Dangerous liaisons: How relatives and friends give away your secrets

Your online privacy does not depend solely on you. We’ll tell you what your loved ones can give away. (Spoiler: It’s absolutely anything, even DNA.)

Increasingly, modern technologies are helping people’s secrets move into the public domain. There are many such examples, from massive leaks of personal data to the online appearance of private (and even intimate) photos and messages.

This post will leave aside the countless dossiers kept on every citizen in the databases of government and commercial structures — let’s naively assume that this data is reliably protected from prying eyes (although we all know it isn’t). We shall also discard the loss of flash drives, hacker attacks, and other similar (and sadly regular) incidents. For now, we’ll consider only user uploads of data on the Internet.

The solution would seem simple — if it’s private, don’t publish it. But people are not fully in control of all of their private data; friends or relatives can also post sensitive information about them, sometimes without their consent.

Public genes

The information that goes public might be close to the bone, quite literally. For example, your DNA might appear online without your knowledge. Online services based on genes and genealogy, such as 23andMe, Ancestry.com, GEDmatch, and MyHeritage, have been gaining in popularity of late (incidentally, MyHeritage suffered a leak quite recently, but that’s a topic for a separate post). Users voluntarily hand over a biomaterial sample to these services (saliva or a smear from the inside of the cheek), on which basis their genetic profile is determined in the lab. This can be used, for example, to trace a person’s ancestry or establish genetic predisposition to certain diseases.

Confidentiality is not on the agenda. Genealogical services work by matching profiles with ones already in their database (otherwise, family members will not be found). Users occasionally disclose information about themselves voluntarily for the same reason: so that relatives also using the service can find them. An interesting nuance is that clients of such services simultaneously publish the genealogical information of family members who share their genes. These relatives might not actually want people to track them down, especially based on their DNA.

The benefits of genealogical services are undeniable and have resulted in more than a few happy family reunions. However, it should not be forgotten that public genetic databases can be misused.

Brotherly love

At first glance, the problem of storing genetic information in a public database might seem contrived, with no practical consequences. But the truth is that genealogical services and biomaterial samples (a piece of skin, nail, hair, blood, saliva, etc.) can, under certain circumstances, help identify a person, without so much as a photograph.

The reality of the threat was highlighted in a study published in October in the journal Science. One of the authors, Yaniv Erlich, knows firsthand the ins and outs of this industry; he works for MyHeritage, which provides DNA analysis and family tree services.

According to the research, roughly 15 million people to date have undergone a genetic test and had a profile created in electronic form (other data indicate that MyHeritage alone has more than 92 million users). Focusing on the United States, the researchers predicted that public genetic data would soon allow any American with European ancestry (a very large proportion of those so far tested) to be identified by their DNA. Note that it makes no difference whether the subject initiated the test or whether it was done by a curious relative.

To show how easy DNA identification really is, Erlich’s team took the genetic profile of a member of a genome research project, punched it into the database of the GEDmatch service, and within 24 hours had the name of the owner of the DNA sample, writes Nature.

The method has also proved useful to law enforcers, who have been able to solve several dead-end cases thanks to genealogical online services.

How the DNA chain unmasked a criminal

This past spring, after 44 years of unsuccessful searching, a 72-year-old suspect in a series of murders, rapes, and robberies was arrested in California. He was fingered by genealogical information available online.

Lab analysis of biomaterial found at the crime scene resulted in a genetic profile that met the requirements of public genealogical services. Acting as regular users, the detectives then ran the file through the GEDmatch database and compiled a list of likely relatives of the criminal.

All of the matches — more than a dozen in all — were rather distant relatives (none closer than a second cousin). In other words, these people all had common ancestry with the criminal tracing back to the early nineteenth century. As described by the Washington Post, five genealogists armed with census archives, newspaper obituaries, and other data then proceeded to move from these ancestors forward in time, gradually filling in empty slots in the family tree.

