My dog ate my homework; CIA and DNA

When we talk about CIA in a security context, we are referring to Confidentiality, Integrity, and Availability. This article presents a nice overview with some examples of the terminology. While these terms may seem self-explanatory, let’s see how they work in practical terms.

When we think about confidentiality, we usually think that something will only be accessible by a select audience. Things like medical data and financial details are usually viewed as confidential. We don’t want just anyone to have access to this information. When it comes to integrity, we want our data to be accurate; think in terms of credit reports. Loss of data integrity can have important consequences. Availability rears its head when we don’t have a cell phone signal or wifi connection, or our ISP is experiencing difficulties.

What happens when the proverbial dog-eating-homework scenario plays out? Well, confidentiality is certainly enforced. No one is getting at that data, not even the intended recipient (the teacher). This is confidentiality at its worst. The integrity of the data is lost (digested, at least partially.). Some data recovery might be possible, but it is unlikely and I certainly wouldn’t want to try.  Of course, availability is zero so that is bad as well.

CIA for DNA?

How does CIA apply when it comes to DNA? DNA went from being unknown to being a key factor in identifying individuals and genetic characteristics. DNA can play a part in disease prediction. Currently, several companies offer to tell you about your ancestry via an analysis of your DNA. While this may seem like a good idea, there are some security considerations to bear in mind. This article points out one key issue.

You may have heard of HIPAA (Health Insurance Portability and Accountability Act). Perhaps the most noticeable result of this law is the fact that each year you have to fill out a new release form at your medical provider’s office, authorizing access to your medical information. In most cases, you have to give explicit permission for your spouse to have access to your data. If you don’t, even in an emergency, data may not be readily available to even family members. We appreciate this and it serves a good purpose. It prevents just anyone from getting private information about our health. The law sees to that.

DNA Can Be Used Against You

Unfortunately, DNA testing companies are NOT health care providers and as such are not covered by the law. They can share your information as they see fit. They aren’t obligated to take the same data protection precautions as medical providers. Like other keepers of personal data, the cloud is where many of these companies keep their data, and as such, it is subject to hackers and the same mistakes as have been the cause of many other data breaches.

As the article mentioned, even if you haven’t tested your DNA, your relatives may have tested theirs. This does provide a link to yours. Exposing your DNA even partially is a loss of confidentiality; it provides incorrect availability and thus is a problem.

This article on phenotyping discusses research into the use of DNA mapping to create the face of the person. If you think it is far off in the future to be able to do this, read this article. Not to sound like Chicken Little, but let’s follow this down the road a little into the future.

Deepfake software has become more available, better at what it does, and even progressing towards the ability to do a convincing job of recreating someone’s voice, saying things they never said. Bad guys have used this technology to scam one business out of a large sum of money by faking a voice well enough to convince a CEO to wire transfer money.

Is It Worth the Trouble?

As the ability to take DNA data and recreate a face improves and becomes more widespread, data breaches at DNA testing companies will give the bad guys the tools to recreate faces of potential identity theft victims. The New York Times article mentions the possible use of phenotyping to identify a perpetrator when DNA is found at a crime scene. While this is a positive use of the tech, the corruption of the tech is almost a certainty.

The takeaway that I see here is that as technology advances, it is certain that the bad guys will take advantage of it. The more information about us is out there, the more resources are available to use against us. Data correlation of leaked data from breaches allows a much more targeted attack. It also allows bad guys to pick targets more selectively. Future abuse of DNA data will probably facilitate identity theft. While I can understand the desire to learn about ancestors, entrusting the very essence of who we are to those who are not legally bound to protect it sounds risky at best. Even if they protect it beyond legal requirements, breaches happen. We need to understand that every time we give someone information about ourselves, we risk giving that data to everyone.