What is a Brain Computer Interface (BCI)?
Brain-computer interfaces (BCIs) are interfaces for recording and processing neurological data and turning these data into an output, e.g., a signal to control an external device [1].
BCIs can be categorized based on two dimensions:
- actions based on brain activity, and
- invasiveness [1].
The benefits or use-cases of BCIs are:
- diagnosing medical conditions (e.g., depression),
- modulating brain activity to deal with neurological conditions, and
- improving accessibility for individuals with a disability through connection to external support devices such as a robotic arm [1].
What is neurodata?
Neurodata is data about neurological activity [1]. Neurodata can be directly recorded, e.g., by a BCI, or indirectly recorded, e.g., an individual’s spinal cord [1]. Inferences on neurodata via AI/ML algorithms can infer an individual’s mood, physiological characteristics, and arousal [1]. Neurodata can personally identify an individual by itself or when paired with other data associated with the individual [1].
What are the privacy risks associated with BCIs?
The privacy risks include:
- Unauthorized access to personal information and inferences on such data,
- The ability to infer conclusions about an individual even beyond their mental thoughts to their specific biology and preferences,
- The use of neurodata, by itself or in association with other personally identifying information, in decision-making by third parties concerning the individual without the individual’s consent or knowledge, and
- Use of neurodata for marketing purposes and selling goods or services [1].
Additionally, neurodata raises legal risks concerning Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) [1]. Neurodata would fall under concerns because neurodata would fall under HIPAA’s definition of personally identifying information, thus requiring entities that process neurodata to also determine whether they are a covered entity (e.g., a physician or hospital) under HIPAA or a third party that must comply with certain HIPAA regulations because of a business relationship with a covered entity [1, 2]. Generally, HIPAA does not apply to wellness companies that manufacture wellness devices [1].
Neurodata is subjected to the GDPR in Europe because neurodata can be considered personal data (health data or biometric data), thus requiring lawful grounds for processing an individual’s neurodata [1].
Some additional concerns also arise when determining whether fault lies with the BCI device user or the BCI device (e.g., in the case of a malfunction) in an incident where a BCI device user causes harm to another person or property [5].
What are the Governance or Technical Solutions for Data Ownership and Privacy?
Some potential solutions to these privacy risks that can ensure data ownership for BCI device users include:
- Encryption: encrypt a user’s neurodata on the BCI device so that other people cannot decipher it. Additionally, the use of end-to-end encryption (E2EE) when neurodata is shared between a BCI device user and a third party or cloud server [1];
- Local-first software: ensuring that neurodata is stored locally on the user’s device, with permissions for cloud access from applications [5];
- Separation of data and compute (or edge computing): have BCI devices utilize edge computing so that BCI users do not need to share their data directly with a server (but can send their results to a cloud server) for inferences on their neurodata to be conducted with a AI/ML algorithm, [1, 3, 6];
- Access control layer: through blockchain technology, it is possible to use smart contracts to provide an access control and identity layer for neurodata that can prevent unwanted access of neurodata by third parties [3]; and
- Data cooperatives: BCI device users can create a cooperative to manage and govern their data, and can interact and provide a forum for stakeholders, including researchers, technologists, and users, to discuss ethical issues in sharing and using neurodata [6, 7]
References
- https://fpf.org/blog/bci-technical-and-policy-recommendations-to-mitigate-privacy-risks/
- https://fpf.org/blog/bcis-data-protection-in-healthcare-data-flows-risks-and-regulations/
- https://www.personal.ai/privacy
- http://learn.neurotechedu.com/introtobci/#ethics
- https://www.inkandswitch.com/local-first/
- https://polypoly.coop/en-de/FAQ/#polyPod
- https://www.midata.coop/en/cooperative/
