering may answer "It was a bunch of random characters/words, I'm sorry I don't have it in front of me" and have that accepted. If they don't accept it, hang up and try again with another rep until someone does.

Picking a random real place off Wikipedia (different for each website, and store that in 1password) avoids this.


Would this work with a real wikipedia word. Oops I can't remember call back.


It's a question of effort, really. The bad guys get infinite tries; support only needs one person to fuck up once.

My hope would be their training largely prevents "oops I can't remember" getting through, but I suspect you'd eventually get someone quitting tomorrow who doesn't care, or someone having an off day.


I always try to use a real looking answer. This site makes it easy to pick:

https://www.randomlists.com/


Mother's maiden name is documented to have been in use for authentication at least as far back as 1882, and even then it was known to be a weakness [1, §3].

[1] Stephen M. Bellovin. 'Frank Miller: Inventor of the One-Time Pad'. Cryptologia 35(3), pp. 203–222, 2011. DOI: 10.1080/01611194.2011.583711


You should be giving gibberish answers to those anyway. They're probably stored as plaintext, but on the off chance they're not, treat them as a backup password and don't answer the question honestly.


For anything that involves human interaction for the verification, this doesn't really work.

I generate random strings for these and store them in my password manager. On several occasions I've called companies for whatever reason and they've asked these questions to verify my identity. When I say "oh it's a random string let me open my password manager to confirm it" they often reply with "oh it's ok, you're right it's gibberish" and consider me verified.


You can generate a pronouceable password based on dictionary words for such cases and get something that you can say over the phone like `leaf-auto-drunk-horse-zebra`. This is supported by any modern password manager.


I've taken to making them say "this is not random (insert password here)". Still haven't seen if that actually works in practice.


You’re probably still better off with reasonable but fake answers. First pet was named October, your parents met in Tennessee City, etc.


Had the same experience with blizzard support a while ago. Now I follow the above poster's advice and use it as a secondary password, but make it pronounceable at least.


Yeah, I shouldn't have said 'gibberish' but rather random words / lies.

Just don't answer the questions basically.


Would an attacker know that you're the kind of person to type in gibberish?

Also, you don't need to type gibberish. If your mothers maiden name is Jones, you can enter her maiden name as Steenberger and store that in your password manager.


An attacker wouldn't have to know you are the kind of person who puts gibberish... "oh, shoot... sometimes I make up a fake name but sometimes I put gibberish... I can't remember which I used here"


You can always use a fake name/city/etc and store that in your pm.


My Dad did this exactly and it ended up turning into a 2hr call with the credit card company when he inevitably forgot his bullshit answers.


I have thought for a while that the old 'what is your porn name?' joke of combining first pet's name and mother's maiden name was probably originally invented by con artists looking to gather info.


I don't think it was invented by them, but I'm sure it's been used extensively by them since then. I think it was just someone that thought it was funny.


Given the use of pets names and maiden names as common authentication tokens for money, that it is a kind of weird joke to start with and that it doesn't really have a punchline and can easily fall flat, it stinks of grifter patter.

Though it isn't as bad as; 'You can't cheat an honest man'. You hear someone saying that, you start counting your fingers before you shake hands and check them again as soon as your done.


This has always been a funny "secret" to me since I have a hyphenated last name – gee, my last name is "Dolan-Gavitt", I'll give you two guesses what my mother's maiden name is.


Yeah... my mom's maiden name is her current last name (didn't change her name when she got married) and my middle name as well.

It really is a pretty outdated and sexist system, really.


I would have no idea what your mother's maiden name is? With only your post as a reference point, I would assume that you're a woman married to a man, and then assume Dolan is your paternal last name, and Gavitt is your married last name.

Encountering men with hyphenated last names is uncommon enough (for me) that I don't know the rules for that, so if that's the case, I don't know either.


It's semi-common (or was, in the 80s) for couples who didn't want to change either of their names to instead give their kids a hyphenated name with both the mother's and the father's name. So my mother's maiden name is... Dolan.


In the UK it is on the birth record database that is publicly available to anybody.

If you know the person's name and roughly when they were born (which you can get from the age) and where, you can get the Mothers Maiden name easily.

