A Framework for Preserving Privacy and Cybersecurity in Brain-Computer Interfacing Applications

Maryna Kapitonova, NeuroMentum AI, Freiburg
Philipp Kellmeyer, Human-Technology Interaction Lab, Freiburg
Simon Vogt, Innovation for Cybersecurity, Halle
Tonio Ball, NeuroMentum AI, Freiburg
Version 1.1 September 16th, 2022
©Agentur für Innovation in der Cybersicherheit GmbH (Innovation for
Cybersecurity)
arXiv:2209.09653v1 [cs.CR] 19 Sep 2022
Abstract
Brain-Computer Interfaces (BCIs) comprise a rapidly evolving field of technology with the potential of far-reaching impact in domains ranging from medical over industrial to artistic, gaming, and military. BCIs provide technical interfaces with recording and/or stimulation functionality to connect the brain with computer systems running "decoders" for online analysis of the recorded brain signals. This online analysis in turn can inform various effectors such as robots, vehicles (brain-to-vehicle interfaces), brain stimulation devices, or computer games (neurogaming). Today, these emerging BCI applications are typically still at early technology readiness levels, but because BCIs create novel, technical communication channels for the human brain, they have raised privacy and security concerns. In particular, as brain data contain personal information, adversaries may utilize BCIs to compromise brain privacy. There are first empirical proofs-of-principle that such attacks are indeed possible, possibly foreshadowing a next level of privacy and cybersecurity threats targeting the brain by neurotechnological means. To mitigate such risks, a large body of countermeasures has been proposed in the literature, but a general framework is lacking which would describe how privacy and security of BCI applications can be protected by design, i.e., already as an integral part of the early BCI design process, in a systematic manner, and allowing suitable depth of analysis for different contexts such as commercial BCI product development vs. academic research and lab prototypes.
Here we propose the adoption of recent systems-engineering methodologies for privacy threat modeling, risk assessment, and privacy engineering to the BCI field. These methodologies address privacy and security concerns in a more systematic and holistic way than previous approaches, and provide reusable patterns on how to move from principles to actions. We apply these methodologies to BCI processes and data flows and derive a generic, extensible, and actionable framework for brain-privacy-preserving cybersecurity in BCI applications. This framework is designed for flexible application to the wide range of current and future BCI applications. We also propose a range of novel privacy-by-design features for BCIs, with an emphasis on features promoting BCI transparency as a prerequisite for informational self-determination of BCI users, as well as design features for ensuring BCI user autonomy. We anticipate that our framework will contribute to the development of privacy-respecting, trustworthy BCI technologies.
Acknowledgments
The primary development of this document was funded by the Agentur für Innovation in der Cybersicherheit GmbH (Innovation for Cybersecurity).
We thank Paula Vieweg for her helpful comments on the manuscript.
Disclaimer
As part of the project "Secure Neural Human-Machine Interaction" of the German Agentur für Innovation in der Cybersicherheit GmbH (Innovation for Cybersecurity), this document outlines a formalism to design neural communication between human and machine in such a way that fundamental personal rights, data security and data integrity are ensured in the acquisition, analysis and interpretation of neural data.
The views and conclusions contained herein are those of the authors and should not be interpreted
as necessarily representing the official policies or endorsements, either expressed or implied, of the
German Agentur für Innovation in der Cybersicherheit GmbH (Innovation for Cybersecurity), or the
German Government.
Contents
List of Figures
1 Introduction
2 Brain Privacy
  2.1 Working definition
  2.2 Hard vs. soft privacy and the associated threat models
  2.3 Privacy and security by design
3 BCI Concepts and Technology
  3.1 BCI taxonomy
  3.2 BCI hard- and software
  3.3 The extended BCI cycle
  3.4 Current state and future trajectory of BCI technology
4 Related Work
5 Basic Neuroprivacy and -security Architecture
  5.1 Methodology overview
  5.2 Privacy threat modeling
  5.3 Threat mitigation by privacy engineering
6 Privacy Design Strategies for BCIs
  6.1 Minimize
  6.2 Abstract
  6.3 Hide
    6.3.1 Brain data: Anonymization and re-identification
    6.3.2 Privacy-Preserving Machine Learning (PPML) for BCI applications
    6.3.3 Unlinking brain data and contextual data
  6.4 Separate
  6.5 Inform
    6.5.1 What is decoded in an online BCI?
    6.5.2 Which information can be derived from the stored data?
  6.6 Control
    6.6.1 No "Always-On BCIs"
    6.6.2 Ensuring user autonomy
  6.7 Enforce and Demonstrate
    6.7.1 Regulatory and legal aspects of BCIs
    6.7.2 Do we need a special governance framework for BCI data?
7 Application to Specific BCI Use Cases and Contexts
8 Conclusions and Outlook
  8.1 Conclusions
  8.2 Outlook: Privacy and security across the BCI life cycle
9 Bibliography
List of Figures
1 Multi-level approach to brain privacy
2 BCI hardware overall structure
3 Extended BCI cycle
4 Current and anticipated future phases in the maturation of BCI technology
5 Neuroprivacy and -security literature overview
6 Flowchart of analysis steps and related methodologies
7 BCI data flow diagram (DFD)
8 Privacy design patterns
9 Mapping of privacy engineering strategies onto the BCI DFD
10 Design sketch for BCI TransparentMode
11 Privacy-preserving BCI design features overview
1 Introduction
Brain-Computer Interfaces (BCIs) are an emerging class of technology enabling direct uni- or bidirectional communication between brains and technical devices [1, 2]. BCIs can measure and convert brain activity to outputs for control of technical effectors, or to perform brain stimulation. BCI applications have been proposed for a wide range of domains from medical and well-being, work and employment, productivity, cognitive enhancement, education, artistic, neurogaming and entertainment including novel interfaces to Virtual Reality (VR), neuromarketing, BCI-informed smart homes and smart cities, to security and military-related BCI applications.
This broad spectrum is the result of a rapid growth of the BCI field: After decades of research confined to a (relatively) small academic group, today a large research community has established itself around BCI-related topics, including the legal, ethical, and societal aspects of BCI technologies. The commercialization efforts for medical and consumer BCI systems are also intensifying. The global market for BCIs in medical applications has been estimated to grow from $1.4 billion in 2021 to $2.4 billion by 2026 and the total global BCI market to $6.2 billion by 2030 [3, 4]; consumer-neurotechnology research and development includes prominent companies such as Neuralink or Meta. A variety of full BCI systems as well as of wearable EEG headsets enabling BCI application development are now available on the market; to what extent, however, all of these products truly record and process brain data as their main information source, as could be expected from a true BCI system, is not always entirely clear. Following the model of smartphones, neurotechnology companies provide developer tools such as Software Development Kits (SDKs) and Application Programming Interfaces (APIs) for creating BCI apps; notably, in this way third parties might gain access to collected brain data. There are companies encouraging and enabling users to share their own brain data recordings, e.g., with the promise to improve the BCIs’ functionality [5].
This rise of BCI technology has, over the past decade, also generated attention to new potential cybersecurity and privacy concerns. A fast-growing body of research literature addresses BCI-related privacy and security threats, risks, and their mitigation: As part of the current work we conducted an extensive search of the technical literature and identified 97 original research papers, topical reviews, and non-academic publications in the field of neuroprivacy and -security (see Chapter 4). The topic of neuroprivacy and -security has spurred debates in the general public, and, among other initiatives, fueled the worldwide NeuroRights campaign [6]. In general, there is a broad consensus that neuroprivacy and -security are of crucial importance, and it has repeatedly been emphasized that both should be an integral part of the BCI design process ("security and privacy by design and default").
But it is less clear how neuroprivacy and -security threats can be identified and the associated risks assessed, and how suitable mitigation strategies can be integrated into the BCI design, using transparent and systematic methodologies that can be reliably applied to the broad and heterogeneous spectrum of current and prospective BCI applications.
To address these points, and to contribute to responsible research and innovation, our aim in the work
presented here is to create a framework for neuroprivacy and -security which will be generic (suitable
for different BCI types/paradigms in general, with necessary adjustments and amendments for specific
cases), use-case independent, and extensible. The latter is important as neurotechnology is a
highly dynamic, emerging field of innovation. Our framework and follow-up research aim to ensure
and foster the understanding of the security and privacy challenges of current and future BCI usages
as well as providing actionable guidelines for detection, evaluation, and mitigation of privacy- and
security-related neurorisks.
To this aim we will proceed in the following steps:
1. We start out by providing a practical yet holistic working definition of "brain privacy", of the
privacy-associated properties, and of the corresponding brain privacy threat categories; and we
introduce the ideas of hard vs. soft privacy as well as of "privacy and security by design".
2. We then review the state and development of current BCI technology, propose an extended BCI
cycle as the basis for our risk analysis, and derive a problem formulation on the background of
the current Technology Readiness Level (TRL) and prospective BCI technology.
3. In the following Related Work section, we present an overview of the related work.
4. Next we introduce a basic neuroprivacy and -security architecture, and assess privacy threats
using the LINDDUN privacy threat modeling methodology which has been developed to support
analysts in systematically eliciting and mitigating privacy threats in software architectures, and
estimate the risks associated with the identified threats [7]. As a result we identify critical risks,
such as in the categories linkability and content unawareness.
5. Applying generic privacy design patterns, we discuss and propose both general strategies and
concrete mitigation techniques for all of the identified critical risks and map these solutions onto
a generic privacy- and security-optimized BCI architecture.
6. In doing so, we also propose key research questions for the development of next-level privacy
and security solutions for BCIs.
7. Along the way, we also address a series of more special topics, i.e., regional considerations in
the European/German context, regulatory aspects, identification and authentication in the BCI
context, how to ensure BCI user autonomy, as well as neurodata governance.
2 Brain Privacy
2.1 Working definition
Privacy in general, and "neuroprivacy" or "brain privacy" in particular, are not easy to define.
For example, there have been multiple proposals to define neuroprivacy from a variety of fields such
as neuroethics, neurosecurity, neuroscience, or neurolaw [8–16]. General definitions of privacy vary
and are contested across cultures, times, and contexts. For example, Tavani distinguishes unitary,
derivative, and cluster definitions of privacy, as well as interest-based versus rights-based conceptions
which have been adopted by philosophers and legal theorists, and notes that the meaning of privacy
has considerably evolved, from relatively narrow concepts of privacy primarily related to property
rights to much expanded notions of the right to privacy [17]. It appears unlikely that any single
privacy definition will bring the debate about the nature and appropriate definition of privacy to an
end; or that this is necessarily desirable given the diversity and ongoing evolution of privacy concepts.
Thus, for the current work the aim was to select a practical yet holistic working definition of what is
meant by "brain privacy".
We base our working definition on the concept of informational privacy. Informational privacy is centered on access and control of personal information and can be defined as “having control over/limiting access to one’s personal information” [17]. Informational privacy is thus different from the notion of physical privacy as non-intrusion with respect to one’s physical space, decisional privacy as noninterference with respect to one’s choices, and psychological/mental privacy as non-intrusion and/or non-interference with respect to one’s thoughts and personal identity. It can be argued that the latter even adds to the problems of constructing a definition of privacy because a general definition of thoughts and mental states would be required in the first place; thus psychological/mental privacy notions may be useful to explain why privacy is valuable, but may be less helpful to define what privacy actually is [18]. Therefore, we base our working definition of brain privacy on the assumption that brain privacy involves a special case of informational privacy, namely, privacy with respect to information derived from brain data, with brain data in turn defined as any data obtained directly with respect to the brain, using a technical recording device [15].
Figure 1: Multi-level approach to brain privacy (left). The different levels of description relevant for a definition of brain privacy are mapped by corresponding colors to the components of the core BCI cycle [20] (right). This mapping will serve as a bridge between the conceptual definition of brain privacy on the one side, and the implementation of a basic safety architecture on the other.
This working definition of brain privacy as brain-data-related informational privacy not only has the advantage that it circumvents definition problems associated with terms such as "mental states" etc., but the concept of information also appears well suited to connect across different disciplines relevant to the topic of neuroprivacy and -security. For example, our definition is compatible with the original definition of neuroprivacy as “privacy concerns with respect to mental and cerebral functioning as delineated through [information obtained by] brain imaging and other neurodiagnostic techniques” [19]. Information is a central concept in physical, neuro- and computer science. On the legal level, informational privacy is connected to the right to informational self-determination (Recht auf informationelle Selbstbestimmung; see footnote 1) in German law. Informational privacy has been analyzed to derive sets of privacy properties (Tab. 1), and these in turn correspond to privacy threats. For the analysis of privacy threats, there are systems engineering tools, as we will discuss and apply later.
In light of our informational definition of brain privacy, it will also be important to consider what information exactly can be derived (is "decodable") from brain data, such as aspects of thoughts, motor intentions, or brain-health-related information, and how such data are generated in the physical brain. Reasons for this include that brain data may contain information that is not obvious to the BCI user, and attacks may target the level of neural signal generation [21, 22]. We thus propose a multi-level approach, separately considering the Physical level (physical brain) and the Data level (raw and processed brain data), in addition to the Decodable Information level as discussed above (including decoder model parameters, as they may also be informative). Fig. 1 shows how these different levels of brain privacy map to a BCI cycle as introduced by van Gerven and colleagues [20]. The BCI cycle is a helpful abstraction for analyzing BCI privacy and security issues [23].
Footnote 1: “[...] die Befugnis, grundsätzlich selbst zu entscheiden, wann und innerhalb welcher Grenzen persönliche Lebenssachverhalte offenbart werden” BVerfGE 103, 21 (33). Engl. “[...] the authority to decide for oneself when and within what limits personal life facts are to be disclosed”
2.2 Hard vs. soft privacy and the associated threat models
Privacy can be broadly categorized as hard privacy and soft privacy, respectively [24]. The threat
model of hard privacy assumes no trust in third parties. This includes organizational service providers
(such as a BCI manufacturer in our case), data holders (e.g., a cloud storage service), as well as
the general adversarial environment motivated to breach privacy; in our case for example hackers
interested in stealing and selling brain data or secret information.
In the soft privacy case, trust in third parties exists. The threat model is hence softer, including curious insiders, accidental data leaks, but also adversaries external to the trusted third parties. Unlinkability, anonymity & pseudonymity, plausible deniability and non-detectability as in the LINDDUN methodology are hard privacy properties, content awareness and policy/consent compliance soft properties. Importantly, the hard and soft privacy scenarios imply different mitigation strategies.
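| Source | Privacy type | Privacy property | Threat |
|---|---|---|---|
| LINDDUN | Hard privacy | unlinkability | linkability |
| LINDDUN | Hard privacy | anonymity & pseudonymity | identifiability |
| LINDDUN | Hard privacy | plausible deniability | non-repudiation (see footnote 2) |
| LINDDUN | Hard privacy | undetectability | detectability |
| LINDDUN | Hard privacy | confidentiality | disclosure of information |
| LINDDUN | Soft privacy | content awareness | content unawareness |
| LINDDUN | Soft privacy | policy/consent compliance | non-compliance |
| GDPR-derived privacy properties [25] | | unlinkability | linkability |
| GDPR-derived privacy properties [25] | | pseudonymity / non-identifiability | identifiability |
| GDPR-derived privacy properties [25] | | access control / authorization | uncontrolled access |
| GDPR-derived privacy properties [25] | | integrity | data corruption |
| GDPR-derived privacy properties [25] | | confidentiality | disclosure of information |
| GDPR-derived privacy properties [25] | | availability/access | lack of access |
| GDPR-derived privacy properties [25] | | data minimization | disproportionate data collection |
| GDPR-derived privacy properties [25] | | information/transparency | content unawareness |
| GDPR-derived privacy properties [25] | | storage limitation | disproportionate storage |
| GDPR-derived privacy properties [25] | | purpose limitation | disproportionate processing |
| GDPR-derived privacy properties [25] | | accountability | non-compliance |
| GDPR-derived privacy properties [25] | | encryption | decryption |

Table 1: Privacy properties which can be associated with our informational definition of brain privacy, in the LINDDUN privacy threat modeling methodology (top) and derived from the GDPR (bottom), as well as the privacy threats associated with each of the privacy properties. Note that the two sets overlap but are not identical.
Footnote 2: Non-repudiation, in contrast to the security context, is considered a threat for privacy.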
2.3 Privacy and security by design
The phrases "privacy/security by design" generally refer to making privacy and security part of
the design process for new technologies and products, in contrast to "bolting on" privacy and security
functionality at a later (and, typically, too late) stage [26]. The historical roots of privacy by design
ideas can be traced back to the Fair Information Practice Principles (FIPPs) developed out of a 1973
report from the United States Department of Housing, Education, and Welfare (HEW report) [27].
The term itself was coined later, together with the seven principles of privacy by design: Proactive not Reactive; Privacy as a Default Setting; Privacy Embedded into Design; Full Functionality; End-to-End Security; Visibility and Transparency; and Respect for User Privacy [28].
The European General Data Protection Regulation (GDPR), in effect since 2018, now incorporates the concept of "privacy by design" into European data protection law in Article 25, entitled “Data Protection by Design and by Default”. Given the early stage of BCI technology (see below and Fig. 4), in the current work we will put special focus on "by design" strategies.
3 BCI Concepts and Technology
3.1 BCI taxonomy
A BCI has been defined as a system “that measures Central Nervous System (CNS) activity and
converts it into artificial output that replaces, restores, enhances, supplements, or improves natural
CNS output and thereby changes the ongoing interactions between the CNS and its external or internal
environment” [2]. From its beginnings in the 1960s and 70s, BCI technology has now developed into
a broad and multifaceted research area and technology class, spanning fields from assistive devices for
paralyzed patients to neurogaming, from industry and work-related productivity tools to education,
and from military to artistic applications. BCIs may range from high-end research prototypes to
low-cost consumer-grade commercially-available products.
The growth of the BCI domain is reflected in the fact that it can be structured along multiple (though partially related) dimensions:
1. Direction of information flow: Recording, stimulating (unidirectional BCIs), or both (bidirectional BCIs);
2. Invasiveness: Invasive, minimally / semi-invasive (see footnote 4), non-invasive;
3. Relatedly, recording techniques: Scalp Electroencephalography (EEG), Magnetoencephalography (MEG), functional Near-Infrared Spectroscopy (fNIRS), functional transcranial Doppler ultrasound, functional Magnetic Resonance Imaging (fMRI), subcutaneous EEG, skull screws, epidural recordings, Electrocorticography (ECoG), micro-ECoG, stereo-EEG, intracortical Local Field Potential (LFP), Single Unit Activity (SUA) or Multi Unit Activity (MUA);
4. Type of control: Active, passive, reactive;
5. Timing of information extraction: Synchronous and asynchronous;
6. "Non-hybrid/unimodal" vs. "bi-/multimodal/hybrid" BCIs;
7. Medical vs. non-medical BCIs with corresponding regulatory consequences;
8. Relatedly, the interfacing target: brain to robot, to internet (“Internet of Neurons” [29]), to vehicle [30, 31], silent communication/"Synthetic Telepathy" [32], smart-home control, brain-to-spine and brain-to-brain interfaces, both to human and animal [33], etc.;
9. BCI paradigm / neurophysiological principle: BCIs based on operant conditioning, based on population decoding, slow-cortical-potential-based, P300 spellers, learned control over oscillatory brain signals; motor-imagery-based, steady-state sensory evoked potentials, e.g., visual: Steady State Visually Evoked Potentials (SSVEPs);
10. Type of brain signal processing/decoding: with and without Machine Learning (ML); with ML: linear vs. nonlinear classifiers; traditional (Support Vector Machine (SVM), Regularized Linear Discriminant Analysis (RLDA), random forests etc.) vs. Deep Learning (DL)-based;
11. Single-purpose vs. multi/general-purpose BCIs;
12. Single user vs. multi-user (collaborative or competitive) BCIs.
Footnote 4: The definition of minimally and semi-invasive BCIs is not uncontroversial. Semi-invasive BCIs can, e.g., be defined as those which “involve recording from or stimulating the brain surface or nerves” (Rao, R. P. (2013). Brain-computer interfacing: an introduction. Cambridge University Press, p. 101). Others consider, e.g., BCIs based on clinical ECoG grids, as more rather than less invasive compared to intracortical BCIs utilizing small implants like the Blackrock-Array.
For example, the NextMind BCI could be classified as a non-invasive, reactive, synchronous, non-hybrid, consumer, single-user, multi-purpose SSVEP-based BCI using an undisclosed ML algorithm [34].
A special type of BCI uses brain signals (mostly EEG) as a biometric for both user identification and authentication. This growing field of research has been extensively reviewed in [35, 36], highlighting that brain signals generally comply well with the general desiderata of biometric signals (see footnote 5). As an example, it can be argued that EEG has superior universality compared to retina scanning or fingerprints. Beyond its potential as a general biometric modality, brain-signal-based biometrics such as using the EEG may be used for authentication and identification of users of BCI applications [37]. Such approaches could leverage specific brain responses that are generated during BCI usage anyhow, and thus enable seamless authentication with minimal additional burden on the user. This setup would be a BCI (for biometrics) within a BCI (for another purpose), illustrating the growing complexity of contemporary BCI setups (posing a challenge for coming up with comprehensive BCI taxonomies).
Next we consider the hard- and software components used to implement these diverse types of BCIs.
Footnote 5: Universality, distinctiveness, collectability, circumvention, permanence, acceptability and performance [36].
3.2 BCI hard- and software
The scope of hard- and software used in BCIs is broad, with important consequences for neurosecurity
and -safety. BCIs may be implemented either using off-the-shelf components or custom hardware,
such as custom Application-Specific Integrated Circuits (ASICs). Embedded BCIs have been realized,
e.g., using the Raspberry Pi and Arduino platforms; future embedded BCI solutions might utilize
neuromorphic computing hardware.
Many BCIs (but not all) involve a wireless connection to a local computing device for data processing
and storage; and may involve remote/cloud services and components. Such BCIs may also utilize
mobile phones and other general-purpose hardware. Presence or absence of wireless communication
or trusted hardware may result in very different conditions for the establishment of effective BCI
cybersecurity.
Figure 2: BCI hardware overall structure may involve wearable/embedded components (left),
components running on local devices (center), as well as remote/cloud services (right).
In the one extreme, all BCI functions may be on the wearable component (so there is no local or
cloud component); in the other extreme, all functions other than recording (and stimulation) may be
supported by cloud services. In the typical case, at least as currently prevailing, a substantial part
of the BCI functionality is supported by a local device, which may be coupled wirelessly (e.g., Wi-Fi,
Bluetooth) or via a wire connection to those components directly connected to the BCI user.
The wide spectrum of BCI hardware is paralleled on the software side. In addition to the diversity of specific ML components used in BCIs as mentioned above, there are different general ML frameworks relevant to BCIs, such as PyTorch and TensorFlow for DL, as well as numerous BCI software frameworks using different programming languages, e.g., Open BCI GUI, Open ViBe, Python MNE (using Java, Python, C++, NodeJS) and Letswave, EEGLab, BCILab (Matlab toolboxes).
3.3 The extended BCI cycle
In light of this conceptual and technological diversity it is crucial to identify generic functional prin-
ciples which are shared by most or even all (currently conceivable) BCIs. One such principle has
been formalized as the so-called BCI cycle. It was originally described as a closed loop, sequentially
involving the measurement of brain activity, classification of the recorded data data, the feedback to
the subject as well as the resulting effect back on brain activity of the BCI subject.
In the subsequent literature, several modifications and extensions of the BCI cycle have been put
forward. In particular with respect to the BCI cycle as a basis for evaluating cybersecurity, Bernal
and colleagues proposed a version of the BCI cycle including stimulation functionality [23]. However,
as our focus here is not on bidirectional BCIs with stimulation functions, and as current unidirectional
BCIs without stimulation functions have developed far beyond the initial, comparably simple systems,
here we propose a different extension of the BCI cycle (Fig. 3). This extended BCI cycle is designed
to accommodate the functionality of current and prospective “three level” BCI setups:
1. The BCI Core Cycle corresponds to the classical BCI cycle and interacts with a single user
(or a group of users in the case of a collaborative BCI).
2. The Extended Core may comprise various possible extensions of the core functionality, which
may communicate with the core, the global components, or both. There are various such existing
or prospective modules extending the core functionality, e.g., modules to implement adaptivity
of the core decoder, BCI app store client modules, extension modules for anomaly detection with
respect to the core data flow, etc.
3. The BCI Global Functionality. The main distinction to the (extended) core is that the global
functions concern multiple (other) users, e.g., data pooling across multiple users, training global
models on such pooled data, or BCI app store servers.
Many different scenarios are possible of how this functionality may map onto the wearable/embedded,
local, and remote/cloud components of a BCI. For example, the core functions may be fully imple-
mented in the embedded/wearable component, and extensions as described above would fit well to a
local device such as a PC or smartphone. On the other hand, decoders may also be run locally, on
a remote server (such as done in [38]), or even as a cloud service (provided appropriate stability and
latency of the remote connection for the given application, such as cloud neurogaming).
Figure 3: Three-shell, extended BCI cycle. The BCI Core Cycle corresponds to the classical
BCI cycle and interacts with a single user (or a group of users in the case of a collabo-
rative BCI). The Extended Core may comprise various possible extensions of the core
functionality, which may communicate with the core, the global components, or both. The
BCI Global Functionality is defined with respect to multiple cores of other users (sym-
bolized by colored pictograms on the top right), e.g., data pooling across multiple users,
training global models on such pooled data, etc. Note that this distinction is based on
function, not on hardware implementation; there are numerous different possibilities how
this generic functionality can be mapped on hardware (cf. Fig. 2). This three-shell BCI cycle
will be used to derive a data flow diagram, which in turn is the basis for the subsequent
systematic privacy threat modeling.
3.4 Current state and future trajectory of BCI technology
The World Intellectual Property Organization (WIPO) Technology Trends 2021 report on assistive
technology analyzes patenting and technology trends in assistive technology, using a scale of technology
readiness. The report estimates the typical readiness of BCI technology as comparably low, somewhere
between a "proof of concept" and a "minimal viable product" [39]. Many intriguing BCI application
concepts are still in the stage of (academic) lab prototypes. Many of those are still fraught with
fundamental issues which need to be resolved for viable BCI products. One bottleneck, for example,
is the limited amount of information which can be derived from recordable brain signals, especially in
the non-invasive cases.
This limitation may be overcome by novel recording techniques, such as MEG with Optically Pumped
Magnetometers (OPMs). Also progress in the field of ML, especially in the field of DL with Artificial
Neural Networks (ANNs), can significantly increase the amount of extractable information from various
data types. DL has set a new state of the art in computer vision and natural language processing.
Despite promising results, DL has not yet enabled similarly large performance increases in brain signal
decoding. One possible reason for this difference lies in the lack of BCI-related "big data". Thus,
data pooling such as EEG recordings may be crucial to move the BCI field from lab prototypes to
real-world products. In other words, current BCI applications typically do not have a lot (if any)
"spare performance" that could be sacrificed for improved security or privacy, in such cases where
security- and privacy-preserving methods come at a performance cost (see below).
Figure 4: Current and anticipated future phases in the maturation of BCI technology.
Privacy and security solutions should match the stage of development of BCIs and thus
face evolving challenges.
BCI technology today can be seen in an "emerging technology phase", characterized by relatively
low TRLs, little or no spare performance (decoding accuracy), by the fact that large-scale data pooling
could be crucial to develop better ML models and real-world products, and that Privacy-Preserving
Machine Learning (PPML) for BCIs is still in a research stage and technological infancy; when PPML
incurs a performance cost this may be problematical given the limited amount of decodable information
BCIs have to work with anyhow.
We anticipate that after a transition phase, BCI technology will enter a "Mature Technology Phase",
characterized by functional TRLs/real-world products, based on solid decoding performance, a situa-
tion where data pooling may be replaced by distributed/federated ML solutions.
Considering this technology trajectory is crucial in our context, as it implies three distinct strategic
objectives:
1. Act: Come up with concrete neurosecurity and -privacy recommendations which are already
practical "here and now", during the ongoing emerging technology phase of BCIs.
2. Research: Identify key neurosecurity and -privacy research questions to be addressed during
the transition phase.
3. Anticipate: Project how neurosecurity and -privacy issues may be solved in the anticipated
mature BCI technology phase.
4 Related Work
We performed a literature search and identified 97 publications on technical aspects of BCI neurose-
curity and -privacy (Fig. 5). Around 15% of original studies (11 papers) actually implemented attacks
on BCIs and demonstrated successful cyberattacks on BCIs in lab or more real-world settings. Some
of the studies were done in laboratory settings, such as Belkacem et al. who implemented Distributed
Denial-of-Service (DDoS) and Man in the Middle attacks on P300-based BCI Unicorn speller [40];
Beltran and colleagues successfully implemented misleading stimuli attacks (see below) and different
versions of noise-based attacks on P300-based BCIs [41–43]. Interestingly, the majority of the im-
plemented and emulated attacks were performed on Event-Related Potential (ERP)-based reactive
BCIs.
Figure 5: (A) Publications on technical aspects of neuroprivacy and -security from 2009 until June
2022; (B) pie chart of paper types; other: editorial, opinion paper, blog post, non-peer-reviewed
article, PhD thesis, or book chapter.
One of the first documented successful hacking attempts was Cody’s Emokit project, where Cody
Brocious cracked encrypted data directly from EMOTIV headset [44]. Later on, Cusack and colleagues
used the “Btlejuice” attack (https://github.com/DigitalSecurity/btlejuice): EEG data were hijacked
between Emotiv headset and NCD by tethering
in Bluetooth wireless network [45]. Similarly, Sundararajan showcased several attacks on Emotiv
headset, such as passive eavesdropping, active interception and DDoS (by jamming the connection
from Emotiv to smartphone) [46]. Xiao and colleagues implemented two sets of Proof-of-Concept
(PoC) attacks, consisting of four remote and one proximate attack. Results showed that all 156 BCI
apps in the Neurosky app store are vulnerable to the proximate attack and all the 31 free apps are
vulnerable to at least one remote attack [47]. Finally, another recent large scale study by Tarkhani
et al. used the system security and privacy threats analysis for existing wearable BCI products
(Muse, NeuroSky and OpenBCI) from the operating system and adversarial ML perspectives. They
designed an information flow control system for attack mitigation and as PoC they implemented a set
of attacks across six vectors (AV1: sniffing, spoofing, man in the middle; AV2: inadequate isolation
and access control; AV3: privilege escalation; AV4-AV6: adversarial ML) and discovered more than
300 vulnerabilities for real-world BCI devices [48]. For an overview of cybersecurity threats taxonomy
for AVs see Bernal et al. [23].
Together, these studies clearly show that cybersecurity issues are an important concern for exist-
ing consumer neurotechnology; therefore state-of-the-art cybersecurity defense strategies are of great
importance for BCIs. At the same time, these studies also highlight that "hacking the BCI" is a
different, yet related, topic area compared to "hacking the brain" violating brain privacy (the latter
being the focus of our work described here). It is thus important to distinguish between the following
different, but tightly entangled aspects of BCI security:
1. Using "conventional" hacking techniques to get access to a BCI system. Here, the defense is
provided by "conventional" cybersecurity measures.
2. Using the BCI to "hack the BCI" - e.g., to steal secret/personal information, or to compromise the
autonomy of the BCI user. Here, the defense lies in the design of the BCIs.
From our literature review here, however, few papers clearly distinguish between the two concepts of
"hacking the BCI" vs "hacking the brain".
A widely explored topic in the literature is misleading stimuli attacks, or so-called "brain malware".
The most common ways of using malicious stimuli to extract private information are oddball paradigms,
guilty knowledge tests, and priming. For example, Vliet and colleagues showed that the N400 ERP
component can be used to determine what a user is primed on [49]. Other studies used a consumer-grade
headset and showed the feasibility of detecting subconscious face recognition from ERPs [50, 51].
Such methods can potentially also be used to infer other subconscious information such as implicit
associations, preferences etc. For an excellent review of detection of concealed information from the
P300 as well as possible deception strategies, see Rosenfeld [52]. The first study which showed the
feasibility of such an attack was already reported in 2012 by Martinovic and colleagues [21]. Utilizing
the P300 paradigm and using different types of images, they demonstrated the feasibility to infer PIN
codes, bank information, the month of birth, familiar faces, and geographical locations of the user. The
results were further reproduced and extended by Lange et al. [53]. Using a “Flappy Whale” BCI game,
Bonaci reported the feasibility of probing private information even with subliminal (not consciously
perceived) stimuli [54], similar to Frank et al., who also reported that by analyzing the responses
evoked by short stimuli hidden in video frames it was possible to uncover whether participants were
familiar with the subliminally-presented faces [22]. A number of more recent studies, however, tried
unsuccessfully to reproduce results with subliminal stimuli [42, 55].
Among the proposed countermeasures for misleading stimuli attacks, the most prominent and fre-
quently mentioned is the "BCI Anonymizer" for which a patent was filed (but later abandoned) in
2014 [56]. To our knowledge, however, it still has not been successfully implemented even in laboratory
settings due to lack of neuroscientific understanding of the EEG signal and corresponding difficulties
in filtering out task-irrelevant identifying information. Other measures include concentration on non-
target stimuli, adding noise to raw EEG data and API restriction (non-exposing raw EEG data to
third parties). However, the effectiveness of the countermeasures (except for API restriction) still
requires further research.
Despite the significant number of reviews present in our search, systematic privacy and/or security
threat modeling is very scarce. Bonaci [54] used an approach developed by Friedman for “Value
Sensitive Design” [57, 58]. She identified the following general threat categories for BCI technologies:
1. Disclosure to Unauthorized Parties, 2. Unauthorized Use of Individual Data, 3. Unauthorized
Request (Search) for Individual Data, 4. Unauthorized Use of Aggregated Data, 5. Unauthorized
Fusion of BCI data with Unexpected External Data. Another attempt at systematically evaluating
privacy in BCIs was done by Wahlstrom and colleagues [59]. This study discusses potential privacy
disruptions for BCI typology (active, passive, reactive, hybrid) and for existing, prospective and spec-
ulative use-cases. Different privacy theories (control, restricted access, commodification, contextual
and ontological) were used for analysis. The result indicates that while all four types of BCIs have
potential for disrupting privacy, the major risk is likely to arise from the use of reactive, passive and
hybrid BCIs. Pazouki and colleagues attempted to use STRIDE [60] for identifying BCI security risks,
but the paper is lacking in detail on this topic [61].
Literature survey conclusions:
There are relatively few publications addressing BCI security and privacy by de-
sign, and few publications clearly distinguishing between "hacking the BCI" and
"hacking the brain", and, to our knowledge, no publications applying a combination
of systematic threat modeling, risk assessment, and privacy or security engineering tools
to the field of BCI technology.
Safety and privacy by BCI design to prevent "hacking the brain" in BCIs is the central
topic of the proposed framework.
5 Basic Neuroprivacy and -security Architecture
5.1 Methodology overview
To establish a basic neuroprivacy and -security architecture in a systematic manner, here we leverage
systems engineering methodologies. Privacy engineering addresses privacy issues in a systematic
and holistic way and provides patterns on how to move from principles to actions. Privacy engineering
has been defined as “a specialty discipline of systems engineering focused on achieving freedom from
conditions that can create problems for individuals with unacceptable consequences that arise from the
system” as it processes personal information [62].
In the first step, we derived a Data Flow Diagram (DFD) based on our functional model (extended BCI
cycle, Fig. 3) and overall hardware structure (Fig. 2). The following steps then involve privacy threat
modeling, risk assessment, and privacy engineering based on a set of basic privacy design patterns
(Fig. 6).
5.2 Privacy threat modeling
To establish a basic neuroprivacy and -security architecture, we start with a systematic approach
to modeling of brain privacy threats. As shown by our literature review above, such a systematic
evaluation is so far lacking. We selected LINDDUN as our threat modeling tool. Similar to Microsoft’s
threat modeling framework STRIDE, LINDDUN leverages an information-flow-oriented system model
to systematically guide the threat analysis and to provide a broad coverage of different threat classes.
In contrast to STRIDE, LINDDUN is oriented towards privacy threats and thus appeared especially
well suited, given the pivotal role of brain privacy in our context (see footnote 7). Furthermore,
LINDDUN can be used not only for single systems but also for broader analyses; for example Iwaya et al.
recently used LINDDUN to analyze a large group of top-ranked mental health apps from Google Play
Store [63].
Footnote 7: However, we are well aware that these threat modeling methodologies were not designed for
the very specific cases of brain privacy and interfacing; thus we considered it as a question to be
answered whether or not this approach would turn out to be useful in the BCI context.
Figure 6: Flowchart of analysis steps and related methodologies.
Three threat sources are distinguished in LINDDUN: organizational, which may refer to the orga-
nization as a whole or an employee, in our case first of all the BCI service provider; external, which
refers to a misactor external to the organization, in our case for example a malicious adversary with a
motivation to steal brain data or sensitive information derived from it; and (future) receiving parties:
e.g., a cloud storage service, Amazon Web Services (AWS), PayPal, etc., receiving data from the
organization.
Threat modeling according to LINDDUN proceeds in three steps:
1. Modeling the system using a DFD
2. Eliciting threats using the LINDDUN threat catalog and mapping the identified threats to
hotspots in the DFD
3. Identifying mitigation strategies.
Thus, as the first step, we derived a DFD from the extended BCI cycle schematic as introduced and
discussed in the previous sections. The resulting DFD is shown in Fig. 7.
Next, we systematically evaluated the 34 threats in the 7 threat classes: linkability, identifiability,
non-repudiation, detectability, disclosure of information, content unawareness, and noncompliance,
as provided by the LIND(D)UN GO system (see footnote 8) [64]. In addition to the standard evaluation,
we also asked whether each of the threats may be considered BCI-specific. The LINDDUN framework (as also
STRIDE) supports threat but not risk assessment and is compatible with the standard risk assessment
techniques. We chose the widely used Open Web Application Security Project (OWASP)’s Risk Rating
Methodology to estimate the risk associated with each identified BCI-specific threat. This means, to
keep the document concise, here we focused on the clearly BCI-specific threats, as opposed
to the less- or non-BCI-specific threats (however, it would be straightforward to extend the
same kind of analysis also to the latter). OWASP overall risk severity ranges from "note", "low",
"medium" and "high" to "critical" (critical risk level for threats with high associated impact and
likelihood) [65].
Footnote 8: Note that the second “D” in LINDDUN stands for “Disclosure of information” which is a
security category. It is not included in LINDDUN GO as it focuses on privacy. The LINDDUN authors
however advise combining their approach with security threat modeling as privacy highly depends on
security. For the same reason, in our framework we will also consider the relevant security aspects,
such as with respect to disclosure of information and confidentiality.
Figure 7: BCI data flow diagram (DFD) and BCI-specific privacy threats mapped to
their potential hotspots (here we assume global functions to run in the cloud). Legend
of risk levels and DFD elements on the right. Dashed line indicates one possible
trust boundary. Threat categories; L: Linkability; I: Identifiability; U: Unawareness; Nc:
Noncompliance. Detailed threat acronyms: See main text.
The aims when applying these methodologies here (i.e., to a generic model representing the archi-
tectures across the wide, emerging field of BCI technologies) obviously must be different from the
aims when applying these methodologies to an existing and concrete system. Existing and prospective
BCIs, e.g., range from low-cost systems with a few, low-quality EEG sensors to high-end BCIs with
potentially thousands of implanted electrodes. Accordingly, the amount of personal information that
can be inferred from the recorded brain data acquired with different kinds of BCIs (low- vs. high-end,
non-invasive vs. invasive) can be expected to vary enormously. As a consequence, identical privacy
threats can have very different impacts and, consequently, lead to very different privacy-related risks.
Therefore, our aim is an assessment of the landscape of potential BCI-specific privacy threats and
risks. Thanks to the systematicity of the system engineering tools applied, it is also the aim to lay out
a general and extensible framework that can be flexibly adapted and applied to concrete
and specific BCI application examples. It was not our aim to provide ready-made/out-of-the-
box risk assessments and mitigation recipes which can be just copied and put onto arbitrary BCI
application scenarios.
LINKABILITY threats:
L1 Linkability of credentials (Organizational)
L2 Linkable user actions (Organizational)
L3 Linkability of inbound data (Organizational)
L4 Linkability of context (Organizational/External)
L5 Linkability of shared data (Receiving party)
L6 Linkability of stored data (Organizational)
L7 Linkability of retrieved data (Organizational, [Future] receiving party)
The first threat category in the LINDDUN catalog comprises LINKABILITY threats, threat L1
being LINKABILITY OF CREDENTIALS: Actions and data can be linked by re-using credentials (for
multiple system interactions). We considered this risk as non-BCI specific and therefore did not include
it in our further analysis. The first BCI-specific threat which we identified was L3 LINKABILITY OF
INBOUND DATA (The data sent to the system are linked to already collected data of the same or
other data subjects, from the same or other source). We considered this threat as BCI-specific because
correlating different brain signal recordings of the same subject in a data-driven manner is a highly
specific task due to the special signal properties of such data, e.g., EEG recordings. However, we
also argue that the main risk from such data linkage arises in the stage of stored data (especially for
remote/cloud storage of neuro-data), thus we assigned only a medium risk to item L3, but critical risk
level to L6 LINKABILITY OF STORED DATA. Stored data are not only the raw or processed brain
signals, but also the context, such as visual and auditory stimuli presented (and possibly also other
modalities such as electrooculo- or cardiogram). Without knowing the context of "what happened"
with precise synchronization, the information that can be extracted from brain signals is reduced. For
example, the whole class of misleading stimuli attacks via BCIs requires exact knowledge of when the
misleading stimuli appear in the data stream. Thus, we classify linkability of stored BCI-acquired data
as a critical risk. The same reasoning also applies to L7 LINKABILITY OF RETRIEVED DATA,
provided the scenario that data would be passed on to third, receiving parties.
IDENTIFIABILITY threats:
I1 Identifying credentials (Organizational)
I2 Actions identify users (Organizational)
I3 Identifying inbound data (Organizational)
I4 Identifying context (Organizational/External)
I5 Identifying shared data (Receiving party)
I6 Identifying stored data (Organizational)
I7 Identifying retrieved data (Organizational, [Future] receiving party)
Closely related, as a special case of linkability, are IDENTIFIABILITY threats including another
risk that we consider critical, I6 IDENTIFYING STORED DATA. BCI-acquired data being stored may
be identified (linked to the user) because they are insufficiently minimized/anonymized before storage;
analogously I7 IDENTIFYING RETRIEVED DATA applies to data passed on to third parties. These
threats were considered critical as they represent the basic risk of data leakage and theft, i.e., that
brain-signal-derived personal information can be linked back to an individual. I1 IDENTIFYING
CREDENTIALS, I2 ACTIONS IDENTIFY USER, and I3 IDENTIFYING INBOUND DATA we
considered as medium risk threats.
REPUDIATION threats:
Nr1 Credentials non-repudiation (External)
Nr2 Non-repudiation of sending (Organizational)
Nr3 Non-repudiation of receipt (Organizational)
Nr4 Non-reputable storage (Organizational)
Nr5 Non-repudiation of retrieved data ([Future] receiving party)
The next category, NON-REPUDIATION threats, is especially interesting in the BCI context. As
mentioned above, in contrast to the security context, non-repudiation is considered a threat for privacy.
From a privacy perspective, non-repudiation ensures that one can, for example, plausibly deny having
logged into a questionable website. However, as stated in the GDPR: “The right to the protection
of personal data is not an absolute right; it must be considered in relation to its function in society
and be balanced against other fundamental rights, in accordance with the principle of proportionality”
(Recital 4 GDPR). From a security perspective, non-repudiation ensures that users cannot arbitrarily
shift the blame for their actions to a BCI (“I did not do that - this was my BCI misinterpreting my
intentions!”). Weighing the privacy and security considerations, we are convinced that here security
prevails, thus, we have not assigned any risks in this threat category (see also Ensuring user autonomy
section).
DETECTABILITY threats:
D1 Detectable credentials (External)
D2 Detectable communication (External)
D3 Detectable outliers (External)
D4 Detectable at storage (External [with access to the system])
D5 Detectable at retrieval ([Future] receiving party)
The next category comprises DETECTABILITY threats, which refer to the ability to detect whether an
item of interest exists or not, without having access to the data. An example given in LINDDUN-Go:
“By detecting that a celebrity has a health record in a rehab facility, one can infer the celebrity has
an addiction, even without having access to the actual record.” In our view, this threat category is
neither specific nor critical for current BCI applications and we have not assigned any substantial risk
to the five threats in this category.
UNAWARENESS threats:
U1 No transparency (Organizational)
U2 No user-friendly privacy control (Organizational)
U3 No access or portability (Organizational)
U4 No erasure or rectification (Organizational)
U5 Insufficient consent support (Organizational)
This is in contrast to UNAWARENESS threats, namely U1 NO TRANSPARENCY, U2 NO
USER-FRIENDLY PRIVACY CONTROL (and related also Nc4 AUTOMATED DECISION MAK-
ING, see below). We argue that unawareness may be the most dangerous source of risks in the present
stage of BCI technology; in our view it is fundamentally impossible to exert the right to informational
self-determination in a meaningful way if brain data of unknown information content are processed by
opaque algorithms implemented in closed-source proprietary software - a black box within a black box
within a black box. We advocate to "Avoid security through obscurity", relying on transparent
and interpretable solutions (cf. Tesla’s open-source patent philosophy for autonomous car security
software [66]). U3 NO ACCESS OR PORTABILITY and U4 NO ERASURE OR RECTIFICATION
we consider as additional high risk unawareness-related threats.
NON-COMPLIANCE threats:
Nc1 Disproportionate collection (Organizational)
Nc2 Unlawful processing (Organizational)
Nc3 Disproportionate processing (Organizational)
Nc4 Automated decision making (Organizational)
Nc5 Disproportionate storage (Organizational)
The final threat category addressed by the LINDDUN framework is NON-COMPLIANCE threats
which arise if the system does not comply with data protection principles. The GDPR, for example,
establishes 6 data protection principles including purpose limitation, data minimization, integrity and
confidentiality (as well as accountability as an overarching seventh principle related to the other six).
In the LINDDUN framework, this category has been developed mainly in the context of the EU’s
GDPR, but the underlying principles may be considered independent of a specific geographic or legal
domain. On the other hand, threat manifestation in this category appears highly context-dependent,
for example, contingent on differences in legal and political factors. Assessments of non-compliance-
related threats in BCI applications, due to their highly context-dependent nature, can only be prelim-
inary and in our view indicate a threat potential rather than an actual threat. Specific threats Nc1-5
are DISPROPORTIONATE COLLECTION, UNLAWFUL PROCESSING, DISPROPORTIONATE
PROCESSING, AUTOMATED DECISION MAKING, and DISPROPORTIONATE STORAGE. Ex-
cept for Nc2 (unlawful processing) we consider all non-compliance threats as BCI-specific (due to the
specific nature of the collected and processed data) and have assigned a high risk level (in the sense of
a general risk potential rather than an actual risk, see above). Nc2 Unlawful processing we consider
as non-BCI-specific as long as there are no specific "BCI laws" in place (but cf. the introduction of
"NeuroRights" in Chile [67]).
In addition, we also consider DISCLOSURE OF INFORMATION threats which imply risks to
brain data confidentiality, as (brain) privacy highly depends on this core aspect of security. Associated
risks may exist across the whole BCI data flow, including all stages of data at rest and data in transit.
Measures to ensure brain data confidentiality will be discussed in the Hide Strategy Section.
Fig. 7 shows a summary of the BCI-specific privacy threats as discussed above mapped to their hotspots
in the BCI flow diagram, including several BCI-specific, critical risk-level threats.
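The rating step described above (LINDDUN GO threat IDs scored with the OWASP Risk Rating Methodology), as an added example that is not part of the paper. The names `Threat`, `rate` and `bci_register` are hypothetical, and all factor scores are constructed for illustration, chosen so that the computed severities reproduce the levels the text assigns to L3, L6, I1, I6 and U3; this section does not give the authors' own factor scores.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence

# OWASP Risk Rating factor groups; every factor is scored 0-9.
LIKELIHOOD = ("skill_level", "motive", "opportunity", "size",        # threat agent
              "ease_of_discovery", "ease_of_exploit", "awareness",   # vulnerability
              "intrusion_detection")
TECHNICAL = ("loss_of_confidentiality", "loss_of_integrity",
             "loss_of_availability", "loss_of_accountability")
BUSINESS = ("financial_damage", "reputation_damage", "non_compliance",
            "privacy_violation")

# Overall severity, indexed as SEVERITY[impact][likelihood].
SEVERITY = {
    "HIGH":   {"LOW": "medium", "MEDIUM": "high",   "HIGH": "critical"},
    "MEDIUM": {"LOW": "low",    "MEDIUM": "medium", "HIGH": "high"},
    "LOW":    {"LOW": "note",   "MEDIUM": "low",    "HIGH": "medium"},
}
RANK = ("critical", "high", "medium", "low", "note")


def level(score: float) -> str:
    """Bucket a 0-9 average: below 3 LOW, 3 to below 6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def average(names: Sequence[str], scores: Sequence[int]) -> float:
    """Mean of one factor group; rejects missing or out-of-range factors."""
    if len(scores) != len(names):
        raise ValueError(f"expected {len(names)} factors, got {len(scores)}")
    for name, score in zip(names, scores):
        if not 0 <= score <= 9:
            raise ValueError(f"{name} out of range: {score}")
    return mean(scores)


@dataclass(frozen=True)
class Threat:
    tid: str                          # LINDDUN GO card id, e.g. "L6"
    name: str
    source: str                       # LINDDUN threat source
    bci_specific: bool                # the extra question asked in the text
    likelihood: tuple                 # scores in LIKELIHOOD order
    technical: tuple                  # scores in TECHNICAL order
    business: Optional[tuple] = None  # scores in BUSINESS order, if estimable


def rate(t: Threat) -> str:
    """OWASP overall severity for one threat."""
    lik = level(average(LIKELIHOOD, t.likelihood))
    # OWASP: use the business impact when it can be estimated, else technical.
    if t.business is not None:
        imp = level(average(BUSINESS, t.business))
    else:
        imp = level(average(TECHNICAL, t.technical))
    return SEVERITY[imp][lik]


def bci_register(threats):
    """Rate only the BCI-specific threats, most severe first (stable order)."""
    rated = [(t.tid, rate(t)) for t in threats if t.bci_specific]
    return sorted(rated, key=lambda r: RANK.index(r[1]))


# Constructed factor scores (illustrative assumptions, not from the paper).
THREATS = [
    Threat("L1", "Linkability of credentials", "Organizational", False,
           (4, 4, 4, 5, 3, 3, 4, 8), (5, 1, 1, 7)),
    Threat("L3", "Linkability of inbound data", "Organizational", True,
           (4, 4, 4, 5, 3, 3, 4, 8), (6, 1, 1, 5), (3, 4, 5, 5)),
    Threat("L6", "Linkability of stored data", "Organizational", True,
           (5, 9, 7, 6, 7, 5, 6, 8), (9, 1, 1, 7), (6, 9, 7, 9)),
    Threat("I1", "Identifying credentials", "Organizational", True,
           (4, 4, 4, 4, 5, 4, 4, 8), (6, 2, 1, 7)),   # no business estimate
    Threat("I6", "Identifying stored data", "Organizational", True,
           (5, 9, 6, 6, 7, 6, 6, 8), (9, 1, 1, 7), (5, 9, 7, 9)),
    Threat("U3", "No access or portability", "Organizational", True,
           (5, 4, 7, 6, 6, 5, 4, 3), (2, 3, 5, 7), (3, 7, 7, 7)),
]

if __name__ == "__main__":
    for tid, severity in bci_register(THREATS):
        print(f"{tid}: {severity}")
```

Re-scoring the factors for a concrete device (for example a low-cost EEG headset versus an implanted array) changes the resulting severities without touching the threat catalogue, which is the adaptation the text describes.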
Figure 8: Privacy design patterns after Hoepman [68], in our color-coding (also used in the
following figure). Note that the circular arrangement here was chosen to symbolize that
these strategies “protect” the processing nodes (see Fig. 9).
In the next step, to develop suitable mitigation strategies addressing this threat landscape, we need
strategies that can be used modularly for flexible application scenarios, and which lead to actionable
tactics, including descriptions, requirements, and implementation aspects regarding the different levels
to be considered, such as suitable Privacy Enhancing Technologies (PETs).
5.3 Threat mitigation by privacy engineering
We selected the privacy engineering approach by Hoepman [69]. This methodology has the advantage
that it covers the whole range of GDPR privacy requirements: In the review by Huth & Matthes
(2019) [25], the Hoepman privacy engineering approach was the only one with “GDPR completeness”.
In contrast to the also recent PRIPARE methodology by Notario et al. [70], Hoepman also offers
explicit links to specific techniques for implementation.
The Hoepman methodology is based on 8 privacy design strategies which are derived from the Or-
ganisation for Economic Co-operation and Development (OECD) privacy guidelines, the draft of the
GDPR, as well as the ISO 29100 privacy framework (Fig. 8). Specifically, the design strategies comprise
4 more technical, data processing-oriented strategies: Minimize, Hide, Separate, and Abstract; as
well as 4 process-oriented strategies: Inform, Control, Enforce, and Demonstrate, which deal with
the organizational and regulatory aspects of privacy engineering. Crucially, each strategy comes with a
set of tactics guiding the concrete implementation of the various strategies. Fig. 9 shows a mapping of
these strategies onto our BCI flow diagram (note that the strategies Demonstrate and Enforce, which
are directed to the data controller, will be discussed in the context of legal and regulatory aspects).
The abstract flow diagram combined with the mapped engineering strategies provides a general
architecture for BCIs to protect brain privacy. This architecture can be applied to concrete BCI
examples in a flexible way, can be extended for future use cases, and offers a systematic link to concrete
implementation tactics, as we discuss in the following for the individual design strategies.
Figure 9: Basic neuroprivacy and -security architecture mapping the Hoepman privacy engi-
neering strategies onto the BCI data flow. Minimize, abstract, and hide strategies may
apply to processing in core, extended core, and cloud components. The Inform strategy
plays a fundamental role in our architecture and pervades all levels and components of
the BCI system, corresponding to the critical risk of unawareness threats. The main role
of the Separate strategy lies in the transition of centralized to decentralized solutions (see
main text for further details).
6 Privacy Design Strategies for BCIs
In this chapter, we will discuss how the 8 privacy design strategies as introduced above can be applied
to BCI applications. We will highlight both actionable design features as well as research questions:
Actionable design features: After the discussion of the strategies we include boxes with
concrete privacy-by-design BCI components which do not require extensive further research to
be useful for BCI privacy preservation.
Research questions: We also highlight selected research questions related to privacy-preserving
BCI techniques and methods which may be helpful or required for the transformation
of today’s emerging BCI technologies to a mature and productive technology stage (cf. Fig. 4).
6.1 Minimize
The Minimize strategy requires limiting as much as possible the collection and the processing of
personal data: “The most obvious strategy to protect privacy is to minimise the collection of personal
data. Nothing can go wrong with data you do not collect.” [68]. The Minimize strategy has the
implementation tactics Select, Exclude, Strip and Destroy.
For BCI applications, the most basic and straightforward implementation of the Minimize strategy
would be to discard the recorded neurodata after they have been passed through the decoder: during
intended use, the neurodata do not leave the core BCI cycle. It has been argued that under such
conditions, a BCI used for cursor control would raise few, if any, privacy issues, as it would not reveal
any more personal information than occurs when controlling a cursor with an ordinary computer
mouse (footnote 9) [72].
Footnote 9: However, even in this case privacy issues may arise, e.g., through insecure wireless data transmission [71].
However, such minimal data storage may have disadvantages for the development and operation of
safe and performant BCI applications. It would prohibit large-scale data pooling, which may
be required to develop improved decoding models, at least at the current stage of BCI technology, for
example in the context of exploratory algorithm development, research on robust subject-independent
models or on meta-decoders. Certain variants of important techniques such as adaptive decoding
[73, 74] and data-driven anomaly detection may also require storage of data, not necessarily
permanently, but at least over shorter time horizons. Thus, another concept for implementing the
Select tactic is storing the data, but applying a feature limitation approach to the stored data (also
following the EU data minimization principle). In this approach, only a limited set of features of the
neurodata is stored, or certain features are removed from the data before storing.
Although this seems an attractive idea, the feature limitation in the context of EEG data and BCIs is
not necessarily straightforward and may require further research. Questions here would for example be
“Is it possible to do reliable feature limitations (and if yes, to what extent) for brain signals?”, “Which
information is relevant and irrelevant for the task?”. As an example, one can think of limitations
on the sensor level (recording only a subset of electrodes relevant to the task). For example, the
NextMind BCI is based on visually-evoked potentials and fitting to this signal source, all electrodes
are positioned above the occipital area containing the primary and secondary visual cortex. However,
EEG electrodes positioned in such a way, e.g., above the visual or motor areas, may also pick up
signals from brain areas involved in cognitive processes, e.g., speech processing.
Therefore, a next logical step is to take the feature limitation approach from sensor space to the signal
space, and to strip signal components, such as by filtering out certain frequency ranges, etc. Feature
selection is the process of selecting an optimized subset of features for ML model training and a broad
spectrum of different algorithms has been developed for this purpose [75]. As a BCI example, filter
banks are an important component of many classical pipelines and can also be integrated, e.g., with
deep networks for EEG [76].
The concept of the so-called BCI Anonymizer (footnote 10) [54, 56] is based on such a feature limitation approach.
This tool has been proposed as a way to remove private information from EEG data before they are
stored or transmitted. The hypothesis here is that recorded brain signals can be decomposed into a
collection of characteristic components in real-time. From these components, one wishes to extract
exactly the information needed for the BCI application while filtering private information out. Several
issues with the BCI Anonymizer idea have been identified, including resource constraints in BCI
devices, lack of access to proprietary algorithms, lack of a clear method for separating private
information from intentions and a general lack of any implementation details. Despite the attractiveness
of the BCI Anonymizer idea, appropriate methods for selectively removing all sensitive information
from EEG data are not yet available, and it appears unlikely that this can be achieved by simple
removal of (additive) components, reflected by the abandoned status of the BCI Anonymizer patent
application [56].
Footnote 10: Note that the concept of the BCI Anonymizer refers to online BCI usage, in contrast to EEG anonymization for offline
analysis, see Section 9.
In contrast, a promising yet methodologically more complex approach to feature limitation leverages
generative ML methods. Yao and colleagues have adopted domain adversarial DL techniques
for feature removal from EEG. Generative ML methods such as Generative Adversarial Networks
(GANs) can solve a wide range of tasks. For example, they can generate photorealistic images from
high-dimensional noise [77], generate segmentation masks for medical imaging data [78], translate
photographs into an image with a learned artistic style [79], or generate arbitrary images from verbal
instructions [80]. Similarly, generative methods can be set up to translate a signal into a corresponding
one of the same dimensions, but enforcing that information such as age or gender cannot be inferred
from the generated one. For example, Yao et al. report that using a model structure with multiple
generators and discriminators it was possible to simultaneously achieve state-of-the-art accuracy on a
public EEG data set, while removing privacy-related features [81].
In summary, the Minimize strategy offers a wide range of tactics ranging from simple and immediately
applicable to highly complex, and should always be evaluated for a BCI application, as early as in the
current "Emerging Technology Phase". Feature limitation techniques based on generative ML are
a highly promising research priority for the coming transition phase to more mature BCI solutions.
BCI-Limiter: Integrating channel pre-selection and feature selection, such as using optimized
filter banks, for feature limitation.
How can generative ML be used, likely combined with multi-objective optimization (to
balance extent of feature reduction with computation and performance costs), to achieve fine-
grained feature limitation with minimal performance and computation costs and intuitive control
not only by domain experts, but also BCI users?
6.2 Abstract
The Abstract strategy aims at limiting as much as possible the detail in which personal data are
processed. “The less detailed a personal data item is, the more we ‘zoom out’, the lower the privacy risk
is.” [68]. The Abstract strategy includes the tactics Summarise, Group, and Perturb, for processing
personal data in a more coarse-grained or aggregate manner. Examples are replacing the exact birth
date by an age category, e.g., rounded to years, or a full address by the city of residence.
Application of the Abstract strategies to the meta-data acquired and stored alongside the brain
data is straightforward and natural, and may provide substantial privacy advantages. These steps are
directly applicable when meta-data are stored alongside the brain signals. For example, if handedness
is determined with a handedness questionnaire such as the widely-used modified Oldfield questionnaire
[82], just the resulting handedness index might be stored, not the answers to all questions. Another
example would be subject age, where exact dates of birth could be replaced by age categories,
for example in applications involving age as a covariate or aiming at "brain age" decoding [83].
Applications of the Abstract strategies to the brain data themselves appear less straightforward,
as there is a conceptual closeness to other strategies such as feature limitation which is considered part
of the minimization strategy (see above). The Abstract strategy might seem naturally implemented
in feature-based brain signal decoding pipelines. For example, Riemannian-Geometry-based decoders
(among the currently most successful class of decoders for EEG BCIs) use the covariance matrix of
the input signals as their input, thus the input is not a time series anymore, "abstracting" the
detailed temporal structure in the covariance structure of the data. However, the same approach
could also be seen as an example of feature limitation (all features except the covariance are omitted).
Another example is the so-called Low frequency component (LFC) which, in particular combined with
an RLDA decoder for intracranial EEG data, can be highly informative, e.g., about hand movement
kinematics [84]. Again, the LFC could be seen as an abstraction in the sense of "zooming out"
(reducing detail due to the low-pass filtering of the data), or as a feature limitation (omitting the
high-frequency features of the brain signals). For brain signals, Abstract strategies might be best seen
as a special case of limitation, namely coarse-graining feature limitation.
Closer to the concept of a privacy-preserving abstraction, and an interesting topic for research in
the domain of brain signals, could be learned privacy-preserving low-dimensional embeddings
of the input data; for example Bezzam and colleagues [85] demonstrated for lensless cameras the
privacy-preserving potential of joint optimization of an image classifier together with rich (allowing
accurate classification) but lower-resolution optical embeddings learned already at the sensor level of
the camera. On the other hand, such techniques - adapted to the brain signal domain - could also be
included in the Hide strategy category together with other kinds of PPML (see following section).
In summary, privacy engineering using the Abstract strategy is straightforward and important with
respect to the meta-data acquired and stored alongside the brain data; at least current brain data
processing techniques which possess an abstraction aspect seem to more naturally fit into related
categories (Minimize, Hide).
BCI-MetaAbstract: Use suitable abstractions for BCI metadata when possible.
Closely related to the research question on limitation methods - How can ML approaches,
combined with advanced optimization, be used for performance- and computation-efficient abstraction
not only on meta- and behavioral data, but also for abstraction on the brain or
multimodal signal level? It may not be optimal to implement limitation and abstraction
methods separately, but rather jointly, allowing joint optimization.
6.3 Hide
This important strategy comprises a broad spectrum of privacy-enhancing tactics and techniques
employed to ensure the confidentiality, unlinkability, and unobservability of personal data. Its
logical place is downstream of the Minimize and Abstract strategies as discussed above: After it has
been decided that personal data need to be recorded, and at which level of abstraction, the aim of the
Hide strategy is to make sure that these data do not become public or known.
Importantly, this strategy also addresses confidentiality, which can be seen as a security rather than
a privacy topic (see footnote 8, Section 5.2), but due to its pivotal role for privacy we consider it
crucial to include this aspect in a brain-privacy-centered framework as well. Tactics within the Hide
strategy are to Restrict, Obfuscate, Dissociate, and to Mix. From the implementation side, access
control policies, encryption, anonymization (removing directly-identifying data), and a large part of
the rapidly-growing PPML field all fall into this broad category. In the following we discuss key aspects
for the adoption of the Hide strategy to BCI applications, focusing on (i) brain data anonymization
and its relation to EEG biometrics, (ii) PPML for BCIs, and (iii) the crucial role of unlinking brain
data and contextual data.
6.3.1 Brain data: Anonymization and re-identification
Can brain data be anonymized, and if yes, how? This is a topic of paramount importance, as Recital
26 EU GDPR states that the principles of data protection should apply only to information concerning
an identified or identifiable natural person (personal data), and not to anonymous information (non-
personal data). If brain data can be anonymized, this could greatly facilitate large-scale data pooling,
for example. To determine whether a natural person is identifiable, GDPR refers to the risk of
identification, considering all means which are “reasonably likely” given factors such as costs, time,
current and prospective technology. What does this mean and what are the consequences for brain
data recorded by BCI systems?
Finck and Pallas [86] have recently examined the concept of personal vs. non-personal data under
the GDPR from both a legal and computer science perspective. They point out that there is a
basic contradiction between the GDPR on the one hand, which implies an acceptable residual risk
of identification compatible with the anonymous status of data, with interpretations by national
supervisory authorities as well as the European Data Protection Board on the other, which consider
that no remaining risk of identification is acceptable for data to qualify as anonymous. Purtova
has provided a similar analysis of the uncertainties surrounding the concept of identification and
identifiability as critical boundary concepts of data protection law [87]. Another open thread of legal
discussion concerns the question whether the scope of personal data protection should be extended to
ML models, such as DL networks trained on personal data [88].
On the technical side, what can we say about the feasibility and risk of (re-)identification of brain
data, EEG data in particular? Here, the literature on EEG for biometrics is helpful, as this literature
provides insights into the feasibility of re-identification of an otherwise anonymous EEG recording
against a database of known EEGs (footnote 11). The EEG data used for biometrics may be spontaneous ongoing
activity, or may also contain different kinds of event-related responses, such as to "passthoughts".
As a large number of studies have reported high biometric accuracies, the feasibility of EEG
re-identification is sometimes taken as a fact. However, how well established is it that EEG recordings
can be re-identified on a large scale of individuals, across large time scales, and with high accuracies?
According to the survey by Bidgoly and colleagues, only 13% of the included studies used EEG from as
many as 100 to 150 participants, while arguably an EEG biometric system would have to be functional
in a population several orders of magnitude larger in size. 27% of the reviewed studies used 10 subjects
or even fewer [89]. As also stated by Bidgoly and colleagues, it has been argued that the accuracy of
EEG biometrics may decrease as a function of an increasing number of participants (cf. also [90]). Also
the number of studies investigating the long-term stability of EEG biometrics is relatively small. One
notable exception is for example the study by Ruiz-Blondet et al., who re-tested their “Cognitive Event
RElated Biometric REcognition” (CEREBRE) protocol in 20 subjects after 48 to 516 days, reporting
100% recognition accuracy [91]. Other factors which may challenge the real-world performance of EEG
biometrics are changes in affective, vigilance, and hormonal state, medication, sobriety, occurrence (or
disappearance) of neurological disorders, all of which can change the recorded EEG patterns. Thus, it
may be argued that despite the impressive reports in the EEG biometrics literature and encouraging
results, at present it is unclear what accuracy re-identification/biometrics of EEG will be able to
achieve on large scales (10s of thousands of users or more, over years). It will be crucial to find out
whether these accuracies at scale will be high enough to enable reliable EEG-based identification and
authentication, or, on the other hand, low enough to dispel privacy concerns due to the risk of EEG
re-identification.
Footnote 11: However, see Bidgoly et al. [89], for an EEG-based authentication approach based on a privacy-preserving EEG
fingerprint function.
Furthermore, even if the raw EEG recordings can be re-identified, feature limitation approaches may be
employed to reduce or remove personally-identifying EEG features. As discussed above, the concept of
the so-called BCI Anonymizer was based on a simple feature limitation approach. Generative ML (as
also discussed above with respect to feature limitation in general), however, may help to better remove
personally-identifying EEG components. Large-scale studies with substantially more subjects will
be needed for the development and evaluation of advanced EEG anonymization algorithms, assessment
of the risk of identification, and, in parallel with advances on the legal side, clarifying the personal vs.
non-personal status of data processed with different anonymization approaches.
6.3.2 Privacy-Preserving Machine Learning (PPML) for BCI applications
PPML is a class of ML specifically designed to mitigate data privacy concerns (footnote 12) [92]. This field for
example includes research on methods for DL on encrypted data (e.g., CryptoNets [93]). Recently,
studies have started to explore the potential of PPML for EEG data analytics. For example, Popescu et
al. have used homomorphic encryption, designed for model inference on encrypted data and giving
encrypted predictions decipherable only by the data owner, for privacy-preserving classification of
EEG data. They report comparable prediction performance of the models operating on the encrypted
and plaintext data, but increased computational time for training in the homomorphic encryption
case [94].
Agarwal et al. proposed cryptographic protocols based on Secure Multiparty Computation
(SMC) for EEG [95]. SMC is a subfield of cryptography that studies methods allowing a group
of participants to jointly compute a public function while keeping their respective inputs private. In
the cited work, Agarwal et al. utilized SMC for estimating drowsiness of drivers using linear regression
over EEG signals from multiple users in a fully privacy-preserving manner and report a manageable
computational cost.
Footnote 12: Many of the strategies adopted in PPML fit the Hoepman “Hide strategy”, therefore we discuss PPML for EEG and
BCI applications as a whole in this section. However, PPML is a wide field comprising many different techniques across
the whole ML pipeline and life cycle. Addition of noise is systematically exploited by differential privacy PPML,
which would fit the Perturb tactic in the Hoepman Abstract Strategy. Hoepman also discusses homomorphic
encryption in the Abstract Strategy section, and SMC in the Separate Strategy section, respectively [68]. We would
argue that the assignment of methods to strategies can be ambiguous and should not be overcomplicated; what we
want to encourage is that the full range of advantages and solutions offered by state-of-the-art PPML be evaluated
and included in a systematic BCI privacy engineering strategy.
A series of recent works has studied the feasibility and performance of federated learning for
EEG [96–99], such as for online seizure detection in epilepsy [100]. Federated learning addresses
similar privacy scenarios as SMC, but instead of cryptography relies on ML techniques to train ML
models, such as deep neural networks, on distributed data, by training local models on the local,
private data, and providing methods to combine the local models into a global model without the
need to disclose the local data.
Others have recently started to explore PPML for brain data using synthetic data generation. For
example, GANs are a novel, powerful generative ML model class that can be used to generate synthetic
yet realistic EEG data [101]. Debie and Mustafa have proposed a GAN trained under a differential
privacy model for generating privacy-preserving synthetic EEG data [102]. Similarly, Pascual and
colleagues proposed a GAN model to generate synthetic seizure-like EEG signals used to train seizure
detection algorithms, reporting that their GAN model was both successfully privacy-preserving and
without performance degradation during seizure monitoring [103].
In summary, there are first encouraging steps highlighting the potential of PPML in the brain signal
domain. The application of PPML in this context is a very recent development: all of the works
summarized above were published not earlier than 2019. It is important to underscore the fact that
PPML for brain signals is still a research-level technology in a very early stage. There still seems
to be a long way to go to implement these approaches in commercial products. PPML in itself is
also a highly dynamic field of research with new, promising solutions being generated which have not
yet been investigated in the BCI domain. For example, Mo et al. have recently proposed privacy-
preserving federated learning with Trusted Execution Environments (TEEs), showing the feasibility of
running deep networks in TEEs on the client side for local training, and on the server side for secure
aggregation, thus strongly hiding model updates from adversaries [104].
Given the convergence of two dynamic technologies, neurotechnology/BCI and PPML, in our
view, at the present stage of development it would be premature by far to prescribe any concrete
PPML technique as a general solution to BCI privacy concerns. Rather, we think that
research on a broad spectrum of PPML solutions for BCI applications will be a key
component in the transformation of the BCI field from its current, early phase to a more
mature level in the future (Fig. 4). Such research will enable informed choices about which PPML
techniques are practicably applicable for online BCIs considering their potential computation
and performance costs, and relatedly, which PPML techniques may or may not be necessary
and/or useful for specific BCI applications.
6.3.3 Unlinking brain data and contextual data
Unlinkability is one of the main concepts within the Hide Strategy. In this last section within the Hide
Strategy chapter, we want to draw attention to the important role of unlinkability in the BCI/brain
privacy context. This is due to the fact that in most cases, decoding information from brain signals
also requires synchronized information about the sensory or behavioral context. For example, trying
to decode the emotional reaction to different faces requires knowledge about which face the subject
was looking at when. Trying to steal PIN codes by presenting numbers also requires knowledge
about time and identity of the numbers presented. Brain data without context contain much less
decodable personal information (still decodable may be information about (approximate) age, gender,
or neurological disorders). Thus unlinking brain and contextual data provides a powerful means to
substantially reduce the risk of information leakage.
In contrast to the complex and methodologically demanding techniques discussed above, such unlinking
could be implemented with much simpler means and already "here and now", for example by
systematically storing brain data and context data in separate files, without mutual identifiers, and
keeping the linking information encrypted. We believe that this approach is so simple and powerful
that it should be widely applied, and we refer to this principle as:
BCI-AntiLink: In the different data streams (brain signals, behavioral data, stimuli, multimodal
signals), any plaintext mutual identifiers should be removed before storage. This includes
subject identifiers or common time stamps, which would allow linking corresponding files.
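The BCI-AntiLink principle as an added example (not code from the paper or from any BCI product): it audits stream records for plaintext mutual identifiers, replaces them with independent random file tokens and per-file clock shifts, and returns the linking record separately. The record layout, field names and sample data are constructed assumptions; the linking record is returned as plaintext bytes that the caller is assumed to encrypt with a vetted authenticated-encryption library before storage.

```python
import json
import secrets
from itertools import combinations

# Hypothetical names of identifier fields shared across streams.
ID_FIELDS = ("subject_id", "session_id")

# Constructed sample: an EEG stream and a stimulus stream recorded on one clock.
RAW = [
    {"stream": "eeg", "subject_id": "S017", "session_id": "A3",
     "t_ms": [1700000000000 + 4 * i for i in range(6)],   # 250 Hz samples
     "data": [0.1, -0.3, 0.2, 0.0, 0.4, -0.1]},
    {"stream": "stimuli", "subject_id": "S017", "session_id": "A3",
     "t_ms": [1700000000008, 1700000000020],
     "data": ["face_03", "face_11"]},
]


def find_links(records):
    """List plaintext values that allow two stored records to be matched.

    Covers only the two kinds of mutual identifier the text names:
    shared identifier fields and common time stamps.
    """
    findings = []
    for a, b in combinations(records, 2):
        for field in ID_FIELDS:
            if a.get(field) is not None and a.get(field) == b.get(field):
                findings.append((a["stream"], b["stream"], field))
        if set(a["t_ms"]) & set(b["t_ms"]):
            findings.append((a["stream"], b["stream"], "common timestamps"))
    return findings


def unlink(records):
    """Split records into storable files plus one separate linking record."""
    stored, link = [], {}
    for rec in records:
        token = secrets.token_hex(16)          # random, unrelated per file
        start = min(rec["t_ms"])
        shift = secrets.randbelow(2 ** 48)     # independent clock shift per file
        stored.append({
            "file_token": token,
            "stream": rec["stream"],
            # Intervals inside a stream survive; the shared clock does not.
            "t_ms": [t - start + shift for t in rec["t_ms"]],
            "data": rec["data"],
        })
        link[token] = {field: rec[field] for field in ID_FIELDS}
        link[token]["clock_offset_ms"] = start - shift
    # Assumption: the caller encrypts these bytes before they are written.
    return stored, json.dumps(link, sort_keys=True).encode()


def relink(stored, link_bytes):
    """Rebuild the original records; needs the decrypted linking record."""
    link = json.loads(link_bytes)
    rebuilt = []
    for rec in stored:
        entry = link[rec["file_token"]]
        restored = {field: entry[field] for field in ID_FIELDS}
        restored.update(
            stream=rec["stream"],
            t_ms=[t + entry["clock_offset_ms"] for t in rec["t_ms"]],
            data=rec["data"],
        )
        rebuilt.append(restored)
    return rebuilt


if __name__ == "__main__":
    print("before:", find_links(RAW))
    files, link_record = unlink(RAW)
    print("after: ", find_links(files))
    print("round trip ok:", relink(files, link_record) == RAW)
```

Running `find_links` over the files that are about to be written gives a simple pre-storage check that no subject identifier or shared time stamp remains in plaintext.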
6.4 Separate
Another important privacy-by-design strategy is to logically or physically Separate the processing of
personal data. This strategy has two associated tactics, Isolate and Distribute. Isolate refers to logical
and physical separation even though databases or applications are still run on centralized hardware.
In contrast, Distribute refers to distributed processing over separate physical locations. As laid out
by Hoepman, this latter tactic involves relying on the local equipment (in our scenario the local
BCI hardware) of the data subject as much as possible, and centralized components (in our scenario
the remote BCI components) as little as possible. Therefore, the Separate strategy is closely linked
to PPML techniques including SMC and federated learning which allow moving from centralized to
decentralized solutions as discussed above (cf. Fig. 9 where we indicate this transition by the yellow
arrow).
6.5 Inform
The aim of the Inform Strategy is to ensure transparency about personal data processing. This
includes transparency about what data are processed how and to what purpose, and the three tactics
Supply, Explain, and Notify. In our view, at the present developmental stage of BCI technology,
this strategy is arguably the most important component of a BCI privacy strategy overall. On the
level of the individual, transparency is a necessary precondition for exerting the right of informational
self-determination and for users to make informed decisions. On the societal level, transparency is a
precondition for verifying the legal and regulatory compliance of organizations (as put by Hoepman:
“Sunlight is said to be the best of disinfectants.”).
Transparency in the context of brain data and BCIs is especially challenging, as we do not have a
natural intuition about the information contents of brain signal recordings and the related privacy
issues, in contrast to, e.g., e-mails or photographs, where we have a much better understanding about
the private information they contain about us. Therefore we argue that measures implementing an
elaborate Inform Strategy to ensure "BCI transparency" should be woven into the fabric of
the whole BCI setup - as indicated by the blue box (Fig. 9) encompassing all of the BCI components.
We propose transparency as a key element of a privacy-preserving strategy for BCIs,
addressing (at least) the following two different levels of transparency:
What is decoded in an online BCI?
Which information can be derived from the stored data?
6.5.1 What is decoded in an online BCI?
To address the first level (What is decoded in an online BCI?) we propose a transparency-oriented
mode of operation for online BCIs. This will be a useful mechanism also to ensure that a BCI is only
used for the stated and legitimized purpose.
Figure 10: Design sketch for BCI TransparentMode based on a BCI-controlled VR neurogame
(currently developed by the authors and coworkers), where subjects use imagined right
(R) and left (L) hand movements to interact with virtual robots. On the top left, the
TransparentMode display components show decoded classes over time, bars scaled by
model confidence of classification. Maps below would visualize an EEG map of the
features important for the classification decisions. Subjects are hence able to verify that
the decoded information makes sense given their behavior in the game and to report
suspicious events.
TransparentMode for online BCIs (see footnotes a and b):
Most BCIs today are based on decoders which are trained in a supervised manner, e.g.,
to infer right vs. left imagined hand movement from EEG.
For this supervised training, in most cases there is a human-interpretable, semantically
meaningful class or regressor label (such as which hand was moved, which letter
was selected, the level of tiredness).
BCIs should have a transparent mode, which can be switched on and off at will by
the user, in which all decoded labels are displayed to the user online.
The key advantage of such a transparent mode is that it allows the user to make sanity
checks online. In the hand-movement decoding case, for example, the user can match the
decoded labels to the imagined hand movement. If the decoded labels do
not match the associated behavior at all, either the decoder is not working properly, or
the decoder is in fact inferring something different from what is claimed. Thus, a transparent
mode could contribute to uncovering attempts to steal information online, or to
uncovering "fake BCIs" which otherwise may hide behind a magic black box marketing.
In addition, all decoded labels should by default be stored in a plaintext log file which is
also accessible for the user.
Footnote a: Note that the Inform Strategy addresses Unawareness Threats falling into the soft privacy category (Tab. 1).
Thus, transparency-oriented measures as described above are only helpful if the BCI provider (who would
also be responsible for implementing, e.g., the transparency mode as described above) is trusted.
Footnote b: Such a transparent mode might distract users in critical applications, therefore as stated, it would be important
that it can always be switched off.
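The transparent mode described in the box above, as an added example (not the authors' implementation): every decoded label is written to a plaintext log, shown as a confidence-scaled bar while the display is on, and checked against the declared label set and, where the application knows the cued class, against that cue. The class name, thresholds, log format and sample decoder output are constructed assumptions.

```python
import io
import json
from collections import deque


class TransparentMode:
    """Hypothetical helper that sits between the decoder and the user."""

    def __init__(self, declared_labels, log_file, window=10, min_agreement=0.7):
        self.declared = set(declared_labels)   # labels the BCI states it decodes
        self.log_file = log_file               # plaintext, readable by the user
        self.display_on = True                 # the user may switch this off
        self.recent = deque(maxlen=window)     # sliding window of cue matches
        self.min_agreement = min_agreement

    def toggle_display(self, on):
        # Only the on-screen display is affected; logging continues.
        self.display_on = on

    def on_decode(self, t_s, label, confidence, cue=None):
        """Handle one decoder output; return (display_line, alerts)."""
        alerts = []
        if label not in self.declared:
            alerts.append("undeclared label")
        if cue is not None:
            self.recent.append(label == cue)
            if len(self.recent) == self.recent.maxlen:
                agreement = sum(self.recent) / len(self.recent)
                if agreement < self.min_agreement:
                    alerts.append(
                        f"cue agreement {agreement:.2f} < {self.min_agreement:.2f}")
        entry = {"t_s": t_s, "label": label, "confidence": confidence,
                 "cue": cue, "alerts": alerts}
        self.log_file.write(json.dumps(entry) + "\n")
        line = None
        if self.display_on:
            bar = "#" * round(confidence * 10)   # bar scaled by model confidence
            line = f"{t_s:6.1f}s {label} {bar}"
        return line, alerts


def run_demo():
    """Constructed session: the decoder tracks the cue, then stops doing so."""
    log = io.StringIO()                  # stands in for the user-readable log file
    tm = TransparentMode({"L", "R"}, log)
    flagged = []
    for i in range(20):
        cue = "L" if i % 2 == 0 else "R"
        decoded = cue if i < 10 else "L"     # from i=10 the output ignores the cue
        _, alerts = tm.on_decode(i * 0.5, decoded, 0.8, cue)
        if alerts:
            flagged.append(i)
    tm.toggle_display(False)
    # A label outside the declared set, emitted while the display is off.
    line, alerts = tm.on_decode(10.0, "drowsiness_high", 0.9)
    return flagged, line, alerts, log.getvalue()


if __name__ == "__main__":
    flagged, line, alerts, text = run_demo()
    print("windows below threshold at steps:", flagged)
    print("display line with display off:", line, "| alerts:", alerts)
    print(text.splitlines()[-1])
```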
How can interpretable/explainable ML be used to provide online feedback helping to
understand the decisions of the ML model including uncertainties / model confidence, visualizing
which signal components are used, etc., not only by domain experts, but also BCI users?
6.5.2 Which information can be derived from the stored data?
In the previous paragraph we addressed the issue of transparency of the online processing of data
during BCI usage. Equally, or maybe even more important is transparency with respect to the offline
processing of data collected during BCI usage.
As a BCI-specific step towards more transparency with respect to offline processing of BCI-related
brain data, we propose BCI quality benchmarking (BCIQ-bench), a standardized benchmarking
for addressing the fundamental issue that BCI users so far have no means to gain even a most basic
insight into the informativeness of the brain signals recorded and stored in the context of the BCI usage.
It has been stated that “(EEG), even with low number of sensors, is an extremely rich signal” [105] -
but can we a priori be sure of this? And what does extremely rich mean exactly? BCIQ-bench (or other
similar benchmarking approaches) could be implemented "here and now" to address these questions
without the need for complex methods development, and yet could substantially help promote informed
user decisions.
BCI.Q-Bench: Age and gender are two widely available labels which can be decoded from
brain data, in particular there are good baselines about the performance one can expect from
EEG data [83, 106], and there are efforts to promote standardized and reusable benchmarks for
example for age decoding from EEG [83]. Requiring BCI providers to publish age and gender
decoding accuracies for the data recorded with their BCI systems would provide users with at
least basic information. BCI benchmarking, prospectively, could be extended to other standardizable,
privacy-related tasks, to provide users with a solid overview about how informative
(or not) the recorded brain signals are.
How can the amount of personal information decodable from brain signals with a
given set of ML methods be reliably assessed? Public benchmarks as above are an important
first step, but over time such benchmarks tend to be overfitted and if all labels are public, are
open to cheating. In the best case, they reveal only the “tip of the iceberg”, as many aspects
of personal information will not be covered by such benchmarks. Also, performance on offline
benchmarks cannot substitute for evaluation in online applications. Competition (similar to
the Cybathlon^a) could offer a way ahead.
^a https://cybathlon.ethz.ch/de
6.6 Control
The Control Strategy fulfills the fundamental role of ensuring that users have control over the processing
of their personal data. The control tactics are Consent, Choose, Update, and Retract. Logically,
the Control strategy builds on the Inform aspects discussed above, because meaningful control of a
system is impeded if one has no understanding of it. Therefore we argue that a major focus at the
current development level of BCI technology should be on increasing transparency and promoting better
understanding, including BCI competence of the users, explainability of the ML methods used, etc.,
and that appropriate control strategies can be built on the basis of such transparency and improved
understanding.
This being said, there is also a range of basic control functions which can already be implemented in
the "here and now" of the current stage of development, without needing to wait for the development
of a better BCI transparency foundation. For example, to ensure user control over the data, BCI
providers should have strong data governance (see 6.7.1), provide detailed information to users
about how and where the data are stored, and delete the data upon request. Informed consent should
be systematically obtained from the BCI users, with the possibility of withdrawal.
6.6.1 No “Always-On BCIs”
One very simple yet apparently not entirely self-evident example of an effective BCI control is that
BCIs should have an On/Off switch, as called for by [72, 107]. This switch may, if necessary, be
incorporated both in software and hardware BCI design, to ensure fine-grained temporal control of
the device by the user. This is important, as there are known privacy and security threats with
"always on" devices [108]; studies highlighted the feasibility of decoding private information from
long-term BCI usage (all-day recordings), especially in scenarios when the main activity for which
BCI is intended (e.g. gaming) is briefly stopped and a user is, for example, using an online banking
system while still wearing the continuously recording BCI [109, 110]. Privacy risks may also arise
when combining brain data from an always-on BCI with other types of user activity, such as keystroke
dynamics [110]. Also, similar to webcams, BCIs should clearly indicate to the user whether they are
in recording mode or not.
Not-AlwaysOn-BCI: On principle, unless there are medical or safety reasons which would
require continuous operation, BCIs should not be designed as always-on devices, should have an On/Off
switch, and should clearly indicate whether they are in recording mode or not.
6.6.2 Ensuring user autonomy
Beyond brain privacy, it is also crucial to ensure that users maintain control over actions mediated
via active BCI devices. We envisage this functionality as a final "safety net" to catch as early as
possible all BCI actions which are against the user’s intent before they unfold (BCI errors due to
misclassification or malicious activities). Equally, user autonomy is related to the notion of liability,
therefore we also aim here to prevent "cheating" and ensure that BCI outcomes are genuine and
reflect true user intent. Thus the BCI device cannot be blamed if the adversary is the user him/herself
(non-repudiation). Note that in the case of closed-loop BCI/stimulation, the notion of user autonomy
gains another level of complexity and requires separate considerations.
Furthermore, we propose two classes of functions for ensuring user autonomy: The first class comprises
explicit alert and emergency functions or intervention options, e.g., the BCI analog to an emergency
stop function. For example, in one of our previous online BCIs for robot control [38], users could
stop the BCI-controlled robot actions any time by an imagined command. Alert functions will notify
users in case of detection of suspicious activities within the BCI system. Emergency functions are
intended to also notify trusted parties (for example, caregivers) about device malfunctioning and halt
the device if possible. The mandatory On/Off switch as mentioned above would also give users more
granular temporal control of the device.
The second class of functions to detect BCI behavior violating the user’s intent is based on brain
responses caused by unintended actions. Decoding such implicit error-related brain responses, like the
Error-Related Negativity (ERN), online provides an elegant approach to ensuring that users maintain
control over the BCI [111, 112]. Notably, explicit and implicit methods could also be combined within
one and the same BCI application. Further, data-driven anomaly detection may help to identify
outliers in the BCI-controlled behavior and ask for additional confirmation (“Do you really want
olives on your pizza, you never eat them otherwise?”). Thus for specific BCI use cases, it will be
important to consider such approaches and how they can be optimally engaged/combined to ensure
user autonomy over their BCI.
BCI-AutonomyGuard 1.0: Including an emergency stop function to ensure the possibility
of a user veto over their active BCI.
BCI-AutonomyGuard 2.0: How can we use an optimized combination of explicit (emergency
stop function), intrinsic (error-related brain responses), and data-driven (anomaly detection)
methods to ensure user autonomy over their active BCI at all times?
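One way the explicit, intrinsic, and data-driven checks discussed in Section 6.6.2 could be combined into a single gate in front of the actuator, as an added example that is not code from the authors. The class name AutonomyGuard, the thresholds, the fixed ordering of the checks, and the externally supplied error-response score are assumptions, and the session data are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    EXECUTE = "execute"
    CONFIRM = "ask user to confirm"
    BLOCK = "block"


@dataclass
class AutonomyGuard:
    """Gate between decoder output and actuator. All thresholds are assumed values."""
    errp_threshold: float = 0.7   # error-response score at or above this vetoes the action
    min_confidence: float = 0.6   # decoder confidence below this needs confirmation
    min_history: int = 20         # executed commands needed before rarity is judged
    rare_fraction: float = 0.02   # share of history below which a command is an outlier
    stopped: bool = False
    history: Counter = field(default_factory=Counter)
    audit_log: list = field(default_factory=list)

    def emergency_stop(self) -> None:
        """Explicit veto. Latches until reset() so no queued command slips through."""
        self.stopped = True
        self.audit_log.append(("EMERGENCY_STOP", Verdict.BLOCK.name, "explicit user stop"))

    def reset(self) -> None:
        """User re-enables the BCI after an emergency stop."""
        self.stopped = False
        self.audit_log.append(("RESET", "-", "user re-enabled the BCI"))

    def _is_outlier(self, command: str) -> bool:
        total = sum(self.history.values())
        if total < self.min_history:
            return False  # too little data to call anything unusual
        return self.history[command] / total < self.rare_fraction

    def propose(self, command: str, confidence: float, errp_score: float = 0.0) -> Verdict:
        """Decide on a decoded command before it reaches the actuator.

        errp_score is assumed to come from a separate detector scoring the brain
        response recorded after the pending action was shown to the user.
        """
        if self.stopped:
            verdict, reason = Verdict.BLOCK, "emergency stop active"
        elif errp_score >= self.errp_threshold:
            verdict, reason = Verdict.BLOCK, "error-related brain response"
        elif confidence < self.min_confidence:
            verdict, reason = Verdict.CONFIRM, "low decoder confidence"
        elif self._is_outlier(command):
            verdict, reason = Verdict.CONFIRM, "unusual for this user"
        else:
            verdict, reason = Verdict.EXECUTE, "passed all checks"
            self.history[command] += 1
        # Plaintext, user-readable record of every decision.
        self.audit_log.append((command, verdict.name, reason))
        return verdict

    def confirm(self, command: str, accepted: bool) -> Verdict:
        """Resolve a CONFIRM verdict with the user's explicit answer."""
        if accepted and not self.stopped:
            self.history[command] += 1
            verdict, reason = Verdict.EXECUTE, "confirmed by user"
        else:
            verdict, reason = Verdict.BLOCK, "rejected or stop active"
        self.audit_log.append((command, verdict.name, reason))
        return verdict


def demo() -> list:
    """Run a constructed session and return the verdict names in order."""
    guard = AutonomyGuard()
    for _ in range(30):  # constructed habit: 30 routine orders
        guard.propose("order_margherita", confidence=0.9)
    out = [
        guard.propose("order_margherita", 0.9),                   # routine command
        guard.propose("add_olives", 0.9),                         # never seen before
        guard.confirm("add_olives", accepted=False),              # user declines
        guard.propose("order_margherita", 0.9, errp_score=0.85),  # implicit error response
        guard.propose("order_margherita", 0.4),                   # decoder unsure
    ]
    guard.emergency_stop()
    out.append(guard.propose("order_margherita", 0.95))  # blocked while stopped
    guard.reset()
    out.append(guard.propose("order_margherita", 0.95))  # allowed again
    return [v.name for v in out]


if __name__ == "__main__":
    print(demo())
```

The emergency stop is checked first and latches, so neither a high decoder confidence nor an earlier confirmation can override the user's veto.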
6.7 Enforce and Demonstrate
Finally, the Enforce and Demonstrate strategies address how to anchor privacy policies as part of the
organizational culture, how they can be propagated by management, as well as how to demonstrate
compliance to privacy regulations towards the data protection authorities. These strategies are thus
less concerned with the design of secure and privacy-preserving BCIs, which is the main topic of our
framework, but these strategies clearly need to be embedded on the legal and regulatory level.
Thus, in the following, we will review some legal and regulatory aspects related to BCI privacy and
security considerations.
6.7.1 Regulatory and legal aspects of BCIs
Since the Charter of Fundamental Rights of the European Union became binding in 2009, data protection
has acquired the status of a fundamental right (Article 8) throughout the EU. The implementation
of the GDPR (Datenschutzgrundverordnung (DSGVO) in Germany) has subsequently positioned the
EU as a global leader in data protection regulation. Furthermore, data protection is of particular
relevance in Germany - not only against the rapid development of information technology, but also
because of historical experiences with political regimes that collect information to suppress citizens.
For a recent analysis of this German perspective, see [113]. Another study reported Germans stood
out as the only nationality placing more value on the privacy of health data than credit card information [114].
In Germany, a number of different legal texts address the security of patient data for medical facilities
or data protection in general. In addition to the DSGVO and the Bundesdatenschutzgesetz (BDSG),
there are also regional state data protection laws (e.g., the Datenschutzgesetz Nordrhein-Westfalen).
Application of general principles to brain data may require special considerations, such as the Principle
of data avoidance and data economy of the BDSG. Data anonymization and limitation is a special
challenge in the context of BCI devices, as discussed above. The detailed legal situation with respect
to BCI technology in Germany has been recently reviewed by Martini and Kemper [115]. The authors
conclude that on the one hand, our current legal system already formulates individual requirements
for the cybersecurity of BCIs, but that it lacks a complete regulatory concept that adequately guarantees
the security of the applications. Medical device law in Germany regulates security with respect
to patient safety; the situation for non-medical BCIs, however, is substantially different and is characterized
by various open regulatory gaps. Martini and Kemper argue that the new EU directives on
digital products may at least close these gaps to some extent, as companies are obliged to provide
software updates in order to maintain contractual compliance of digital products, which would at least
encompass the BCI software components.
The EU Commission’s draft regulation on Artificial Intelligence (AI) also provides for strict requirements
for safety of AI systems. On the European level, in Article 52 of the EU AI act, the proposed
EU AI law regulates “Transparency obligations for certain AI systems”. This article states that users
of “an emotion recognition system or a biometric categorisation system shall inform of the operation
of the system the natural persons exposed thereto.” This article could thus be applied at least to some
BCI systems using AI technology in the context of emotion recognition. Given the pivotal role of
transparency for the development of trustworthy BCIs, we consider that a discussion on extended
transparency obligations for AI-BCI systems also beyond the narrow topics of emotion recognition
and biometric categorization could be fruitful.
6.7.2 Do we need a special governance framework for BCI data?
On a general governance level, we have recently proposed a Governance Framework for Brain
Data [15]. In this framework, we have identified distinctive ethical and legal implications of brain
data acquisition and processing, and have outlined a multi-level governance framework for brain data.
The rationale of this framework is aimed at maximizing the benefits of brain data collection and
further processing for science and medicine whilst minimizing risks and preventing harmful use. The
framework consists of four levels of regulatory intervention: binding regulation, ethics and soft law,
responsible innovation, and human rights. This framework considers brain data in general, including
brain data obtained through BCIs. Due to its comprehensive nature, we are confident that this
Governance Framework for Brain Data also adequately covers the BCI data case, and that on this
generic level, at least for the time being, no additional BCI-specific considerations and specifications
are obviously necessary.
7 Application to Specific BCI Use Cases and
Contexts
Up to here, we have described a general Framework for Brain-Privacy-Preserving Cybersecurity in BCI
Applications. How can this framework be applied to specific use cases? Such use cases may include a
wide range of application scenarios and imply different security and regulatory requirements. Broad
BCI categories include:
Clinical vs. non-clinical,
Invasive vs. non-invasive,
Commercial BCI product development vs. academic research and lab prototypes.
Importantly, different contexts will require a different depth of analysis and considerations.
Commercial BCI products may require a fine-grained, full-fledged analysis. For academic research
and lab prototypes, our work may offer a more high-level, systematic, conceptual framework even in
cases where a detailed, step-by-step analysis is not feasible or useful.
Basically, application of our framework to specific use cases will proceed in the same steps as described
above, namely threat modeling, risk assessment, and privacy engineering. Starting with a DFD, it is
important to emphasize that not all BCI use cases will necessarily have all the components we have
mapped out in our extended BCI cycle and the corresponding DFD. For example, a research-grade
implantable BCI system for communication in a locked-in patient may not have remote components;
BCI model training in this case may proceed purely within-subject but longitudinally over a long time
period. On the other hand, it is also imaginable that for example a neurogaming BCI might run all
functionality except for the core BCI cycle in the cloud, thus omitting the extended core according to
our terminology. Future BCIs may also include additional components not envisaged in our schematic,
or more fine-grained DFDs may be called for.
In the next step, threat modeling and risk assessment is performed. In contrast to our general framework,
however, not only general risk potential but also specific risks for a concrete use case can be
assessed, because the specifics of the BCI system, such as the information content of the recorded brain
data, are known (or else should be determined). For example, a risk assessment of a low-cost BCI with
a few channels of non-invasively recorded signals will result in much lower risk estimates compared
to a high-end system potentially providing hundreds or even thousands of much more informative
recording channels.
Such differences in the estimated risk, which have profound consequences for the threat mitigation, will
be implemented in the following step, moving through the 8 privacy strategies as described in detail
above. For example, in our general architecture (Fig. 9), we have assigned the Minimize, Abstract and
Hide strategies to all three processing nodes of our general BCI data flow schematic. However, in a
low-privacy-risk BCI application, it might be deemed sufficient to implement the Minimize strategy
for the BCI core, and the Hide strategy on the remote level. Implementation of sophisticated PPML
techniques may be waived considering an overall low risk. In contrast, in a high-risk and safety-critical
BCI application, the full range of technically possible defenses across all BCI components may
be required.
Finally it is important to emphasize that we have made specific choices concerning the tools we
selected for each of these steps; we have discussed the motivation of these choices above, such as for
example the aim of achieving GDPR compliance. However, the development of systems engineering
methodologies is a dynamic field, and more suitable tools may exist in the foreseeable future, or already
now in other legal contexts, e.g. the US data privacy framework Health Insurance Portability and
Accountability Act (HIPAA). Thus the choice of specific tools for threat modeling, risk assessment,
and privacy engineering should be reviewed and if necessary they should be adapted to the specific
legal and regulatory context. For example the LINDDUN framework, and similarly also STRIDE, is
designed to be independent of the specific risk assessment technique that is used, providing the analyst
freedom of choice, if needed, thus contributing to the flexibility and extensibility of the systematic
approach to BCI privacy and security as advocated here.
8 Conclusions and Outlook
8.1 Conclusions
Here, we have presented a framework for preserving privacy and cybersecurity in BCI applications. We
started out with a working definition of brain privacy based on concepts of informational privacy and
self-determination. Then, we delineated the functional, hardware, and software scope of current and
prospective BCI applications. We introduce a novel, extended model of BCI functionality, consisting of
the core BCI cycle, an extended core, and global functionality. We discuss the different ways in which
this functionality can be implemented in concrete BCI applications with embedded, local computing,
and cloud components. Based on these considerations we derive a BCI DFD as the key abstraction
underlying the following steps of analysis.
Figure 11: Privacy-preserving BCI design features overview. Most of the features proposed
within our framework could be implemented as part of the extended BCI core. We
envision that such an extended BCI core might serve as a “BCI privacy shield” integrating
multiple privacy-preserving mechanisms
We performed a systematic privacy threat modeling and risk assessment using the LINDDUN and
OWASP methodologies, respectively, and systematically evaluated design patterns addressing these
risks along the Hoepman privacy design strategies. Thus, we delineate both a landscape of BCI-related
privacy threats and risks as well as of mitigation strategies and tactics. Because our framework is
entirely based on systematic methodologies, it can be also adapted to concrete BCI use cases.
Our results here provide both a blueprint for brain privacy-preserving BCI architectures, and concrete,
actionable design features. In Fig. 11, we have mapped these features to our functional BCI
overview. Most of the proposed features naturally fit an implementation within the extended
BCI core, namely the BCI-Limiter, BCI-AntiLink, TransparentMode, Not-Always-On-BCI,
BCI-AutonomyGuard, and BCI-Meta-Abstract (BCI.Q-Bench as a benchmarking tool for data from
multiple users also involves global functionality), highlighting the usefulness of distinguishing the
extended core as a separate important functional BCI layer. We envision that such an extended BCI
core might serve as a "BCI privacy shield" integrating multiple privacy-preserving mechanisms.
8.2 Outlook: Privacy and security across the BCI life cycle
Ensuring privacy and security across the BCI life cycle brings additional challenges. Brain signals
display nonstationarities on timescales from milliseconds to years. Dealing with these changes in the
measurement streams of neuronal activity is a fundamental challenge in brain signal analytics and
a topic of ongoing research. Thus consistent safety of BCI applications must be ensured under the
presence of such nonstationarities in the brain signals. Specifically, robust and adaptive decoders
should be designed to deal with this challenge. For example, in our previous work we implemented
and successfully tested a first online BCI using adaptive DL [38], finding that the adaptivity of the
networks was critical to high BCI performance. Adaptive algorithms, however, come with their own
risks and challenges; for example, an adaptive decoder may become unstable or adapt to a suboptimal
EEG feature. On the other hand, neuronal variability may impede, e.g., side-channel attacks on BCI
systems [53]; thus variability may even help to make BCIs safer. Extending our current framework to
encompass the entire BCI life cycle would therefore be a perspective for future work.
9 Bibliography
[1] R. P. N. Rao, Brain-computer interfacing: an introduction. New York: Cambridge University
Press, 2013.
[2] J. Wolpaw and E. W. Wolpaw, Brain–Computer Interfaces Principles and Practice. Oxford
University Press, Jan. 2012.
[3] “Brain Computer Interface Market Size, Share & Trends Analysis Report by Application
(Healthcare, Communication & Control), by Product (Invasive, Non-invasive), by End Use (Medical,
Military), and Segment Forecasts, 2022-2030.”
https://www.researchandmarkets.com/reports/5004000/brain-computer-interface-market-size-share-and.
Accessed: 2022-07-03.
[4] “Brain-Computer Interfaces: Global Markets 2021-2026.”
https://www.researchandmarkets.com/reports/5441165/brain-computer-interfaces-global-markets-2021.
Accessed: 2022-07-03.
[5] “Emotiv. Mobile and Secure EEG Cloud Database.” https://www.emotiv.com/emotiv-eeg-cloud/.
Accessed: 2022-07-03.
[6] “The NeuroRights Foundation: New Human Rights for the Age of Neurotechnology.”
https://neurorightsfoundation.org/. Accessed: 2022-07-05.
[7] “LINDDUN privacy engineering.” https://www.linddun.org/. Accessed: 2022-07-03.
[8] J. C. Bublitz, “Privacy Concerns in Brain–Computer Interfaces,” AJOB Neuroscience, vol. 10,
pp. 30–32, Jan. 2019.
[9] A. Gilead, “Can Brain Imaging Breach Our Mental Privacy?,” Review of Philosophy and
Psychology, vol. 6, pp. 275–291, June 2015.
[10] N. Gligorov, “Brain Imaging and the Privacy of Inner States,” in Neuroethics and the Scientific
Revision of Common Sense, vol. 11, pp. 95–116, Dordrecht: Springer Netherlands, 2016. Series
Title: Studies in Brain and Mind.
[11] S. Ligthart, T. Douglas, C. Bublitz, T. Kooijmans, and G. Meynen, “Forensic Brain-Reading
and Mental Privacy in European Human Rights Law: Foundations and Challenges,” Neuroethics,
vol. 14, pp. 191–203, July 2021.
[12] N. Minielly, V. Hrincu, and J. Illes, “Privacy Challenges to the Democratization of Brain Data,”
iScience, vol. 23, p. 101134, June 2020.
[13] S. Naufel and E. Klein, “Brain–computer interface (BCI) researcher perspectives on neural data
ownership and privacy,” Journal of Neural Engineering, vol. 17, p. 016039, Jan. 2020.
[14] S. D. Richmond, G. Rees, and S. J. L. Edwards, eds., I Know What You’re Thinking: Brain
imaging and mental privacy. Oxford University Press, Aug. 2012.
[15] M. Ienca, J. J. Fins, R. J. Jox, F. Jotterand, S. Voeneky, R. Andorno, T. Ball, C. Castelluccia,
R. Chavarriaga, H. Chneiweiss, A. Ferretti, O. Friedrich, S. Hurst, G. Merkel, F. Molnár-Gábor,
J.-M. Rickli, J. Scheibner, E. Vayena, R. Yuste, and P. Kellmeyer, “Towards a Governance
Framework for Brain Data,” Neuroethics, vol. 15, p. 20, July 2022.
[16] P. Kellmeyer, “Big Brain Data: On the Responsible Use of Brain Data from Clinical and
Consumer-Directed Neurotechnological Devices,” Neuroethics, vol. 14, pp. 83–98, Apr. 2021.
[17] K. E. Himma and H. T. Tavani, eds., The Handbook of Information and Computer Ethics.
Hoboken, NJ, USA: John Wiley & Sons, Inc., May 2008.
[18] A. Moore, “Toward informational privacy rights,” San Diego Law Review, pp. 809–845, 2007.
[19] “Are Your Thoughts Your Own Neuroprivacy and the Legal Implications of Brain Imaging: The
Committee on Science and Law.”
[20] M. v. Gerven, J. Farquhar, R. Schaefer, R. Vlek, J. Geuze, A. Nijholt, N. Ramsey, P. Haselager,
L. Vuurpijl, S. Gielen, and P. Desain, “The brain–computer interface cycle,” Journal of Neural
Engineering, vol. 6, p. 041001, Aug. 2009.
[21] I. Martinovic, D. Davies, M. Frank, D. Perito, T. Ros, and D. Song, “On the Feasibility of
Side-Channel Attacks with Brain-Computer Interfaces,” in Proceedings of the 21st USENIX
Security Symposium, pp. 143–158, 2012.
[22] M. Frank, T. Hwu, S. Jain, R. T. Knight, I. Martinovic, P. Mittal, D. Perito, I. Sluganovic, and
D. Song, “Using EEG-Based BCI Devices to Subliminally Probe for Private Information,” in
Proceedings of the 2017 on Workshop on Privacy in the Electronic Society, (Dallas Texas USA),
pp. 133–136, ACM, Oct. 2017.
[23] S. L. Bernal, A. H. Celdrán, G. M. Pérez, M. T. Barros, and S. Balasubramaniam, “Security
in Brain-Computer Interfaces: State-of-the-Art, Opportunities, and Future Challenges,” ACM
Computing Surveys, vol. 54, pp. 1–35, Jan. 2022.
[24] M. Deng, K. Wuyts, R. Scandariato, B. Preneel, and W. Joosen, “A privacy threat analysis
framework: supporting the elicitation and fulfillment of privacy requirements,” Requirements
Engineering Journal, vol. 16, pp. 3–32, 2011.
[25] D. Huth and F. Matthes, ““Appropriate Technical and Organizational Measures”: Identifying
Privacy Engineering Approaches to Meet GDPR Requirements,” in AMCIS 2019 Proceedings.
5., Dec. 2019.
[26] S. Gürses, C. Troncoso, and C. Diaz, “Engineering privacy by design,” Computers, Privacy &
Data Protection, vol. 14, no. 3, p. 25, 2011.
[27] A. E. Waldman, “Data Protection by Design? A Critique of Article 25 of the GDPR,” Cornell
International Law Journal, vol. 53, Jan. 2021.
[28] A. Cavoukian, “The 7 foundational principles: implementation and mapping of fair information
practices,” tech. rep., Technical Report. Information and Privacy Commissioner of Ontario. 10
pages . . . , 2010.
[29] D. Sempreboni and L. Viganò, “Privacy, Security and Trust in the Internet of Neurons,” 2018.
[30] “Nissan’s Brain-to-Vehicle technology communicates our brains with vehicles.”
https://www.bitbrain.com/blog/nissan-brain-to-vehicle-technology. Accessed: 2022-07-04.
[31] ““Avatar”-Inspired Concept Car Uses Brain Activity as UI.”
https://www.electronicdesign.com/markets/automotive/article/21175809/electronic-design-avatarinspired-concept-car-uses-brain-activity-as-ui.
Accessed: 2022-07-04.
[32] K. Brigham and B. V. K. V. Kumar, “Imagined Speech Classification with EEG Signals for
Silent Communication: A Preliminary Investigation into Synthetic Telepathy,” in 2010 4th
International Conference on Bioinformatics and Biomedical Engineering, (Chengdu, China),
pp. 1–4, IEEE, June 2010.
[33] S. Zhang, S. Yuan, L. Huang, X. Zheng, Z. Wu, K. Xu, and G. Pan, “Human Mind Control of Rat
Cyborg’s Continuous Locomotion with Wireless Brain-to-Brain Interface,” Scientific Reports,
vol. 9, p. 1321, Dec. 2019.
[34] “NextMind. https://www.next-mind.com/. Accessed: 2022-07-03.
[35] A. Jalaly Bidgoly, H. Jalaly Bidgoly, and Z. Arezoumand, “A survey on methods and challenges
in EEG based authentication,” Computers & Security, vol. 93, p. 101788, June 2020.
[36] H.-L. Chan, P.-C. Kuo, C.-Y. Cheng, and Y.-S. Chen, “Challenges and Future Perspectives on
Electroencephalogram-Based Biometrics in Person Recognition,” Frontiers in Neuroinformatics,
vol. 12, p. 66, Oct. 2018.
[37] M. R. Boubakeur, G. Wang, C. Zhang, and K. Liu, “EEG-Based Person Recognition Analysis and
Criticism,” in 2017 IEEE International Conference on Big Knowledge (ICBK), (Hefei, China),
pp. 155–160, IEEE, Aug. 2017.
[38] D. Kuhner, L. Fiederer, J. Aldinger, F. Burget, M. Völker, R. Schirrmeister, C. Do, J. Boedecker,
B. Nebel, T. Ball, and W. Burgard, “A service assistant combining autonomous robotics, flexible
goal formulation, and deep-learning-based brain–computer interfacing,” Robotics and Autonomous
Systems, vol. 116, pp. 98–113, June 2019.
[39] W. I. P. Organization, WIPO Technology Trends 2021- Assistive Technology. World Intellectual
Property Organization, 0.
[40] A. N. Belkacem, “Cybersecurity Framework for P300-based Brain Computer Interface,” in
2020 IEEE International Conference on Systems, Man, and Cybernetics (SMC), (Toronto, ON,
Canada), pp. 1–6, IEEE, Oct. 2020.
[41] “The CyberBrain Project - Cybersecurity in Brain-Computer Interfaces.”
https://www.bitbrain.com/blog/the-cyberbrain-project. Accessed: 2022-07-04.
[42] E. T. Martínez Beltrán, M. Quiles Pérez, S. López Bernal, A. Huertas Celdrán, and
G. Martínez Pérez, “Noise-based cyberattacks generating fake P300 waves in brain–computer
interfaces,” Cluster Computing, vol. 25, pp. 33–48, Feb. 2022.
[43] E. T. Martínez Beltrán, M. Quiles Pérez, S. López Bernal, A. Huertas Celdrán, and
G. Martínez Pérez, “SecBrain: A Framework to Detect Cyberattacks Revealing Sensitive Data
in Brain-Computer Interfaces,” in Advances in Information Security, Privacy, and Ethics (B. B.
Gupta, ed.), pp. 176–198, IGI Global, 2022.
[44] M. Conner, “Hacking the brain: Brain-to-computer-interface hardware moves from the realm of
research.” edn.com, 2010. Accessed: 2022-07-04.
[45] B. Cusack, K. Sundararajan, and R. Khaleghparast, “Neurosecurity for brainware devices,”
Australian Information Security Management Conference, 2017.
[46] K. Sundararajan, Privacy and security issues in Brain Computer Interface. PhD thesis, 2017.
[47] Y. Xiao, Y. Jia, X. Cheng, J. Yu, Z. Liang, and Z. Tian, “I Can See Your Brain: Investigating
Home-Use Electroencephalography System Security,” IEEE Internet of Things Journal, vol. 6,
pp. 6681–6691, Aug. 2019.
[48] Z. Tarkhani, L. Qendro, M. O. Brown, O. Hill, C. Mascolo, and A. Madhavapeddy, “Enhancing
the Security & Privacy of Wearable Brain-Computer Interfaces,” 2022.
[49] M. van Vliet, C. Mühl, B. Reuderink, and M. Poel, “Guessing What’s on Your Mind: Using the
N400 in Brain Computer Interfaces,” in Brain Informatics (Y. Yao, R. Sun, T. Poggio, J. Liu,
N. Zhong, and J. Huang, eds.), vol. 6334, pp. 180–191, Berlin, Heidelberg: Springer Berlin
Heidelberg, 2010.
[50] M. V. Martin, V. Cho, and G. Aversano, “Detection of Subconscious Face Recognition Using
Consumer-Grade Brain-Computer Interfaces,” ACM Transactions on Applied Perception, vol. 14,
pp. 1–20, Aug. 2016.
[51] C. Bellman, M. Vargas Martin, and S. MacDonald, “(WKSP) On the Potential of Data Extraction
by Detecting Unaware Facial Recognition with Brain-Computer Interfaces,” in 2018 IEEE
International Conference on Cognitive Computing (ICCC), (San Francisco, CA), pp. 99–105,
IEEE, July 2018.
[52] J. P. Rosenfeld, “P300 in detecting concealed information,” in Memory Detection (B. Verschuere,
G. Ben-Shakhar, and E. Meijer, eds.), pp. 63–89, Cambridge University Press, 1 ed., Feb. 2011.
[53] J. Lange, C. Massart, A. Mouraux, and F.-X. Standaert, “Side-Channel Attacks Against the
Human Brain: The PIN Code Case Study,” in Constructive Side-Channel Analysis and Secure
Design (S. Guilley, ed.), vol. 10348, pp. 171–189, Cham: Springer International Publishing, 2017.
[54] T. Bonaci, Security and Privacy of Biomedical Cyber-Physical Systems. PhD thesis, 2015.
[55] M. Quiles Pérez, E. T. Martínez Beltrán, S. López Bernal, A. Huertas Celdrán, and
G. Martínez Pérez, “Breaching Subjects’ Thoughts Privacy: A Study with Visual Stimuli and
Brain-Computer Interfaces,” Journal of Healthcare Engineering, vol. 2021, pp. 1–12, Aug. 2021.
[56] H. J. Chizeck and T. Bonaci, “Brain-computer interface anonymizer.”
https://patentimages.storage.googleapis.com/c2/7d/0e/94eb08937cc764/US20140228701A1.pdf, 2014.
Accessed: 2022-07-04.
[57] B. Friedman, P. H. Kahn, A. Borning, and A. Huldtgren, “Value Sensitive Design and Information
Systems,” in Early engagement and new technologies: Opening up the laboratory (N. Doorn,
D. Schuurbiers, I. van de Poel, and M. E. Gorman, eds.), vol. 16, pp. 55–95, Dordrecht: Springer
Netherlands, 2013.
[58] B. Friedman, I. Smith, P. H. Kahn, S. Consolvo, and J. Selawski, “Development of a Privacy
Addendum for Open Source Licenses: Value Sensitive Design in Industry,” in UbiComp 2006:
Ubiquitous Computing (D. Hutchison, T. Kanade, J. Kittler, J. M. Kleinberg, F. Mattern, J. C.
Mitchell, M. Naor, O. Nierstrasz, C. Pandu Rangan, B. Steffen, M. Sudan, D. Terzopoulos,
D. Tygar, M. Y. Vardi, G. Weikum, P. Dourish, and A. Friday, eds.), vol. 4206, pp. 194–211,
Berlin, Heidelberg: Springer Berlin Heidelberg, 2006.
[59] K. Wahlstrom, N. B. Fairweather, and H. Ashman, “Privacy and brain-computer interfaces:
identifying potential privacy disruptions,” ACM SIGCAS Computers and Society, vol. 46, pp. 41–53,
Mar. 2016.
[60] Microsoft, “The stride threat model.”
https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)?redirectedfrom=MSDN.
Accessed: 2022-07-06.
[61] S. Pazouki, A. Aydeger, and S. M. Kazemi-Razi, “False Data Injection Cyberattacks to Human
Brain Implants’ Power Source,” in 2021 International Conference on Electrical, Computer and
Energy Technologies (ICECET), (Cape Town, South Africa), pp. 1–6, IEEE, Dec. 2021.
[62] S. Brooks, M. Garcia, N. Lefkovitz, S. Lightman, and E. Nadeau, “An introduction to pri-
vacy engineering and risk management in federal systems,” Tech. Rep. NIST IR 8062, National
Institute of Standards and Technology, Gaithersburg, MD, Jan. 2017.
[63] L. H. Iwaya, M. A. Babar, A. Rashid, and C. Wijayarathna, “On the Privacy of Mental Health
Apps: An Empirical Investigation and its Implications for Apps Development,” 2022.
[64] K. Wuyts, L. Sion, and W. Joosen, “Linddun go: A lightweight approach to privacy threat
modeling,” pp. 302–309, IEEE, 2020.
[65] “OWASP Risk Rating Methodology. https://owasp.org/www-community/OWASP_Risk_
Rating_Methodology. Accessed: 2022-07-03.
[66] J. Wang and X. Peng, “A Study of Patent Open Source Strategies Based on Open Innovation:
The Case of Tesla,” Open Journal of Social Sciences, vol. 08, no. 07, pp. 386–394, 2020.
[67] Lorena Guzmán H., “Chile: Pioneering the protection of neurorights,” The UNESCO Courier,
vol. 2022, pp. 13–14, Feb. 2022.
[68] J.-H. Hoepman, “Privacy Design Strategies (The Little Blue Book). https://www.cs.ru.nl/
~jhh/publications/pds-booklet.pdf, 2022. Accessed: 2022-07-04.
53
9 Bibliography
[69] J.-H. Hoepman, “Privacy Design Strategies,” in ICT Systems Security and Privacy Protection
(N. Cuppens-Boulahia, F. Cuppens, S. Jajodia, A. Abou El Kalam, and T. Sans, eds.), vol. 428,
pp. 446–459, Berlin, Heidelberg: Springer Berlin Heidelberg, 2014.
[70] N. Notario, A. Crespo, Y.-S. Martin, J. M. Del Alamo, D. L. Metayer, T. Antignac, A. Kung,
I. Kroener, and D. Wright, “PRIPARE: Integrating Privacy Best Practices into a Privacy Engi-
neering Methodology,” in 2015 IEEE Security and Privacy Workshops, (San Jose, CA), pp. 151–
158, IEEE, May 2015.
[71] H. Karim and D. Rawat, “A Trusted Bluetooth Performance Evaluation Model for Brain Com-
puter Interfaces,” in 2019 IEEE 20th International Conference on Information Reuse and Inte-
gration for Data Science (IRI), (Los Angeles, CA, USA), pp. 47–52, IEEE, July 2019.
[72] J. Greenberg, K. Ringrose, S. Berger, J. VanDodick, F. Rossi, and J. N. New, “Privacy and the
Connected Mind,” white paper, 2021. Accessed: 2022-07-04.
[73] R. Chen, K. Wu, and P. Luo, “On batch adaptive training for deep learning: Lower loss and
larger step size,” 2018.
[74] D. Chang, “Effect of Batch Size on Neural Net Training. https://medium.com/
deep-learning-experiments/effect-of-batch-size-on-neural-net-training-c5ae8516e57,
2020. Accessed: 2022-07-04.
[75] G. James, D. Witten, T. Hastie, and R. Tibshirani, An Introduction to Statistical Learning,
vol. 103 of Springer Texts in Statistics. New York, NY: Springer New York, 2013.
[76] R. Mane, E. Chew, K. Chua, K. K. Ang, N. Robinson, A. P. Vinod, S.-W. Lee, and C. Guan,
“FBCNet: A Multi-view Convolutional Neural Network for Brain-Computer Interface,” 2021.
[77] T. Karras, T. Aila, S. Laine, and J. Lehtinen, “Progressive Growing of GANs for Improved
Quality, Stability, and Variation,” 2017.
[78] O. Ronneberger, P. Fischer, and T. Brox, “U-Net: Convolutional Networks for Biomedical Image
Segmentation,” in Medical Image Computing and Computer-Assisted Intervention MICCAI
2015 (N. Navab, J. Hornegger, W. M. Wells, and A. F. Frangi, eds.), vol. 9351, pp. 234–241,
Cham: Springer International Publishing, 2015.
[79] L. A. Gatys, A. S. Ecker, and M. Bethge, “Image style transfer using convolutional neural
networks,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition
(CVPR), June 2016.
[80] “Dall-e 2. https://openai.com/dall-e-2/, 2022. Accessed: 2022-07-04.
54
9 Bibliography
[81] Y. Yao, J. Plested, T. Gedeon, Y. Liu, and Z. Wang, “Improved Techniques for Building EEG
Feature Filters,” in 2019 International Joint Conference on Neural Networks (IJCNN), (Bu-
dapest, Hungary), pp. 1–6, IEEE, July 2019.
[82] R. C. Oldfield, “The assessment and analysis of handedness: The Edinburgh inventory,” Neu-
ropsychologia, vol. 9, no. 1, pp. 97–113, 1971.
[83] D. A. Engemann, A. Mellot, R. Höchenberger, H. Banville, D. Sabbagh, L. Gemein, T. Ball,
and A. Gramfort, “A reusable benchmark of brain-age prediction from M/EEG resting-state
signals,” preprint, Neuroscience, Dec. 2021.
[84] J. Hammer, J. Fischer, J. Ruescher, A. Schulze-Bonhage, A. Aertsen, and T. Ball, “The role of
ECoG magnitude and phase in decoding position, velocity, and acceleration during continuous
motor behavior,” Frontiers in Neuroscience, vol. 7, 2013.
[85] E. Bezzam, M. Vetterli, and M. Simeoni, “Learning rich optical embeddings for privacy-
preserving lensless image classification,” June 2022. arXiv:2206.01429 [cs, eess].
[86] M. Finck and F. Pallas, “They who must not be identified—distinguishing personal from non-
personal data under the GDPR,” International Data Privacy Law, vol. 10, pp. 11–36, Feb. 2020.
[87] N. Purtova, “From knowing by name to targeting: the meaning of identification under the
GDPR,” International Data Privacy Law, p. ipac013, June 2022.
[88] M. R. Leiser and F. Dechesne, “Governing machine-learning models: challenging the personal
data presumption,” International Data Privacy Law, vol. 10, pp. 187–200, Aug. 2020.
[89] A. J. Bidgoly, H. J. Bidgoly, and Z. Arezoumand, “Towards a universal and privacy preserving
EEG-based authentication system,” Scientific Reports, vol. 12, p. 2531, Dec. 2022.
[90] P. Tangkraingkij, C. Lursinsap, S. Sanguansintukul, and T. Desudchit, “Personal Identification
by EEG Using ICA and Neural Network,” in Computational Science and Its Applications
ICCSA 2010 (D. Hutchison, T. Kanade, J. Kittler, J. M. Kleinberg, F. Mattern, J. C. Mitchell,
M. Naor, O. Nierstrasz, C. Pandu Rangan, B. Steffen, M. Sudan, D. Terzopoulos, D. Tygar,
M. Y. Vardi, G. Weikum, D. Taniar, O. Gervasi, B. Murgante, E. Pardede, and B. O. Apduhan,
eds.), vol. 6018, pp. 419–430, Berlin, Heidelberg: Springer Berlin Heidelberg, 2010. Series Title:
Lecture Notes in Computer Science.
[91] M. V. Ruiz-Blondet, Z. Jin, and S. Laszlo, “Permanence of the CEREBRE brain biometric
protocol,” Pattern Recognition Letters, vol. 95, pp. 37–43, Aug. 2017.
55
9 Bibliography
[92] R. Xu, N. Baracaldo, and J. Joshi, “Privacy-Preserving Machine Learning: Methods, Challenges
and Directions,” Sept. 2021. arXiv:2108.04417 [cs].
[93] R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing, “Cryptonets:
Applying neural networks to encrypted data with high throughput and accuracy,” in Proceed-
ings of The 33rd International Conference on Machine Learning (M. F. Balcan and K. Q. Wein-
berger, eds.), vol. 48 of Proceedings of Machine Learning Research, (New York, New York, USA),
pp. 201–210, PMLR, 20–22 Jun 2016.
[94] A. B. Popescu, I. A. Taca, C. I. Nita, A. Vizitiu, R. Demeter, C. Suciu, and L. M. Itu, “Privacy
Preserving Classification of EEG Data Using Machine Learning and Homomorphic Encryption,”
Applied Sciences, vol. 11, p. 7360, Aug. 2021.
[95] A. Agarwal, R. Dowsley, N. D. McKinney, D. Wu, C.-T. Lin, M. De Cock, and A. C. A.
Nascimento, “Protecting Privacy of Users in Brain-Computer Interface Applications,” IEEE
Transactions on Neural Systems and Rehabilitation Engineering, vol. 27, pp. 1546–1555, Aug.
2019.
[96] D. Gao, C. Ju, X. Wei, Y. Liu, T. Chen, and Q. Yang, “HHHFL: Hierarchical Heterogeneous
Horizontal Federated Learning for Electroencephalography,” Sept. 2020. arXiv:1909.05784 [cs,
eess].
[97] C. Ju, D. Gao, R. Mane, B. Tan, Y. Liu, and C. Guan, “Federated Transfer Learning for EEG
Signal Classification,” in 2020 42nd Annual International Conference of the IEEE Engineering
in Medicine & Biology Society (EMBC), (Montreal, QC, Canada), pp. 3040–3045, IEEE, July
2020.
[98] G. Szegedi, P. Kiss, and T. Horváth, “Evolutionary federated learning on eeg-data,” in ITAT,
2019.
[99] L. Sun and J. Wu, “A Scalable and Transferable Federated Learning System for Classifying
Healthcare Sensor Data,” IEEE Journal of Biomedical and Health Informatics, pp. 1–1, 2022.
[100] S. Baghersalimi, T. Teijeiro, D. Atienza, and A. Aminifar, “Personalized Real-Time Federated
Learning for Epileptic Seizure Detection,” IEEE Journal of Biomedical and Health Informatics,
vol. 26, pp. 898–909, Feb. 2022.
[101] K. G. Hartmann, R. T. Schirrmeister, and T. Ball, “EEG-GAN: Generative adversarial networks
for electroencephalograhic (EEG) brain signals,” June 2018. arXiv:1806.01875 [cs, eess, q-bio,
stat].
56
9 Bibliography
[102] E. Debie, N. Moustafa, and M. T. Whitty, “A Privacy-Preserving Generative Adversarial Net-
work Method for Securing EEG Brain Signals,” in 2020 International Joint Conference on Neural
Networks (IJCNN), (Glasgow, United Kingdom), pp. 1–8, IEEE, July 2020.
[103] D. Pascual, A. Amirshahi, A. Aminifar, D. Atienza, P. Ryvlin, and R. Wattenhofer, “Epilepsy-
GAN: Synthetic Epileptic Brain Activities With Privacy Preservation,” IEEE Transactions on
Biomedical Engineering, vol. 68, pp. 2435–2446, Aug. 2021.
[104] F. Mo, H. Haddadi, K. Katevas, E. Marin, D. Perino, and N. Kourtellis, “PPFL:
Privacy-preserving Federated Learning with Trusted Execution Environments,” June 2021.
arXiv:2104.14380 [cs].
[105] A. Stopczynski, D. Greenwood, L. K. Hansen, and A. Pentland, “Privacy for Personal Neuroin-
formatics,” Mar. 2014. arXiv:1403.2745 [cs].
[106] G. Siddhad, A. Gupta, D. P. Dogra, and P. P. Roy, “Efficacy of Transformer Networks for
Classification of Raw EEG Data,” Feb. 2022. arXiv:2202.05170 [cs, eess].
[107] J. Fernick and M. Lewis, “Internet of Thinks Securing the Brain Computer Interface,” white
paper, 2022. Accessed: 2022-07-05.
[108] S. Gray, “Always On: Privacy Implications of Microphone-Enabled Devices,” white paper, 2016.
Accessed: 2022-07-05.
[109] A. Neupane, M. L. Rahman, and N. Saxena, “PEEP: Passively Eavesdropping Private Input via
Brainwave Signals,” in Financial Cryptography and Data Security (A. Kiayias, ed.), vol. 10322,
pp. 227–246, Cham: Springer International Publishing, 2017. Series Title: Lecture Notes in
Computer Science.
[110] A. Neupane, K. Satvat, M. Hosseini, and N. Saxena, “Brain Hemorrhage: When Brainwaves Leak
Sensitive Medical Conditions and Personal Information,” in 2019 17th International Conference
on Privacy, Security and Trust (PST), (Fredericton, NB, Canada), pp. 1–10, IEEE, Aug. 2019.
[111] M. Völker, L. D. Fiederer, S. Berberich, J. Hammer, J. Behncke, P. Kršek, M. Tomášek,
P. Marusič, P. C. Reinacher, V. A. Coenen, M. Helias, A. Schulze-Bonhage, W. Burgard, and
T. Ball, “The dynamics of error processing in the human brain as reflected by high-gamma
activity in noninvasive and intracranial EEG,” NeuroImage, vol. 173, pp. 564–579, June 2018.
[112] M. Völker, J. Hammer, R. T. Schirrmeister, J. Behncke, L. D. J. Fiederer, A. Schulze-Bonhage,
P. Marusič, W. Burgard, and T. Ball, “Intracranial Error Detection via Deep Learning,” Nov.
2018. arXiv:1805.01667 [cs, q-bio, stat].
57
9 Bibliography
[113] H. Aden, “Privacy and Security: German Perspectives, European Trends and Ethical Impli-
cations,” in Advances in Research Ethics and Integrity (R. Iphofen and D. O’Mathúna, eds.),
pp. 119–129, Emerald Publishing Limited, Dec. 2021.
[114] T. Morey, T. Forbath, and A. Schoop, “Customer Data: Designing for Transparency and Trust,”
Harvard Business Review, pp. 96–105, May 2015.
[115] M. Martini and C. Kemper, “Cybersicherheit von Gehirn-Computer-Schnittstellen,” Interna-
tional Cybersecurity Law Review, vol. 3, pp. 191–243, June 2022.
58
... 86 Some experts proposed a holistic security strategy involving elements of "Hide" (anonymization, privacy preserving machine learning and unlinking brain data from contextual data) and "separate" (local equipment) and "control" (no "always-on" BCIs). 102 Recommendation 5: Establish premarket review procedure for BCI devices In addition to existing ethical or special review for medical devices, a more comprehensive premarket review procedure needs to be established, further covering marketing of non-medical BCI devices as well as for BCI-R&D activities beyond clinical or research context. This may be a specific regulatory system better achieving the goals of the ordered measures in the Chilean supreme court decision 54 which is still vague and unstable on a case-by-case basis. ...
Article
Brain–computer interfaces (BCIs) have seen increasingly fast growth under the help from AI, algorithms, and cloud computing. While providing great benefits for both medical and educational purposes, BCIs involve processing of neural data which are uniquely sensitive due to their most intimate nature, posing unique risks and ethical concerns especially related to privacy and safe control of our neural data. In furtherance of human right protection such as mental privacy, data laws provide more detailed and enforceable rules for processing neural data which may balance the tension between privacy protection and need of the public for wellness promotion and scientific progress through data sharing. This article notes that most of the current data laws like GDPR have not covered neural data clearly, incapable of providing full protection in response to its specialty. The new legislative reforms in the U.S. states of Colorado and California made pioneering advances to incorporate neural data into data privacy laws. Yet regulatory gaps remain as such reforms have not provided special additional rules for neural data processing. Potential problems such as static consent, vague research exceptions, and loopholes in regulating non-personal neural data need to be further addressed. We recommend relevant improved measures taken through amending data laws or making special data acts.
... Establishing clear guidelines and protocols for safe, ethically-sound BCI-VR usage will be crucial in ensuring the responsible advancement and widespread adoption of these transformative technologies. Addressing these concerns proactively will be paramount in ensuring the ethical and responsible advancement of BCI-VR technology [81][82][83][84][85]. ...
Article
Featured Application: Potential applications of the work related to advanced hands-free control systems based on the interaction of BCI and VR.
Abstract: This article examines state-of-the-art research into the impact of virtual reality (VR) on brain–computer interface (BCI) performance: how the use of virtual reality can affect brain activity and neural plasticity in ways that can improve the performance of brain–computer interfaces in IoT control, e.g., for smart home purposes. Integrating BCI with VR improves the performance of brain–computer interfaces in IoT control by providing immersive, adaptive training environments that increase signal accuracy and user control. VR offers real-time feedback and simulations that help users refine their interactions with smart home systems, making the interface more intuitive and responsive. This combination ultimately leads to greater independence, efficiency, and ease of use, especially for users with mobility issues, in managing IoT-connected devices. The integration of BCI and VR shows great potential for transformative applications ranging from neurorehabilitation and human–computer interaction to cognitive assessment and personalized therapeutic interventions for a variety of neurological and cognitive disorders. The literature review highlights the significant advances and multifaceted challenges in this rapidly evolving field. Particularly noteworthy is the emphasis on the importance of adaptive signal processing techniques, which are key to enhancing the overall control and immersion experienced by individuals in virtual environments. The value of multimodal integration, in which BCI technology is combined with complementary biosensors such as gaze tracking and motion capture, is also highlighted. The incorporation of advanced artificial intelligence (AI) techniques will revolutionize the way we approach the diagnosis and treatment of neurodegenerative conditions.
Article
Population-level modeling can define quantitative measures of individual aging by applying machine learning to large volumes of brain images. These measures of brain age, obtained from the general population, helped characterize disease severity in neurological populations, improving estimates of diagnosis or prognosis. Magnetoencephalography (MEG) and Electroencephalography (EEG) have the potential to further generalize this approach towards prevention and public health by enabling assessments of brain health at large scales in socioeconomically diverse environments. However, more research is needed to define methods that can handle the complexity and diversity of M/EEG signals across diverse real-world contexts. To catalyse this effort, here we propose reusable benchmarks of competing machine learning approaches for brain age modeling. We benchmarked popular classical machine learning pipelines and deep learning architectures previously used for pathology decoding or brain age estimation in 4 international M/EEG cohorts from diverse countries and cultural contexts, including recordings from more than 2500 participants. Our benchmarks were built on top of the M/EEG adaptations of the BIDS standard, providing tools that can be applied with minimal modification on any M/EEG dataset provided in the BIDS format. Our results suggest that, regardless of whether classical machine learning or deep learning was used, the highest performance was reached by pipelines and architectures involving spatially aware representations of the M/EEG signals, leading to R^2 scores between 0.60-0.71. Hand-crafted features paired with random forest regression provided robust benchmarks even in situations in which other approaches failed. Taken together, this set of benchmarks, accompanied by open-source software and high-level Python scripts, can serve as a starting point and quantitative reference for future efforts at developing M/EEG-based measures of brain aging. 
The generality of the approach renders this benchmark reusable for other related objectives such as modeling specific cognitive variables or clinical endpoints.
Article
The increasing availability of brain data within and outside the biomedical field, combined with the application of artificial intelligence (AI) to brain data analysis, poses a challenge for ethics and governance. We identify distinctive ethical implications of brain data acquisition and processing, and outline a multi-level governance framework. This framework is aimed at maximizing the benefits of facilitated brain data collection and further processing for science and medicine whilst minimizing risks and preventing harmful use. The framework consists of four primary areas of regulatory intervention: binding regulation, ethics and soft law, responsible innovation, and human rights.
Article
Abstract: Brain-computer interfaces fuel the hope of superhuman powers: they enable users to control prostheses and other devices with their thoughts alone. The further the development of the new technology advances and leads to marketable products, the more visibly potential security risks come into focus. Attacks on brain-computer interfaces can spy out neurological data or manipulate brain activity and thereby cause devastating damage. The article examines how the legal system has so far addressed the risks of an attack on brain-computer interfaces, and how it should address them in the future.
Article
EEG-based authentication has gained much interest in recent years. However, despite its growing appeal, there are still various challenges to their practical use, such as lack of universality, lack of privacy-preserving, and lack of ease of use. In this paper, we have tried to provide a model for EEG-based authentication by focusing on these three challenges. The proposed method, employing deep learning methods, can capture the fingerprint of the users’ EEG signals for authentication aim. It is capable of verifying any claimed identity just by having a genuine EEG fingerprint and taking a new EEG sample of the user who has claimed the identity, even those who were not observed during the training. The role of the fingerprint function is similar to the hash functions in password-based authentication and it helps preserve the user’s privacy by storing the fingerprint, rather than the raw EEG signals. Moreover, for targeting the lack of ease of use challenge, Gram-Schmidt orthogonalization process reduces the required number of channels to just three ones. The experiments show that the proposed method can reach around 98% accuracy in the authentication of completely new users with only three channels of Oz, T7, and Cz.
Chapter
Since the European Union's (EU) Charter of Fundamental Rights became binding in 2009, data protection has attained the status of a fundamental right (Article 8) throughout the EU. This chapter discusses the relevance of data protection in the context of security. It shows that data protection has been of particular relevance in the German context-not only against the backdrop of rapidly evolving information technology, but also of the historical experiences with political regimes collecting information in order to oppress citizens.
Article
Brain-computer interfaces (BCIs) started being used in clinical scenarios, reaching nowadays new fields such as entertainment or learning. Using BCIs, neuronal activity can be monitored for various purposes, with the study of the central nervous system response to certain stimuli being one of them, being the case of evoked potentials. However, due to the sensitivity of these data, the transmissions must be protected, with blockchain being an interesting approach to ensure the integrity of the data. This work focuses on the visual sense, and its relationship with the P300 evoked potential, where several open challenges related to the privacy of subjects' information and thoughts appear when using BCI. The first and most important challenge is whether it would be possible to extract sensitive information from evoked potentials. This aspect becomes even more challenging and dangerous if the stimuli are generated when the subject is not aware or conscious that they have occurred. There is an important gap in this regard in the literature, with only one work existing dealing with subliminal stimuli and BCI and having an unclear methodology and experiment setup. As a contribution of this paper, a series of experiments, five in total, have been created to study the impact of visual stimuli on the brain tangibly. These experiments have been applied to a heterogeneous group of ten subjects. The experiments show familiar visual stimuli and gradually reduce the sampling time of known images, from supraliminal to subliminal. The study showed that supraliminal visual stimuli produced P300 potentials about 50% of the time on average across all subjects. Reducing the sample time between images degraded the attack, while the impact of subliminal stimuli was not confirmed. Additionally, younger subjects generally presented a shorter response latency. This work corroborates that subjects' sensitive data can be extracted using visual stimuli and P300.
Article
Data privacy is a major concern when accessing and processing sensitive medical data. A promising approach among privacy-preserving techniques is homomorphic encryption (HE), which allows for computations to be performed on encrypted data. Currently, HE still faces practical limitations related to high computational complexity, noise accumulation, and sole applicability at the bit or small integer values level. We propose herein an encoding method that enables typical HE schemes to operate on real-valued numbers of arbitrary precision and size. The approach is evaluated on two real-world scenarios relying on EEG signals: seizure detection and prediction of predisposition to alcoholism. A supervised machine learning-based approach is formulated, and training is performed using a direct (non-iterative) fitting method that requires a fixed and deterministic number of steps. Experiments on synthetic data of varying size and complexity are performed to determine the impact on runtime and error accumulation. The computational time for training the models increases but remains manageable, while the inference time remains in the order of milliseconds. The prediction performance of the models operating on encoded and encrypted data is comparable to that of standard models operating on plaintext data.
Article
With the unprecedented success of transformer networks in natural language processing (NLP), recently, they have been successfully adapted to areas like computer vision, generative adversarial networks (GAN), and reinforcement learning. Classifying electroencephalogram (EEG) data has been challenging and researchers have been overly dependent on pre-processing and hand-crafted feature extraction. Despite having achieved automated feature extraction in several other domains, deep learning has not yet been accomplished for EEG. In this paper, the efficacy of the transformer network for the classification of raw EEG data (cleaned and pre-processed) is explored. The performance of transformer networks was evaluated on a local (age and gender data) and a public dataset (STEW). First, a classifier using a transformer network is built to classify the age and gender of a person with raw resting-state EEG data. Second, the classifier is tuned for mental workload classification with open access raw multi-tasking mental workload EEG data (STEW). The network achieves an accuracy comparable to state-of-the-art accuracy on both the local (Age and Gender dataset; 94.53% (gender) and 87.79% (age)) and the public (STEW dataset; 95.28% (two workload levels) and 88.72% (three workload levels)) dataset. The accuracy values have been achieved using raw EEG data without feature extraction. Results indicate that the transformer-based deep learning models can successfully abate the need for heavy feature-extraction of EEG data for successful classification.
Article
With the development of Internet of Medical Things, massive healthcare sensor data (HSD) are transmitted in the Internet, which faces various security problems. Healthcare data are sensitive and important for patients. Automatic classification of HSD has significant value for protecting the privacy of patients. Recently, the edge computing-based federated learning has brought new opportunities and challenges. It is difficult to develop a lightweight HSD classification system for edge computing. In particular, the classification system should consider the dynamic characteristics of HSD, e.g., the change of data distributions and the appearance of initially unknown classes. To solve these problems, the paper proposes a scalable and transferable classification system, called SCALT. It is a one-classifier-per-class system based on federated learning. It comprises a one-dimensional convolution-based network for feature extraction, and an individual mini-classifier for each class. It is easy to be scaled when new class appears since only a mini-classifier will be trained. The feature extractor is updated only when it is transferred to a new task. SCALT has a parameter protection mechanism, which can avoid catastrophic forgetting in sequential HSD classification tasks. We conduct comprehensive experiments to evaluate SCALT on three different physiological signal datasets: Electrocardiogram, Electroencephalogram and Photoplethysmograph. The accuracies on the three datasets are 98.65%, 91.10% and 89.93% respectively, which are higher than the compared state-of-the-art works. At last, an application of applying SCALT to protect the privacy of patients is presented.