Proceedings on Privacy Enhancing Technologies 2015; 2015 (2):99–114

Mathias Humbert*, Kévin Huguenin, Joachim Hugonot, Erman Ayday, and Jean-Pierre Hubaux

De-anonymizing Genomic Databases UsingPhenotypic TraitsAbstract: People increasingly have their genomes se-quenced and some of them share their genomic data on-line. They do so for various purposes, including to findrelatives and to help advance genomic research. An indi-vidual’s genome carries very sensitive, private informa-tion such as its owner’s susceptibility to diseases, whichcould be used for discrimination. Therefore, genomicdatabases are often anonymized. However, an individ-ual’s genotype is also linked to visible phenotypic traits,such as eye or hair color, which can be used to re-identifyusers in anonymized public genomic databases, thusraising severe privacy issues. For instance, an adversarycan identify a target’s genome using known her pheno-typic traits and subsequently infer her susceptibility toAlzheimer’s disease. In this paper, we quantify, basedon various phenotypic traits, the extent of this threatin several scenarios by implementing de-anonymizationattacks on a genomic database of OpenSNP users se-quenced by 23andMe. Our experimental results showthat the proportion of correct matches reaches 23% witha supervised approach in a database of 50 participants.Our approach outperforms the baseline by a factor offour, in terms of the proportion of correct matches, inmost scenarios. We also evaluate the adversary’s abil-ity to predict individuals’ predisposition to Alzheimer’sdisease, and we observe that the inference error can behalved compared to the baseline. We also analyze theeffect of the number of known phenotypic traits on thesuccess rate of the attack. As progress is made in ge-nomic research, especially for genotype-phenotype asso-ciations, the threat presented in this paper will becomemore serious.

Keywords: Privacy; Genomics; De-anonymization;Graph matching

DOI 10.1515/popets-2015-0020Received 2015-02-15; revised 2015-04-23; accepted 2015-05-15.

*Corresponding Author: Mathias Humbert: EPFL,Lausanne, Switzerland, E-mail: mathias.humbert@epfl.chKévin Huguenin: LAAS-CNRS, Toulouse, France, E-mail:kevin.huguenin@laas.frJoachim Hugonot: EPFL, Lausanne, Switzerland, E-mail:joachim.hugonot@epfl.ch

1 IntroductionDue to the decreasing cost of genome sequencing,more and more people have their genotypes sequenced.The most popular direct-to-consumer service provider,23andMe,1 has already genotyped more than 800,000individuals’ DNA. This new availability of genomic datais paving the way for revolutionary medical progress.Among other benefits, access to genomic data en-ables personalized medicine (e.g., personal drug dosing)and early diagnosis of severe genetic diseases (such asAlzheimer’s or Parkinson’s). In order to help researchprogress (typically genome-wide association studies)and benefit from personalized treatment, a significantnumber of genotyped individuals share their genomicdata online (on platforms like OpenSNP2 [13] or Per-sonal Genome Project3 ) or on semi-public databases(e.g., at hospitals or national research institutions).

However, genomic data carries very sensitive infor-mation about its owner, such as a predisposition to cer-tain diseases, future physical conditions, and kinship,which could lead to discrimination or familial tragediesif it is not properly and securely handled [3, 37]. Thegenomic-privacy issue is exacerbated by the fact thatgenomic data is non-revocable and highly correlated be-tween close relatives [18]. As a consequence, whetherpublicly or semi-publicly disclosed, genomic data is of-ten shared without identifying information (e.g., name).However, it has been shown that quasi-identifying at-tributes (such as ZIP code, or birth date) can be usedin order to re-identify participants, notably in the Per-sonal Genome Project [34]. In this case, the backgroundknowledge (or auxiliary information) needed for the at-tack was obtained through voter lists. More recently, re-searchers have de-anonymized Y-chromosome short tan-

Erman Ayday: Bilkent University, Ankara, Turkey, E-mail:erman@cs.bilkent.edu.trJean-Pierre Hubaux: EPFL, Lausanne, Switzerland, E-mail: jean-pierre.hubaux@epfl.ch

1 https://www.23andme.com/2 https://opensnp.org3 http://www.personalgenomes.org/

De-anonymizing Genomic Databases Using Phenotypic Traits 100

dem repeats (STRs) by using (as auxiliary information)notably Y-chromosome genealogical websites that pro-vide the surname of male individuals corresponding tothe genomic data [14]. This attack relies upon the com-parison of Y-chromosome STRs that are currently notincluded in the genotypes provided by most direct-to-consumer genetic testing providers (such as 23andMe).

In this paper, we propose new de-anonymization at-tacks4 that make use of only the most common pieceof genomic information that is output today by ma-jor direct-to-consumer providers: the single nucleotidepolymorphims (SNPs). The attack relies upon the factthat our SNPs are intrinsically linked to our pheno-typic traits (such as eye color, blood type, or geneticdiseases) and that genomic research progress providesus with more information about these links. For in-stance, the relationship between SNPs and phenotypesis increasingly used in forensics for reconstructing facialcomposites from DNA information [7, 8].5 Therefore,if an adversary has access to phenotypic traits (e.g.,visible traits) of an identified individual, he can useknown correlations between phenotypic traits and ge-nomic data to identify the genotype of this individualin a genomic database and to infer other sensitive infor-mation (such as predispositions to severe diseases) byusing the de-anonymized genomic data, as illustrated inFigure 1. The adversary also has access to anonymizedgenotypes through a collaborative genome-sharing plat-form (such as the Personal Genome Project) and wantto de-anonymize them by relying upon phenotypic in-formation gathered on online social networks (OSNs).The matching between OSNs and genomic profiles is(even) easier if, for example, the ZIP code is availablewith the genomic profiles, thus enabling the OSN pro-files to be filtered before the matching attack. The ad-versary might also want to match different online iden-tities, e.g., OpenSNP profiles that contain genomic datawith PatientsLikeMe6 profiles that contain phenotypicinformation (mainly health condition, such as diseases).

4 These belong to identity tracing attacks in the categoriza-tion proposed by Erlich and Narayanan [10]. The novelty of theattack presented in this paper lies in the observed data (i.e.,phenotypic traits) and the considered probabilistic relationships(i.e., genotype-phenotype), as we describe below.5 Such techniques are used in practice; for instance the po-lice department of Columbia, SC, USA, recently released DNA-based facial composites generated with the Parabon Snapshot™DNA Phenotyping Service [31].6 https://www.patientslikeme.com/

e.g., risk of contracting Alzheimer’s disease

Phenotypic traits of the target(s) known to the adversary

DNA database obtained by the adversary

A G C

T C G

A G T

T C A

C G T

G C A

Fig. 1. Illustration of the identification attack: The adversaryidentifies the genotypes of a target individual from some of hervisible phenotypic traits and uses the de-anonymized genotype toinfer her susceptibility to Alzheimer’s disease.

More specifically, we study two de-anonymizationattacks: (i) the identification attack, where the adver-sary wants to identify the genotype (among multiplegenotypes) that corresponds to a given phenotype, and(ii) the perfect matching attack, where the adversarywants to match multiple phenotypes to their corre-sponding genotypes. We rely upon analytical tools formaximizing the matching likelihood in both attacks, andwe assume two types of background knowledge: one thatmakes use of existing genetic knowledge from the asso-ciation between SNPs and phenotypic traits (unsuper-vised approach), and another that learns the genomic-phenotypic statistical relationships from datasets con-taining both data types (i.e., genomic and phenotypic).Our experimental results show, with a database of 80participants, in the identification attack, a proportionof 13% correct matches in the supervised case, and 5%in the unsupervised case. These results constitute a sig-nificant improvement: they outperform the consideredbaseline by a factor of eight and three, respectively.When the database size decreases to 10, the attacksuccess increases to around 44% in the unsupervisedcase, and 52% in the supervised case. We also evaluatethe adversary’s ability to predict the predisposition toAlzheimer’s disease of the database participants. With10 participants, the average error of the adversary ishalved when using the identification attack.

