Methodological Review
Privacy preserving processing of genomic data: A survey
Mete Akgün
⇑, A. Osman Bayrak, Bugra Ozer, M. Sßamil Sag˘ırog˘lu
Advanced Genomics and Bioinformatics Research Center (_IGBAM), Informatics and Information Security Research Center (B_ILGEM), The Scientific and Technological Research Council of Turkey (TÜB_ITAK), 41470 Gebze, Kocaeli, Turkey
a r t i c l e
i n f o
Article history:
Received 17 February 2015 Revised 25 May 2015 Accepted 29 May 2015 Available online 6 June 2015 Keywords:
Genomics Security Privacy
a b s t r a c t
Recently, the rapid advance in genome sequencing technology has led to production of huge amount of sensitive genomic data. However, a serious privacy challenge is confronted with increasing number of genetic tests as genomic data is the ultimate source of identity for humans. Lately, privacy threats and possible solutions regarding the undesired access to genomic data are discussed, however it is challeng-ing to apply proposed solutions to real life problems due to the complex nature of security definitions. In this review, we have categorized pre-existing problems and corresponding solutions in more understand-able and convenient way. Additionally, we have also included open privacy problems coming with each genomic data processing procedure. We believe our classification of genome associated privacy problems will pave the way for linking of real-life problems with previously proposed methods.
Ó 2015 Elsevier Inc. All rights reserved.
1. Introduction
With the official completion of Human Genome Project in 2003 [1]we have been introduced to importance of genomic informa-tion. Nowadays, whole genome sequence of complex organisms can now be determined in a short time with use of next-generation sequencing technologies. In recent years, advances in genome sequencing technology have significantly reduced genome sequencing costs although the predictions were on that the progress in sequencing technologies would follow Moore’s Law. Breakthroughs in both affordability and throughput of sequencing platforms have led sequencing technology to have faster pace than expected and it is now possible to collect, store, process and share genomic data. This expansion widened the use of sequencing for variety of purposes such as personalized genomic medicine, disease diagnosis and preventive treatment. Observing the progress between the first appearance of next-generation sequencing platforms and today, it can be foretold that, in the future big data coming out of sequencing platforms will determine the trends in the fields of health diagnostics and will be used more and more each upcoming year.
However, sequencing technology comes with burdens as it may create problems greater than its benefits which is commonly over-looked. A genome enables uniquely identification of its owner and
contains treasure of highly personal and sensitive information which corresponds to the biological identity of an individual. At this point, encrypting the name of genomic data owner will not be sufficient enough and identifying someone from anonymous genomic data has already been witnessed [2,3], opening a huge security gap for both the individual and the country.
In the literature, there are several solutions suggested for pri-vacy and security of electronic health records based on de-identification and aggregation methods. However, these solu-tions are not applicable to personal genomic data as genome itself is a ultimate identifier of an individual[4]. In the literature, there are only few surveys on genomic privacy. Erlich and Narayanan [5]give a general overview of genetic privacy breaching strategies including non-cryptographic strategies. Naveed et al. [6] give a review of state-of-the-art regarding computational protection methods in genomic privacy and the main challenges in this field. Unlike the previous surveys, in this review, we have categorized pre-existing problems and corresponding solutions in more under-standable and convenient way. Additionally at our review, we have also included open privacy problems coming with each genomic data processing procedure. We believe our classification of genome associated privacy problems will smooth the way of linking real-life problems with previously proposed methods.
2. Genomic background
The human genome is the complete set of genetic information of a living organism, which is composed of four different bases (A, C, G, T). Genetic information lies encoded inside of chromosomes http://dx.doi.org/10.1016/j.jbi.2015.05.022
1532-0464/Ó 2015 Elsevier Inc. All rights reserved. ⇑ Corresponding author.
E-mail addresses: [email protected] (M. Akgün), osman.bayrak@ tubitak.gov.tr(A.O. Bayrak),[email protected](B. Ozer),mahmut.sagiroglu@ tubitak.gov.tr(M. Sßamil Sag˘ırog˘lu).
Contents lists available atScienceDirect
Journal of Biomedical Informatics
and each chromosome contains genes which are responsible from variety of functions controlling the human body all together. Difference in the arrangement of these bases on each DNA strand leads to uniqueness between individuals’ genetic composition. Despite the potential of high diversity, most of the DNA Sequence is conserved across the whole human population. Only around %0.5 of each person’s DNA is different from the reference genome, owing to genetic variations [7]. Most common genetic variations in our body are Single Nucleotide Polymorphisms (SNP’s) which inform about patient’s susceptibility to several dis-eases proven by several Genome Wide Association Studies(GWAS). To exemplify; some mutations on BRCA genes greatly increase risk of developing breast cancer.
The unique genetic information, i.e. DNA of a person, can be retrieved from various sample sources; hair, skin, blood, saliva. After sample collection, the genetic material is extracted using DNA Extraction Kits and then sequenced using a sequencing plat-form. Most commonly used sequencing platform is Illumina Sequencers and output of Illumina sequencing platform is either short/long single-end or paired-end reads, each including nucleo-tides between 25 and 500 length from randomly partitioned gen-ome. At this point, the term ‘‘coverage’’ is defined which is the number of times a nucleotide is read during the sequencing pro-cess. Obtaining high coverage mainly helps users at reducing errors and make correct decision for every base in the sequence. It also implies the average number of reads representing a given nucleo-tide in the mapped sequence.
Regarding the ‘‘mapping of a sequence’’, a sequencing platform produces randomly ordered short reads. These reads are needed to be put in the correct order using a reference sequence (assembled by scientists) in order to further analyze genomic data of sequenced individual. The process of aligning short reads from whole genome to a reference genome is ‘‘sequence alignment (mapping)’’ and as a result of this procedure, 3.2 billion letters in the DNA sequence of an individual is mapped in computers (mostly on servers) for further analysis. It should be noted that this map-ping procedure requires high computing power, hence use of par-allel computing dramatically reduces the processing time. However at this step, one should be cautious to use insecure plat-forms such as public clouds to run this procedure, as genomic
privacy of the genome owner may get easily violated. After the mapping procedure, sequenced DNA is aligned to the reference genome which can be visualized and to better understand the con-cept, an aligned genome example is shown inFig. 1, in which hg19 mapped Illumina Hiseq2500 paired-end reads are shown with IGV tool[8,9].