I found mine here https://www.freebmd.org.uk/cgi/search.pl in a couple of clicks.


This is a handy site - https://www.freebmd.org.uk/cgi/search.pl

But looking up myself (and my brother) I noticed that the record date is a month or two past the actual month. So for me being born in March seeing myself listed as June and in my Brothers case seeing September listed as December. Well, makes me wonder if they had backlogs back then. But most happy it is that way, I know my actual birth certificate has the correct date (still have the original) and those are accessible in some form or another. Just mindful that not all records are that accurate.


The summaries are recorded per quarter. Hence the Mar, Jun, Sep, Dec dates


Very tangential note: a url like /cgi/search.pl certainly brings back nostalgic memories! Good old days of cgi-bin and perl scripts.


Doesn't that simply highlight how unfit for that purpose it is (along with things like Social Security numbers in the US)?


In Sweden we have ”Mobilt bankid” which is a digital identification that you download from your bank and then assign a password to it. After this has been completed you can identify yourself through an official app. Most serious organizations asks you to identify yourself through this app when handling business over the phone.


Ja och nej.

BankId is a 2FA mechanism that proves that you are who you say you are. Before you can download the mobile app (Mobilt BankId) and assign a password, the bank must issue you a card with a certificate on it (BankID på kort[0,1]).

You use this card to then validate the Mobilt BankId, since it creates a chain-of-custody for identity, as it were.

In other words, someone with your personnummer on-hand can't just download Mobilt BankId and then assign their own password because they're lacking the physical evidence [read: the BankId på kort], which prevents them from falsely representing that they are you.

How Mobilt BankId works with BankId is that it houses a certificate (much the same as BankId på Kort) and leverages the same auth prompting mechanisms for challenge/response to authenticate the user. Essentially, it "replaces" the kort but only in the sense that the kort is required to be physically present in the system. With the Mobilt BankId app, the certificate is always present.

Sorry for the long-winded explanation but it isn't as simple as downloading the app and assigning a password and don't want people to get the wrong idea. :(

[0] - https://www.bankid.com/en/om-bankid/detta-ar-bankid

[1] - https://support.bankid.com/sv/bankid/bankid-pa-kort


It was never a secret to begin with.


Exactly, it was how she identified herself for years.


My mom never changed her last name, I always thought this "security" question was pretty absurd.


I am guessing that most standard and reliable (i.e. you know the answer and it's not going to change) questions are vulnerable to discovery by a halfway determined attacker. That said, there are probably questions/answers that historically would have required at least some degree of serious investigation to uncover that are now often trivially discoverable.


DNA would actually be a great way of doing identity. As long as you're alive, your DNA can be checked. And it's not really feasible for someone else to fake.

You also don't lose it or forget it, like you would password or 2FA device.


You also can't change it, though, if someone gets a hold of it. Someone with a bit of your blood could impersonate you forever, and you wouldn't be able to stop them.


I'm envisioning actually drawing blood to check identity, not asking for a blood sample.


That would make online login a little tricky...


My kids will have their mother's name as their last name, so what do they do, use their father's, uh, bachelor name?


Seems like it shows up on nearly every married woman's Facebook profile.


That would be HER maiden name, not her mothers.


I think he was referring to the mother's facebook page.


Perhaps. My anecdotal experience does not show a high ratio of women on facebook who are also friends with their mothers. I have also noticed older seem to list their maiden name less frequently.

However, I do agree that in general several "security questions" that are meant to be hard-to-guess data points are actually easy to find the answer to frequently. Maiden names, and school names/cities/mascots, are often found in online profiles in one way or another.

At the same time, I'm not sure the risk is as large as it seems. These security questions help prevent bulk identity theft and add a friction point to the process, they are certainly not equal alternatives to real 2FA, but they are also less "brute forceable".


I was honestly baffled to see the proliferation of DNA analysis companies... aren't people concerned about the importance of the data they're giving out? AND you pay to give them that data... leaves me speechless.

How accustomed we've become to giving our privacy away.


Speechless? Really? You don't understand why someone would be interested in learning about their health risks or their ancestry?