In the perfect matching attack, the proportion ofcorrect matches is slightly better than in the identifica-tion attack: 16% in the supervised case and 8% in theunsupervised case. For a database of size 10, this pro-portion increases to 65% and 58%, respectively. Withthis size, the proportion of correct match is around

De-anonymizing Genomic Databases Using Phenotypic Traits 101

four times higher than the baseline for both supervisedand unsupervised approaches. We also evaluate the im-pact of the distinguishability between two individuals onthe success of the perfect matching attack. Our resultsclearly show that the more distinguishable two individ-uals are, the more likely their genomic (or phenotypic)data will be de-anonymized. This leads us to concludethat the threat on genomic privacy posed by our de-anonymization attacks will become even more seriousin the near future, when more SNP-trait associationinformation is discovered by genomic researchers, andavailable to the adversary. Finally, we propose variouscountermeasures for mitigating the performance of de-anonymization attacks against genomic databases.

The rest of the paper is organized as follows. InSection 2, we introduce the important concepts used inthe paper. In Section 3, we describe the system andadversarial model, including various examples of de-anonymization attacks. In Section 4, we present the an-alytical model and techniques that we will use for de-anonymizing genomic data. In Section 5, we thoroughlyevaluate the performance of the proposed attacks by re-lying upon real data. In Section 6, we suggest differentmechanisms for reducing the genomic-privacy risks. InSection 7, we summarize the related work, before con-cluding in Section 8.

2 BackgroundIn this section, we introduce relevant notions aboutgenotypes, phenotypes and their relationship, which willbe helpful for the understanding of the rest of the paper.

The human genome is encoded in double strandedDNA molecules consisting of two complementary poly-mer chains. Each chain consists of simple units callednucleotides. Each nucleotide is assigned a letter fromthe set {A,C,G,T}, and a human genome consists ofapproximately three billion pairs of letters.

Approximately 99.5% of any two individuals’genomes are exactly the same, and the remaining 0.5%is referred to as the genetic variation. The most com-mon genetic variant (position in the genome that holdsa nucleotide that varies between individuals) in the hu-man population is the single nucleotide polymorphism(SNP).

In general, there are two different alleles (nu-cleotides) observed at a given SNP position: (i) the ma-jor allele is the most frequently observed nucleotide, and(ii) the minor allele is the rare nucleotide. Thus, each

SNP is assigned a minor and a major allele frequency,among which the minor allele frequency is the smaller ofthe two. Furthermore, each SNP position includes twoalleles (i.e., two nucleotides) and everyone inherits oneallele of every SNP position from each of her parents.If an individual receives the same allele from both par-ents, her SNP is said to be homozygous. Her SNP ishomozygous major if it inherits two major alleles, andhomozygous minor if it inherits two minor alleles. If aSNP inherits a different allele from each parent’s SNP(one minor and one major), it is called heterozygous.

Today, there are approximately 50 million approved(by the research community) SNPs in the human pop-ulation [29] and each individual carries on average 4million variants (i.e., SNPs carrying at least one minorallele) out of this 50 million. DNA encodes the proteinssynthesized by an organism. As these proteins affect ourphysical appearance (e.g., Melanosomal proteins influ-ence the color of an individual’s skin), an individual’sDNA is linked to her phenotypic traits. Therefore, SNPshave a direct influence on our physical attributes (e.g.,hair color, eye color, blood type) but also on our predis-positions to various diseases. The fact that two monozy-gotic twins look almost alike provides clear evidenceof the influence of DNA on our physical (notably vis-ible) attributes. The relationship between genotype andphenotype is generally determined by association stud-ies over a population that is split into case and con-trol groups. Each SNP contributes to the disease sus-ceptibility (or physical attribute) in a different amountand the contribution amount of each SNP is determinedthrough these association studies. Furthermore, some ofthe SNPs contribute to the development of a disease,whereas some are protective. Note that environmentalfactors can have more influence than SNPs on the de-velopment of certain phenotypic traits, especially thosethat are related to diseases.

In the rest of the paper, we call genotype, respec-tively phenotype, the set (or vector) of SNPs, respec-tively of (phenotypic) traits. Also, we use the adjectivegenomic, respectively phenotypic, to mention anythingrelated to the genotype and the phenotype, respectively.

3 System and Adversarial ModelThe adversary is assumed to have access to two distinctdatasets: (i) a set G = {g1,g2, ...,gn} of genotypes ofn different individuals, where gi = (gi,1, . . . , gi,s) is avector containing the SNP values of individual i, with

De-anonymizing Genomic Databases Using Phenotypic Traits 102

gi,j = {0, 1, 2}7 and (ii) a set P = {p1,p2, ...,pm} ofphenotypes of m individuals, where pi = (pi,1, . . . , pi,t)is a vector containing the values of phenotypic traits ofi. Note that pi,j ∈ Pj , where Pj is the set of values traitj can take. For instance, if trait j represents eye color,we could have Pj = {“brown”,“blue”,“green”}. The ge-nomic dataset can be gathered online, on platforms suchas 1000 Genomes Project, the Personal Genome Project,OpenSNP, or be leaked to the adversary through a ma-jor security breach, e.g., of a medical database. The phe-notypic traits can be collected online, via online socialnetworks (OSNs) (e.g., Facebook, PatientsLikeMe), orby having access to medical databases, or even by learn-ing about them in real life. Not all participants haveall their s SNP values known, or all t traits accessible.We consider the general problem where some auxiliaryinformation is provided possibly with the phenotypicdata (e.g., name), and some other auxiliary informa-tion goes potentially with the genomic data (e.g., ZIPcode). These auxiliary sets are assumed to be disjoint,thus are not used for matching both datasets. Therefore,in order to learn more information about the partici-pants in these separate databases (e.g., de-anonymizethe genomic data), the adversary seeks to link the ge-nomic dataset with the phenotypic dataset by relyingonly upon the genomic-phenotypic statistical relation-ships.

This system and adversarial model enable us to rep-resent various attack scenarios. For instance, this modelcan represent a curious entity (e.g., an insurer) whowants to identify the genotype of a targeted individualin a database, knowing some of his phenotypic traits(e.g., gathered on an OSN), in which case m = 1. It canalso model a curious entity that has access to a datasetof anonymized genotypes online indicating some risks tocertain severe diseases and who wants to know to whomthey belong in order to discriminate them (access to in-surance, or price of premiums). It can also represent thesituation of a curious person (e.g., an hospital IT staff)who has access to a database with patients’ diseases andanother database with patients’ anonymized genomes,and who wants to de-anonymize these genomes. It canalso be that the adversary has access to an identifiedgenotype on OpenSNP and wants to use it to iden-tify the corresponding user on PatientsLikeMe (wherepotentially all medical conditions, their evolution and

7 the value 0 represents a homozygous major SNP (e.g., AA),1 a heterozygous SNP (AT), and 2 a homozygous minor SNP(TT).

treatments are available). Note that the adversary canuse side information such as the individuals’ ZIP code orthe age to narrow down the set of possible individuals inthe genomic database; this would result into, typically,a few hundreds of individuals at most. Another possibleattack (not considered in this paper), which relies on thesame line of reasoning as the aforementioned attacks, isto directly infer a individual’s genotype based on someof her phenotypic traits and on the genotype-phenotyperelationships.

In this work, we consider two types of backgroundknowledge available to the attacker for linking the ge-nomic and phenotypic datasets. In the first model, weassume the adversary to have access to a genomic knowl-edge database that stores information about the rela-tions between genomic and phenotypic data (e.g., SNPe-dia8 ). Such databases typically depict qualitative rela-tionships between SNPs and phenotypic traits. In thesecond model, we consider a stronger adversary whohas access to population statistics about the genomic-phenotypic relations. This represents the scenario wherethe adversary can construct his knowledge from an ex-isting dataset that contains both genomic and pheno-typic data about participants. The former model willbe referred to as the unsupervised approach, whereasthe latter model will be referred to as the supervisedapproach. Note finally that population allele frequen-cies of SNPs are publicly accessible, thus are also partof the background knowledge.