Worldwide, a usual clinical procedure for whole genome sequencing takes about 3 weeks and costs between $5000 and $10,000 depending on the country kit prices. Procedure starts with an individual going to one of the clinics where she can give a bio-logical sample (e.g. blood, saliva, etc.) from which her DNA is extracted. This biological sample is processed at sample processing unit which may be at the same location with the clinic or may be a different institution. After extracting the DNA from biological sam-ple, sample processing unit sends resulting DNA to the sequencing department which may be at the same location or located in a dif-ferent place. Because of lower sequencing costs, it is very common to send the collected samples abroad for sequencing. Sequencing is achieved through Next Generation Sequencing (also named as High Throughput Sequencing) platforms which produces digital output from chemical input. Starting from the stage of collecting sample from donor to the sequencing stage, DNA is in chemical form, hence privacy protection and security is achievable using routine physical precautions. However, after sequencing, DNA is digital-ized and this digital data is subject to standard and detailed bioin-formatics analysis. Thus, physical precautions are not sufficient to protect privacy and provide security as digital data can be easily copied, modified and shared. In order to better represent the big picture of genome sequencing and analysis process, steps are explained on an example depicted inFigs. 2a and 2b.
Corresponding data formats, sizes and analysis steps for a mostly-used Illumina Sequencing machine can be summarized as follows; start point is to extract reads from image files to base call-ing files (BCL). In fact, volume of the data to be analyzed decreases at every step and considering whole genome sequencing, image files take 12 TB of disk space and converting them into BCL format (600 GB) saves significant disk space. Soon after, BCL file is con-verted into FASTQ format which is platform independent, standard file format consisting of nucleotide sequences (reads) and quality values. These FASTQ files need to map to a reference genome so
Fig. 1. Aligned Reads; at the top of the figure, numbers represents the location of the reads on a specific chromosome. Graphic, standing below the location bar, depicts the coverage information. Below the coverage area, aligned reads are given using two different colors in order to specify the direction of paired-end reads which is also indicated by the arrows at the end of each read. The most colored bar standing at the bottom of the figure represents the reference genome and each color stands for a nucleotide. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)
that they are informative about the genome. At this point, there are two options as data formats: although both formats offer the iden-tical data information, one of them keeps data in binary form therefore Binary Alignment/Map (BAM) files comprise smaller size. To exemplify, for a whole genome sequencing, Sequence
Alignment/Map (SAM) file is about 400 GB whereas BAM file for the same data is about 175 GB. After obtaining the aligned genome data, next step is finding variations (single nucleotide polymor-phism, nucleotide(s) deletions, and insertions) in the sequenced genome compared to the reference genome. In fact, all these Fig. 2a. Process of DNA sequencing and analysis – Part I.
variations are sensitive and crucial for determining biological dif-ferences (e.g. skin/eye color, gender), predisposition to certain dis-eases (e.g. breast cancer, prostate cancer), or social properties (e.g. ancestor tracking, race) of an individual.
As shown inFig. 2b, after sequencing and standard bioinformat-ics process, generated genome data might be given to an individual or an authority in several ways. Depending on the data owners request, data can be given in a hard drive or can be uploaded to a cloud in FASTQ, SAM, BAM, Variant Call Format (VCF) or any other format for further bioinformatics analysis. Perhaps with the upcoming developments in the smart-card, bioinformatics and preventive health-care technologies, standardization of smart-card practice in preventive health-care will be possible and each individual will possess their own variant information on their own smart-cards[10].
3. Privacy issues in genomic data processing
Digital genomic data is subject to several bioinformatics process which introduce risks of private information disclosure. Sequence alignment, querying private genomic data, and searching on a genomic database are main bioinformatics processes which may violate personal privacy if necessary countermeasures are not taken. For genomic data processing, possible security problem definitions and solutions for the corresponding problems are given for:
1. Sequence alignment on insecure environments (e.g., public clouds).
2. Querying on a private genomic data (e.g., inspection for pre-disposition to a specific disease).
3. Querying securely on a private genomic data (e.g., inspection for predisposition to a specific disease with a secret parameters).
4. Querying on a private genomic database (e.g., research on a database containing private genomic data).
5. Querying securely on a public database (e.g., research on a database with secret parameters).
6. Querying securely on a private genomic database (e.g., research on a private genomic database with secret parameters).
3.1. Secure DNA sequence alignment
Due to high and costly computational requirements, sequence alignment is very likely to be outsourced, probably to public clouds. Sending genomic data to a public cloud controlled by third party companies and processing the data in an environment which is publicly available to everyone may give rise to disclosure of pri-vate genomic data. In order to prevent privacy violation, secure sequence alignment mechanisms should be defined. For a privacy protecting sequence alignment, we may assume a scenario in which Alice wants to make a sequence alignment for whole gen-ome on a public cloud environment controlled by Bob. In this model Alice trusts neither other cloud users nor the Bob. Alice also assumes that any data processed on this infrastructure can be obtained by an adversary. Thus during the alignment process no valuable information about the reads itself should be revealed.
As a mechanism to protect the confidentiality of the alignment process, following terms are required:
1. Proposed scheme should not introduce a significant compu-tation overhead for sequence alignment. It is quite normal to expect some increase in computation resource demand as security comes at a price but this increase should be afford-able and acceptafford-able.
2. Pre and post processing (e.g. encrypting reads, decrypting results . . .) are likely to be done locally. Therefore, these pro-cesses should take acceptable time on ordinary computers. 3. Apart from exact matches, proposed mechanism should be
able to handle mismatches which can be:
(a) SNPs: Up to n SNPS (e.g. for average read length of 100 nucleo-tides, a read, containing up to 5 SNPs can be aligned correctly). (b) Insertions: Up to n nucleotide insertion (e.g. for average read length of 100 nucleotides, a read, containing up to 10 nucleo-tide insertion can be aligned correctly).
(c) Deletion: Up to n nucleotide deletion (e.g. for average read length of 100 nucleotides, a read, containing up to 10 nucleo-tide deletion can be aligned correctly).