Unless you have secret illegitimate children or you left DNA behind at a crime scene, using DNA analysis services can only benefit you.


I bet insurance companies would pay handsomely to know all your genetic health risks before they insure you. I am none of the things you described but think having our genetic information out there is not a good idea. Call it a gut feeling but I listen to my gut.


I prefer to listen to facts, not intestines. And, in fact, it is illegal for insurance companies to do what you suggest.


And the facts would also show that it was only just recently that Canada was the last G7 country to pass laws preventing insurance companies from doing it. And if you also read more on the topic it is suggested that as genetic testing becomes cheaper and more reliable perhaps in the future this topic will need to be re-examined. So I stand by my gut and it says I would rather keep my dna private. Just in case they change the law in the future.


Until someone comes to power that doesn't like your particular ethnic group


Can outline what health risk you can learn about in a useful manner with a consumer genetic test?

Also since 23andMe is selling data to pharmaceutical companies, they very much benefit from your DNA.


The speechless part is because of how recklessly some people give out information that an insurance company could use against you for example... specially when these companies make no mention of respecting your privacy in their terms.

I considered using these under a fake name, but from reading the article, it seems like that wouldn’t be enough.

I do see the appeal that this indformation has for individuals, of course.


Yes. Everyone has a remarkable inability to ask the question 'Who benefits?' when they engage with a service. Like Facebook, with consumer genetic tests you give up whole lot to get back very little. You are the product.


I shed hair. I don’t really have any meaningful control over my dna anyway.


I see your point... but it’s hard to believe someone would stalk you to grab your hair and sell it to a company.

If you give a company your dna voluntarily and agree to the terms permitting them sell it though... different story.


Your DNA is no more your private property than your or your grandmother's face.

It's just not that big a deal. You shed your DNA everywhere. Knowing it isn't more useful than information about your life that is already collected and used to manipulate you all the time. It's one of the weaker forms of personal information available.


In the US, you do have certain rights to your image. I cannot use an identifiable photograph of you for marketing or advertising without your permission. (That's why, for example, a lot of conference registrations require you to affirmatively agree that photos or videos of you may be used for marketing purposes.)

But pretty much any other use of a photo in a public place is fair game if it doesn't misrepresent you in some way.


Not all states recognize such a right. But most media organizations are based or operate in states like California that do recognize it.


31 states recognize such a right, but the extent of the protections involve vary considerably. In some states, it only protects your name and likeness, while others extend it all the way to things like "stage persona." California naturally has the highest degree of protection, given that it's the center of the entertainment industry.


> Knowing it isn't more useful than information about your life that is already collected and used to manipulate you all the time.

"Doing bad things isn't a big deal because of all the other bad things already being done." is not a good justification:

Should an individual feel free to "dox" you with impunity because Google and Facebook have been doing it to you for years anyway?


I'm imagining a dumpster diving industry arising where people find hair scraps and sell them to insurance companies


Agreed, "My DNA is my personal property," is a weak argument.

"My DNA is my personally-identifying data," is a better one.

The question of what rights we have to our personally identifiable information is not yet answered fully, and the debate is an important one (e.g. consider GDPR and the "right to be forgotten").

Data's worth is recognized today by those who are harvesting it from us. The mountains of data which only a few multinational corporations can gather and store in globally-distributed data centers are imperative to machine learning and the artificial intelligences they are making, which will soon direct a great many of our daily conveniences at potentially great profit to them.

So it is important for us to today define what rights we demand to such a valuable resource, which is created solely by, and living within, the only item any of us has true natural possession of: our very bodies.


>Agreed

Do not forget that op argues it isn't that big of a deal.

>Data's worth is recognized today by those who are harvesting it from us.

There is a lot more case-based, abstract, and long-term worth to privacy that is often unrecognized.


I agree with you completely.


Just because there are dozens of other pieces of personal information that are collected by the powers that be and used to manipulate people doesn’t mean they all are justified.


excuse me one's body and its DNA is most definitely one's property


Just like your finger prints, height or face. It is uniquely yours but not your property. It's your set of attributes.


None of which are actually "uniquely yours", because everything we know to date about fingerprints or faces or DNA is that there is a low probability of collision with someone else having those same attributes, but it's not zero probability.

