Long-Range Familial Searching Forensics

Good article on using long-range familial searching -- basically, DNA matching of distant relatives -- as a police forensics tool.

EDITED TO ADD (1/5): A smattering of papers on the topic.

Posted on January 2, 2019 at 9:29 AM • 19 Comments

Comments

de la BoetieJanuary 2, 2019 10:36 AM

The article didn't recognise the underhand familial matching that the UK police and Home Office were sometimes doing back prior to 2009. 4.5+M DNA records (out of a population of 60 odd million) were held indefinitely by police, including for those arrested but not charged, and also witnesses. Since a significant proportion of the population had been "done" in an unlawful way, it started to achieve their objective of having everyone effectively on the DNAD without public consent or law.

In 2008, this uncontrolled collection & retention was found to be illegal in a damning unanimous judgement by the ECHR.

According to

https://www.gov.uk/government/statistics/national-dna-database-statistics

4,969,251 were on this database in 2018 for England and Wales.

AlanSJanuary 2, 2019 12:38 PM

Some more substantial writings on this topic:

The case for such searches using GEDMatch. They duck the key privacy issues:
--Greytak, Ellen, David H. Kaye, Bruce Budowle, CeCe Moore, and Steven L. Armentrout. Privacy and Genetic Genealogy Data. (Fulltext) Science 361 (August 31, 2018): 857.1-857.

Discussion. (Felix discusses the ECHR ruling referenced by e la Boetie in the post above):
--Suter, S.M. All in the Family: Privacy and DNA Familial Searching. (PDF) Harv J Law Technol 23 (January 1, 2010): 309–99.
--Ralph, Felix. Convictions through Kith and Kin: Legal, Policy and Ethical Issues in DNA Familial Matching and Genetic Metadata. (Fulltext) Current Issues in Criminal Justice 29 (March 1, 2018): 243–58.

Free full text access doesn't appear to be available for these yet. The first one makes a critical point that under current US law the "abandonment doctrine" means that there is little protection against DNA searches:

At genealogy Web sites, users voluntarily upload (that is, abandon) familial data into commercial databases. Whether they are aware that their data are subject to police collection is, legally, irrelevant. Notwithstanding the clarity of the law, it is questionable whether it is good social policy to consider the uploading of genealogic data the same as abandoning DNA in a public space.
--Berkman, Benjamin E., Wynter K. Miller, and Christine Grady. Is It Ethical to Use Genealogy Data to Solve Crimes? Annals of Internal Medicine 169, no. 5 (September 4, 2018): 333.
--Syndercombe Court, Denise. Forensic Genealogy: Some Serious Concerns. Forensic Science International: Genetics 36 (September 1, 2018): 203–4.

gordoJanuary 2, 2019 7:12 PM

The genomes are "out of the bag."

From the Felix article cited by AlanS:

While the scientific accuracy of DNA familial matching is accepted, it should not be assumed that this equates to accuracy at the investigative level.


[. . .]

In the US, a statistical analysis by Saks and Koehler (2005, p. 892) of 86 DNA exoneration cases found that 63 per cent of wrongful convictions were caused by forensic science testing errors and 27 per cent by false or misleading evidence by scientific experts. By expanding the size, scope, function and reach of the DNA database there is an increased risk of miscarriages of justice."

http://www.austlii.edu.au/au/journals/CICrimJust/2018/4.html

Clive RobinsonJanuary 3, 2019 1:41 AM

@ AlanS, gordo,

With regards,

    You can’t take even a perfect science and put it into the dysfunction that is our criminal justice system..

Don't ever make the mistake of thinking it's even close to a "perfect science" because it's not, not by a very long way.

Many years ago now I worked out there was a serious hole in the testing methodology that would enable people to polute or make fake DNA sample with relative ease.

As usuall I got the "don't kill the golden goose" treatment. Then an Australian researcher followed the same thinking process and all of a sudden it was big news...