4 De-anonymization AttacksWe present here in detail the formalization of two de-anonymization attacks. First, assuming the adversaryknows the phenotypic traits of a targeted individual, itwants to identify the target’s genotype among n othergenotypes in a dataset. We refer to this as the identifica-tion attack. Second, assuming the adversary has accessto one genomic and one phenotypic dataset containingthe same n individuals, it wants to match genotypes totheir corresponding phenotypes. We refer to this as theperfect matching attack.

In the identification attack, the adversary needs torank the n genotypes it has access to by decreasing valueof the phenotype likelihood given each possible geno-type. If k ≤ t traits of target x are observed, and if the

8 http://www.snpedia.com/

De-anonymizing Genomic Databases Using Phenotypic Traits 103

number of SNPs j available in the n genotypes vary be-tween 1 and s, the adversary chooses the genotype githat maximizes the following likelihood:

P(px |gi) = P(px,1, . . . , px,k | gi,1, . . . , gi,j) , (1)

where 1 ≤ j ≤ s. Under reasonable assumptions, thislikelihood can be simplified as follows:

P(px,1, . . . , px,k | gi,1, . . . , gi,j) 'k∏l=1

P(px,l | gi,1, . . . , gi,j)

=k∏l=1

P(px,l | {gi,r}r∈Rl)

'k∏l=1

∏r∈Rl

P(px,l | gi,r),(2)

where Rl is the set of SNPs that are relevant to traitl. The first equality in (2) is an approximation that fol-lows from the conditional independence between phe-notypic traits given the genotype.9 The second equal-ity comes from the independence between the traitsand the SNPs that do not affect these traits; and thelast equality is an approximation. This approximationis made essentially because the relationships betweentraits and genotypes are provided on SNPedia in sin-gle SNP-single trait combinations, like P(px,l | gi,r). Wekeep the same conditional probabilities in the super-vised case for consistency and efficiency in the learningphase. We intend to learn the exact conditional prob-abilities P(px,l | {gi,r}r∈Rl) in a supervised approach infuture work.

Note that, in case a relevant SNP gi,r is missing insome of the n genotypes, the probability P(px,l | gi,r)then becomes P(px,l). The prior probability of the phe-notypic trait can be computed by relying upon the lawof total probability:

P(px,l) =∑

∀gi,r∈{0,1,2}

P(px,l | gi,r) P(gi,r), (3)

where P(gi,r) is provided by public population statis-tics. Note that in (3), for presentation simplicity, weconsidered the case where only one SNP is relevant tothe phenotypic trait. The formula generalizes straight-forwardly to more relevant SNPs.

In the perfect matching attack, the goal of the ad-versary is to assign precisely one genotype to one phe-notype, such that the resulting n assignments maximize

9 Note that we make the assumption that the environment doesnot create dependencies between traits.

w1,2 := logP(p2 |g1) = logt∏

l=1

∏

r∈Rl

P(p2,l | g1,r)

G1g1

G2g2

...

Gngn

P1p1

P2p2

...

Pn pn

w1,1

w1,n

w2,1w2,2

w2,n

w n,1

wn,2 wn,n

Fig. 2. Complete weighted bipartite graph with n vertices on thelefthand side representing the individuals’ genotypes and n othervertices on the righthand side representing their phenotypes. Theweight wi,j is the log-likelihood of phenotype pj given genotypegi.

the product of the likelihoods∏ni=1 P

(pσ(i) |gi

)over all

n! assignments σ between size-n sets G and P. Hence,the assignment σ∗ that maximizes likelihood is

σ∗ = arg maxσ

n∏i=1

t∏l=1

∏r∈Rl

P(pσ(i),l | gi,r

). (4)

Simply put, this problem is finding a perfect matchingon a weighted bipartite graph, with n vertices on oneside representing the n different genotypes, and n ver-tices on the other side representing the n phenotypes, asshown in Figure 2. A weight is assigned to every edge ofthe complete bipartite graph. We define the weight wi,jbetween a genotype vertex Gi and a phenotype vertexPj as the log-likelihood between between genotype giand phenotype pj :

wi,j := log P(pj |gi) = logt∏l=1

∏r∈Rl

P(pj,l | gi,r), (5)

and we solve the following optimization problem:

σ∗ = arg maxσ

n∑i=1

wi,σ(i) (6)

= arg maxσ

n∑i=1

logt∏l=1

∏r∈Rl

P(pσ(i),l | gi,r

)(7)

= arg maxσ

logn∏i=1

t∏l=1

∏r∈Rl

P(pσ(i),l | gi,r

)(8)

The formulation in (8) enables us to maximize thesum of the weights instead of their product. Many exist-ing algorithms can find the solution to this optimization

De-anonymizing Genomic Databases Using Phenotypic Traits 104

problem in polynomial time. Here we use the blossomalgorithm that finds the maximum weight assignmentin O(n3) [11]. We choose this algorithm because it hasthe smallest complexity and it can be applied to gen-eral graphs. The construction of the bipartite graph, i.e.,computation of its weights, takes O(tn2), given that thenumber of relevant SNPs per phenotypic trait is con-stant. Finally, as the logarithmic function is monoti-cally increasing, the optimal assignment σ∗ derived in(8) must be the same as the one in (4). Note that maxi-mum weight assignment algorithms have also been usedin different contexts, such as the de-anonymization oflocation traces [32] and of users of anonymous commu-nications [35].

Note that, in the case the set of phenotypic traitsor SNPs disclosed by individuals is not the same, wesimply assign a constant c to the conditional probabilityP(pj,l | gi,r) of those whose SNP r or trait l is unknown.This will not change the assignment as this constant willbe present in the weights of the n edges connected tothe genotype vertex Gi (if SNP r is missing) or to thephenotype vertex Pj (if trait l is missing).

We quantify the success of our attacks with differ-ent metrics. The proportion of pairs correctly matchedreflects the correctness of the de-anonymization attacksin general. In the identification attack target at individ-ual j, the proportion of correct matches is equal to 1 if

j = arg maxi

P(pj |gi) (9)

and 0 otherwise. In the perfect matching attack, we mea-sure the proportion of correct matches, i.e. the ratio be-tween the number of pairs correctly matched (i.e., whereσ∗(i) = i), and the total number of matched pairs n.

In the identification attack, we also evaluate the er-ror of the adversary that tries to infer the susceptibilityto a certain disease d. To do so, we compute the aver-age distance between the actual value of the SNPs ofthe individual j and the SNP values of the individual ithat most likely matches the phenotype. We sum overall SNPs that contribute to disease d (whose indices arein set D), and normalize by the number of such SNPscontributing to d and by the maximum L1 distance be-tween two SNPs (which is equal to 2):

12 |D|

∑k∈D

‖gi,k − gj,k‖1 (10)

Note that if the target’s phenotype is correctly mappedto the corresponding genotype, the error is null.

5 EvaluationIn this section, we report on our data-driven evaluationof the de-anonymization attacks presented in the previ-ous section. First, we describe our dataset (its collection,processing and statistics), then we present and analyzethe results of our evaluation.

5.1 Dataset Collection and Processing

In order to evaluate the success of the de-anonymizationattack presented in the previous section, we collecteda dataset of genomic-phenotypic data from OpenSNPin late 2014. OpenSNP is an online platform whereusers can upload their raw genotype data obtained fromdirect-to-consumer genetic testing companies such as23andMe and FTDNA. Together with their genotypes,users can share the values of some of their phenotypictraits. Although the different traits are specified byOpenSNP (e.g., eye color), the value of the traits aremanually specified by the users in free-text. We down-loaded a raw dump of OpenSNP genomic-phenotypicdata in October 2014. We filtered out bogus data (e.g.,duplicated, corrupted, empty genotype or phenotype)and, for the sake of homogeneity, we focused on the ge-nomic data obtained from 23andMe. This left us withthe data of 818 individual users out of 1137 entries inthe raw dump. Note that for some users, the values ofsome SNPs and phenotypic traits are not known; thisis because some SNPs are not tested by 23andMe andbecause users specify only a subset of the phenotypictraits that appear on OpenSNP.