A huge circle of distant but living relatives of the perpetrator was formed. Discarding those who did not fit the age, sex, and other criteria, the investigators eventually homed in on the suspect. The detective team then followed him, got hold of an object with a DNA sample on it, and matched it against the material found at the crime scene many years before. The DNA in the samples was the same, and 72-year-old Joseph James DeAngelo was arrested.

The case spotlighted the main benefit of genealogical online public services over the DNA databases of law-enforcement agencies from the viewpoint of investigators. The latter databases store information only on criminals, whereas the former are full of noncriminal users who cast a virtual net over their relatives.

Now imagine that a person is wanted not by the law, but by a criminal group — maybe an accidental witness or a potential victim. The services are public, so anyone can use them. Not so good.

Incriminating tags

DNA-based searches using public services are still fairly niche. Besides creating genetic profiles, a more common way for well-meaning friends and relatives to inadvertently reveal your whereabouts to criminals, law-enforcement agencies, and the world at large is through the ubiquitous practice of tagging photos, videos, and posts on social media.

Even if no ill-wishers are looking for you, these tags can cause embarrassment. Let’s say a carefree lab technician decides to upload photos from a lively staff party and tags everyone in it, including a distinguished professor. The photos immediately and automatically pop up on the latter’s page, undermining his authority in the eyes of students.

A careless post such as this could well lead to dismissal or worse for the person tagged. By the way, any information in social networks can readily form the missing link in the type of search described above, using the public databases of genealogical services.

How to configure tagging

Social networks allow users to control tags and mentions of themselves to varying degrees. For example, Facebook and VK.com let you remove tags from photos published by others and limit the circle of people who can tag you or view materials with tags of you. Facebook users can keep the photos they upload from being seen by friends of people tagged in them, and the VK.com privacy settings let users create a white list of users allowed to view photos with tagged individuals.

Curiously, Facebook not only encourages users to tag friends through hints generated by face-recognition technology (this feature can be disabled in the account settings), but also helps to control their privacy: The social network sends a notification if that technology spots you in someone else’s pic.

As for Instagram, this is what it has to say on the matter: All people, except those you have blocked, can tag you in their photos and videos. That said, the social network lets you choose whether photos with you tagged appear on your profile automatically or only after your approval. You can also specify who can view these posts in your profile.

Despite these functions offering partial control over where and when you pop up, the potential threats are still numerous. Even if you slap a ban on people tagging you in pictures, your name (including a link to the page) might still be mentioned in the description or comments on a photo. That means that the photo is still linked to you, and keeping track of such leaks is near impossible.

With friends like these

Friends and relatives aren’t the only ones who might give away your secrets to third parties. Technologies themselves can also do it, for example, because of the peculiarities of the recommendations system.

VK.com suggests friending people with whom users have mutual friends in the social network. Meanwhile, the Facebook algorithm is far more active in its search for candidates, sometimes recommending fellow members of a particular group or community (school, university, organization). In addition, the friend-selection process employs users’ contact information uploaded to Facebook from mobile devices. However, Facebook does not disclose all of the criteria by which its algorithm selects potential friends, and sometimes you may be left guessing about how it knows about your social connections.

How does this relate to privacy? Here’s an example. In a particularly awkward case, the system recommended unacquainted patients of a psychiatrist to each other — and one of them even divined what they had in common. Health-related data, especially psychiatric, is among the most sensitive there is. Not many would voluntarily agree to it being stored on social media.

Similar cases were cited in a US Senate Committee appeal to Facebook following the Senate hearing in April 2018 on Facebook users’ privacy. In its response, the company did not comment on cases involving patients, listing only the abovementioned sources of information for its friend-suggestion algorithm.

What next?

The Internet already stores far more social and even biological information about us than we might imagine. And one reason we can’t always control it is simply that we don’t know about it. With the advance of new technologies, it is highly likely that the very concept of private data will soon become a thing of the past — our real and online selves are becoming increasingly intertwined, and any secret on the Internet will be outed sooner or later.

However, the problem of online privacy has been raised lately at the level of governments worldwide, so perhaps people can still find a way to fence themselves off from nosy outsiders.