04:54 PM
Connect Directly

Bacteria Trail Betrays Identity Of Computer Users

Raising new privacy concerns, research shows that the DNA signatures of bacteria transferred to objects by human touch can be used for identification.

Scientists at the University of Colorado at Boulder have found that the bacteria trail left behind on objects like computer keyboards and mice can analyzed and used to help identify users of those devices.

"Your body is coated with bacteria inside and out," says CU-Boulder assistant professor Noah Fierer in a video on YouTube. "You're basically a walking microbial habitat. And we found that the diversity of bacteria just on the skin surface is really pretty incredible. You habor hundreds of different bacteria species just on your palm, for example. We've also found that everybody is pretty unique. So of those let's say hundred or so bacteria species, very few are of them are shared between individuals."

What Fierer and his colleagues have demonstrated in a new study is that the distinctive combination of bacteria each of us carries and distributes can be used to help identify what we've touched.

Such work may one day help link individuals to malicious computer use or other crimes.

The study, "Forensic identification using skin bacterial communities," appears in the March 15 Proceedings of the National Academy of Sciences. It describes how the researchers swabbed bacterial DNA from the keys of three personal computers and matched them to the bacteria on the fingertips of the owners of the keyboards. It also details a similar test conducted on computer mice that had not been touched for over 12 hours.

The study indicates that the technique is 70% to 90% accurate and Fierer expects that accuracy will improve as the technique is refined. Until accuracy is extremely high, the technique is most likely to be useful as a way to augment more established forensic techniques, like fingerprinting and DNA identification.

"There's still a lot of work we need to do to assess the validity of the technique and how well we can recover bacteria from surfaces and how well we can match objects to the individual how touched that object," Fierer explains in the video.

In a University of Colorado at Boulder news release, Fierer said that the new technique raises bioethical issues, including privacy. "While there are legal restrictions on the use of DNA and fingerprints, which are 'personally-identifying,' there currently are no restrictions on the use of human-associated bacteria to identify individuals," he said.

Fierer was not immediately available to comment.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.