3.1.1. Proposed solutions
Chen et al.[11]proposed an method that solves the problem of secure read mapping in a scalable way. The proposed solution is based on running the computing operations on hybrid clouds which includes both the company’s private cloud and the public commercial cloud. Their mapping methodology is based on the ‘‘seed-and-extend’’[12]method. It splits read mapping into two different tasks. The process of finding exact matching by using the keyed hash values is carried out on the public cloud and the process of extending exact matches to find right alignments is car-ried out on the private cloud. The proposed method only discloses to keyed hash values to the public cloud. Therefore, it provides privacy.
3.1.2. Open problems
The major disadvantage of the solution proposed by [11] in Section3.1.1is the need for private cloud to carry out alignments. Due to the high computational requirements and high volume of data, carrying out alignment operations on third party systems is seen as the most appropriate solution. It is still an open problem to carry out alignment process on commercial public clouds in a privacy-preserving and effective manner.
3.2. Query on private genomic data
The human genome contains essential and private information about a persons biology such that a genome information includes whether a person has a tendency towards developing a specific kind of disease. For personalized medicine and preventive health-care, an individual’s genome is queried against a list of known variations which will be used while calculating susceptibil-ity to variety of diseases like breast cancer, diabetes and Alzheimer. Paternity and ancestry tests also queries genomic data for deter-mining biological relationships among individuals. Overall, most of the genetic testing types like genetic compatibility, new born screening and pharmacogenomics fall into this category. As stated before, the disclosure of human genome has significant risks to personal privacy. For example, a person, carrying a mutation on a gene known to increase the likelihood of a particular cancer, may be denied by the health insurance company for the coverage. Therefore privacy preserving methods are needed for storing and accessing genomic data.
In this problem scenario, a patient, Alice, has a digital record of her DNA sequence and wants to take one of the genomic test stated before. This service is provided by another party, such as doctor Bob. Alice does not trust Bob and Bob’s computation infrastructure. Bob wants to run query on Alice’s genomic data to find out the sicknesses in Alice or whether Alice has a tendency to a particular disease. Bob queries Alice’s genome with publicly known disease markers which are composed of short DNA sequences with muta-tion informamuta-tion indicative of variety of diseases. In this scenario, Alice worries about her privacy and she does not want to share
her DNA profile with neither Bob or the health-care provider. These kind of disease tests may be applied over Internet or on site, thus both on-line and off-line solutions should be provided for the patients. One of the most promising method for solving this prob-lem seems to be privacy preserving string search algorithms. 3.2.1. Proposed solutions
In the work of [13], a privacy protecting method based on homomorphic encryption is proposed for genomic data. Ayday et al. evaluate that personal genomic data is quite sensitive to be left to individuals own and they propose to store personal genomic data in encrypted format, in a storage and processing unit which can be accessed by governmental institutions, non-profit organiza-tions or private companies such as cloud storage service providers. Encrypted genomic data are processed using homomorphic encryption and proxy re-encryption in medical tests.
Additionally, Ayday et al.[14]also proposed a system based on homomorphic encryption to protect individual’s privacy in disease risk tests for. Likewise[13], this work also proposes to use storage and processing unit to store sensitive data in encrypted form and disease risk tests are performed by authorized institutions using homomorphic encryption technique and secure integer compari-son. In this solution, a storage and processing unit (SPU) stores all the SNPs (approximately 40 million) of the patient. Ayday et al. solved the storage problem in[15] without sacrificing pri-vacy. They classify SNPs as real SNPs and potential SNPs, where real SNPs are set of SNPs observed in the patient. SPU stores the real SNPs instead of storing all SNPs. However, this constitutes a problem for privacy as SPU stores positions of the real SNPs in plain text. Ayday et al. solved this problem by storing the real SNPs along with some redundant content from the set of potential SNPs. 3.2.2. Open problems
As proposed solutions require high computing power and stor-age facility controlled by a third party, it is challenging to apply the proposed solutions on real-life problems. Moreover, solutions that do not require trusted third party will be faster and more practical. Additionally, results of genetic tests provide general informa-tion about SNPs which may include sensitive informainforma-tion. A mali-cious party can try to benefit from this information and violate the privacy of patient. Unfortunately, current solutions use simple policies and obfuscation methods to reduce the effect of violation. Thus, it cannot be concluded that proposed solutions provide the full extent protection of patient privacy. It is still an open question whether it is possible to provide the full extent protection for the cases where private genomic data is queried with publicly known markers.
3.3. Private query on private genomic data
This scenario looks similar to the previous one and operation is exactly the same. In this case, queries made against the genome should be kept secret to protect commercial rights of the operator. An institution or a physician may have developed a new method or identified new variations to perform the tests given in the previous scenario and wants to protect this method from illegal use.
In this problem scenario, a patient, Alice, has a digital record of her DNA sequence and wants take one of the genomic tests. This service is provided by another party, such as doctor, Bob. Alice wants to protect her privacy and does not trust Bob and Bob’s com-putation infrastructure. At the same time, Bob wants to keep his query confidential and does not trust neither Alice nor her device (e.g., smart-card and flash drive) containing Alice’s genomic data. Bob wants to run query on Alice’s genomic data to perform a geno-mic test. In this scenario, both Alice and Bob worry about
confidentiality of their data. Alice does not want to disclose her DNA profile while Bob wishes to keep his queries confidential. 3.3.1. Proposed attacks
Goodrich [16] showed that privacy-preserving protocols for genomic data may reveal significant information. One party can guess the private genomic data of another party using the protocol output by repetitively querying the another party. The severity of this attack is high because real world sized genomic data can be revealed with only a few number of queries.
3.3.2. Proposed solutions
Variety of solutions are proposed for ‘‘private query on private genomic data’’ problem. The first privacy preserving sequence comparison algorithm was proposed by Atallah et al. [17]. They modified the edit-distance protocol such that neither of the parties reveals anything about their private sequence to the other party. However the proposed protocol is impractical due to its intensive computational requirements[18]. Additionally, Szajda et al. [19] modifies distributed Smith-Waterman algorithm for privacy pre-serving sequence comparison. However, this solution provides weak privacy because its computation process leaks more informa-tion than its output according to[20].