To obtain statistical association data between SNPsand phenotypic traits, which is used to assign thegenotype-phenotype compatibility scores {wi,j} to theedges of the bipartite graph, we followed two differ-ent approaches: (1) an unsupervised approach in whichonly qualitative association data, such as (rs7495174:AG, “blue eyes more likely”), is available, typically fromknowledge databases populated by experts, and (2) asupervised approach in which the SNP-trait associa-tions are learned from existing annotated datasets inthe form of aggregated statistics such as the propor-tion of individuals with brown eyes and a value CCfor SNP rs8028689. In the unsupervised approach, de-scribed in Section 5.2.1, we relied on the qualitative as-sociation data from SNPedia, based on which we defineprobabilistic association models for the relevant SNP-trait pairs (according to SNPedia). In the supervised

De-anonymizing Genomic Databases Using Phenotypic Traits 105

approach, described in Section 5.2.2, we computed theassociation statistics on a subset of the annotated Open-SNP data, but only for the SNP-trait pairs noted asrelevant on SNPedia. We also collected from SNPediageneral information about the distribution of the SNPvalues, for the considered SNPs, across the world pop-ulation. This information is used as prior distributionin the identification attack when a SNP value is notspecified (see Formula 3).

Based on the list of SNPs tested by 23andMe, thelist of traits specified on OpenSNP (and the propor-tion of users who specified a value for these traits) andthe association data available on SNPedia, we narroweddown the sets of SNPs and traits considered in our eval-uation. In the unsupervised case, we obtained a list of8 phenotypic traits (deriving from 6 high-level Open-SNP traits, e.g., the “group O”, “group AB or B” and“rhesus” traits all deriving from the blood type) with21 associated SNPs and the form of the sexual chromo-somes (i.e., XX or XY). In the supervised case, as wedo not need qualitative association information (whichare learned from the data—we only use relevance asso-ciation information), we considered another 4 traits and14 additional SNPs. The complete list of the traits andSNPs we considered is given in Table 1.

As on OpenSNP the values of the phenotypic traitsare provided by the users in free-text, the phenotypicdata had consistency issues (e.g., due to the use of dif-ferent capitalization schemes) and subjectivity issues.For instance, the variety of eye colors was quite highin our dataset, with more than fifty distinct values, in-cluding very precise information such as “green withamber burst and gray outer ring”. In addition, some ofthe phenotypic values used on OpenSNP differed fromthose used on SNPedia. Therefore, we manually trans-lated each possible phenotypic value from OpenSNP toone of the values used on SNPedia, thus narrowing downthe set of possible values and reducing the subjectivityof the provided information. Figure 3 shows, in the formof pie charts, the distribution of some of the phenotypicvalues across our final dataset.

To build our final dataset, we further screened theusers based on the following criteria: At least 75% of thephenotypic traits and SNPs considered in the unsuper-vised case are specified,11 the SNPs associated with thesusceptibility to Alzheimer’s disease are specified (i.e.,

10 according to Fitzpatrick’s scale (see https://en.wikipedia.org/wiki/Fitzpatrick_scale).11 by specified, we mean specified with a valid value.

rs7412 and rs429358), no two users have the same ge-nomic or phenotypic information across all the consid-ered SNPs and traits. The reason behind the last crite-rion is that two individuals with the exact same genomicor phenotypic values cannot be distinguished from eachother based on the considered SNPs and traits. Notethat when the number of considered SNPs and traitsincreases, so does the uniqueness of the individuals.12

There exist more than one set of individuals that sat-isfy these criteria, as an individual can be replaced withanother individual with the same genomic informationbut different phenotypic information (and vice versa).Therefore, we considered such 20 distinct subsets (of80 individuals)–totaling 94 unique individuals; in ourevaluation, we present the results aggregated over thedifferent subsets.

5.2 Experimental Settings and Results

We evaluate the different de-anonymization attacks de-scribed in Section 4 in various scenarios, both with anunsupervised and a supervised approach for learningthe SNP-trait associations. To do so, we implementedthe aforementioned attacks in Python; for the graphmaximum-weight matching algorithm, we made use ofthe implementation from the NetworkX13 library. Wequantify the success of the attack with respect to thetwo following metrics: (1) the proportion of correctlyidentified individuals and (2) the accuracy of the sus-ceptibility score (wrt. Alzheimer’s disease) computedfrom the genotypes matched to the individual’s phe-notype (in the identification attack). Note that for thesusceptibility metric, we focus on Alzheimer’s diseaseand SNPs rs7412 and rs429358 that significantly af-fect an individual’s chance of having Alzheimer’s by theage of 80 [18].

5.2.1 Unsupervised Case

Based on the qualitative association information ob-tained from SNPedia, we define a probabilistic model

12 To build our dataset, we removed only 14 individuals foruniqueness reasons (most of the removed individuals were sobecause they specified too few SNPs/phenotypes). Keeping suchduplicates in our dataset would slightly degrade the performanceof the attacks. Note that, as the number of SNPs/phenotypesincreases, profiles will become unique.13 https://networkx.github.io/

De-anonymizing Genomic Databases Using Phenotypic Traits 106

(a) Sex (b) Eye color (c) Blood type (d) Earwax type (e) Skin color*

Fig. 3. Distribution of some of the phenotypic values for the considered traits in our final dataset. Traits marked with a ’*’ are consid-ered only in the supervised case.

for the SNP-trait compatibility scores (representing theconditional probabilities of traits given SNPs). Table 2(see page 114) shows sample probabilistic associationmodels. We first distinguish between the associationsthat are (quasi-)deterministic, specifically those relatedto the sex and the blood types and those that are non-deterministic (i.e., for which the genotype influences thephenotype but not with certainty). For the determinis-tic associations, we introduce a parameter α (close to1; α = 1− 10−6 in our evaluation) and we set the com-patibility score to α for the correct SNP-trait associa-tion and 1 − α for the incorrect ones.14 For instanceP(“male” |XY) = α and P(“male” |XX) = 1 − α (seeTable 2a, page 114 for the example of blood type). If noassociation information about a specific SNP value-traitvalue pair is provided, we use a uniform distribution. Forexample, we can see in Table 2a that, if SNP rs505922has value CT, it does not affect the blood type accord-ing to the association information available on SNPe-dia. For the non-deterministic associations, we sort thek possible values and we use a geometric scale (thatbecomes linear by using the log-likelihood) to translatethe qualitative scale into a quantitative one: We set thecompatibility score to βk for the most compatible valueof the trait, β2

k for the second most compatible valueand βkk for the less compatible value, where βk is thesolution of the equation x + x2 + · · · + xk = 1 as thescores must sum to 1 (see Table 2b, page 114).

5.2.2 Supervised Case

In the supervised case, we build the SNP-trait associ-ation models based on the data (we estimate the con-

14 We need all the probabilities to be non-zero for algorithmicreasons.

ditional probabilities on the entire dataset, i.e., the 94unique individuals, as the dataset is too small to per-form a proper cross-validation). For each SNP-trait pairlisted in Table 1, we set the compatibility scores to theproportions observed in our dataset. For instance, in thecase “O” vs. “Not O” blood type trait, we compute theproportion of individuals with SNP value CC for theSNP rs505922 who have a blood type “O”. By doingso, we build matrices of compatibility scores with thesame format as in the unsupervised case. The rest ofthe identification/perfect matching attack is the samein the unsupervised and supervised cases.

