Sweden, my genetic data and our collective inability to keep secrets

A padlock in front of a DNA sequence

The UK has recently set a precedent, and the mighty Apple has caved in to UK demands. Apple has removed the option to turn on Advanced Data Protection, its end-to-end encryption for iCloud backups and most other iCloud data, for UK-based accounts. Without it, iCloud backups are still encrypted, but Apple holds the keys, so the UK government can obtain the contents of iPhone users' private communications from Apple via the iCloud backup. Almost everybody knowledgeable thinks this is a bad idea, because an access mechanism built for one government is an access mechanism for everyone: such backdoors tend to be found and abused by Russian or Chinese state hackers faster than King Charles III can give Royal Assent to the law that mandates them (see e.g. the Financial Times reporting here).

Sweden wants to follow the UK against all experts' advice
The UK is one thing; they left the EU against their own interest, remember? The Swedes, on the other hand, have always struck me as a sensible people, but now their government wants to follow the UK's example and outlaw secure communication. Not everybody in Sweden agrees that this is a good idea. Very notably, the Swedish Armed Forces have taken a stand against the government's plans, writing that the legislation could not be realized "without introducing vulnerabilities and backdoors that may be used by third parties." It is no secret who these third parties might be: Russia is probably at the top of the list. The problem with legislating technology is that most politicians do not understand technology.
Additionally, most politicians on the right of the political spectrum are not very eager to learn or to take advice from experts. When it comes to end-to-end encryption (E2EE), you cannot have it both ways: a "lawful access" mechanism is simply a second key that is supposed to be used only by the good guys, and cryptography has no way of telling the good guys from the bad. "It's either secure for everyone and from everyone, or it's not truly secure for anyone," says Steve Gibson, a well-known and respected security expert. That's why companies that do not want to compromise the security of their users have no other option than to withdraw from countries that enforce such laws; Signal has said it would leave Sweden rather than comply (https://www.theregister.com/2025/02/26/signal_will_withdraw_from_sweden). The argument for outlawing E2EE is always the same: fighting crime. Of course, the police's job would be much easier if every room in everybody's home had 360° security cameras recording nonstop, 24/7. Is that a good argument for mass surveillance of everybody's home?

Neither companies nor state organizations can keep data secret
In 2015, I participated in GeneRisk, a project studying the influence of genes on the risk of many common diseases. As a GeneRisk study subject, I divulged not only my DNA but also lots of sensitive information. Do I believe that my data is secure? Only naive fools trust the official data-protection boilerplate. Without identifiable information, how could the GeneRisk project give me personalized advice based on my risk profile? This specific service has since been discontinued, but at the time, my risk profile was available on the internet on some database server, accessible behind "strong authentication", which is bypassed easily and which we all know to be insufficient. The participation agreement form also reveals that my data can be linked back to me, since one question asked whether I would agree to be contacted if the analysis of my samples revealed something important for my health.

Security is porous; the pressure decides how much information leaks
A very superficial investigation of the security of my university's IT systems revealed that penetration from the outside is possible. Today's IT systems are so complex that, inevitably, one or a few minor mistakes happen during setup, and the whole security chain is only as strong as its weakest link. Most people do not realize that cyber warfare is asymmetric: the defender has to get everything right for the defence to hold, while the attacker only needs to find one unpatched hole. But the situation is actually much worse. We have roughly 35,000 university employees in Finland. We know that spies from non-democratic countries have infiltrated our universities: The Guardian and the Financial Times reported on a recent case in Norway, and Helsingin Sanomat on a case in Finland. Unfortunately, the in-depth reporting is behind a paywall, but there is a short report by YLE. In an internal meeting at our university, we were told that there is not much universities can do to prevent infiltration. Finland in particular has always had a large influx of talent from the East. These people do not need to break into our secure IT infrastructure, because they have legitimate access, and an insider with valid credentials leaves none of the traces that a perimeter breach does. Do you really think that none of the roughly 95,000 (1.7%) Russian-speaking individuals in Finland are admirers of Putin? Or that none of them would look the other way for the right amount of money?

It's too late to safeguard my genetic data - others decided about it without my consent
I am pretty convinced that the NSA, the FSB and the MSS have my genetic data, together with all the other digital data that I have more or less voluntarily handed to various state agencies. You probably remember that neither the US government nor Microsoft's C-level executives could be protected from talented nation-state-backed hackers from Russia, China or North Korea. As we speak, large parts of the US telephone network are infiltrated by adversarial foreign actors, whom the US seems unable to evict. Do you really think Finland does a better job of protecting its citizens in the digital realm? Coincidentally, Henna Virkkunen, the EU's Commissioner for Technological Sovereignty, Security and Democracy, is from Finland. So far, I have not been very impressed by what she's doing, or rather by her lack of proactivity. I fear that, due to her background, she might lack a deep understanding of technology, but hopefully she can make up for that by working together with the right people (= independent experts).

Many people use genealogical DNA tests (think 23andMe or MyHeritage). The 23andMe data has since surfaced on the dark web (https://en.wikipedia.org/wiki/23andMe_data_leak); notably, that breach was not a cryptographic failure but credential stuffing against user accounts, and the most valuable part of the haul was the "DNA Relatives" data, i.e. precisely the matches between people. DNA you leave behind at a crime scene can be traced back to you even if you personally never used such a service. It's enough that somebody in your wider family did and uploaded their results to a database that permits matching. You share about 12.5% of your DNA with each first cousin, and that is more than enough for a familial search to narrow the field to a handful of people, after which ordinary genealogy does the rest. How worried should you be? I think most of us are not high-profile targets. We are too unimportant to become targets. Until we are.