Forensic labs are supposed to be independent of the investigating authorities. But as in all markets there is a dependency culture. If a lab is to stay in business it needs work, and there are only very limited sources of that. Therefore the various labs are chasing each other for the business. Which means that the labs have to make themselves attractive to the few sorces of income that there are.

In the UK where police funding has been striped back beyond the point where they are viable, police forces nolonger put out anywhere near as much work to the forensic labs as they used to.

Which means the labs are looking at implimenting the cheapest not the best testing techniques.

The way to make tests cheaper is to remove "defensive" steps. That is those that ensure the test has not be contaminated in various supposadly improbable ways.

However if you are looking to polute or make fake results these improbable ways are the way you would go about it as a first step.

So the testing in practice is not "perfect science" in anything other than wishful thinking.

In fact when you get to study it's history in forensics and strip off the hype, you see the improbable claims made about it at various points etc. It all suddenly starts to look not just incredibly gruby but down right dirty.

AlanS January 3, 2019 12:38 PM

@Clive

I have not read Murphy's book but from what I have read about it, I take that to be one of her main points.

Point taken about forensics labs. In Massachuessts a number of state chemists in crime labs have been found to been much more interersted in  recreational use of the samples they were testing than providing valid evidence for legal proceedings. Apparenetly there was next to no oversight of their work. As a result, over the last few years hundreds of  prosecutions have been tossed. 

I come at the genetics part from an interest in the use of medical tests for detection, prevention and prediction. Even when the process is much cleaner, it is far from a "perfect science". Many medical tests, genetic and otherwise, are really not that good. If you are going to take some of these tests you better have a grasp of concepts such analytical and clinical validity, test specificity and sensitivity, and clinical utility (many docs do not). There's a naive assumption on the part of many that knowing more is always a good thing that will inform better decision-making. The reality is that there are lots of pressures driving misinformed and unnecessary testing which in turn drives further poor-quality and often harmful clinical decisions. Genetic testing is becoming more problematic as companies like 23andMe are aggressively pushing DTC tests with TV ads etc. I think I may have even seen OTC kits in my local pharmacy. It's scary even before the clueless user uploads the results onto GEDMatch. 

Clive RobinsonJanuary 3, 2019 3:48 PM

@ AlanS,

Genetic testing is becoming more problematic as companies like 23andMe are aggressively pushing DTC tests with TV ads etc. I think I may have even seen OTC kits in my local pharmacy. It's scary even before the clueless user uploads the results onto GEDMatch.

Not being a person who would have Genetic Tests carried out for any reason (and actively discoraging others) a thought does occur...

Is there a gene or combination of genes such "clueless user uploads" have in common?

After all people search for blue eye and blond hair genes[1] amongst many others, which begs the question are there "gulibility" or "risk unapreciating" genes?

Maybe there is a "sufficient paranoia" gene. It's kind of wierd that as I get older the actions I would not do decades ago that marked me down in others eyes as "totaly paranoid" 1, have kept me out of trouble in that time and 2, appear increasingly normal these days...

Though I must admit the more I dig into DNA techniques the more worried I become. Because the potential in there for harm to society just increases year on year. Yet the scientists involved appear to have little or no consideration of this...

[1] Jokey as the search for "blue eyes and blond hair genes" sounds, there is serious investigatory research work that you don't hear about much. It is as dangerous if not more so as this familial genetic tracing. Put simply if you can identify genes for physical appearence you could make an "identikit" image from a DNA sample. If this becomes sufficiently accurate then it could be tied into "crowd facial recognition" systems that are becoming more and more prevalent.

Likewise the opposit may be possible in that an image of somebody could be turned back into DNA markers etc, though this appears a lot less likely currently.

gordoJanuary 3, 2019 7:44 PM

@ AlanS, Clive Robinson,

Though the below article doesn't talk about bio-printers and the title of our host's latest book, it's not far off.