5.2.3 Results

We first look at the success of an identification attackthat targets a single phenotype in a genomic databasecomposed of multiple genotypes (at most 80, i.e., thesize of our subsets of distinct individuals). This scenariocorresponds to the case where an adversary knows thatthe genotype of a specific individual (whose traits arepartially known to the adversary) is present in a givenpublic database; and the adversary tries to identify thegenotype of the targeted individual. In this experiment,we assume that all the phenotypic traits of the targetedindividual are known to the adversary—the effect of thenumber of known traits is analyzed in a different ex-periment described below. We evaluate the success ofthe adversary for different values of the size of the ge-nomic database, and we show the results, aggregatedover all the individuals from the 20 subsets, in Figure 4.It can be observed that, unsurprisingly, the supervisedapproach achieves better results than the unsupervisedapproach, and also that the more genotypes there are,the higher the correct-match ratio between the super-vised and unsupervised approach is. Indeed, when n in-creases, the proportion of correct matches in the super-

De-anonymizing Genomic Databases Using Phenotypic Traits 107

vised approach is more than twice as high (i.e., twice asbad, in terms of privacy) as the one in the unsupervisedapproach. For instance, for a database of 80 genomes,the proportion of correct matches is around 13% in thesupervised case vs. 5% in the unsupervised case. In or-der to gain insight on the performance of the attack onlarger databases, we ran experiments with n=210 (thiswas made possible by lowering the admission thresholdto 55% of specified SNPs/phenotypes, to the detrimentof the quality of the data); we obtained a proportionof 5.2% of correct matches for the identification attackin the supervised case. Overall, the performance of theidentification attack is relatively high, in absolute val-ues and compared to a simple baseline that picks uni-formly at random among the individuals of the samesex: The proportion of correct matches of this baselineis 1.6%. We chose this baseline as it is the straight-forward genomic-oblivious approach: Once the adver-sary has ruled out the genotypes that do not match thetarget’s sex, it has no further information to discrim-inate the remaining genotypes. For a database size of10 (which corresponds, for instance, to a scenario wherean adversary tries to identify the genotype of an indi-vidual among DNA samples collected in a room), theproportion of correct matches is around 44% in the un-supervised case (52% in the supervised case), whereasthe baseline only achieves 13% of correct matches. Notethat the results are relatively high in the unsupervisedcase, despite the fact that it relies solely on rough asso-ciation data provided by the SNPedia knowledge base.The result of this approach outperforms by more thanthree times the baseline and the performance of the su-pervised approach is four times better than the base-line. Our non-optimized implementation of the perfect-matching attack took 2.7 seconds (on average) to com-plete on a high-end laptop for n = 80.

For the susceptibility score of Alzheimer’s disease,the baseline score consists in the expected distance be-tween the actual values of SNPs rs7412 and rs429358 ofthe target and the probabilistic distribution of these twoSNPs computed over the same gender population as thetarget. For a database of size 10, the inaccuracy of thesusceptibility score is divided by two between the base-line and our identification attack (dropping from 16%to 8% in the unsupervised case, and from 15% to 7%).This demonstrates that the identification attack can besuccessfully used to infer private information from anindividual’s (identified) genotype, especially with smallgenomic databases for which the proportions of correctmatches are relatively high.

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Pro

p. of

corr

ect

mat

ch [

%]

# of genotypes

all traitsbaseline (sex)

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Acc

ura

cy o

f th

e sc

ore

[%

]

# of genotypes

all traitsbaseline (prob.)

(a) unsupervised

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Pro

p. of

corr

ect

mat

ch [

%]

# of genotypes

all traitsbaseline (sex)

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Acc

ura

cy o

f th

e sc

ore

[%

]

# of genotypes

all traitsbaseline (prob.)

(b) supervised

Fig. 4. Performance of the identification attack for a single indi-vidual in a genomic database in the (a) unsupervised and (b) su-pervised cases, with respect to the proportion of correct matches(left) and the accuracy of the susceptibility score for Alzheimer’sdisease (right). The size of the database varies from 1 to 80.

In the case of an identification attack that targets asingle phenotype, the genotypes in the database can besorted by decreasing order of likelihood. The matchedgenotype is the first in the sorted list. To gain insightinto the performance of the identification attack, welook at the rank of the target individual’s genotype inthe sorted list, for different values of the size of the ge-nomic database. The experimental probability densityfunction and the cumulative distribution function of therank are depicted in Figure 5, for different sizes of thegenomic database (i.e., {10,20,40}). It can be observedthat in the cases where the target individual’s genotypeis not in first position, which corresponds to an incor-rect match, it often appears at the very beginning of thesorted list of genotypes. For example, in the supervisedcase with a genomic database of size 20, the target indi-vidual’s genotype appears in the first 2 elements of thelist in 65% of the cases and in the first 5 (out of 20) in86% of the cases. Again, the results are better in the su-pervised case, especially when the number of genotypesincrease.

We now consider the perfect matching attack inwhich the adversary tries to match n genotypes to n

phenotypes. We first look at the success of the attack interms of the number of phenotypes that are matched tothe correct genotypes for different sizes of the genomic-phenotypic database (as in Figure 4), and we show the

De-anonymizing Genomic Databases Using Phenotypic Traits 108

0

20

40

60

80

100

2 4 6 8 10

Pro

po

rtio

n [

%]

Rank

10 genotypes

5 10 15 20

Rank

20 genotypes

PDFCDF

5 10 15 20 25 30 35 40

Rank

40 genotypes

PDFCDF

(a) unsupervised

0

20

40

60

80

100

2 4 6 8 10

Pro

po

rtio

n [

%]

Rank

10 genotypes

5 10 15 20

Rank

20 genotypes

PDFCDF

5 10 15 20 25 30 35 40

Rank

40 genotypes

PDFCDF

(b) supervised

Fig. 5. Rank of the target individual’s genotype in the list ofgenotypes of size {10,20,40}, sorted by decreasing order of com-patibility in the (a) unsupervised and (b) supervised cases.

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Pro

p.

of

corr

ect

mat

ch [

%]

# genotypes/phenotypes

all traits

(a) unsupervised

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Pro

p.

of

corr

ect

mat

ch [

%]

# genotypes/phenotypes

all traits

(b) supervised

Fig. 6. Performance of the perfect-matching attack for the geno-types/phenotypes of 2 to 80 individuals in the (a) unsupervisedand (b) supervised cases, with respect to the proportion of cor-rect matches.

results in Figure 6. It can be observed that the per-formance is very similar to the one of the identifica-tion attack, with an even slightly higher proportionof correct matches. For instance, for databases of 80genomes/phenotypes, the proportion of correct matchesis around 16% in the supervised case vs. 8% in the unsu-pervised case. For a database size of 10, the proportionof correct matches is around 58% in the unsupervisedcase (65% in the supervised case). We see here, too,that the supervised approach outperforms the unsuper-vised attack, and we note that the more participantsthere are in the databases, the higher the success ratio(which tends to 2 when n increases) between the two ap-proaches is. This means that the more participants thereare in both databases, the more relevant and helpful isthe supervised approach.

We now look at the effect of the level of knowledgeof the adversary about the target individual (numberof phenotypic traits known) on the performance of theperfect matching attack. To do so, we sort the differentphenotypic traits by increasing “levels of intimacy”. Byintimacy, we mean the closeness between the adversaryand the targeted individuals needed for the adversaryto know a specific trait of the target. For instance, thesex of an individual is often common knowledge, whilethe earwax type is very intimate information. The eyecolor and the hair type and color also require a lowlevel of intimacy as they can be observed on a picture,posted on a online social network for instance. We sortthe different traits by increasing levels of intimacy asshown in Table 1. We acknowledge the fact that thisordering is somewhat arbitrary and arguable; however,it is needed to represent the knowledge of the adver-sary as a one-dimensional variable. We plot the results,in the form of boxplots showing the first, second (i.e.,median) and third quartiles as well as the confidence in-tervals and the average (red solid line), in Figure 7, fora genomic-phenotypic database of 10 individuals. Thelabels on the x-axis are cumulative: the label “Skin”means that the adversary knows the sex and the skincolor of the target individuals. Note that in the unsu-pervised case, some of the traits are not used. It can beobserved that the performance increases with the ad-versary’s level of knowledge. We also notice that (quasi-)deterministic traits (e.g., blood type) provide substan-tial improvements in the proportion of correct matches.In the supervised case, the adversary achieves a perfor-mance of almost 40% success with only visible pheno-typic traits that can be observed on a picture. The smalldecreases in performance in the unsupervised case arecaused by the noise in our dataset and the limited reli-able association information available on SNPedia. Fi-nally, we note that in both unsupervised and supervisedapproaches, the proportion of correct matches with allphenotypes is around four times higher than the propor-tion with the sex information only (which constitutes abaseline).