Troncoso-Pastoriza et al. [21] proposed a protocol for secure pattern matching by evaluating automata in an oblivious manner. The protocol is developed for privacy preserving DNA matching and provides security in semi-honest setting. It represents DNA matching problem in the form of regular expression. The proposed solution creates an automaton corresponding to query sequence. It carries out secure matching or searching by running run the automaton on genomic data. The communication complexity is lin-ear in the size of input alphabet and the number of states of the finite state machine. Blanton and Aliasgari [22] introduced improvements on Troncoso-Pastoriza et al.’s protocol[21]reducing communicating parties work. This work proposes a secure out-sourcing of computation protocol which uses external service pro-vider and modified multi-party protocol.
Jha et al.[18]presents privacy protecting implementations on genomic computations such as sequence comparisons and distance calculations using secure two-party communication protocol. They developed three protocols for edit distance. The first protocol uses Yao’s garbled circuits. The second protocol splits the circuit used in the first protocols into small garbled circuits and shares the result of each small circuit between participants. The third protocol merge the first and second protocol in order to overcome perfor-mance and scalability issues. The major drawback of this solution is its inability of dealing with large scale computations[20].
Bruekers et al.[23]proposed a solution in semi-honest attacker model for limited DNA-based operations like identity, ancestor and paternity tests including Short Tandem Repeats(STRs). The pro-posed solution provides protection for STR profiles. It is based on homomorphic encryption and its complexity highly depends on the number of errors to be tolerated.
Eppstein et al.[24]proposed a privacy preserving comparison method that run on compressed genomic data. They used a Privacy-enhanced Invertible Bloom Filter (PIBF) which is extended version of Invertible Bloom Filter (IBF)[25]. The proposed method matches two compressed DNA sequences by performing privacy preserving set-difference computation where complexity is pro-portional to the size of the set difference. The creation of Privacy-enhanced Invertible Bloom Filter depends on the querying scenarios. In the querying scenario in which the trusted third party is required, homomorphic encryption is utilized.
Franz et al. [26] propose a solution which utilizes Hidden Markov Models (HMMs) to evaluate complex queries on genomic data in a secure way. They consider the following scenario in their
study: there are a health care provider that stores a patient’s gen-ome and a service provider that makes a disease risk test using the patient’s genome. The health care provider wants to know the pre-disposition of the patient against a particular disease while pro-tecting the patient privacy. The service provider wants to protect its intellectual property that are used for the disease risk test. The proposed method aims to achieve both goal by running HMM forward algorithm with improved performance[27].
Considering human whole genome sequencing, Baldi al.[28] proposed protocols based on private set operations technique for personalized medicine, paternity and genetic compatibility tests. The main aim of this work is to provide privacy protecting mecha-nisms for individuals, who share their genomic data for getting ser-viced in order to receive genetic test service from authorized parties. Yet, there are two problems coming with proposed solu-tions. Firstly, when genetic data is used for personalized medicine purposes, a party having a specific DNA fingerprint can easily learn the sequence of another party by matching the previously obtained fingerprint. Secondly, a malicious party can learn genetic data of other party by making additional irrelevant queries as input to genetic compatibility test.
In order to test the real world applicability of privacy preserving personal genomic methods De Cristofaro et al.[29] developed a tool called GenoDroid which tests the viability of paternity, ances-try and personalized medicine tests. They focus on the following three methods; conditional oblivious transfer, garbled circuits and homomorphic encryption. The proposed tool has been imple-mented on the Android operating system. GenoDroid has some off-line non-interactive pre-processing phases running on a desktop or a laptop PC. Thus, it does not provide a complete mobile solution. De Cristofaro et al.[30]also proposed a protocol for privacy pre-serving substring-testing. The proposed solution hides the position and size of partial substrings, since these values can leak valuable information. They applied this protocol to the scenario of genomic testing where one party holds a copy of his digitized genome and the other party holds a DNA marker. The output of the protocol is only learned by the former party and no other information is learned by either of the parties or party.
Kerschbaum et al.[31]proposed a privacy-preserving genome matching scheme that can mitigate Goodrich’s attack[16]. Their solution detects similar inputs by combining secure computation of the edit distance and fuzzy commitments. They also proposed an efficient zero-knowledge proof protocol that ensures the avoid-ance of client detection.
3.3.3. Open problems
The proposed solutions for this problem scenario have some problems. As we described in Section3.3.2, some solutions have serious privacy problems and do not provide provable security. Almost all solutions are based on either partially or somewhat homomorphic encryption as fully homomorphic encryption has a long way to go before it can be efficient enough to be practical [32]. Using partially or somewhat homomorphic encryption might be practical for some genomic applications. Nevertheless, they are far from providing complete solution for this problem. It is open question whether it is possible to design secure and private solu-tion without using homomorphic encrypsolu-tion.
3.4. Query on private genomic database
It is assumed that, in near future, governmental institutions such as Ministry of Health will establish genomic databases for preventive health-care and personalized medicine purposes. It is likely that such database will comprise additional information about the data owner apart from genomic data such as; location, place and date of birth, physical attributes (e.g., eye and skin color,
height, and weight.), medical history, and biological relationship with other individuals. Researchers would like to take advantage of these genomic data by using their classification information (e.g. location of living, gender, age and place of birth). As it is essen-tial to permit researchers to use such databases for scientific advancements, database owners would allow scientists to query the database. Using specific parameters in a query and iterating the queries by changing the parameters, would easily result in revealing one or more individuals identity. Thus, privacy of the individuals, whose genomic and personal data resides in the data-base, should be guaranteed using privacy preserving methods.
In this problem scenario, a researcher Alice want to test an hypothesis using a genomic database. Bob, the database owner, does not trust Alice, as she would be trying to obtain private infor-mation from database using one or more queries. Bob also does not trust any of his employees and does not want them to be able to access sensitive data. As result of her query, Alice expects to receive a meaningful result to test her hypothesis, while Bob wants to preserve the privacy of the data-owners along with serving to the scientific world. A solution to this problem should provide pri-vacy protection by preventing an attacker to identify individuals from one or combined query results.
3.4.1. Proposed solutions
Canim et al.[33]proposed to use cryptographic hardware for secure storage, share and query of genomic data. As a tamper-proof hardware, secure co-processors are employed for processing genomic data owned by health organizations e.g. hospi-tals. Data reside, in encrypted form, in data storage servers which are assumed to be untrusted. Proposed solution only addresses the genomic data owned by health organizations and benefit from potentially expensive tamper-proof hardware. As the authors agree, the proposed protocol cannot provide privacy in the case where information is extracted from the query results.
