Privacy alert: Brainwave devices can leak sensitive medical conditions and personal information

Research results show that brain-computer interfaces can be a source of leaked medical and personal information for particular individuals.

Brain-computer interfaces are rapidly gaining popularity in consumer markets, especially in the gaming industry. With these devices, people can control their computers using their thoughts.

But there is a risk. University of Alabama at Birmingham researchers have shown that malicious access to these brainwave signals may reveal privacy-sensitive medical conditions and personal information of users, as they browse the internet or interact with an app. 

Nitesh Saxena, Ph.D., professor in the UAB College of Arts and Sciences Department of Computer Science, studied the privacy implications of such BCI devices in two contexts: differentiating people suffering from alcohol use disorder from healthy individuals, and differentiating people belonging to different age groups, in particular young versus aged, along with their vulnerability while using these devices.

In both contexts, Saxena explored how malicious access to brainwave signals may reveal users’ privacy-sensitive medical conditions and personal information. The study was built on prior medical domain studies on alcohol use disorder and aging.

“In this study, we demonstrate how these devices may be used maliciously to determine whether someone has an alcohol abuse disorder or is elderly,” Saxena explained. “This information may then be used to launch targeted attacks against such individuals. The fundamental issue is that these devices do not control the access to the signals they record, so any malicious app or a website may record their brainwaves as the users browse the web.”

The study investigated whether brainwave signals captured during a user’s normal interaction with visual stimuli through a website or computer can expose whether the user is suffering from a given medical disorder and to which demographic group the user belongs.

Saxena says that their attack, which they called Hemorrhage, is designed using machine learning techniques to identify users suffering from alcohol use disorder (AUD) and their age group by analyzing the brainwave signals leaked online in response to users’ viewing of simple images or watching videos.

“We named our attack Hemorrhage because it can be detrimental to your brainwave privacy,” Saxena said. “This attack is not hard to envision in the future given that cybercriminals recently targeted people with epilepsy disorders by showing videos containing the Strobe signal to cause seizures in such people.”

The BCI headsets are worn during individuals’ everyday activities, but the threat is that they allow any website or application to have uncontrolled access to recorded brainwaves without the need for prior approval, or without the user’s knowledge.

“Based on the datasets acquired from prior medical studies, we observed statistically significant differences in neural activities between alcoholic and control participants when they were viewing simple images, and between young and elderly participants when they were watching audio-video samples as part of our attack model,” Saxena said.

Overall, the study showed the attack could identify users having alcohol use disorder with a precision of 96 percent and their age group with a precision of 94 percent.

Other researchers on the study included Ajaya Neupane, Kiavash Satvat and Mahshid Hosseini, all former Ph.D. or master’s students in the SPIES lab run by Saxena. The study was presented at the International Conference on Privacy, Security and Trust this past summer.