DNA Testing Kits & The Security Risks in Digitized DNA
By Candice Lanier December 7, 2018

According to Peccoud Lab, which specializes in synthetic biology informatics at Colorado State University, Cyberbiosecurity is a specialty that deals with understanding and mitigating new biological security risks emerging at the interface between biosecurity and cybersecurity.


[. . .]

Researchers at the Center for the Study of Weapons of Mass Destruction at the National Defense University point out that both researchers and bio-industrial companies store and use genomic data on computers, local area networks and/or cloud services and transfer the data between users over email or other sharing technologies. Hence, it is “exposed at many touch points throughout their use to the risks and vulnerabilities common to cyberspace such as hacking, data theft, sabotage, and unauthorized access. In most cases, only minimal encryption or other cybersecurity safeguards are used to secure genomic data at these touch points in the information life cycle.”

https://www.bleepingcomputer.com/news/security/dna-testing-kits-and-the-security-risks-in-digitized-dna/

From the July 2018 paper at the last hyperlink in the above article (said paper can also be found here: https://wmdcenter.ndu.edu/Publications/Publication-View/Article/1569559/the-digitization-of-biology-understanding-the-new-risks-and-implications-for-go/ ):

Human Genomic Data

• As understanding of the human genome
advances, it may lower the bar to creation
of “precision maladies”, or engineered
agents that target individuals or
populations.
• Although privacy and biosecurity are
distinct issues which require different
solutions, both exist on a continuum of risk.
A breach of privacy could eventually lead
to a security concern depending on the
context.
...

That dynamic reminds me of what Mr. Schneier says regarding expertise in the cybersecurity realm:

An aphorism I often use in my talks is "expertise flows downhill: today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacking tools."

https://www.schneier.com/blog/archives/2018/12/massive_ad_frau.html

---

In sum, and to put it lightly, one could say that our collective lack of privacy hygiene leads to "unintended consequences" well beyond "the code."

War GeekJanuary 4, 2019 11:08 AM

Clearly, the rich will all start using personal incinerators for their trash just to make sure that junior still doesn't go to jail for whatever is flustering the little people.

albertJanuary 4, 2019 12:33 PM

Never underestimate the need for prosecutors to bump up their conviction rates. Familial DNA is just another tool in the toolbox. Once you got the DNA of the perp, you can drag family members into the case. Their database entries are already there, with their permission as a matter of record.

Someday soon, science will discover that criminality can be deduced from family genetic profiling. This is the Holy Grail of genetic forensics. Naturally, these huge databases will need AI systems to search and evaluate. If the computer says you're prone to criminal behavior, you'll be the first person of interest in the case.

. .. . .. --- ....

AJWMJanuary 4, 2019 12:48 PM

There's a naive assumption on the part of many that knowing more is always a good thing that will inform better decision-making.

Yeah. There's an old maxim in programming, "never test for an error condition you're not prepared to handle". While the wisdom of that is debatable, there's no question that in medicine, etc, there are a lot of tests done whose results, one way or the other, will have no effect on treatment. I routinely ask this of my doctor when she wants to add something to the battery of tests that I get annually.

It's refreshing that recently the recommendation for a PSA test for males over a certain age has been dropped, because said males are more likely to die of old age than any detected prostate cancer progresses to that point.

Another issue is that various forensic tests are inaccurate either because they throw out data (fingerprint matching is a big one here; many database searches compare few enough data points that false positives can and have occurred even between different individuals with the same name -- what a nightmare) or because they amplify trace signals to meaninglessness.

The latter is particularly relevant with DNA testing. It is now so sensitive that if you, say, shook hands with a perp and he later grasped a doorknob at the crime scene, investigators could pick up your DNA from that doorknob. The DNA replication (part of the testing process) multiplies everything.