Somewhere, somewhen, there is likely to be another person who has a face, or fingerprints, or snippet of DNA that cannot be distinguished from yours within the accuracy of the tools we have today.


There was actually a podcast by Radiolab recently that discusses how and why this is not the case. It's counterintuitive for sure, but pretty interesting.

https://www.wnycstudios.org/story/asking-friend


What about the hair you leave behind on the subway? Or when you spit on the field during an ultimate frisbee game?

I can’t take your hair off your head, but I can take it off the ground.


What about the image of my face I left behind on the subway, or on the field during an ultimate frisbee game? Sure you can keep my image on your camera, or photo print, but you may not profit from it, because it isn't your property.


Or your breathe you push out of your lungs.


Exactly.


Which must mean that you're a thief if you've ever brushed past me on the street. Give my DNA back.


I wonder if DNA will actually become less usable in convictions as a result of these sorts of developments. With it being easier to identify an individual based on DNA at a crime scene, eventually someone is going to be accused and turn out to have an ironclad alibi proving they couldn't have done the crime, even though their DNA was present.


DNA as evidence already has a lot of issues:

https://www.theatlantic.com/magazine/archive/2016/06/a-reaso...


Hopefully, because at this point incriminating fragments can already be bought.

https://www.idtdna.com/pages/products/custom-dna-rna/dna-oli...


To coat an entire crimescene with synthesized oligos will be prohibitively expensive.


True if you did it that way. Which is why you would buy (or make) one and PCR the rest. Besides if it aligns with the authorities goals it would not take much.



somehow I prefer when there's no silver bullet, it forces society to take time and think deep.. well ideally


If someone downloads my DNA from 23andMe, they can't really plant it at a crime scene can they?

Even if they could synthesize DNA from that information, they'd need to mix it with SOMETHING to show that it's not planted. Is the information collected by 23andMe even close to accurate enough to do something like this?


In the article Someone1234 commented in sibling apparently the innocent suspect's DNA was on the victim (they think maybe because she rode in his cab).


This may be a good moment to get a refresh on this question:

Can anyone recommend a sequencing service that offers some semblance of a reasonably solid privacy guarantee (in exchange, of course, for a suitable fee)?

Your inputs will be very dearly appreciated.


At GeneInfoSec we are working on a method that will allow all sequencing services to encrypt DNA molecules themselves. With this molecular encryption even your sequencing service will not have access to your genetic data.


How does this work? Are you mutating the sequences in some random, but reversible way?


With unique molecular tags, random mutation and PCR, various cryptographic methods can be applied. But random mutation and PCR are not necessary for some relatively simple use cases. Reversible mutation is not used, but the information concealed through mutation is recoverable with the decryption keys.


The real lesson is that your DNA was never a secret at all. Almost the entirety of it is shared with many people (your family) and you literally leave it everywhere you go. Don't assume any of it will be kept hidden.


That's exactly why we need laws restricting what can be done with it without our consent.


That's not gonna happen. "You have to get the consent of your family members before you can share your DNA" is totally nonviable.


That's not what I said. The laws I am referring to would restrict the people with whom you share your DNA (23 and me, for example).


That's one logical way to with that, and (IMAO) the exact wrong way.


Are there countermeasures to this? What if I upload a stranger's DNA with my identity? Or my DNA with a stranger's identity?


If you read the article you'll note that the key problem is not what the author did, it's what her relatives did - uploading their own DNA. It is trivial to discover relatives by DNA match, so using a set of DNA samples you can easily construct a social graph based on family relations. If you can then identify any point in that graph, you can identify individuals. The countermeasures therefore consist of things like: 1) don't add your DNA to a database and 2) Don't allow your family to add their DNA to a database.


> Don't allow your family to add their DNA to a database.

IE, DNA is my personal property, hence, I own my family. Come off it.

You cannot claim to be concerned about individual privacy when your recommendation for how to protect your privacy is to intimately examine your family member's actions and then actively attempt to prevent them from doing something that is -- according to your ethics -- their right.


