
Brain-Computer Interface Applications: Security and Privacy Challenges


Abstract

Brain-Computer Interfaces (BCI) are becoming increasingly popular in medical and non-medical areas. Unfortunately, manufacturers of BCI devices focus on application development, without paying much attention to security and privacy related issues. Indeed, an increasing number of attacks on BCI applications underline the existence of such issues. For example, malicious developers of third-party applications could extract private information of users. In this paper, we focus on security and privacy of BCI applications. In particular, we classify BCI applications into four usage scenarios: 1) neuromedical applications, 2) user authentication, 3) gaming and entertainment, and 4) smartphone-based applications. For each usage scenario, we discuss security and privacy issues and possible countermeasures.
QianQian Li
University of Padua, Italy
Ding Ding
University of Padua, Italy
Mauro Conti
University of Padua, Italy
Index Terms—brain-computer interfaces; BCI applications;
neuromedical; gaming; security; privacy; smartphone
Brain-computer interfaces (BCI) are interfaces that collect data related to users’ brain activities through sensors and transfer this data to computers. In BCI systems, the brain does not use peripheral nerves to give orders to the body. Instead, the orders are captured directly by BCI devices and encoded into electro-physiological signals. These signals become commands that can control external devices and computer applications. For example, in order to control a cursor, signals are transmitted directly from the brain to the application that moves the cursor, rather than taking the “route” through peripheral nerves from the brain to the hand to move a mouse. This technology makes it easier for a human to communicate with computers or external devices, such as prosthetic devices (especially for patients with severe neuromuscular disorders). With the development of intelligent technologies, BCI technology has become pervasive in several fields of our life, such as the neuromedical field, authentication, gaming, entertainment, and marketing. Unfortunately, BCI manufacturers are developing devices and applications without taking security and privacy issues much into account. Using such devices, individuals’ private information could be stolen by malicious third party
Figure 1 shows the working of brain-computer interfaces.
First, the brain neural signals are captured by BCI devices
(step 1): this process is named signal acquisition. After signal
acquisition, BCI systems transform these analog signals into
digital signals (step 2). Then, using signal processing, the
features are extracted and classified (step 3 and step 4). Then,
the signal output is sent to BCI applications (step 5).
[Figure 1 (diagram not reproduced): blocks labelled Brain-Computer Interface, Signal Processing and BCI Applications, with feedback to user.]
Fig. 1: Working of Brain-Computer Interfaces.
BCI systems can be classified into three main groups: 1) invasive systems [1], 2) partially invasive systems, and 3) non-invasive systems. An invasive system requires electrodes to be physically implanted into the grey matter of the brain by neurosurgery, which makes it possible to measure local field potentials. A partially invasive system (e.g., electrocorticography - ECoG) is placed inside the skull but outside the grey matter. A non-invasive system (e.g., electroencephalography - EEG, and functional Magnetic Resonance Imaging - fMRI) is the most frequently used method of capturing neural signals. This kind of system is applied outside the skull, on the scalp. It records the brain activity inside the skull and on the surface of the brain membranes. EEG and fMRI give different perspectives and enable us to “look” inside the brain [2].
Note that invasive and partially invasive systems are prone to scar tissue, and they are difficult to operate. Furthermore, both of them are quite expensive. Although EEG signals can be affected by noise and signal distortion, they are easily measured and have good temporal resolution. Therefore, the most widely used method for recording brain activity in BCI systems is EEG. EEG-based devices directly measure electrical potentials produced by the brain’s neural synaptic activities. The five waves of human brain activity that can be captured by EEG devices are as follows: 1) gamma waves are in the frequency range of 31Hz and up, and are associated with arousal and excitement; 2) beta waves are in the frequency range of 12-30Hz, and are related to action and concentration; 3) alpha waves are in the frequency range of 8-12Hz, and reflect relaxation and disengagement; 4) theta waves, ranging from 4 to 7Hz, are linked to inefficiency and daydreaming; 5) delta waves, ranging from 0.5 to 4Hz, are the slowest waves and occur when a user is in hypnoidization.
Currently several companies produce BCI devices, for different purposes, ranging from clinical-grade BCI devices to consumer-grade BCI devices. Table I lists the main features of three common devices, while Figure 2 shows the appearances of these devices.
TABLE I: Comparison of BCI devices.
Device               Price      Electrodes  Resolution  Interface
BioSemi Active [3]   $12000     256         24 bits     Wired
Emotiv EPOC [4]      $399-499   14          14 bits     Wireless
NeuroSky [5]         $50-150    1           8 bits      Wireless
(a) Biosemi Active (b) Emotiv EPOC (c) NeuroSky
Fig. 2: BCI devices.
Contribution: In this paper, we discuss the main security and privacy challenges of brain-computer interfaces with respect to BCI applications. Because of the importance of the private information in our brain (i.e., all of our knowledge, ranging from passwords to our habits), it is vital to prevent it from being leaked to attackers. We list the security and privacy challenges of BCI applications and then discuss their possible
Organization: The rest of this paper is organized as follows. In Section II, we review the main BCI applications (i.e., neuromedical applications, authentication, gaming and entertainment, and smartphone-based applications), and for each application scenario we discuss the key security and privacy challenges together with possible countermeasures. We conclude this paper in Section III.
In this section, we classify BCI applications into four different application scenarios according to their usage purpose (i.e., neuromedical applications, authentication, gaming and entertainment, and smartphone-based applications). For each application scenario, we provide a description, as well as possible attacks (either already doable, or envisaged to be possible in the near future). Finally, for each application scenario we also discuss possible countermeasures.
A. Neuromedical Applications
Since BCI technology makes it easier for a human to communicate with external devices or computers, it is widely used in the neuromedical area to help patients control their body through BCI devices instead of nerves. BCI technology can help patients, especially those with severe neurological disorders, e.g., Parkinson’s disease. Several neural implantable devices [6] will be available in the near future. Because these applications are closely related to health, security and privacy concerns especially need to be taken into consideration. An example of a neuromedical application that might be exposed to attacks is the prosthetic limb application [7], for which, in what follows, we list possible attacks and countermeasures.
Attacks: As a representative case of neuromedical applications, the prosthetic limb application allows physicians to connect wirelessly to adjust the settings of neural implant devices. If complete brain neural signals are transmitted, an attacker can intercept the transmission, save the brain neural signals, and decompose the raw signals to obtain private information. We underline that these attacks are possible even when information is transmitted in an encrypted format [8]. Furthermore, an attacker could try to control the prosthetic limbs of patients and cause dangerous movements. Under this condition, an attacker does not need to be physically in the proximity of the victim. Instead, the attacker only needs to have attack hardware placed near the patient. Another possible scenario is the case in which patients themselves are the attackers and might modify settings on their own prosthetic limbs. They might just want to override mechanical safety settings to gain extra strength, or interfere with limb feedback to eliminate the ability to feel pain.
Countermeasures: There are some appropriate safeguards in the design of neuromedical applications which can be deployed in the coming years. For neuromedical applications used to treat patients, it is clear that the main countermeasures should focus on preventing life-threatening attacks. We should also protect the private feelings and emotions of patients from being leaked to attackers. In addition, these applications should prevent attackers from remotely eavesdropping on the wireless signals and collecting private information about patients’ activities. The communication between neural implantable devices and patients must be kept confidential. Furthermore, if patients are in a sensitive condition such as depression, preventing wireless attackers from detecting the presence of these implant devices is an effective way to protect their safety. In the future, more effective countermeasures should be proposed to guarantee that neuromedical applications are not only safe and effective, but also robust enough to prevent attacks.
B. User Authentication
Authentication is a process that ensures and confirms a user’s identity. It plays an important role in security systems. Using EEG brain signals as an authentication measure has been proposed in many works and proved to be effective. The authors of [9] aim at authenticating users based on brainwave signals. In particular, they use single-channel EEG signals for authentication. In this authentication system, BCI devices record brainwave signals while a subject performs a custom task (e.g., singing, breathing or finger movement). Then, the brain signals are wirelessly transmitted to a computer application which collects and processes this data. Their authentication system analyses the similarity between such brain data and training data to authenticate subjects. The authors show that their proposed authentication mechanism has the same accuracy as multi-channel EEG authentication, about 99% accuracy. Similar to [9], the authors of [10] take EEG brainwave features as neural passwords for authentication. The entire process is performed automatically, without human supervision. The authors use an algorithm that automatically extracts neural events corresponding to an individual’s blinking, jaw-clenching, and eye-rolling activities. The results show that the accuracy of this authentication method ranges from 67% to 95% with single-trial inputs.
Attacks: Using EEG brainwaves for authentication might result in risks for the privacy of users. For example, the authors of [11] propose an authentication system that verifies an individual’s EEG signal when a subject performs a custom task (e.g., singing, breathing or finger movement). They also design an attack model based on impersonating the thoughts of subjects. The authors mount deliberate attacks by thought impersonators to test the robustness of the authentication system. Similar to [12], an adversary can attack the authentication system via synthetic EEG signals; an EEG generative model based on the historical EEG data of a subject can also be used to attack the authentication system [13].
Countermeasures: To mitigate the authentication attacks mentioned above, a possible way is to reduce the authentication error rate. For example, we can enlarge the number of participants, use recruited attackers, and integrate the data processing methodology with a real-time authentication framework to achieve a reduced authentication error rate. Moreover, another possible method to enhance the robustness of authentication is to leverage a multidimensional method [14], for example, using multiple authentication signals (e.g., the signals of singing, breathing, or being shocked). Besides, we can combine the existing authentication methods on smartphone devices to perform multidimensional authentication.
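
The error-rate reasoning above can be made concrete with a small evaluation, added here as an example that is not code from the paper or from the cited works. It enrolls one template per task, scores genuine sessions and recruited-attacker sessions by distance to the template, and compares single-task decisions with a two-task AND rule. The feature vectors, the threshold and the distance measure are constructed assumptions.

```python
import math

THRESHOLD = 4.0  # assumed: largest template distance that is still accepted

# Constructed 3-value feature vectors per task; not real EEG recordings.
ENROLL = {
    "breathing": [[40, 20, 10], [42, 18, 10], [38, 22, 10]],
    "singing":   [[10, 50, 20], [12, 50, 18], [8, 50, 22]],
}
# One dict per login session of the legitimate user (one sample per task).
GENUINE = [
    {"breathing": [41, 19, 10], "singing": [11, 49, 20]},
    {"breathing": [39, 21, 11], "singing": [10, 52, 21]},
    {"breathing": [43, 20, 9],  "singing": [9, 50, 22]},
    {"breathing": [36, 22, 10], "singing": [10, 51, 19]},  # noisy session
]
# One dict per recruited attacker who imitates the victim's tasks.
IMPOSTOR = [
    {"breathing": [38, 21, 12], "singing": [16, 50, 20]},
    {"breathing": [45, 25, 10], "singing": [10, 51, 20]},
    {"breathing": [30, 20, 10], "singing": [11, 50, 22]},
    {"breathing": [41, 22, 8],  "singing": [20, 40, 20]},
]


def template(samples):
    """Enrollment: the per-dimension mean of the training samples."""
    return [sum(col) / len(samples) for col in zip(*samples)]


TEMPLATES = {task: template(samples) for task, samples in ENROLL.items()}


def distance(a, b):
    """Euclidean distance, used here as the (dis)similarity score."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def accepts(session, tasks, threshold=THRESHOLD):
    """AND rule: every requested task must match its own template."""
    return all(distance(session[t], TEMPLATES[t]) <= threshold for t in tasks)


def error_rates(tasks, threshold=THRESHOLD):
    """Return (FAR, FRR): impostors accepted and genuine sessions rejected."""
    false_accepts = sum(accepts(s, tasks, threshold) for s in IMPOSTOR)
    false_rejects = sum(not accepts(s, tasks, threshold) for s in GENUINE)
    return false_accepts / len(IMPOSTOR), false_rejects / len(GENUINE)


def sweep(task, thresholds):
    """Single-task trade-off: (threshold, FAR, FRR) for each threshold."""
    return [(t,) + error_rates([task], t) for t in thresholds]


if __name__ == "__main__":
    for tasks in (["breathing"], ["singing"], ["breathing", "singing"]):
        print(tasks, "FAR/FRR =", error_rates(tasks))
    print(sweep("breathing", [2.0, 4.0, 8.0]))
```

On this constructed data, tightening the threshold for one task lowers false accepts only by raising false rejects, while requiring two tasks removes the false accepts without rejecting more genuine sessions than the weaker single task already did.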
C. Gaming and Entertainment
With the development of BCI technology, several BCI games have become available in the entertainment industry [15] [16] [17]. Most BCI games work on a principle similar to that of the P300-speller. In this kind of game, an amplitude peak in the EEG signal is detected at more or less 300ms after a stimulus. In the P300-speller game, the stimuli are alphanumeric characters shown on the screen. The characters are arranged in a matrix whose rows and columns flash on the screen in rapid succession. According to the word being spelled, users choose one character on the screen using their eyes. By analyzing the peaks occurring in the brainwaves, the authors obtain the spelled word. Another game named Snake [18] is also based on the same principle as the P300-speller. In this game, a snake can move in three directions: forward, left and right. The goal is to locate and eat apples on a map. Eating apples makes the snake grow in length, so that it becomes as large as possible. To keep the game fast, moving forward is automatic, while turning left or right is controlled by the user via EEG signals.
Attacks: Brain-computer interfaces are becoming increasingly popular in the gaming and entertainment industries. Martinovic et al. [19] highlight the existence of side-channel attacks by malicious third-party games on BCI devices. Similar to smartphone games, third-party BCI games depend on common APIs to access BCI devices. Such APIs give BCI games unrestricted access to raw EEG signals. Furthermore, such games have complete control over the stimuli that can be presented to users. As a consequence, attackers can display content and read the corresponding EEG signals. The content might be videos, pictures, or numbers, which users see while they are playing games. Therefore, attackers can specifically design the videos and images shown to users in order to maximize the amount of leaked information. In particular, the impact of exploiting or mishandling BCI devices is difficult to estimate. The authors of [19] demonstrate that BCI games could be exploited to extract individuals’ private information, such as 4-digit PINs, bank information, date of birth and location of residence, using users’ recorded EEG signals.
Countermeasures: The authors of [20] identify security and privacy issues arising from possible misuse or inappropriate use of “Brain Malware” information. In particular, they propose an interdisciplinary approach to enhance the security of BCI systems with the aid of experts from different areas, such as neuroscientists, neural engineers, ethicists, as well as legal, security and privacy experts.
The authors of [21] propose a tool named “BCI Anonymizer” to prevent the side-channel extraction of users’ private information. The basic idea of the “BCI Anonymizer” is to remove private information from raw EEG signals before this information is stored and transmitted. The “BCI Anonymizer” could be implemented either in hardware or in software, as a part of BCI devices, but not as part of any external network or computational platform. Moreover, the “BCI Anonymizer” can generate anonymized neural signals to replace the removed signals that represent private information. However, the authors of [21] do not provide a clear method to distinguish between users’ private information and commands to applications.
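
A sketch of the alternative to an unrestricted raw-EEG API, added here as an example (it is not the “BCI Anonymizer” of [21] or any vendor's API): a broker keeps the raw samples and releases only a coarse game command to third-party apps, logging denied raw requests. The scope names, the two-channel alpha-power classifier and the sine-wave input are assumptions constructed for illustration.

```python
import math

FS = 128                   # assumed sampling rate in samples per second
ALPHA_BAND = (8.0, 12.0)   # alpha range as given in the text
NOISE_FLOOR = 1e-6         # assumed: below this power, no turn is issued


def sine_window(amplitude, freq_hz, seconds=1, fs=FS):
    """Constructed input: a pure sinusoid, not recorded EEG."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / fs)
            for i in range(seconds * fs)]


def band_power(samples, band, fs=FS):
    """Average DFT power of `samples` over the bins that fall inside `band`."""
    n = len(samples)
    powers = []
    for k in range(1, n // 2):
        if band[0] <= k * fs / n <= band[1]:
            re = sum(x * math.cos(2 * math.pi * k * i / n)
                     for i, x in enumerate(samples))
            im = sum(x * math.sin(2 * math.pi * k * i / n)
                     for i, x in enumerate(samples))
            powers.append((re * re + im * im) / (n * n))
    return sum(powers) / len(powers) if powers else 0.0


def classify(left_ch, right_ch, margin=1.5):
    """Hypothetical stand-in classifier: compare alpha power on two channels."""
    lp = band_power(left_ch, ALPHA_BAND)
    rp = band_power(right_ch, ALPHA_BAND)
    if max(lp, rp) < NOISE_FLOOR:
        return "forward"
    if lp > margin * rp:
        return "left"
    if rp > margin * lp:
        return "right"
    return "forward"


class EegBroker:
    """Holds raw EEG and releases only what an app's scopes allow.

    In a deployment this boundary would be device firmware or a separate
    privileged service; a Python attribute is not a security boundary.
    """

    def __init__(self):
        self._window = None   # latest raw (left, right) window
        self._scopes = {}     # app id -> set of granted scopes
        self.audit_log = []   # (app id, scope, "denied") records

    def grant(self, app_id, *scopes):
        self._scopes[app_id] = set(scopes)

    def push_window(self, left_ch, right_ch):
        self._window = (list(left_ch), list(right_ch))

    def _check(self, app_id, scope):
        if scope not in self._scopes.get(app_id, set()):
            self.audit_log.append((app_id, scope, "denied"))
            raise PermissionError(f"{app_id} lacks scope {scope!r}")

    def get_command(self, app_id):
        """Release one of three commands; no samples leave the broker."""
        self._check(app_id, "command")
        return None if self._window is None else classify(*self._window)

    def get_raw(self, app_id):
        self._check(app_id, "raw")
        return self._window


def demo():
    broker = EegBroker()
    broker.grant("snake-game", "command")          # third-party game
    broker.grant("clinic-tool", "command", "raw")  # trusted clinical software
    broker.push_window(sine_window(2.0, 10), sine_window(1.0, 10))
    result = {"game_command": broker.get_command("snake-game")}
    try:
        broker.get_raw("snake-game")
        result["game_raw"] = "released"
    except PermissionError:
        result["game_raw"] = "denied"
    result["clinic_raw_len"] = len(broker.get_raw("clinic-tool")[0])
    result["audit"] = list(broker.audit_log)
    return result


if __name__ == "__main__":
    print(demo())
```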
D. Smartphone-based Applications
The application scenario we consider in this section is mainly driven by a specific emerging and pervasive technology, i.e., smartphones. Along with the advances in smartphone capabilities, there is an increasing interest among individuals in using smartphones in their daily life. BCI are used in conjunction with this technology (smartphones). Recently, several smartphone-based BCI applications have been proposed in the literature.
The authors of [22] implement a brain-controlled address book dialing app, which works in a way similar to the P300-speller. Instead of showing characters as in the P300-speller, the dialing app shows a sequence of photos of contacts from the address book. Therefore, the user can easily select the person whom she or he wishes to dial. The authors of [23] measure a subject’s attention and meditation level through EEG signals while the subject is playing a game. The authors compare the EEG signals of all the subjects according to the subjects’ age and gender. Their results show that, in the POKOPANG game, the average attention level of men is lower than that of women, while the meditation level is reversed. As a result, the authors infer that women are more interested in the POKOPANG game. The Air Brain system [24] is a portable EEG telemetry system. Different from other portable EEG monitoring systems, in order to have more storage space, this way, the stored data can be accessed from everywhere. To achieve this, the system uses the 3G network of the smartphone to transfer data. The Air Brain system enables subjects to measure EEG signals immediately after they start walking. Furthermore, the system is able to detect eye closing by measuring changes in the alpha wave.
Attacks: Smartphone-based BCI applications are prone to attacks that originate in the mobile device itself. Therefore, most of the possible attacks on smartphones could also be considered as security and privacy issues of smartphone-based BCI applications. These applications can access private data which is acquired from BCI devices and stored in smartphones or on an SD card. This data can be illegally transferred by malware to a remote server (e.g., privilege escalation attacks [25]). Malware developers can analyse the private signals and attack the users of BCI devices. Attacks on smartphone applications also apply to smartphone-based BCI
Countermeasure: Given that we are considering BCI applications in conjunction with a specific technology (smartphones), the countermeasures here are mostly the ones typical for generic smartphone security. Useful security approaches could be the ones that track the flow of information. For example, TaintDroid [26] proposes a model that can track not only the way applications access sensitive data, but also the way applications use such data. FlowDroid [27] proposes an innovative and accurate static taint analysis for applications on the Android platform, allowing proper analysis to handle callbacks invoked by the Android framework. In addition to the aforementioned approaches, fine-grained context-based access control [28] is another effective way to limit the leakage of private data. These mitigations are possible only by modifying Android’s permission model, e.g., Android’s internal middleware layer.
In this paper, we survey some common brain-computer interface (BCI) applications and their possible security and privacy issues. We consider four different application scenarios: 1) neuromedical applications, 2) user authentication, 3) gaming and entertainment, and 4) smartphone-based applications. For each scenario we provide a description of current state-of-the-art technologies, potential attacks that might threaten each scenario, and envisaged countermeasures.
Mauro Conti is supported by a European Marie Curie Fellowship (N. PCIG11-GA-2012-321980). This work is also partially supported by the Italian MIUR PRIN Project TENACE (N. 20103P34XC), and the University of Padua PRAT 2014 Project on Mobile Malware.
[1] J. R. Wolpaw, N. Birbaumer, W. J. Heetderks et al., “Brain-computer
interface technology: a review of the first international meeting,” IEEE
Transactions on Rehabilitation Engineering, vol. 8, no. 2, pp. 164–173,
[2] J. Kropotov, Quantitative EEG, event-related potentials and neurotherapy.
Academic Press, 2010.
[3] (2015, July) Biosemi. [Online]. Available:
[4] (2015, July) Emotiv epoc. [Online]. Available:
[5] (2015, July) Neurosky. [Online]. Available:
[6] T. Denning, Y. Matsuoka, and T. Kohno, “Neurosecurity: security and
privacy for neural devices,” Neurosurgical Focus, vol. 27, no. 1, p. E7,
[7] A. B. Schwartz, X. T. Cui, D. Weber, and D. W. Moran, “Brain-
controlled interfaces: Movement restoration with neural prosthetics,”
Neuron, vol. 52, no. 1, pp. 205–220, 2006.
[8] M. Conti, L. V. Mancini, R. Spolaor, and N. V. Verde, “Can’t you hear
me knocking: Identification of user actions on android apps via traffic
analysis,” in DASP, 2015, pp. 297–304.
[9] J. Chuang, H. Nguyen, C. Wang, and B. Johnson, “I think, therefore i am:
Usability and security of authentication using brainwaves,” in Financial
Cryptography and Data Security, 2013, pp. 1–16.
[10] A. Rajagopal, A. C. Nguyen, and D. M. Briggs, “Neuropass: A secure
neural password based on EEG,” in Biomedical Engineering, 2013.
[11] B. Johnson, T. Maillart, and J. Chuang, “My thoughts are not your
thoughts,” in Proceedings of the 2014 ACM UbiComp: Adjunct Publi-
cation, 2014, pp. 1329–1338.
[12] P. E. McSharry, G. D. Clifford, L. Tarassenko et al., “A dynamical
model for generating synthetic electrocardiogram signals,” Biomedical
Engineering, vol. 50, no. 3, pp. 289–294, 2003.
[13] S. T. Archer and B. D. Pless, “Stimulation signal generator for an
implantable device,” Feb. 10 2004, US Patent 6,690,974.
[14] T. Naik and S. Koul, “Multi-dimensional and multi-level authentication
techniques,” International Journal of Computer Applications, vol. 75,
no. 12, pp. 17–22, 2013.
[15] C. Mühl, H. Gürkök, D. Plass-Oude Bos, M. E. Thurlings et al., “Bacteria
hunt: A multimodal, multiparadigm bci game,” University of Genua, 2010.
[16] M. Congedo, M. Goyat, N. Tarrin, and G. e. a. Ionescu, “Brain invaders:
a prototype of an open-source p300-based video game working with the
openvibe platform,” in 5th International BCI, 2011, pp. 280–283.
[17] A. Finke, A. Lenhardt, and H. Ritter, “The mindgame: a p300-based
brain–computer interface game,” Neural Networks, vol. 22, no. 9, pp.
1329–1333, 2009.
[18] E. A. Larsen, “Classification of eeg signals in a brain-computer interface
system.” Norwegian University, 2011.
[19] I. Martinovic, D. Davies, M. Frank, D. Perito, T. Ros, and D. Song, “On
the feasibility of side-channel attacks with brain-computer interfaces,” in
USENIX Security 12, 2012, pp. 143–158.
[20] T. Bonaci, R. Calo, and H. J. Chizeck, “App stores for the brain: Privacy
& security in brain-computer interfaces,” in Science, Technology and
Engineering, 2014 IEEE International Symposium, 2014, pp. 1–7.
[21] H. Chizeck and T. Bonaci, “Brain-computer interface anonymizer,”
Aug. 14 2014, US Patent App. 14/174,818. [Online]. Available:
[22] A. Campbell, T. Choudhury, S. Hu, H. Lu et al., “Neurophone: brain-
mobile phone interface using a wireless eeg headset,” in Proceedings of
the second ACM SIGCOMM workshop, 2010, pp. 3–8.
[23] J.-Y. Kim and W.-H. Lee, “Eeg signal feature analysis of smartphone
game user,” ASTL, vol. 39, pp. 14–19, 2013.
[24] K. Honda and S. N. Kudoh, “Air brain: the easy telemetric system with
smartphone for eeg signal and human behavior,” in Proceedings of the
8th BodyNets, 2013, pp. 343–346.
[25] L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy, “Privilege
escalation attacks on Android,” pp. 346–360, 2011.
[26] W. Enck, P. Gilbert, S. Han, and V. e. a. Tendulkar, “Taintdroid: an
information-flow tracking system for realtime privacy monitoring on
smartphones,” ACM TOCS, vol. 32, no. 2, p. 5, 2014.
[27] S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, and et al., “Flowdroid: Precise
context, flow, field, object-sensitive and lifecycle-aware taint analysis for
android apps,” in ACM SIGPLAN Notices, 2014, pp. 259–269.
[28] M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich, “Crêpe: A
system for enforcing fine-grained context-related policies on android,”
Information Forensics and Security, vol. 7, no. 5, pp. 1426–1438, 2012.
... Nevertheless, they can be employed in the metaverse for various purposes. BCIs allow controlling external objects with the mind (e.g., avatars), mental spelling, authentication with brain waves, or video games and entertainment [17]. Furthermore, they are widely used for cognitive and emotional assessment and cognitive augmentation, where users can improve their mental skills, being useful for metaverse applications [29]. ...
... Users' safety -Attacks against the brain. Apart from affecting the simulation, attacks can aim to damage users' physical integrity directly [17]. While using BCIs, particularly those used for neurostimulation, attackers could aim to overstimulate targeted brain regions or inhibit them by disrupting the regular activity of the brain. ...
Full-text available
The metaverse has gained tremendous popularity in recent years, allowing the interconnection of users worldwide. However, current systems used in metaverse scenarios, such as virtual reality glasses, offer a partial immersive experience. In this context, Brain-Computer Interfaces (BCIs) can introduce a revolution in the metaverse, although a study of the applicability and implications of BCIs in these virtual scenarios is required. Based on the absence of literature, this work studies, for the first time, the applicability of BCIs in the metaverse, analyzing the current status of this integration based on different categories related to virtual worlds and the evolution of BCIs in these scenarios in the medium and long term. This work also presents a demonstration of what current BCI solutions can provide to the metaverse. It uses a metaverse consisting in driving a car within a simulation, using VR, a steering wheel and pedals, and a BCI for neural data acquisition. Four use cases are selected, focusing on cognitive and emotional assessment of the driver, detection of drowsiness, and driver authentication while using the vehicle. Then, it offers an analysis of BCI trends in the metaverse, also identifying future challenges that the intersection of these technologies will face. Finally, it reviews the concerns that the use of BCIs in virtual world applications could generate according to different categories: accessibility, user inclusion, privacy, cybersecurity, physical safety, and ethics.
Wearable and Implantable Medical Devices (WIMDs) and Physiological Closed-loop Control Systems (PCLCS) are crucial elements in the advancing field of the Internet of Medical Things (IoMT). Enhancing the safety and reliability of these devices is of utmost importance as they play a significant role in improving the lives of millions of people every year. Medical devices typically have an alert system that can safeguard patients, facilitate rapid emergency response, and be customized to individual patient needs. However, false alarms are a significant challenge to the alert mechanism system, resulting in adverse outcomes such as alarm fatigue, patient distress, treatment disruptions, and increased healthcare costs. Therefore, reducing false alarms in medical devices is crucial to promoting improved patient care. In this study, we investigate the security vulnerabilities posed by WIMDs and PCLCS and the problem of false alarms in closed-loop medical control systems. We propose an implementation-level redundancy technique that can mitigate false alarms in real-time. Our approach, FAMID, utilizes a cloud-based control algorithm implementation capable of accurately detecting and mitigating false alarms. We validate the effectiveness of our proposed approach by conducting experiments on a blood glucose dataset. With our proposed technique, all the false alarms were detected and mitigated so that the device didn’t trigger any false alarms.
Brain–Computer Interface (BCI) technology is a promising research area in many domains. Brain activity can be interpreted through both invasive and noninvasive monitoring devices, allowing for novel, therapeutic solutions for individuals with disabilities and for other non-medical applications. However, a number of ethical issues have been identified from the use of BCI technology. In previous work published in 2020, we reviewed the academic discussion of the ethical implications of BCI technology in the previous 5 years by using a limited sample to identify trends and areas of concern or debate among researchers and ethicists. In this chapter, we provide an overview on the academic discussion of BCI ethics and report on the findings for the next phase of this work, which systematically categorizes the entire sample. The aim of this work is to collect and synthesize all the pertinent academic scholarship into the ethical, legal, and social implications (ELSI) of BCI technology. We hope this study will provide a foundation for future scholars, ethicists, and policy makers to understand the landscape of the relevant ELSI concepts and pave the way for assessing the need for regulatory action. We conclude that some emerging applications of BCI technology—including commercial ventures that seek to meld human intelligence with AI—present new and unique ethical concerns.KeywordsBrain–computer interface (BCI)Brain–machine interface (BMI)Ethical, legal, and social issues (ELSI)NeuroethicsScoping review
Cyberbiosecurity is an emerging field that brings together diverse professionals, including biologists, computer scientists, anti-terrorism experts, and policy makers to research the growing intersection between cybersecurity and the biosciences. Cyberneurosecurity is the nascent subfield that is particularly focused on the issues related to neuroscience and cybersecurity. Internet-enabled Brain–Computer Interfaces (BCIs) like the futuristic Neuralink Link devices (Neuralink, 2023), which are expected to be on the market within a decade, create numerous ethical and policy issues that are among the chief concerns of cyberneurosecurity. These issues can relate to (1) privacy and misappropriation resulting from the interception of neural signals that could disclose behaviors and inclinations; (2) the inoperability of associated devices like prosthetics that could result from the obfuscation or manipulation of neural signals; (3) the potential physical and cognitive and existential harms that result from receiving hacked signals in the brain and/or the hijacking of neural signals sent from the brain for medical purposes; or (4) self-hacking by the user themselves for their own putative benefits. These and others are issues that cyberneurosecurity must engage. In response to these concerns, researchers need to devise standards, policies, and best practices to prevent malicious hackers from manipulating the technology. Practitioners need to develop tools to stress-test and assess the cyber-readiness of various BCIs, especially the increasing number of healthcare devices that employ AI that could obscure or magnify harmful hacks due in part to the lack of transparency and explainability of AI systems (Zhang et al., Ann Transl Med 8(11):712, 2020, Olsen et al., J Neural Eng 18(4):046053, 2021, Aggarwal and Chugh, Arch Comput Methods Eng 29:3001–20, 2022). BCI manufacturers need to ultimately implement industry-wide standards to protect the privacy, security, and safety of their users, and governments may need to develop regulatory oversight to promote these and other aspects of cyberneurosecurity.
Keywords: Cyberbiosecurity; Cyberneurosecurity; Neurorights; Neurohype; Brain–computer interfaces (BCI)
Brain–Computer Interface (BCI) technology is a promising and rapidly advancing research area. It was initially developed in the context of early government-sponsored futuristic research in biocybernetics and human–machine interaction in the United States (US) [1]. This inspired Jacques Vidal to suggest providing a direct link between the inductive mental processes used in solving problems and the symbol-manipulating, deductive capabilities of computers, and to coin the term “Brain-Computer Interface” in his seminal paper published in 1973 [2]. Recent developments in BCI technology, based on animal and human studies, allow for the restoration and potential augmentation of faculties of perception and physical movement, and even the transfer of information between brains. Brain activity can be interpreted through both invasive and noninvasive monitoring devices, allowing for novel, therapeutic solutions for individuals with disabilities and for other non-medical applications. However, a number of ethical and policy issues have been identified in the context of the use of BCI technology, with the potential for near-future advancements in the technology to raise unique new ethical and policy questions that society has never grappled with before [3, 4]. Once again, the US is leading in the field with many commercial enterprises exploring different realistic and futuristic applications of BCI technology. For instance, a US company named Synchron recently received FDA approval to proceed with first-in-human trials of its endovascularly implanted BCI device [5].
A brain–computer interface (BCI) establishes a direct communication pathway between the human brain and a computer. It has been widely used in medical diagnosis, rehabilitation, education, entertainment, and so on. Most research so far focuses on making BCIs more accurate and reliable, but much less attention has been paid to their privacy. Developing a commercial BCI system usually requires close collaborations among multiple organizations, e.g., hospitals, universities, and/or companies. Input data in BCIs, e.g., electroencephalogram (EEG), contain rich privacy information, and the developed machine learning model is usually proprietary. Data and model transmission among different parties may incur significant privacy threats, and hence, privacy protection in BCIs must be considered. Unfortunately, there does not exist any contemporary and comprehensive review on privacy-preserving BCIs. This article fills this gap, by describing potential privacy threats and protection strategies in BCIs. It also points out several challenges and future research directions in developing privacy-preserving BCIs.
Authenticating users of computer systems based on their brainwave signals is now a realistic possibility, made possible by the increasing availability of EEG (electroencephalography) sensors in wireless headsets and wearable devices. This possibility is especially interesting because brainwave-based authentication naturally meets the criteria for two-factor authentication. To pass an authentication test using brainwave signals, a user must have both an inherence factor (his or her brain) and a knowledge factor (a chosen pass-thought). In this study, we investigate the extent to which both factors are truly necessary. In particular, we address the question of whether an attacker may gain advantage from information about a given target's secret thoughts.
Recently, studies on different applications using measured brain waves have been increasingly progressing. It started out with studying brain waves of a monkey to control an arm with a motor. Then it was applied to raising children's attention or understanding a patient's situation. This paper deals with measuring the attention and meditation of the EEG signal when a smartphone game user is playing. A survey will be conducted that measures the EEG signals of the smartphone game users while playing the game for analysis. The results will depend on the memory and expressions of game users when solving hard problems during the game.
Conference Paper
While smartphone usage becomes more and more pervasive, people also start asking to what extent such devices can be maliciously exploited as "tracking devices". The concern is not only related to an adversary taking physical or remote control of the device, but also to what a passive adversary without the above capabilities can observe from the device communications. Work in this latter direction aimed, for example, at inferring the apps a user has installed on his device, or identifying the presence of a specific user within a network. In this paper, we move a step forward: we investigate to what extent it is feasible to identify the specific actions that a user is doing on mobile apps, by eavesdropping their encrypted network traffic. We design a system that achieves this goal by using advanced machine learning techniques. We did a complete implementation of this system and ran a thorough set of experiments, which show that it can achieve accuracy and precision higher than 95% for most of the considered actions.
While the brain is ruled to a large extent by chemical neurotransmitters, it is also a bioelectric organ. The collective study of Quantitative ElectroEncephaloGraphs (QEEG - the conversion of brainwaves to digital form to allow for comparison between neurologically normative and dysfunctional individuals), Event Related Potentials (ERPs - electrophysiological response to stimulus) and Neurotherapy (the process of actually retraining brain processes to) offers a window into brain physiology and function via computer and statistical analyses of traditional EEG patterns, suggesting innovative approaches to the improvement of attention, anxiety, mood and behavior. The volume provides detailed description of the various EEG rhythms and ERPs, the conventional analytic methods such as spectral analysis, and the emerging method utilizing QEEG and ERPs. This research is then related back to practice and all existing approaches in the field of Neurotherapy - conventional EEG-based neurofeedback, brain-computer interface, transcranial Direct Current Stimulation, and Transcranial Magnetic Stimulation - are covered in full. Additionally, software for EEG analysis is provided on CD so that the theory can be practically utilized on the spot, and a database of the EEG algorithms described in the book can be combined with algorithms uploaded by the user in order to compare dysfunctional and normative data. While it does not offer the breadth provided by an edited work, this volume does provide a level of depth and detail that a single author can deliver, as well as giving readers insight into the personal theories of one of the preeminent leaders in the field. Features & Benefits: provide a holistic picture of quantitative EEG and event related potentials as a unified scientific field; present a unified description of the methods of quantitative EEG and event related potentials; give a scientifically based overview of existing approaches in the field of neurotherapy; provide practical information for the better understanding and treatment of disorders, such as ADHD, Schizophrenia, Addiction, OCD, Depression, and Alzheimer's Disease; CD containing software which analyzes EEG patterns and database sample EEGs / Reader can see actual examples of EEG patterns discussed in book and can upload their own library of EEGs for analysis.
Conference Paper
With the embedding of EEG (electro-encephalography) sensors in wireless headsets and other consumer electronics, authenticating users based on their brainwave signals has become a realistic possibility. We undertake an experimental study of the usability and performance of user authentication using consumer-grade EEG sensor technology. By choosing custom tasks and custom acceptance thresholds for each subject, we can achieve 99% authentication accuracy using single-channel EEG signals, which is on par with previous research employing multi-channel EEG signals using clinical-grade devices. In addition to the usability improvement offered by the single-channel dry-contact EEG sensor, we also study the usability of different classes of mental tasks. We find that subjects have little difficulty recalling chosen “pass-thoughts” (e.g., their previously selected song to sing in their mind). They also have different preferences for tasks based on the perceived difficulty and enjoyability of the tasks. These results can inform the design of authentication systems that guide users in choosing tasks that are both usable and secure.
Today's smartphones are a ubiquitous source of private and confidential data. At the same time, smartphone users are plagued by carelessly programmed apps that leak important data by accident, and by malicious apps that exploit their given privileges to copy such data intentionally. While existing static taint-analysis approaches have the potential of detecting such data leaks ahead of time, all approaches for Android use a number of coarse-grain approximations that can yield high numbers of missed leaks and false alarms. In this work we thus present FlowDroid, a novel and highly precise static taint analysis for Android applications. A precise model of Android's lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help FlowDroid maintain high efficiency and precision at the same time. We also propose DroidBench, an open test suite for evaluating the effectiveness and accuracy of taint-analysis tools specifically for Android apps. As we show through a set of experiments using SecuriBench Micro, DroidBench, and a set of well-known Android test applications, FlowDroid finds a very high fraction of data leaks while keeping the rate of false positives low. On DroidBench, FlowDroid achieves 93% recall and 86% precision, greatly outperforming the commercial tools IBM AppScan Source and Fortify SCA. FlowDroid successfully finds leaks in a subset of 500 apps from Google Play and about 1,000 malware apps from the VirusShare project.
Today’s smartphone operating systems frequently fail to provide users with visibility into how third-party applications collect and share their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid enables realtime analysis by leveraging Android’s virtualized execution environment. TaintDroid incurs only 32% performance overhead on a CPU-bound microbenchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, in our 2010 study we found 20 applications potentially misused users’ private information; so did a similar fraction of the tested applications in our 2012 study. Monitoring the flow of privacy-sensitive data with TaintDroid provides valuable input for smartphone users and security service firms seeking to identify misbehaving applications.
Conference Paper
An increasing number of Brain-Computer Interfaces (BCIs) are being developed in medical and nonmedical fields, including marketing, gaming and entertainment industries. BCI-enabled technology carries a great potential to improve and enhance the quality of human lives. It provides people suffering from severe neuromuscular disorders with a way to interact with the external environment. It also enables a more personalized user experience in gaming and entertainment. These BCI applications are, however, not without risk. Established engineering practices set guarantees on performance, reliability and physical safety of BCIs. But no guarantees or standards are currently in place regarding user privacy and security. In this paper, we identify privacy and security issues arising from possible misuse or inappropriate use of BCIs. In particular, we explore how current and emerging non-invasive BCI platforms can be used to extract private information, and we suggest an interdisciplinary approach to mitigating this problem. We then propose a tool to prevent this side-channel extraction of users' private information. This is a first step towards making BCI-enabled technologies secure and privacy preserving.