In a corner of my Google Drive sits my own whole-genome sequencing (WGS) data, downloaded a while back and left untouched. I thought about putting it somewhere public — but I’m still hesitating. The reason for that hesitation is this story.

Genome data released for research carries no names. The IDs are anonymous codes like NA12878, and personal information is presumed erased. Yet a 2013 Science paper by Gymrek et al. showed that this anonymity is thinner than it looks. Using nothing but the genomic sequence and a few pieces of metadata carelessly attached alongside it, the authors recovered participants’ actual surnames and identities.

The key: two things that flow down the same paternal line

The core idea is surprisingly simple. Two things are passed together from father to son:

  • The Y chromosome — carried only by males, handed down the paternal line almost unchanged.
  • The surname — in many cultures, likewise inherited father → son.

As a result, there is a statistical correlation between the short-repeat markers on the Y chromosome — Y-STRs (Y-chromosome Short Tandem Repeats) — and the surname. Men sharing a surname are likely to share a similar Y-STR haplotype, because they share paternal ancestry.

📝 What is a Y-STR haplotype? An STR is a stretch of DNA where a short unit repeats many times, like GATA GATA GATA …, and the number of repeats varies from person to person. Counting those repeat numbers at several STR positions on the Y chromosome and listing them out gives a set of numbers (e.g. DYS391=10, DYS389=13, …) — that is a Y-STR haplotype. It acts like a fingerprint of the paternal line; the more markers you test, the higher the resolution.

One more ingredient made the attack possible: genetic genealogy databases (Ysearch, SMGF, and the like), where hobbyist genealogists voluntarily upload their own Y-STR profiles alongside their surnames. In effect, a public lookup table linking “this Y-STR pattern → this surname” already existed on the open internet.

📝 Ysearch and SMGF Both were Y-STR genealogy databases that were actually public at the time of the paper.

  • SMGF (Sorenson Molecular Genealogy Foundation): a nonprofit project started around 1999 by businessman James LeVoy Sorenson and BYU’s Scott Woodward. It collected over 100,000 DNA samples from around the world, paired with family pedigrees, and made them searchable. It was later acquired by Ancestry.com, and the public database was taken down around 2015.
  • Ysearch: a free, public Y-STR database operated by the testing company FamilyTreeDNA, where users uploaded their own profiles alongside their surnames. It was shut down in 2018 amid privacy concerns.

The telling twist: both databases were later closed, in part because of the very risk this paper exposed.

How the tracing works

The re-identification the paper demonstrated has three steps.

  1. Extract the Y-STR profile — compute the Y-STR marker pattern from a publicly available male genome sequence.
  2. Query for the surname — query that pattern against a genetic genealogy database, estimate the time to the most recent common ancestor, and obtain the most likely surname candidate.
  3. Triangulate — combine the recovered surname with metadata released alongside the data, such as age and state of residence. Surname + age + state is enough to narrow down and pinpoint an individual using public records and search engines.

The striking part: the entire process relied on free, publicly accessible internet resources. No privileged access, no hacking required.

Results

Using this method, the researchers actually traced anonymous genome participants and their relatives to real identities. Starting from Y-STRs of 911 individuals, the projected surname-recovery success rate within the U.S. was about 12%. Because breaking one genome also exposes paternal relatives who share the Y chromosome, the blast radius extends beyond the individual.

And the final piece that clinched each identification was not the genomic sequence itself, but the age and location information sitting innocuously beside it — a particularly uncomfortable detail.

Aftermath

Right after the paper appeared, the U.S. NIH moved quasi-identifying metadata such as age to controlled access in public repositories like dbGaP. The comfortable assumption that “anonymized genomes are safe” collapsed, and it forced a rethink of consent and governance in genomic data sharing. The paper has since become a standard reference in genomic privacy research.


Reference: Gymrek, M., McGuire, A. L., Golan, D., Halperin, E., & Erlich, Y. (2013). Identifying Personal Genomes by Surname Inference. Science, 339(6117), 321–324. doi:10.1126/science.1229566