Here we first describe our methods to infer (quantify) private information from summary statistics in meta-analysis QC. We will then analyze QC sub-procedures in detail and pro- pose ways to mitigate the aforementioned privacy risks, using distributed computing and cryptography.

III.2.1 Privacy Inference Attacks

The summary statistics exposed in meta-analysis QC are vulnerable to multiple types of privacy breaching attacks, which we introduce below.

III.2.1.1 Study Participation Status Inference from Allele Frequencies.

Allele frequency can be leveraged to distinguish participants from non-participants in GWAS [69]. Effect allele frequency (EAF), which is routinely shared for meta-analysis QC, is vulnerable to such risk. To illustrate this, for each target individuali, we measure the devi- ations of his genome (denotedY_i) from two different allele frequency references: the study mixture (the EAF shared in QC; denotedStd), and a pubic reference panel (e.g., the 1000 Genome Project [29] or HapMap [54]; denoted as Ref). We then accumulate such devia- tions over many SNPs (indexed by j), leading to distinct distributions of attack score for study participants and non-participants. For individualiand SNPj, the distance measure is defined as [69]:

D(Y_i,j) =|Y_i,j−Re f_j| − |Y_i,j−Std_j|, (III.1) where Re f_j and Std_j denote the allele frequencies for SNP j from public reference and study mixture, respectively. To quantify the differences in distribution of the deviations, we take a one-sampled t-test across allM SNPs and derive the risk score for each target individuali[69]:

T(Y_i) = E(D(Y_i)) SD(D(Y_i))/√

M (III.2)

whereE(.) denotes the expectation, andSD(.) is the standard deviation.

III.2.1.2 Inference of Exact Traits and Study Participation Status.

GWAS summary results, such as effect size estimates and direction of the effect, can be leveraged to breach privacy of target individuals (e.g., recovering quantitative eQTL traits [77]). This works well especially when GWAS regression overfit to the data (i.e., fit- ting too well). Specifically, given the regression estimates (denotedβ_j for each SNPj) and the target individual’s genotypes (i.e., predictor X_i,j for SNP j), we can predict the corre- sponding response variable for Individuali(i.e., the sensitive trait; denotedY_i) as averaged

across many SNPs [77]:

Y_i= n M

M j=1

∑

β_j(Xi,j−Re f_j), (III.3) whereRef_j denotes the public reference panel (for SNP j), ndenotes the total number of individuals,Mis the number of SNPs.

For dichotomous traits, we design a different attack score (or inferred trait; in the range between 0 and 1):

Y_i=1/{1+exp[−n M

M

∑

j=1

β_j(X_i,j−Re f_j)]} (III.4) The direction of the effect can also reveal much private information, such as recovery of quantitative traits [77]. The inference approach is based on the aforementioned attacks on effect size estimates, such that:

S_i= 1 M

M

∑

j=1

sign(β)sign(X_i,j−Re f_j), (III.5)

wheresign(.) corresponds to the sign of the data.

III.2.2 QC practice and adversarial scenarios.

We focus on the common scenario of conducting GWA meta-analysis across multiple co- horts in consortia. Such a collaborative study typically involves the following entities: i) multiple local sites who possess (private) individual-level data and contribute (summary) data to the joint study, ii) a coordinating center (i.e., the central authority) who is responsi- ble for coordination, data consolidation and management, and joint analysis/computations (e.g., QC and meta-analysis).

In GWA meta-analysis, the primary target of protection is the privacy of individual study participants, including sensitive attributes such as disease (participation) status and quantitative traits of disease-related measurements.

By assessing privacy, our ultimate goal is to identify and protect procedures in which private information is disclosed to potentially malicious parties – it could be another partic-

ipating site in the consortia who wants to peek into others’ data, or a breached coordinating center or participating site who wants to infer personal sensitive information from genome, or even a malicious insider/employee at the coordinating center who hopes to gain sensitive information about all sites and their study participants. Therefore, we consider genome pri- vacy to be violated if: i) sensitive individual-level genome information is directly revealed to unintended parties (e.g., other sites in or outside the consortia, including the coordinat- ing center); ii) summary statistics of studies are disclosed elsewhere (e.g., other sites or the coordinating center) which prove to be directly linkable to private information about individual participants (examples include a large body of inference attacks on genetic pri- vacy [43, 69, 78, 134, 77, 124]).

III.2.3 Major QC procedures.

We present a high-level overview of the typical QC workflow for meta-analysis in Fig- ure III.2. Most QC procedures deal with data quality problems at one the following three levels: i) site-specific QC which mainly checks and cleans data files from each site; ii) cross-site-level QC which contrasts diagnostic summary statistics or plots across different sites to identify site-level issues, and iii) post-study-level QC which mainly verifies meta- analysis result reliability through heterogeneity tests,.

Current QC practice relies on one centralized entity such as a Coordination Center (or other analysis organizations) to perform all the procedures, even though this entity is not fully trusted to host privacy sensitive data, such as individual genomes (protection of individual raw data is a major reason advocating meta-analysis in the community). There is a common belief that summary statistics for QC maintain individual privacy. Here we analyze the summary statistics disclosed at various levels of QC, their privacy implications, and our proposed protections.

Figure III.1: Meta-analysis QC pipeline.

Figure III.2: The meta-analysis QC workflow and disclosed summary statistics. Each site performs their respective GWAS, after which result files are submitted to the Coordinating Center for QC and meta-analysis. The QC process is invoked through a series of layers:

File QC, Cross-study QC, and Post-analysis QC. During the process, various summary statistics are disclosed beyond their originating sites.

III.2.3.1 Site-specific QC.

This goal of site-specific QC is mainly to perform a series of local checks on various quality issues. Common checks include: removing monomorphic SNPs or SNPs with incomplete or inaccurate information, requiring a minimum sample size per study and a minimum number of minor alleles contributing to an SNP for each participating study, filtering by imputation quality using a threshold, and so on.