Nomadsoul1 | Istock | Getty Images
The question “What is a thought?” it is no longer strictly philosophical. Like anything measurable, our thoughts are subject to increasingly technical responses, with data collected from brainwave monitoring. This discovery also means that the data is marketable, and the brain data captured is already being bought and sold by companies in the wearable consumer technology space, with minimal protections for users.
In response, Colorado recently passed a first-in-the-nation privacy law aimed at protecting these rights. The law falls under the existing “Colorado Consumer Protection Act,” which aims to protect “the privacy of individuals’ personal data by establishing certain requirements for entities that process personal data [and] includes additional protections for sensitive data.”
THE key language in the Colorado act is the expansion of the term “sensitive data” to include “biological data” — including numerous biological, genetic, biochemical, physiological, and neural properties.
Elon Musk’s Neuralink is the most famous example of how the technology is being integrated into the human mind, although it is not alone in the space, with Paradromics emerging as a close competitor, along with devices that have returned speech to stroke victims and helped amputees move prosthetic limbs with their minds. All of these products are medical devices that require implantation and are protected under the strict privacy requirements of HIPAA. Colorado’s law focuses on the fast-growing consumer technology sphere and devices that do not require medical procedures, lack similar protections, and can be purchased and used without medical supervision of any kind.
There are dozens of companies making products that are wearable technologies that capture brain waves (also known as neura data). On Amazon alone, there are pages of products ranging from sleep masks designed to optimize deep sleep or promote lucid dreaming, to headbands that promise to promote focus and biofeedback headphones that will take your meditation session to the next level. These products, by design and necessity, capture neural data through the use of small electrodes that produce measurements of brain activity, with some developing electrical impulses to affect brain activity.
The laws governing the handling of all this brain data are virtually non-existent.
“We’ve entered the world of science fiction here,” said the lead sponsor of the Colorado bill, Representative Cathy Kipp. “As with any advancement in science, there must be guardrails.”
‘ChatGPT-moment’ for consumer brain technology
A recent study by the NeuroRights Foundation found that of the thirty companies surveyed that make wearable technology capable of capturing brain waves, twenty-nine “provide no meaningful restrictions on this access.”
“This revolution in consumer neurotechnology has centered on the increasing ability to capture and interpret brain waves,” said Dr. Sean Pauzauskie, medical director at The NeuroRights Foundation. Devices that use electroencephalography, a technology readily available to consumers, are “a multibillion-dollar market that’s going to double in the next five years or so,” he said. “In the next two to five years it is not unlikely that neurotechnology will see a ChatGPT moment.”
How much data can be collected depends on a number of factors, but technology is advancing rapidly and could lead to an exponential increase in applications, with technology increasingly incorporating artificial intelligence. Apple already has filed patents for brain-sensing AirPods.
“Brain data is too important not to be regulated. It reflects the inner workings of our minds,” said Raphael Youssef, professor of biological sciences and director of the Center for Neurotechnology at Columbia University, as well as President of the NeuroRights Foundation and a leading figure in the neutotech ethics organization Morningside Group. “The brain is not just another organ in the body,” he added. “We need to engage private actors to ensure they adopt a responsible innovation framework, as the brain is the sanctuary of our minds.”
Pauzauskie said the value for companies comes from interpreting or decoding brain signals collected by wearable technologies. As a hypothetical example, he said, “if you wore brain-sensing headphones, not only would Nike know you were looking for running shoes from your browsing history, but they could now know how interested you were as you browsed.”
A wave of bio-privacy legislation may be needed
The concern targeted by the Colorado law could lead to a wave of similar legislation, with increased attention to the meddling of rapidly evolving technologies and the commoditization of user data. In the past, consumer rights and protection have lagged behind innovation.
“The best and latest technology/privacy ratios may be the largely unchecked Internet and consumer genetic revolutions,” Pauzauskie said.
A similar arc could follow rampant developments in the collection and commercialization of consumer brain data. Hacking, corporate profit motives, ever-changing privacy agreements for users and little to no laws covering data are all big risks, Pauzauskie said. Under the Colorado Privacy Act, brain data extends the same privacy rights as fingerprints.
According to Professor Farinaz Koushanfar and Associate Professor Duygu Kuzum of the Department of Electrical and Computer Engineering at UC San Diego, it is still too early to understand the limitations of the technology, as well as the depths of potentially intrusive data collection.
Tracking neural data could mean monitoring a wide range of cognitive processes and functions, including thoughts, intentions and memories, they wrote in an emailed joint statement. At one extreme, tracking neural data can mean instant access to medical information.
The wide range of possibilities is an issue in itself. “There are still too many unknowns in this field and that is worrying,” they wrote.
If these laws become widespread, companies may have no choice but to overhaul their current organizational structure, according to Koushanfar and Kuzum. There may be a need to establish new compliance officers and implement methods such as risk assessment, third-party auditing and anonymization as mechanisms to set requirements for the entities involved.
From the consumer perspective, Colorado’s law and any subsequent efforts represent important steps to better educate users, as well as provide them with the tools they need to control and exercise their rights in the event of a breach.
“The Privacy Act [in Colorado] on neurotechnology may be a rare exception, where rights and regulations precede any widespread misuse or abuse of consumer data,” Pauzauskie said.