It also applies to things like testing currency for cocaine (unless freshly minted, it probably has some) or sniffing for nitrates (explosives). If you walked across a newly fertilized lawn in the last day or so your shoes could set off the detectors.

AJWMJanuary 4, 2019 12:53 PM

Put simply if you can identify genes for physical appearence you could make an "identikit" image from a DNA sample. If this becomes sufficiently accurate then it could be tied into "crowd facial recognition" systems that are becoming more and more prevalent.

Not to make light of that real risk, but a DNA test won't tell you a thing about whether the subject uses hair dye or wears tinted contact lenses.

However, it can tell you things about face shape and skin tone.

Jonathan WilsonJanuary 4, 2019 3:30 PM

I wonder how easy it is for the police to get access to private DNA databases like the one created by Ancestry DNA and whether the people using these services know how their DNA may be used in the future...

DavidJanuary 5, 2019 4:35 AM

What happens if we get to the point that synthetic DNA can be placed at a crime scene? Police officers and politicians have track record of setting people up.

Jumping FrogJanuary 5, 2019 4:58 AM

I think Bruce's last blog post on the subject was How DNA Databases Violate Everyone's Privacy. I had caught an NPR article around that time on the subject, Easy DNA Identifications With Genealogy Databases Raise Privacy Concerns which said

In a paper published Thursday in the journal Science, the researchers projected that they could identify third cousins and more closely related relatives in more than 60 percent of people of European descent. (They chose this group because most people in their database have that ancestry.)...In another part of the study, the researchers went even further to see if they could do the same thing with other DNA databases. They were able to use their techniques to identify a supposedly anonymous woman whose DNA was stored in the 1,000 Genomes Project, a National Institutes of Health research database.
The NIH 1000 Genone Project caught my eye, since in 1993 I and other family members participated in a Johns Hopkins genetics study partially funded by the NIH. The partial government funding entitled the NIH to data and results of the study. Did any of this make its way into the 1000 genones (and is it really 1000 genomes or thousands or more or as many as they can collect?) I participated as a good deed to further medical science and was told that identities were protected by case file numbers, although if one had a case file number, the file could be opened and the name revealed. I forgot that no good deed goes unpunished. I may have posted on this previously, but I feel that JHU misrepresented by ommission the uses of data from the study, and I'm somewhat annoyed. I've inquired once or twice of JHU and NIH about the subject with no response. I sure they're just too busy doing science, as they wouldn't simply ignore requests for information from study participants. Also I don't recall reading any documents, but I'm sure I must have signed something when I participated.

Clive RobinsonJanuary 5, 2019 12:09 PM

@ David,

What happens if we get to the point that synthetic DNA can be placed at a crime scene?

You can already do it if you wish. It was what I was refering to above by "pollute the evidence".

Overly simply the way a DNA test starts is,

0, Biologicals are put on/in crime scene.
1, Swab a crime scene.
2, Take the swab sample and add the biologicals to enzymes that chop it up into short lengths.
3, Then jubject it to a replication process to make sufficient copies to make the following stages viable.

As noted above by @AJWM above,

It is now so sensitive that if you, say, shook hands with a perp and he later grasped a doorknob at the crime scene, investigators could pick up your DNA from that doorknob. The DNA replication (part of the testing process) multiplies everything.

So just having your DNA from a prepared surface (clean glass, soda can, etc) it can be added as is to a crime scene, a little relabling of swabs and your DNA turns up in a dent in the wall or table or other object that can be identified as having been at the scene of the crime in a way that makes it look like the DNA was left by you at the time.

We know this works but from a slightly different direction. A person ordering for a forensics lab went from "DNA free swabs" to "sterile swabs" because they were probably a lot less expensive and looked the same... Apparent they spent some time looking for a very clever "serial killer". Brfore they found the person who's DNA they were looking for working as a technician at the factory that made the swabs...

But you can go further. It is no secret how and with what stages 2&3 above are carried out and you can relatively easily obtain them. Further you could with a little care and undergrad level knowledge do the replication process to a sample of DNA you have got from somebody in the past.