3.4.2. Open problems
Canim et al.’s solution[33]is very efficient. However, the size of query is limited to the size of tamper-evident hardware’s memory. Therefore, this solution needs some improvements in order to accommodate larger queries.
3.5. Private query on a public genomic database
Scientists draw upon variety of public databases containing information about health-care data, protein structure and gene ontology. Sometimes these researchers do not want to reveal test parameters or even the idea behind their hypotheses. As an exam-ple think of a scientist from academia and a researcher at pharma-ceutical company who are conducting research on same databases and on same topics. Both would like to keep their studies confiden-tial from each other before publishing or patenting their findings due to competing financial interests. As a result it is critical protect the rights of query-owners in order to avoid plagiarism.
3.5.1. Proposed solutions
Up to authors’ best knowledge, there is not any proposed solu-tion specifically aimed to solve this type of problem. Nevertheless, this problem may be considered as a sub-problem of ‘‘Private Query on Private Genomic Data’’ and therefore provided solutions for the latter problem may be directly applied to this problem. 3.6. Private query on private genomic database
In a similar way with the previous problem, researchers may want to use databases containing private genomic data to conduct a research. In this case, the querier desires to protect her academic
or commercial interests by keeping her hypothesis confidential which can be easily deducted from database queries. For this case, the database operator is obliged to protect privacy of the genomic data owners as (probably) enforced by the law. Therefore along with the confidentiality of queries, any private information resid-ing in the database should be protected as well.
In this scenario, a scientist Alice working in a university aims to study an illness caused by genetic disorder using a private genomic database operated by Bob. Alice does not trust Bob and would like to conceal the hypothesis represented in the database query. At the same time, Bob does not trust Alice and want to protect privacy of individuals whose sensitive genomic data reside in the database. Thus, a proposed solution should provide mechanisms to protect not only the confidentiality of queries and their results but also the privacy of genomic data owners.
3.6.1. Proposed solutions
A large part of the human genome is identical among human-kind and regions which are unique to a single individual is relatively small. Based on this information, Wang et al.[20] pro-posed a computation method that separates sensitive parts of a genomic data. They consider the problem of comparing a query sequence from a reference genome with its homologous gene sequences from all genomes in a personal genome database. They proposed a framework in which a computation task is distributed between Data Provider (DP) and Data Consumer (DC). DP performs calculations on sensitive parts of the genome while DC works on the rest. Thereby, sensitive information such as SNPs which can be used to identify individuals are not disclosed to DC.
Ignatenko and Petkovic[34]proposed a solution for searching and matching DNA sequence in a private DNA database. The pro-posed solution represents DNA sequences as context trees that are used as index information for privacy-preserving matching and similarity searching. The context trees are built using the universal compression technique called context-tree weighting (CTW)[35]. 3.6.2. Open problems
The major problem of Wang et al.’s solution[20]is determining sensitive and non-sensitive parts of genomic data. Some non-sensitive parts of genomic data may be considered sensitive in the future. Furthermore, some parts of sensitive genomic data are public information and they may be used by an attacker in order to retrieve other sensitive parts.
3.7. Privacy-preserving data sharing for genome-wide association studies
Genome-wide association study (GWAS), also known as whole genome association study (WGAS) determines associations between common genetic variations and specific traits. It produces aggregate statistics by examining single nucleotide polymor-phisms (SNPs) from thousands of individuals. Aggregate statistics are used to find associations between a SNP and a disease[36]. 3.7.1. Proposed attacks
For many years, the sharing of aggregate statistics has not been seen as a threat for the participant’s privacy, because they are col-lected from many individuals. Homer et al.[37]presented a frame-work for accurately and robustly detecting the presence of an individual with known genotype in a complex DNA mixture. They measure the distance of the individual from a reference and a test population. Moreover, they construct a t-test using these dis-tance metrics and identify the previously unknown individuals. Several subsequent studies[38–40]tried to make improvements on the statistical power of Homer et al.’s method. Sankaraman et al.[38]presented an upper bound on the power of detection.
The researchers can be use Sankaraman et al.’s results as a guide-line to make a limited number of SNPs available publicly without compromising privacy.
Homer et al.’s attack requires large set of statistics in order to detect individuals. Wang et al.[41]show that individuals can be detected from small set of statistics. They proposed two attacks. The first one can be detect an individual from a couple of hundreds of statistics by using the correlations among different SNPs. The second one can disclose the identity of hundreds of participants.
Zhou et al.[42]tested identification attack and recovery attack on different data sets. They found that it is very difficult to extract significant information from these data sets. Cai et al.[43]proposed the first practical attack that can detect specific individuals for GWAS data. They also point out that the number of detected indi-viduals increases, as the number of published genotype increases. 3.7.2. Proposed solutions
In the literature, there are studies that use differential privacy methodology[44] in order to protect the privacy of individuals. These studies utilize differential privacy by adding random noise to aggregate statistics.
Uhler et al.[45]proposed a privacy preserving method for the release of GWAS data. They utilized the differential privacy for the release of aggregate minor allele frequencies and the release of differentially-private statistics without compromising an indi-vidual’s privacy.
Johnson and Shmatikov[46] proposed an algorithmic frame-work for GWAS data. Their algorithms performs privacy preserving computation of the number and location of SNPs that are signifi-cantly associated with the disease, p-values for any statistical test between a given SNP and the disease, the block structure of corre-lations, any measure of correlation between SNPs. They perform these privacy preserving computations by injecting random noise into the statistics.
Yu et al.[36]extended Uhler et al.’ method[45]by considering release of differentially-private statistics by allowing for arbitrary number of cases and controls. They also consider the situation where data for the cases or the controls are known to the attacker. Yu and Ji [47] presented a new explication of differentially-private statistics that helps to conceptualize the Hamming distance score. They also proposed a new method for finding the hamming distance score with sensitivity 1.
Jiang et al.[48]show that the use of current perturbation tech-nique is unlikely for the sharing of entire human genomic data. Furthermore, their result show that the top-K most significant SNVs among all SNVs across the genome can be released in privacy-preserving manner when K is small (e.g., 5–10).