Finally, we analyze the distinguishability betweenindividuals and its effect on the performance of the at-tack. To do so, we introduce the notion of dissimilar-ity between any two individuals. We express this dis-similarity as the minimum value between the Hammingdistance on the phenotypes of the individuals and theHamming distance on their genotypes. As there arefewer phenotypic traits than SNPs, this metric mostoften represents the dissimilarity between two pheno-types. Figure 8 shows how the proportion of correct

De-anonymizing Genomic Databases Using Phenotypic Traits 109

0

20

40

60

80

100

SexSkin

Hair color + type

Eye color

Freckling + tan

Lactose int. + asthma

Blood type

Earwax type

Pro

p. of

corr

ect

mat

ch [

%]

Phenotypic information

unsupervised, n=10

(a) unsupervised

0

20

40

60

80

100

SexSkin

Hair color + type

Eye color

Freckling + tan

Lactose int. + asthma

Blood type

Earwax type

Pro

p. of

corr

ect

mat

ch [

%]

Phenotypic information

supervised, n=10

(b) supervised

Fig. 7. Performance of the perfect-matching attack for the geno-types/phenotypes of 10 individuals vs. the level of phenotypicknowledge of the adversary about the target individual in the(a) unsupervised and (b) supervised cases, with respect to theproportion of correct matches.

matches evolves with the dissimilarity (distance) be-tween two individuals. We clearly notice that the lesssimilar two individuals are, the more likely they areto be de-anonymized correctly. This means that thegenomic-privacy situation will be worsened if the adver-sary considers more traits and SNPs. Note that, whendistance is 1, we get 100% correct matches in the su-pervised case because of the small number of samples inour dataset (only a few pair samples have a distance of1, compared to thousands for higher distances).

Our results demonstrate the serious de-anonymization threat currently posed to individualssharing their SNPs in genomic databases. Our identi-fication and perfect matching attacks outperform thegenomic-oblivious baselines by three to four times.Our evaluation also brings up an important pointthat is that the more distinguishable (genetically orphenotypically) two individuals are, the more likelythey are to be de-anonymized. This clearly means thatthe more SNP-trait associations there are, the moresuccessful will the de-anonymization attacks will be.And it is very likely that, with the progress of genomicresearch, knowledge databases like SNPedia will growin size and precision, thus enabling successful attacksagainst larger databases.

5.3 Limitations

The purpose of our evaluation is to assess the poten-tial of the attacks described in the paper. Although theresults provided in the previous section are sufficientto demonstrate that the threat is real, our evaluation

0

20

40

60

80

100

1 2 3 4 5 6 7 8 9

Pro

po

rtio

n [

%]

Distance

(a) unsupervised

0

20

40

60

80

100

1 2 3 4 5 6 7 8 9 10 11 12 13 14

Pro

po

rtio

n [

%]

Distance

(b) supervised

Fig. 8. Performance of the perfect-matching attack with thegenotypes/phenotypes of two individuals vs. the distance (or dis-similarity) between these two individuals in the (a) unsupervisedand (b) supervised case, with respect to the proportion of cor-rect matches. The stairstep lines represent the proportion of pairsof individuals (in our dataset) with a given distance. The super-vised approach contains higher distance between two individualsbecause it considers more traits than the unsupervised one.

and our datasets still have some limitations that we dis-cuss below. A first limitation is the limited size of ourdataset (although the size of the dataset used in ourevaluation corresponds to practical attack scenarios),which is caused by the low quality of the OpenSNPdataset in terms of the proportion of specified pheno-typic traits. As part of future work, we intend to col-lect larger datasets and perform further experiments onthem. Another limitation is the fact that, in our su-pervised approach, we estimated the conditional prob-abilities on the entire dataset. The main reason for thisis that splitting the dataset into training and testingsets would have further reduced the number n of geno-types/phenotypes considered in the evaluation of theattack. As part of future work, we will study the effectof the training set size on the performance of the attackby taking a rigorous cross-validation approach in thesupervised case. Moreover, in order to assess the extentto which the results of the supervised approach can begeneralized to other datasets, we intend to collect mul-tiple datasets and run the supervised attack, trained ona given dataset, on a different one.

6 CountermeasuresThere are various techniques that can be reliedupon for reducing the risk of de-anonymizationthrough genotype-phenotype matching. First of all, up-stream protection of genomic data by cryptographicmeans would dramatically thwart any attempt to de-anonymize this data [4]. It has been proposed to use

De-anonymizing Genomic Databases Using Phenotypic Traits 110

homomorphic encryption and private set intersection forproviding personalized medical tests while preservingprivacy of genomic data [5, 6]. Although encryption ofgenomic data does not reduce much utility and efficiencyin healthcare, such cryptographic techniques probablyadd too much overhead in genomic research [21].

A simpler method for preventing de-anonymizationattacks is to split the genomic data into several sub-sets, making sure that there is no linkage disequilib-rium (i.e., probabilistic dependencies between differentSNPs of the same genome) between these subsets, sothat the records of the different datasets cannot eas-ily be matched. In this way the adversary could notlink the various parts of genomic data with each other,thus dramatically reducing the performance of the de-anonymization attacks. Nevertheless, any associationstudy between phenotypes and genotypes could still becarried out, but on smaller parts of the genome.

Another simple technique for thwarting de-anonymization attacks is to selectively share the SNPs;in particular hide those related to phenotypic traits.By removing the SNPs associated with visible traits,we could already significantly decrease the risk of de-anonymization attack that relies on pictures, e.g., gath-ered on online social networks.

Although the use of noise on aggregated statisti-cal results in the context of genome-wide associationstudies (for ensuring differential privacy) has not pro-vided very good utility [20, 36], the addition of noisedirectly on genomic data could be more successful. Fol-lowing the idea of geo-indistinguishability proposed inthe context of location privacy [2], we could add somenoise to the genomic data such that the mechanism pro-vides enough indistinguishability between different ge-nomic sequences. As illustrated in Figure 8, the moredistinguishable two genotypes are, the more likely theyare to be de-anonymized. However, we should controlthe amount of noise added such that it does not reducemuch the accuracy of statistical outcomes and/or per-sonal utility, depending on the use case. We intend tostudy and evaluate in detail some of the aforementionedprivacy-preserving mechanisms in future work.

7 Related WorkAnonymization was one of the first mechanisms pro-posed to protect the genomic privacy of participants ingenetic databases. Unfortunately, the removal of quasi-identifying attributes (e.g., birth date or ZIP code) has

been proven ineffective for protecting the anonymity ofparticipants in such databases [12, 15, 16].

For instance, genomic variants on the Y-chromosome being correlated with last names (formales), these can be inferred using public genealogydatabases. With further effort (e.g., using voter regis-tration forms) the complete identity of the individualcan also be revealed [14]. Also, unique features inpatient-location visit patterns in a distributed health-care environment can be used in publicly availablerecords to link the genomic data to the identity ofthe individuals [25]. Furthermore, it is shown thatPersonal Genome Project (PGP) participants can beidentified based on their demographics, without usingany genomic information [34].

The identity of a participant of a genomic studycan also be revealed by using a second sample, that is,part of the DNA information from the individual andthe results of the corresponding clinical study [9, 12,17, 19, 39]. For this reason, even a small set of SNPsof the individual might be sufficient as the second sam-ple. For example, it is shown that as few as 100 SNPsare enough to uniquely distinguish one individual fromanother [23]. Homer et al. [17] prove that the presenceof an individual in a case group can be determined byusing aggregate allele frequencies and his DNA profile.Homer’s attack demonstrates that it is possible to iden-tify a participant in a GWAS study by analyzing theallele frequencies of a large number of SNPs. Wang etal. [39] show a higher risk where individuals can actuallybe identified from a relatively small set of statistics suchas those routinely published in GWAS papers. In par-ticular, they show that the presence of an individual inthe case group can be determined based upon the pair-wise correlation (i.e., linkage disequilibrium) among asfew as a couple of hundred SNPs. Whereas the method-ology introduced in [17] requires on the order of 10,000SNPs (of the target individual), this new attack requiresonly on the order of hundreds of SNPs.

