If you open your devices with a fingerprint or face scan, you are probably OK with tech companies having some of your biological data. Now, the rise of neurotech wearables is putting your brainwaves into question. On 17 April 2024, the governor of Colorado signed a bill expanding the state's existing privacy law to include neural data or brain activity. The bill added brainwaves under the umbrella of biological data, which it defined as "data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions."[1]
This includes recordings of your fingerprints and face, which tech companies increasingly have, and your DNA. Before the bill, only fingerprints and facial images were protected in Colorado. Neurotech uses electroencephalography (EEG) to measure brain activity using electrodes. Invasive brain-computer interfaces (BCIs) like Neuralink or Synchron are implanted in the body and, therefore, are considered medical devices, meaning they are regulated under higher data protection. But non-invasive neurotech, like wearables that use EEG, are considered consumer devices and these are not regulated yet.
Consumer products that incorporate EEG have been around for a while. Companies like Emotiv and NeuroSky have been exploring the technology for fitness, digital health, and even perfume for nearly a decade. Meta, Apple, and Snap are working on their own devices. Many unregulated neurotech wearables are now available, from headsets promising better athletic performance to headbands that help you meditate. This tech tracks, analyzes, and, at least in some cases, records your brain activity.
The Colorado legislation was passed in response to growing concerns about privacy in consumer BCIs. "Data concerning the activity of the human brain and wider nervous systems, or "neural data," is extremely sensitive and can reveal intimate information about individuals, including health, mental states, emotions, and cognitive functioning," the bill states.
In the wrong hands, that data could be used against individuals by companies or third parties. A report from The Neurorights Foundation found that 29 out of 30 companies surveyed "appear to have access to the consumer's neural data and provide no meaningful limitations to this access." The report also mentions several recent studies contributing to the "growing scientific consensus that neural data collected by non-invasive devices can indeed decode human thought," a privacy weakness if unprotected.
As artificial intelligence, which needs lots of data to train on, has exploded into the mainstream over the last two years, general concerns over the collection and sale of user data have, too. AI in the tech industry is still relatively unregulated, and the US has lagged behind Europe regarding data privacy legislation. Colorado's move is a small but notable step in the right direction. California and Minnesota are making similar progress, but no policy on neural data exists yet at the federal level.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.zdnet.com/article/how-a-new-law-protects-your-thoughts-from-tech-companies-and-why-it-matters/
Comments