Zhao et al.[49]proposed a method for data selection. The pro-posed method helps data owner create differentially private pilot data by leveraging the linkage disequilibrium in the human gen-ome to preserve both the utility of the data and the privacy of the patients. The proposed method does not offer a guarantee to assistance in exploring disease markers. It helps researchers to select the most useful dataset for their needs.
3.7.3. Open problems
The above studies are impractical because they needs a large amount of noise in order to satisfy the differential privacy for a small number of SNPs[5]. It is an open question whether there is a data sharing method that needs smaller amounts of noise on GWAS data in order to satisfy differential privacy.
3.8. Unclassified solutions
Ayday et al.[50]proposed a method in which researchers can observe aligned raw genomic data of patients without breaking
privacy. Despite available variant calling algorithms researchers should investigate real DNA reads before determining the variants on patient’s genome, as sequencing platforms can make reading errors and reliability of the variant calling algorithms is still dis-cussed. In the proposed solution, short reads are encrypted by cer-tificated institution which performs sequencing and stores the data at the biobank. The main purpose of the proposed system is trans-mission of short reads in a certain range to the medical unit with-out revealing the details of the biobank. Furthermore, this system prevents medical unit from obtaining some particular parts of required short reads by masking encrypted short reads. However, this solution has some privacy problems. As a threat to proposed solution, a malicious employee can access the medical unit’s data-base and give an additional access rights to request owners. As a result, whole genome information can easily be covered by several iterative queries. Furthermore, the masking and key manager can learn the locations of important insertions and deletions that give critical information about patient’s health.
The personal health record system, PING, is designed to store personal genomic data securely and efficiently[51]. The proposed system also supports the secure and private sharing of genomic data. The authors suggested use of secure array mechanism that allows individual storage and efficient access to each individual item. They try to safeguard a certain level of privacy for genomic data by using policy files, where users can determine which parts of their genomic data are accessible. As a problem to this solution, a person or institution that calculates the disease risk have free access to disease-associated genomic data, which may be a victim of privacy violation.
4. Conclusion
Every year sequencing and bioinformatics are becoming more important with increasing number of genetic tests such as; pater-nity, non-invasive prenatal diagnosis, new-born screening, allergy and disease tendency tests. Individuals are sequenced for variety of reasons and undesired access to these sensible genomic infor-mation may cause serious privacy violations in the future. Despite the breakthroughs in medicine and health sciences reached by the use of sequencing technology, lack of privacy pre-serving methods may create problems greater than its benefits. In order to ease and summarize the corresponding problems com-ing with privacy leak in genomic data, we have classified existcom-ing security problems and solutions in a more convenient and under-standable way. Moreover we have also included the open problems belonging to each category we defined.
In the upcoming years, with advances in genome sequencing technology privacy of sensitive genomic data will become all the more vital given the fast growing volume of available genetic tests. Conflict of interest
None declared.
Appendix A. Technical glossary
De-identification: This is the process of removing identity information from a data set, to prevent inference of a per-son’s identity. De-identification is widely used in medical research where medical statistics of patients are collected and shared for research purposes.
Homomorphic encryption: This is an encryption scheme where computations can be made on cipher-text (encrypted plain-text) and decryption of resulting cipher-text would be equal to result of computations made on the plain-text.
Homomorphic encryption schemes show great promise of use in cloud computing environments as homomorphic encryption enables applying operations on encrypted information.
Provable security: This type of security usually refers to mathematical proofs and provable security definitions. Overall, it is used for any type of proven security which depends on attacker’s abilities.
Differential privacy: Differential privacy, previously denoted as indistinguishability, defines the notion of privacy in statistical databases, where sensitive information like medical records reside. These databases employing privacy preserving methods, make statistical data available to public domain by removing any sensitive information related to the users.
Keyed hashes: A hash function is a one way mechanism to calculate a fixed length message digest from variable length input messages. It is practically infeasible to find two mes-sages whose digests are same. Hash functions are publicly available and anyone who knows a message, can compute its digest. A keyed hash mechanism improves the normal hash procedure and introduces secret key usage in message digest calculation process. Therefore, only that secret key holders are allowed to compute keyed hash of a message. Yao’s garbled circuit: This is a specific type of a secure
party computation which provides methods for multi-ple participants to compute a function f without revealing information about the inputs to each other. Yao’s garbled cir-cuit is a two party protocol.
Zero-knowledge proof protocol: This is a method for prov-ing a statement, on which no information is disclosed except the information about correctness of the statement.
References
[1] A.E. Guttmacher, F.S. Collins, Welcome to the genomic era, N. Engl. J. Med. 349 (10) (2003) 996–998, http://dx.doi.org/10.1056/NEJMe038132. pMID: 12954750.
[2] L. Sweeney, A. Abu, J. Winn, Identifying participants in the personal genome project by name (A re-identification experiment), CoRR abs/1304.7605, 2013. [3]M. Gymrek, A.L. McGuire, D. Golan, E. Halperin, Y. Erlich, Identifying personal
genomes by surname inference, Science 339 (6117) (2013) 321–324. [4]B.A. Malin, Technical evaluation: an evaluation of the current state of genomic
data privacy protection technology and a roadmap for the future, JAMIA 12 (1) (2005) 28–34.
[5]Y. Erlich, A. Narayanan, Routes for breaching and protecting genetic privacy, Nat. Rev. Genet. (2014).