In another recent study [12], Gitschier shows that acombination of information, from genealogical registriesand a haplotype analysis of the Y-chromosome collectedfor the HapMap Project, enables the prediction of thelast names of a number of individuals from the HapMapdatabase. Thus, releasing (aggregate) genomic data iscurrently banned by many institutions due to this pri-vacy risk. In [40], Zhou et al. study the privacy risks ofreleasing aggregate genomic data. They propose a risk-scale system for classifying aggregate data and a guidefor the release of such data.

De-anonymizing Genomic Databases Using Phenotypic Traits 111

Several papers have studied phenotype predictionfrom genomic data, notably as a means of tracing iden-tity. A thorough review of methods for predicting pheno-types from genomic data is provided in [22]. Two stud-ies show that age prediction is feasible from DNA in-formation derived from blood samples [30, 41]. Severalgenome-wide studies report the influence of genomicdata on height [1], body mass index (BMI) [26], eyecolor [38], and facial shape [8, 24]. Although variabili-ties of phenotypic traits is currently explained to a smallextent by genomic differences, the aforementioned pa-pers clearly demonstrate that genetic knowledge aboutthe relationship between phenotype and genomic datais quickly expanding. Therefore, we can expect that thematching attack evaluated in this paper would becomesuccessful with many more individuals in the future.

De-anonymization attacks have been used to jeop-ardize the anonymity of participants in other con-texts. A de-anonymization attack against a large Net-flix database successfully re-identified Netflix recordsof known users by relying upon IMDB as backgroundknowledge [27]. Narayanan and Shmatikov also pro-pose de-anonymizing users of an online social network(Twitter in their case) by making use of another on-line social network (Flickr) as the source of auxiliaryinformation [28]. Another attack shows that locationtraces could be de-anonymized by relying upon thesocial graphs of the traces’ owners [33]. In the con-text of anonymous communication, perfect matching at-tacks have been proven effective to de-anonymize mixingrounds [35].

Our work differs from previous work as it studies de-anonymization attacks against genomic or phenotypicdatasets by leveraging the associations between the ge-nomic and phenotypic data. Moreover, it relies onlyupon the most common variants currently provided bythe major direct-to-consumer genetic testing providers,thus upon the variants that are most accessible online.Finally, it provides a thorough evaluation of the factorsthat play a role in the success of the de-anonymizationattacks, and it paves the way for more investigations onthe risky relationship between genomic data and phe-notypes.

8 Conclusion and Future WorkIn this work, we have thoroughly evaluated two newde-anonymization attacks, by making use of two typesof background knowledge. We observe that the super-

vised approach outperforms the unsupervised approach,and that the success ratio between the two approachesincreases with the number of participants, tending totwo with 80 participants. We also notice that the pro-portion of correct matches of our identification attackis three to eight times higher than the baseline. Wehave demonstrated a decrease of 50% of inference er-ror on the predisposition to Alzheimer’s disease with adatabase of size 10. We notice a slight and unexpectedincrease of correct matches in the perfect matching at-tack compared to the identification attack. In particular,the proportion of perfect correct matches reaches 16%with the supervised approach. Our results clearly showthe extent of the threat of de-anonymization attacksthat rely upon genomic-phenotypic statistical relation-ships. Finally, our results demonstrate that the moredistinguishable two individuals are, the more success-ful the perfect matching is. This leads us to concludethat the matching risk will continuously increase withthe progress of genomic knowledge, which raises seriousquestions about the genomic privacy of participants ingenomic datasets. We should also recall that, once anindividual’s genomic data is identified, the genomic pri-vacy of all his close family members is also potentiallythreatened.

In future work, we intend to enhance the matchingalgorithm and performance of the de-anonymization at-tacks by learning the conditional probabilities of traitsgiven all their relevant SNPs together as well as thejoint probabilities for correlated SNPs, in the super-vised approach. We also plan to implement the privacy-preserving mechanisms proposed as countermeasures,and study their effectiveness. Finally, we will evaluatethe performance of the attacks on larger datasets.

9 AcknowledgmentsParts of this work were carried out while KévinHuguenin and Erman Ayday were with EPFL.

References[1] H. L. Allen, K. Estrada, G. Lettre, S. I. Berndt, M. N. Wee-

don, F. Rivadeneira, C. J. Willer, A. U. Jackson, S. Vedan-tam, S. Raychaudhuri, et al. Hundreds of variants clus-tered in genomic loci and biological pathways affect humanheight. Nature, 467(7317):832–838, 2010.

[2] M. E. Andrés, N. E. Bordenabe, K. Chatzikokolakis, andC. Palamidessi. Geo-indistinguishability: Differential privacy

De-anonymizing Genomic Databases Using Phenotypic Traits 112

for location-based systems. In CCS’13: Proc. of the 2013ACM Conf. on Computer and Communications Security,pages 901–914, 2013.

[3] E. Ayday, E. De Cristofaro, J. Hubaux, and G. Tsudik. Thechills and thrills of whole genome sequencing. IEEE Com-puter Magazine, 2015.

[4] E. Ayday, J. L. Raisaro, U. Hengartner, A. Molyneaux, andJ.-P. Hubaux. Privacy-preserving processing of raw genomicdata. In DPM’13: Proc. of the 8th Int’l Workshop on DataPrivacy Management, pages 133–147, 2013.

[5] E. Ayday, J. L. Raisaro, J.-P. Hubaux, and J. Rougemont.Protecting and evaluating genomic privacy in medical testsand personalized medicine. In WPES’13: Proc. of the 12thACM Workshop on Privacy in the Electronic Society, pages95–106, 2013.

[6] P. Baldi, R. Baronio, E. De Cristofaro, P. Gasti, andG. Tsudik. Countering GATTACA: Efficient and securetesting of fully-sequenced human genomes. In CCS’11: Proc.of the 18th ACM Conf. on Computer and CommunicationsSecurity, pages 691–702, 2011.

[7] P. Claes, H. Hill, and M. D. Shriver. Toward DNA-based fa-cial composites: Preliminary results and validation. ForensicScience International: Genetics, 13:208–216, 2014.

[8] P. Claes, D. K. Liberton, K. Daniels, K. M. Rosana, E. E.Quillen, L. N. Pearson, B. McEvoy, M. Bauchet, A. A. Zaidi,W. Yao, et al. Modeling 3D facial shape from DNA. PLoSGenetics, 10(3):e1004224, 2014.

[9] D. Clayton. On inferring presence of an individual in a mix-ture: a bayesian approach. Biostatistics, 11(4):661–673,2010.

[10] Y. Erlich and A. Narayanan. Routes for breaching and pro-tecting genetic privacy. Nature Reviews Genetics, 15(6):409–421, 2014.

[11] Z. Galil. Efficient algorithms for finding maximum matchingin graphs. ACM Computing Surveys (CSUR), 18(1):23–38,1986.

[12] J. Gitschier. Inferential genotyping of Y chromosomes inLatter-Day Saints founders and comparison to Utah sam-ples in the HapMap project. American Journal of HumanGenetics, 84(2):251–258, 2009.

[13] B. Greshake, P. E. Bayer, H. Rausch, and J. Reda. open-SNP–A Crowdsourced Web Resource for Personal Genomics.PLoS ONE, 9(3):e89204, Mar. 2014.

[14] M. Gymrek, A. L. McGuire, D. Golan, E. Halperin, andY. Erlich. Identifying personal genomes by surname infer-ence. Science, 339(6117):321–324, 2013.

[15] M. Gymrek, A. L. McGuire, D. Golan, E. Halperin, andY. Erlich. Identifying personal genomes by surname infer-ence. Science, 339(6117):321–324, 2013.

