DNA profiles can reveal a number of details about individuals, and even about their family members. There are laws in place that regulate the trade of gene data, which has become much simpler and cheaper to analyze today. However, these laws do not apply to an equally relevant type of genetic data, so-called microRNAs, even though these can also point to serious diseases. This means that anonymity needs to be strictly maintained in microRNA studies as well. Researchers from the Research Center for IT Security, CISPA, have now been able to show that a few microRNA molecules are sufficient to draw conclusions about study participants. The computer scientists will be presenting their means of attack, and appropriate countermeasures, at the Cebit computer fair in Hannover (Hall 6, Stand C47).

"Ever since American scientists successfully attacked a study in 2008, where just parts of the DNA were enough to identify participants, researchers have been debating if, and in what detail, we should be permitted to publish gene data," says Michael Backes, who is professor for Cryptography and IT Security at Saarland University, and the scientific director of the Competence Center for IT security, CISPA. "Luckily we don't have that problem in Germany, that health insurance companies can ask for more money from someone who is sick," says Pascal Berrang, who is researching aspects of data privacy in genetic data as part of his doctoral studies at CISPA. This is different in the United States, for instance, where there is already a flourishing trade in health data. Not even medical studies are safe, says Berrang.

The researchers from Saarbrücken, together with their colleagues Mathias Humbert and Praveen Manoharan, focused on analyzing data security issues for a specific kind of gene information, one that is now commonly used in medical research: microRNAs. These short molecules of ribonucleic acid have recently gained importance as new forms of biomarkers – biological identifiers that clearly indicate a patient's general health condition, or the presence of certain diseases, to physicians and researchers. MicroRNAs can therefore divulge even more details about a patient's condition than conventional DNA analysis, since the latter only yields the probability of the patient developing the disease in question. This aspect of microRNA analysis makes the Saarbrücken computer scientists' findings even more significant. Using two different attack techniques, they were able to break the anonymity of the test subjects in a microRNA study. "If the results were published, and a health insurance fund knew the microRNA profile of one of its members, it could deduce whether that patient was part of the study, and pinpoint individual diseases," Pascal Berrang says; that would be more than enough information.