[6] M. Naveed, E. Ayday, E.W. Clayton, J. Fellay, C.A. Gunter, J. Hubaux, B.A. Malin, X. Wang, Privacy and security in the genomic era, CoRR abs/1405.1891, 2014. [7]J.C. Venter, M.D. Adams, E.W. Myers, P.W. Li, R.J. Mural, G.G. Sutton, H.O. Smith, M. Yandell, C.A. Evans, R.A. Holt, J.D. Gocayne, P. Amanatides, R.M. Ballew, D.H. Huson, J.R. Wortman, Q. Zhang, C.D. Kodira, X.H. Zheng, L. Chen, M. Skupski, G. Subramanian, P.D. Thomas, J. Zhang, G.L.G. Miklos, C. Nelson, S. Broder, A.G. Clark, J. Nadeau, V.A. McKusick, N. Zinder, A.J. Levine, R.J. Roberts, M. Simon, C. Slayman, M. Hunkapiller, R. Bolanos, A. Delcher, I. Dew, D. Fasulo, M. Flanigan, L. Florea, A. Halpern, S. Hannenhalli, S. Kravitz, S. Levy, C. Mobarry, K. Reinert, K. Remington, J. Abu-Threideh, E. Beasley, K. Biddick, V. Bonazzi, R. Brandon, M. Cargill, I. Chandramouliswaran, R. Charlab, K. Chaturvedi, Z. Deng, V.D. Francesco, P. Dunn, K. Eilbeck, C. Evangelista, A.E. Gabrielian, W. Gan, W. Ge, F. Gong, Z. Gu, P. Guan, T.J. Heiman, M.E. Higgins, R.-R. Ji, Z. Ke, K.A. Ketchum, Z. Lai, Y. Lei, Z. Li, J. Li, Y. Liang, X. Lin, F. Lu, G.V. Merkulov, N. Milshina, H.M. Moore, A.K. Naik, V.A. Narayan, B. Neelam, D. Nusskern, D.B. Rusch, S. Salzberg, W. Shao, B. Shue, J. Sun, Z.Y. Wang, A. Wang, X. Wang, J. Wang, M.-H. Wei, R. Wides, C. Xiao, E.A. Yan, Chunhua, The sequence of the human genome, Science 291 (5507) (2001) 1304–1351.
[8]J.T. Robinson, H. Thorvaldsdóttir, W. Winckler, M. Guttman, E.S. Lander, G. Getz, J.P. Mesirov, Integrative genomics viewer, Nat. Biotechnol. 29 (1) (2011) 24–26.
[9]H. Thorvaldsdóttir, J.T. Robinson, J.P. Mesirov, Integrative genomics viewer (IGV): high-performance genomics data visualization and exploration, Briefings Bioinform. (2012).
[10] M. Akgün, B. Ergüner, A.O. Bayrak, M.S. Sagiroglu, Human genome in a smart card, in: HEALTHINF, 2014, pp. 122–126.
[11] Y. Chen, B. Peng, X. Wang, H. Tang, Large-scale privacy-preserving mapping of human genomic sequences on hybrid clouds, in: NDSS, 2012.
[12]R.A. Baeza-Yates, C.H. Perleberg, Fast and practical approximate string matching, Inf. Process. Lett. 59 (1) (1996) 21–27.
[13] E. Ayday, J.L. Raisaro, J.-P. Hubaux, Privacy-Enhancing Technologies for Medical Tests Using Genomic Data, Tech. rep., 2012.
[14] E. Ayday, J.L. Raisaro, M. Laren, P. Jack, J. Fellay, J.-P. Hubaux, Privacy-preserving computation of disease risk by using genomic, clinical, and environmental data, in: Proceedings of USENIX Security Workshop on Health Information Technologies (HealthTech ’13), 2013.
[15] E. Ayday, J.L. Raisaro, J.-P. Hubaux, Personal use of the genomic data: privacy vs. storage cost, in: IEEE Global Communications Conference, Exhibition and Industry Forum GLOBECOM, 2013.
[16] M. Goodrich, The mastermind attack on genomic data, in: 30th IEEE Symposium on Security and Privacy, 2009, pp. 204–218.
[17] M.J. Atallah, F. Kerschbaum, W. Du, Secure and private sequence comparisons, in: Proceedings of the 2003 ACM Workshop on Privacy in the Electronic Society, WPES ’03, ACM, New York, NY, USA, 2003, pp. 39–44, http:// dx.doi.org/10.1145/1005140.1005147.
[18] S. Jha, L. Kruger, V. Shmatikov, Towards practical privacy for genomic computation, in: IEEE Symposium on Security and Privacy, 2008, SP 2008, 2008, pp. 216–230.http://dx.doi.org/10.1109/SP.2008.34.
[19] D. Szajda, M. Pohl, J. Owen, B.G. Lawson, Toward a practical data privacy scheme for a distributed implementation of the smith-waterman genome sequence comparison algorithm, in: Proceedings of the Network and Distributed System Security Symposium, NDSS 2006, San Diego, California, USA, 2006.
[20]R. Wang, X. Wang, Z. Li, H. Tang, M.K. Reiter, Z. Dong, Privacy-preserving genomic computation through program specialization, in: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS ’09, ACM, New York, NY, USA, 2009, pp. 338–347.
[21]J.R. Troncoso-Pastoriza, S. Katzenbeisser, M. Celik, Privacy preserving error resilient dna searching through oblivious automata, in: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, ACM, New York, NY, USA, 2007, pp. 519–528.
[22]M. Blanton, M. Aliasgari, Secure outsourcing of dna searching via finite automata, in: Proceedings of the 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, DBSec’10, Springer-Verlag, Berlin, Heidelberg, 2010, pp. 49–64.
[23] F. Bruekers, S. Katzenbeisser, K. Kursawe, P. Tuyls, Privacy-Preserving Matching of DNA Profiles, Cryptology ePrint Archive, Report 2008/203, 2008. [24] D. Eppstein, M.T. Goodrich, P. Baldi, Privacy-enhanced methods for comparing
compressed dna sequences, CoRR abs/1107.3593, 2011.
[25]D. Eppstein, M.T. Goodrich, Straggler identification in round-trip data streams via newton’s identities and invertible bloom filters, IEEE Trans. Knowl. Data Eng. 23 (2) (2011) 297–306.
[26]M. Franz, B. Deiseroth, K. Hamacher, S. Jha, S. Katzenbeisser, H. Schröder, Towards secure bioinformatics services (short paper), in: Proceedings of the 15th International Conference on Financial Cryptography and Data Security, FC’11, Springer-Verlag, Berlin, Heidelberg, 2012, pp. 276–283.
[27]S.R. Eddy, Profile hidden Markov models, Bioinformatics 14 (9) (1998) 755– 763.
[28]P. Baldi, R. Baronio, E. De Cristofaro, P. Gasti, G. Tsudik, Countering Gattaca: efficient and secure testing of fully-sequenced human genomes, in: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS ’11, ACM, New York, NY, USA, 2011, pp. 691–702.
[29]E. De Cristofaro, S. Faber, P. Gasti, G. Tsudik, GenoDroid: are privacy-preserving genomic tests ready for prime time?, in: Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society, WPES ’12, ACM, New York, NY, USA, 2012, pp 97–108.