I didn't make a single ethical claim, I just suggested what needs doing if your goal is to remain unidentified by DNA. If it wasn't clear my reply was a bit tongue in cheek, since obviously you cannot control what your family does.


But a fake entry in the database would result in a negative match. Thus the researcher would (at least at first) eliminate you as a possible candidate.

Of course, uploading fake DNA with your real name would have other implications — your relatives that upload their own DNA and look for matches might suspect infidelity on the part of your parents... and relatives of the "fake DNA" might think the same of their father/grandfather/etc.


That's the sort of thing a detective would work out relatively quickly though. If you share none of your mother's DNA, the only possible explanation would be adoption. And if your mother, for whatever reason, told the detective you were not adopted. Then that detective would have their suspect.

So if you tried that, the stranger would have to be a very carefully selected family member in any case. Someone from your mother's side, same gender, not likely to submit his/her DNA, AND not likely to be in DNA databases already due to prior arrests. (Also, it goes without saying that they can't be adopted.)

But even taking all these precautions, I'm pretty sure a detective would still work it all out.


> If you share none of your mother's DNA, the only possible explanation would be adoption.

Not necessarily. There was a case where a DNA test of a woman's children showed that they did not share any of her DNA. Social Services was threatening to take them away from her. When she had another child, they court ordered an officer to be present during the birth and collect DNA from both of them at that time. Even still the DNA "proved" she was not the mother. It was only after another similar case was discovered that they were able to determine that she was a chimera, basically that she was her own twin, and had two different DNA strands.

https://abcnews.go.com/Primetime/shes-twin/story?id=2315693


Yeah, but if your mother is not a chimera, they're gonna nail you right out of the box unless the fake DNA comes from a member of your mother's side of the family.


Anonymously submitting someone else's DNA would obviously leave you safe from being identified.


Upload your consciousness to a synthetic body and live the rest of your life DNA-free?


Like your face or fingerprints, DNA is just going to be one of those immutable features of identification.


GATTACA is seeming more and more like our future.


You just made me realize the deeper meaning in the name of that movie! (initials of the bases of DNA)


Gosh dang. Mind blown. One of my favorite movies and I just got something more out it.

Don't keep anything for the swim back.


I thought that DNA identification wasn't ironclad despite being used in criminal investigation.


I'm fairly certain the non-ironclad part is in the handling and processing (testing labs screw up quite often), not in the actual methodology or ability to accurately identify individuals.


Collection of evidence is also another likely place to make a mistake. The issue is that a non-pristine sample taken from a public place (like a crime scene) may have multiple DNA profiles represented in it. I'm not highly familiar with the technology but I've read that techniques like PCR that "amplify" the DNA collected from the original sample by synthesizing copies of the DNA can further exacerbate the issue.

> One of the biggest strengths of PCR(e) for DNA typing is the degree to which DNA can be amplified. Starting with a single DNA molecule, millions or billions of DNA molecules can be synthesized after 32 cycles of amplification. This level of sensitivity allows scientists to extract and amplify DNA from minute or degraded samples and obtain useful DNA profiles. In this context, the sensitive nature of PCR works in a lab's favor, but it can cause problems if great care is not taken to avoid contaminating the reaction with exogenous DNA.

https://www.promega.com/~/media/Files/Resources/Profiles%20I...

> Because extremely small samples of DNA can be used as evidence, greater attention to contamination issues is necessary when identifying, collecting, and preserving DNA evidence. DNA evidence can be contaminated when DNA from another source gets mixed with DNA relevant to the case.

https://www.ncjrs.gov/nij/DNAbro/evi.html


This is not at all surprising. They have a database with everyones genes mapping out most of the world at this point (at least some relatives). This is why all of us should be afraid of the future and why the U.S. needs similar laws to the GDPR in the EU.

Hell, with just a few comments I can identify people/alts on HN (or other social media sites)...

https://twitter.com/AustinGWalters/status/104189476543920128...

[1] https://metacortex.me/


to me the biggest surprise is the fact it took 3 hours.


The PCR probably took 2 hours out of that.


USA will n-e-v-e-r get something like GDPR.