[16] E. C. Hayden. Privacy protections: The genome hacker.Nature, 497:172–174, 05 2013.

[17] N. Homer, S. Szelinger, M. Redman, D. Duggan, andW. Tembe. Resolving individuals contributing trace amountsof DNA to highly complex mixtures using high-density SNPgenotyping microarrays. PLoS Genetics, 4, Aug. 2008.

[18] M. Humbert, E. Ayday, J.-P. Hubaux, and A. Telenti. Ad-dressing the concerns of the Lacks family: Quantificationof kin genomic privacy. In CCS’13: Proc. of the 20th ACMConf. on Computer and Communications Security, pages1141–1152, 2013.

[19] H. K. Im, E. R. Gamazon, D. L. Nicolae, and N. J. Cox.On sharing quantitative trait GWAS results in an era ofmultiple-omics data and the limits of genomic privacy.American Journal of Human Genetics, 90(4):591–598, 2012.

[20] A. Johnson and V. Shmatikov. Privacy-preserving dataexploration in genome-wide association studies. In KDD’13:Proc. of the 19th ACM Int’l Conf. on Knowledge Discoveryand Data mining, pages 1079–1087, 2013.

[21] M. Kantarcioglu, W. Jiang, Y. Liu, and B. Malin. A cryp-tographic approach to securely share and query genomicsequences. IEEE Trans. on Information Technology inBiomedicine, 12(5):606–617, 2008.

[22] M. Kayser and P. de Knijff. Improving human forensicsthrough advances in genetics, genomics and molecular biol-ogy. Nature Reviews Genetics, 12(3):179–192, 2011.

[23] Z. Lin, A. B. Owen, and R. B. Altman. Genomic researchand human subject privacy. Science, 305(5681):183, Jul2004.

[24] F. Liu, F. van der Lijn, C. Schurmann, G. Zhu, M. M.Chakravarty, P. G. Hysi, A. Wollstein, O. Lao, M. de Brui-jne, M. A. Ikram, et al. A genome-wide association studyidentifies five loci influencing facial morphology in euro-peans. PLoS Genetics, 8(9):e1002932, 2012.

[25] B. A. Malin and L. Sweeney. How (not) to protect ge-nomic data privacy in a distributed network: using trail re-identification to evaluate and design anonymity protectionsystems. Journal of Biomedical Informatics, 37(3):179–192,2004.

[26] A. K. Manning, M.-F. Hivert, R. A. Scott, J. L. Grimsby,N. Bouatia-Naji, H. Chen, D. Rybin, C.-T. Liu, L. F. Bielak,I. Prokopenko, et al. A genome-wide approach accountingfor body mass index identifies genetic variants influencingfasting glycemic traits and insulin resistance. Nature Genet-ics, 44(6):659–669, 2012.

[27] A. Narayanan and V. Shmatikov. Robust de-anonymizationof large sparse datasets. In SP’08: Proc. of the 29th IEEESymp. on Security and Privacy, pages 111–125, 2008.

[28] A. Narayanan and V. Shmatikov. De-anonymizing social net-works. In SP’09: Proc. of the 30th IEEE Symp. on Securityand Privacy, pages 173–187, 2009.

[29] http://www.ncbi.nlm.nih.gov/projects/SNP/.[30] X.-l. Ou, J. Gao, H. Wang, H.-s. Wang, H.-l. Lu, and H.-y.

Sun. Predicting human age with bloodstains by sjTRECquantification. PloS ONE, 7(8):e42412, 2012.

[31] A. Pollack. Building a face, and a case, on DNA. http://www.nytimes.com/2015/02/24/science/building-face-and-a-case-on-dna.html, Feb. 2015.

[32] R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P.Hubaux. Quantifying location privacy. In SP’11: Proc. of the32nd IEEE Symp. on Security and Privacy, pages 247–262,2011.

[33] M. Srivatsa and M. Hicks. Deanonymizing mobility traces:Using social network as a side-channel. In CCS’12: Proc.of the 19th ACM Conf. on Computer and CommunicationsSecurity, pages 628–637, 2012.

[34] L. Sweeney, A. Abu, and J. Winn. Identifying participants inthe personal genome project by name. 04/24/2013 2013.

[35] C. Troncoso, B. Gierlichs, B. Preneel, and I. Verbauwhede.Perfect matching disclosure attacks. In PETS’08: Proc. ofthe 8th Privacy Enhancing Technologies Symp., pages 2–23,

De-anonymizing Genomic Databases Using Phenotypic Traits 113

2008.[36] C. Uhler, A. Slavkovic, and S. E. Fienberg. Privacy-

preserving data sharing for genome-wide association studies.Journal of Privacy and Confidentiality, 5(1), 2013.

[37] http://www.vox.com/2014/9/9/5975653/with-genetic-testing-i-gave-my-parents-the-gift-of-divorce-23andme. Lastvisited: Feb. 2015.

[38] S. Walsh, F. Liu, K. N. Ballantyne, M. van Oven, O. Lao,and M. Kayser. IrisPlex: a sensitive DNA tool for accurateprediction of blue and brown eye colour in the absence ofancestry information. Forensic Science International: Genet-ics, 5(3):170–180, 2011.

[39] R. Wang, Y. F. Li, X. Wang, H. Tang, and X. Zhou. Learn-ing your identity and disease from research papers: informa-tion leaks in genome wide association study. CCS’09: Proc.of the 16th ACM Conf. on Computer and CommunicationsSecurity, pages 534–544, 2009.

[40] X. Zhou, B. Peng, Y. F. Li, Y. Chen, H. Tang, andX. Wang. To release or not to release: Evaluating informa-tion leaks in aggregate human-genome data. ESORICS’11:Proc. of the 16th European Conf. on Research in ComputerSecurity, pages 607–627, 2011.

[41] D. Zubakov, F. Liu, M. Van Zelm, J. Vermeulen, B. Oos-tra, C. Van Duijn, G. Driessen, J. Van Dongen, M. Kayser,and A. Langerak. Estimating human age from T-cell DNArearrangements. Current Biology, 20(22):R970–R971, 2010.

Table 1. List of phenotypic traits and associated SNPs consideredin the evaluation. Fields marked with a ‘*’ are considered only inthe supervised case.

High-level trait Trait Relevant SNPSex Sex (“male”, “female”) sexual chrom.

Skin color* Type10 (“II: white”, etc.) rs26722rs1667394rs16891982

Hair type Curliness (“straight”, rs7349332“wavy”, “curly”, etc.) rs11803731

rs17646946Hair color Blond (“yes”, “no”) rs12821256

rs35264875Eye color Brown (“yes”, “no”) rs916977

rs1129038rs1800401rs2238289rs2240203rs3935591rs4778241rs7183877rs8028689rs12593929

Blue (“yes”, “no”) rs1800407rs7495174

Freckling* Density (“light”, etc.) rs1042602Ability to tan* Ability (“yes”, rs1015362

“moderate”, “no”) rs2228479rs1805009

Asthma* Presence (“yes”, “no”) rs5067rs689465rs2278206rs2303067rs7216389rs11569562

Lactose tolerance* Tolerance (“yes”, “no”) rs182549rs4988235rs41380347rs41525747

Blood type Rhesus (“+”, “-”) rs590787(e.g., “AB+”) Has B (“yes”, “no”) rs7853989

Has O (“yes”, “no”) rs505922rs8176719

Earwax Type (“dry”, “wet”, etc.) rs17822931

De-anonymizing Genomic Databases Using Phenotypic Traits 114

Table 2. Sample probabilistic association models: P(trait | SNP)for each relevant SNP-trait pair.

(a) Model for a quasi-deterministicassociation with two trait values.

Blood typers505922 “O” “Not O”CC 1 − α α

CT 0.5 0.5TT α 1 − α

(b) Model for an association with three traitvalues (β3 is such that β3+β2

3+β33 = 1).

Hair curlinessrs11803731 “straight” “waivy” “curly”AA β3

3 β23 β3

AT 0.33 0.33 0.33TT β3 β2

3 β33