Blog: Considering Brain Data Privacy

Emily Einhorn
March 31, 2020

Every day, streams of personal data flow from our smartphones, laptops, and other personal technology devices. For virtually every behavior we engage in, there is an app, website, or platform designed to capture these actions and turn them into data. Whether we are navigating on Google Maps, swiping on Hinge, or checking our balance on the CitiBank mobile app, the information that makes us who we are is held within our digital records. The pros and cons of this reality have been discussed at length by the media, academia, industry and government. As citizens, we are constantly making tradeoffs between our personal data privacy and the great convenience and quality of life that technology offers. This is a tension that will likely increase over the coming decades as new technologies intertwine our identities and our data still more tightly.

But what will happen to these privacy concerns when neurotechnologies open the gates to new streams of data collected directly from the brain?  Neurotechnology is becoming both more common and more effective, resulting in an increasing cash of data directly denoting human brain activity. While collecting and sharing brain data has countless benefits in clinical care and research, the proliferation of brain data also has unique privacy implications that merit consideration. To begin, it is important to understand how brain data are distinct from other types of data. From there we can explore how neurotechnologies have the potential to become used by a large segment of the population, with applications in a wide array of contexts. How can we expect brain data to be put to use? That is up to us as a society to begin discussing while neurotechnology still remains in its early stages.

What is Brain Data?

Brain data refers to any data that directly or indirectly records the function or structure of the brain. The crucial concern in the collection and sharing of brain data is that it subverts the traditional pathways through which we send thoughts, feelings, and actions out into the world. For example, when Facebook builds user profiles for ad targeting, the profile is built on data reflecting a series of user behaviors (liking content, searching content, etc.), which the user has deliberately chosen to perform. However, when brain data are collected, these conscious choices, which serve as a barrier between the contents of our mind and the outside world, may be surpassed. When that happens, information could be captured directly from the brain, recording and distributing unconscious brain activity, or brain activity that we would not have otherwise acted upon. 

Much of these data are collected through brain computer interfaces (BCIs), which are a category of neurotechnology that connect the brain to computers and digital networks. This enables data transfers in both directions between computers and brains. Data can be “downloaded” from digital networks into the brain or brain data can be recorded and exported into digital networks. The latter function is how brain data are collected and shared.  

Application and Scale of Use 

When considering brain data privacy issues, there are two important factors. First, what are the application contexts of BCIs when they record brain data? Second, at what scale can BCIs be used to collect brain data from the population? These questions are largely determined by the physical characteristics of the BCI device used to record brain activity. 

BCIs can come in a variety of shapes and sizes, from wireless and portable headsets, to bulky circuited machinery confined to clinical or research settings. State-of-the-art BCIs, which might be hooked up to large pieces of equipment in research labs, are not accessible to the majority of the population and are also immobile. However, wireless and portable BCIs, while they may produce less detailed data recordings, can be worn throughout everyday life, steadily collecting data much like a phone or computer does. These are the types of BCIs that have the potential to collect brain data from a wider portion of the population in a variety of life circumstances. Due to this, portable BCIs will generate important questions regarding data privacy for the average citizen if they become widely adopted.

But will the average person face restrictions when seeking access to portable BCIs? The answer is partially dependent on the invasiveness of the recording technology. Some portable BCIs may require neurosurgery to be implanted into the brain. Any device that is surgically embedded into human subjects will require FDA approval and, given the inherent risk of neurosurgery, clinicians will likely restrict device implantations to patients who require them for medical purposes. This limits the number of individuals who will have their brain data collected. 

However, more and more BCIs are being developed that do not require surgery and can instead be worn externally as a headpiece. Noninvasive BCIs have the potential to be adopted en masse, with the important caveat of affordability constraints. Much like other wearable technologies, such as the Apple Watch, there are virtually no regulatory limitations that prevent such technologies from being sold directly to consumers.  This means BCIs could take on a wide variety of uses in nonmedical contexts. Though noninvasive BCIs remain expensive and provide less sophisticated data, the research and for-profit tech community are working to change that. Some of the sectors that have already begun employing BCIs include education, entertainment, advertisement and even defense. The brain data collected from devices sold within these industries can be used and traded like any other data amassed from a personal technology device. The spread of these noninvasive, portable BCIs could lead to brain data collection from a wide portion of the population and from a diverse array of contexts.

Big tech companies such as Facebook, which already rely on data centric business models, are beginning to explore noninvasive and portable neurotechnologies. Over the summer of 2019, Facebook purchased CTRL-Labs, a noninvasive BCI company. Their goal is to devise a wearable technology that will allow customers to type by imagining themselves talking, rather than using their hands. Over the years, Facebook has had multiple instances of data mishandling. The possibility of a device that provides Facebook with a direct data channel into the brains of the citizenry could be cause to think critically about brain data use parameters.

The devices and networks that capture our everyday data became ubiquitous long before the question of privacy was seriously raised. If there’s one thing we can learn from the past, it is that data privacy should be considered proactively, rather than reactively when the problem has already reached a critical level. In the case of brain data privacy, stakes are even higher. We must begin asking ourselves how we want our brain data to be used, so we can reap the many benefits neurotechnology has to offer, without later suffering privacy repercussions.