[30]E. De Cristofaro, S. Faber, G. Tsudik, Secure genomic testing with size- and position-hiding private substring matching, in: Proceedings of the 12th ACM Workshop on Privacy in the Electronic Society, WPES ’13, ACM, New York, NY, USA, 2013, pp. 107–118.
[31] F. Kerschbaum, M. Beck, D. Schönfeld, Inference control for privacy-preserving genome matching, CoRR abs/1405.0205, 2014.
[32] M. Naehrig, K. Lauter, V. Vaikuntanathan, Can homomorphic encryption be practical?, in: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW ’11, ACM, New York, NY, USA, 2011, pp 113–124, http://dx.doi.org/10.1145/2046660.2046682.
[33]M. Canim, M. Kantarcioglu, B. Malin, Secure management of biomedical data with cryptographic hardware, Trans. Info. Tech. Biomed. 16 (1) (2012) 166– 175.
[34] T. Ignatenko, M. Petkovic, AU2EU: privacy-preserving matching of DNA sequences, in: D. Naccache, D. Sauveron (Eds.), Information Security Theory and Practice, Securing the Internet of Things, Lecture Notes in Computer Science, vol. 8501, 2014, pp. 180–189.
[35] F.M.J. Willems, Y. Shtarkov, T. Tjalkens, The context-tree weighting method: basic properties, IEEE Trans. Inf. Theory 41 (3) (1995) 653–664, http:// dx.doi.org/10.1109/18.382012.
[36]F. Yu, S.E. Fienberg, A.B. Slavkovic, C. Uhler, Scalable privacy-preserving data sharing methodology for genome-wide association studies, J. Biomed. Inform. (0) (2014).
[37]N. Homer, S. Szelinger, M. Redman, D. Duggan, W. Tembe, J. Muehling, J.V. Pearson, D.A. Stephan, S.F. Nelson, D.W. Craig, Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays, PLoS Genet. 4 (8) (2008) e1000167. [38] S. Sankararaman, G. Obozinski, M.I. Jordan, E. Halperin, Genomic privacy and
limits of individual detection in a pool, Nat. Genet. 41 (9) (2009) 965–967, http://dx.doi.org/10.1038/ng.436.
[39] K.B. Jacobs, M. Yeager, S. Wacholder, D. Craig, P. Kraft, D.J. Hunter, J. Paschal, T.A. Manolio, M. Tucker, R.N. Hoover, G.D. Thomas, S.J. Chanock, N. Chatterjee, A new statistic and its power to infer membership in a genome-wide association study using genotype frequencies, Nat. Genet. 41 (11) (2009) 1253–1257,http://dx.doi.org/10.1038/ng.455.
[40] P.M. Visscher, W.G. Hill, The limits of individual identification from sample allele frequencies: theory and statistical analysis, PLoS Genet. 5 (10) (2009) e1000628,http://dx.doi.org/10.1371/journal.pgen.1000628.
[41] R. Wang, Y.F. Li, X. Wang, H. Tang, X. Zhou, Learning your identity and disease from research papers: information leaks in genome wide association study, in: Proceedings of the 16th Springer Conference on Computer and Communications Security, CCS ’09, ACM, New York, NY, USA, 2009, pp. 534– 544,http://dx.doi.org/10.1145/1653662.1653726.
[42] X. Zhou, B. Peng, Y. Li, Y. Chen, H. Tang, X. Wang, To release or not to release: evaluating information leaks in aggregate human-genome data, in: V. Atluri, C. Diaz (Eds.), Computer Security – ESORICS 2011, Lecture Notes in Computer Science, vol. 6879, Springer, Berlin, Heidelberg, 2011, pp. 607– 627,http://dx.doi.org/10.1007/978-3-642-23822-2-33.
[43] R. Cai, Z. Hao, M. Winslett, X. Xiao, Y. Yang, Z. Zhang, S. Zhou, Deterministic identification of specific individuals from GWAS results, Bioinformatics.http:// dx.doi.org/10.1093/bioinformatics/btv018.
[44]C. Dwork, Differential privacy, in: M. Bugliesi, B. Preneel, V. Sassone, I. Wegener (Eds.), Automata, Languages and Programming,, Lecture Notes in Computer Science, vol. 4052, Springer, Berlin, Heidelberg, 2006, pp. 1–12. [45]C. Uhler, A.B. Slavkovic, S.E. Fienberg, Privacy-preserving data sharing for
genome-wide association studies, J. Privacy Confidentiality 5 (1) (2013) 137– 166.
[46] A. Johnson, V. Shmatikov, Privacy-preserving data exploration in genome-wide association studies, in: Proceedings of the 19th Springer SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’13, ACM, New York, NY, USA, 2013, pp. 1079–1087, http://dx.doi.org/10.1145/ 2487575.2487687.
[47] F. Yu, Z. Ji, Scalable privacy-preserving data sharing methodology for genome-wide association studies: an application to iDASH healthcare privacy protection challenge, BMC Med. Inf. Decis. Making 14 (S-1) (2014) S3,http:// dx.doi.org/10.1186/1472-6947-14-S1-S3.
[48] X. Jiang, Y. Zhao, X. Fang, B. Malin, S. Wang, L. Ohno-Machado, H. Tang, A community assessment of privacy preserving techniques for human genomes, BMC Med. Inf. Decis. Making 14 (S-1) (2014) S1,http://dx.doi.org/10.1186/ 1472-6947-14-S1-S1.
[49] Y. Zhao, X. Wang, X. Jiang, L. Ohno-Machado, H. Tang, Choosing blindly but wisely: differentially private solicitation of dna datasets for disease marker discovery, J. Am. Med. Inform. Assoc. 22 (1) (2015) 100–108,http://dx.doi.org/ 10.1136/amiajnl-2014-003043.
[50] E. Ayday, J.L. Raisaro, U. Hengartner, A. Molyneaux, J.-P. Hubaux, Privacy-preserving processing of raw genomic data, in: 8th Data Privacy Management (DPM 2013) International Workshop (in conjunction with ESORICS 2013), 2013.
[51]B. Adida, I. Kohane, Geneping: secure, scalable management of personal genomic data, BMC Genomics 7 (1) (2006) 1–10.