Having made as much of the replicated parts as you think you need, you can spray it around a crime scene you have taken care not to leave your DNA at.

The forensics people attend the scene, they swab up (step 1) the replicated parts you have left all over the place. It goes through the replication process again and the fake signal just gets amplified yet again...

This idea is far from new and it's what I got told to "not kill the golden goose" over. As I said an australian researcher realised the same thing and published it back in 2003 and it was "big news" for a while (@Bruce our host bloged it at the time).

There are a number of way to stop this parts attack in that you can add an extra stage befor 2 where you filter the sample to remove any parts of DNA or raise a flag about the contamination. However this is an expensive step which takes up time amongst other resources. So is one of the first things that would get the chop in a cost cutting measure... After all apart from the lab who would know and they certainly are not going to tell...

But these days you don't even have to go that way. There are other things you can do... The actual DNA test results you see with those columns of blobs are images of the filtering process.

It works by using a conductive jell and drops of the solution containg replicated DNA parts are put in at one side of the plate and an electric voltage is applied for a period of time. The lighter the parts are the faster they travel through the jell, hence the individual bands are a whole load of parts of nearly the same weight.

The same process can be used to "harvest" DNA parts of the same weight... Thus with the image of somebodies DNA test you can build somebodies DNA profile from other DNA samples that have the same weights...

There are also other tricks where you can "build DNA" from parts that has been developed in more recent times. The state of the art a few years ago was building self replicating DNA...

So yes in theory you could build somebodies DNA just from having a copy of their DNA test results. However it would still be simpler to just build their profile from parts of several other peoples divided and replicated DNA...

https://www.schneier.com/blog/archives/2009/08/fabricating_dna.html#c388645

https://mobile.abc.net.au/news/2017-03-31/sacking-of-was-leading-dna-scientist-27-criminal-cases-in-doubt/8403618?pfmredir=sm

https://io9.gizmodo.com/5543843/scientists-create-artificial-life---synthetic-dna-that-can-self-replicate

https://www.iflscience.com/plants-and-animals/scientists-create-selfreplicating-molecules-to-explain-how-life-began/

vas pupJanuary 5, 2019 12:50 PM

@all:
"You can’t take even a perfect science and put it into the dysfunction that is our criminal justice system."
Yes, I agree. We should rename Department of Justice to Department of Law to better reflect on the status quo.
None of the single evidence: testimony of witness or victim including DNA or other scientific expertise could be taken as sufficient prove of guilt or otherwise.
Only constellation of ALL evidence could be and MUST be taken as source of verdict.
System is rigged to the core by plea bargain and confession as a crown of evidence.
There are multiple sources of false confession (read any book on forensic psychology). So, in good criminal justice system the task of prosecutors is to find the truth as close as possible which describes the crime - event in the past with all features which could not be changed by plea bargain or false confession, not to close the case.
That is the shortest way to disqualification of all prosecutorial side.
By the way, judge don't give a (bleep) on plea bargain and could reject it, but confession could not be erased.
Is it justice? You may do your own logical conclusion.

Burnt ToastJanuary 9, 2019 3:24 PM

Familial DNA presents a unique challenge to privacy and 4th amendment protections. The situation where a family member can share their DNA and by doing so expose other family members to identification is interesting. I've asked my family not to share their DNA info, but I can't actually prevent anyone. Maybe the easy fix would be to have a separate consent that says whether or not DNA data can be shared for such purposes as criminal investigations. Nobody should allow their DNA into any database until such time as privacy concerns can be addressed in law. That will be never, so basically, just don't share DNA info, and don't let family share it either. I'd bet in 20 years most children born in the U.S. will be DNA tested at birth. We may be the last generations to be able to exist with any DNA privacy, or the possibility of remaining anonymous, so long as we stay away from felony charges.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.