Lobbying has corrupted US democracy, freedom, privacy, and legislation to the point that these may never recover. The moment something GDPR-like will be drafted, those snakes (large corporations & lobbies) will do their best (aka bribe $$$$$$$$$$$$) to stop this. (for those who don't like the word bribe, feel free to replace with 'donate' - but imho paying someone elected to change their mind and go against the people's interests, is pure bribery-fraud)

Once a USA-GDPR moves in (which will never happen), people will start to wake up and smell the coffee, and realize that the threat is real. That awakening will lead to another issue.

The 3-leter-agencies (whether in the Light or in the Dark) will also fight this tooth and nail. Now they have a sweet deal. They spy on everyone, people are stupid/naive/careless enough to publicise every-thing they do/eat/say. In a USA-GDPR scenario where civilians will start 'thinking' again, agencies will have to try harder (aka increased budget/spending) to hoard the same amount of information.


We just got the CCPA (effective Jan 1, 2020), which basically GDPR, in some ways stronger.

It's "California only", but companies have little choice but to implement it for the entire US (much like car manufacturers building all US cars to meet Cali emission standards).


Do places like 23&me just take you at your word on who you are, and that you sent the right DNA?


I wouldn't think they tie names to sample. You can't do that with DNA samples in a hospital, and I would hope 23 and me's policies mirrors HIPAA (would be aggressively irresponsible and a legal time bomb if not). You certainly don't need names to do analysis.


I was curious, so I looked:

"When you purchase our Services or create a 23andMe account and register your kit, we collect Personal Information, such as your name, date of birth, billing and shipping address, payment information (e.g., credit card) and contact information (e.g. email, phone number and license number)."

https://www.23andme.com/about/privacy/#jump-link-content-the...

They are asking for some unusual stuff like DOB and license number.


For the most part...yes.

Also: This means there is enormous potential to pollute their signal with tons of false noise. I hope(dangerous word) that this has already happened, or is in progress.


You can use the DNA itself to hack the machines directly: https://www.technologyreview.com/s/608596/scientists-hack-a-...


I was disappointed the only example they gave for misusing data was that celebrity dead beat dads might be exposed.

>> As DNA databases grow, so too does the potential for abuse. “Misuse of surreptitious DNA is potentially a big problem,” says Debbie Kennett, genealogist and author. “You can imagine celebrities and politicians being stalked to get illicit DNA samples for paternity testing without consent.” <<

Certainly, there must be worse outcomes than some powerful men running the risk of being shown to be someone’s dad?


It's a great example if they want regulation in the industry. Showing how something can threaten powerful men's positions is a great way to get it buried in regulation or downright outlawed. In the US, we're lucky not enough of them understood the potential power of the internet until it was too late.


Not a biologist, but I'd imagine that's because we currently can answer "is this DNA likely the same as that other DNA" with some degree of reliability, but anything more (except for some very specific diseases) is still not quite here yet. I'd also imagine all this is changing very quickly.

Happy to be corrected by someone with actual knowledge of course.


It's along the same lines but DNA sequencing has very serious consequences in countries that have a history of strict filial piety such as China.

In these countries a family is not just the basis for raising children - families can often act as a sort of "corporation" where everyone is cooperating to enhance the wealth and future prospects of the group.

There was a lot of confusion around family relationships during WWII with the occupation of the Japanese and again after WWII with the Chinese Communist Revolution as children were adopted when their parents went missing or were killed in the war.

If people inside a family are found not to be related to one another there's a serious potential for the social fabric to start breaking down.


Widespread paternity testing will destroy the social fabric of China?

That's quite a stretch.


"destroy" might be an overstatement, but reproduction is _very_ important to people and changes in its dynamics have large ripple effects

look at birth control for an example


AFAIK, the family unit there is not so strictly around genetic lineage. I could adopt a child in with the intention of having him be my successor. He is my son then, without the genetic lineage.


Hell, in Japan at least they even do that adopting adults.

https://en.wikipedia.org/wiki/Japanese_adult_adoption


Yes, this is a very strange example in deed, feels like there are no better arguments (I'd go for the insurance or the Hitler cards personally.)


possibly celebrity (or otherwise) children being found to have been from the wrong father




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: