Brain Computer Interfaces (BCIs)

What is a Brain Computer Interface (BCI)?

Brain-computer interfaces (BCIs) are interfaces for recording and processing neurological data and turning these data into an output, e.g., a signal to control an external device [1].

BCIs can be categorized based on two dimensions:

1. actions based on brain activity, and
2. invasiveness [1].

The benefits or use-cases of BCIs are:

1. diagnosing medical conditions (e.g., depression),
2. modulating brain activity to deal with neurological conditions, and
3. improving accessibility for individuals with a disability through connection to external support devices such as a robotic arm [1].

What is neurodata?

Neurodata is data about neurological activity [1]. Neurodata can be directly recorded, e.g., by a BCI, or indirectly recorded, e.g., an individual’s spinal cord [1]. Inferences on neurodata via AI/ML algorithms can infer an individual’s mood, physiological characteristics, and arousal [1]. Neurodata can personally identify an individual by itself or when paired with other data associated with the individual [1].

What are the privacy risks associated with BCIs?

The privacy risks include:

1. Unauthorized access to personal information and inferences on such data,
2. The ability to infer conclusions about an individual even beyond their mental thoughts to their specific biology and preferences,
3. The use of neurodata, by itself or in association with other personally identifying information, in decision-making by third parties concerning the individual without the individual’s consent or knowledge, and
4. Use of neurodata for marketing purposes and selling goods or services [1].

Additionally, neurodata raises legal risks concerning Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) [1]. Neurodata would fall under concerns because neurodata would fall under HIPAA’s definition of personally identifying information, thus requiring entities that process neurodata to also determine whether they are a covered entity (e.g., a physician or hospital) under HIPAA or a third party that must comply with certain HIPAA regulations because of a business relationship with a covered entity [1, 2]. Generally, HIPAA does not apply to wellness companies that manufacture wellness devices [1].

Neurodata is subjected to the GDPR in Europe because neurodata can be considered personal data (health data or biometric data), thus requiring lawful grounds for processing an individual’s neurodata [1].

Some additional concerns also arise when determining whether fault lies with the BCI device user or the BCI device (e.g., in the case of a malfunction) in an incident where a BCI device user causes harm to another person or property [5].

What are the Governance or Technical Solutions for Data Ownership and Privacy?

Some potential solutions to these privacy risks that can ensure data ownership for BCI device users include:

1. Encryption: encrypt a user’s neurodata on the BCI device so that other people cannot decipher it. Additionally, the use of end-to-end encryption (E2EE) when neurodata is shared between a BCI device user and a third party or cloud server [1];
2. Local-first software: ensuring that neurodata is stored locally on the user’s device, with permissions for cloud access from applications [5];
3. Separation of data and compute (or edge computing): have BCI devices utilize edge computing so that BCI users do not need to share their data directly with a server (but can send their results to a cloud server) for inferences on their neurodata to be conducted with a AI/ML algorithm, [1, 3, 6];
4. Access control layer: through blockchain technology, it is possible to use smart contracts to provide an access control and identity layer for neurodata that can prevent unwanted access of neurodata by third parties [3]; and
5. Data cooperatives: BCI device users can create a cooperative to manage and govern their data, and can interact and provide a forum for stakeholders, including researchers, technologists, and users, to discuss ethical issues in sharing and using neurodata [6, 7]

References

1. https://fpf.org/blog/bci-technical-and-policy-recommendations-to-mitigate-privacy-risks/
2. https://fpf.org/blog/bcis-data-protection-in-healthcare-data-flows-risks-and-regulations/
3. https://www.personal.ai/privacy
4. http://learn.neurotechedu.com/introtobci/#ethics
5. https://www.inkandswitch.com/local-first/
6. https://polypoly.coop/en-de/FAQ/#polyPod
7. https://www.midata.coop/en/cooperative/