The question “What is a thought?” is no longer a purely philosophical one. Like everything else that can be measured, our thoughts are increasingly subject to technological answers, with data captured through brainwave tracking. This breakthrough also means that data is marketable, and brain data already captured is being bought and sold by companies in the consumer wearable technology space, with little protection for users.
In response, Colorado recently passed a first-in-the-nation privacy law aimed at protecting these rights. The law falls under the existing Colorado Consumer Protection Act, which aims to protect “the privacy of individuals’ personal data by establishing certain requirements for entities that process personal data, including additional protections for sensitive data.”
The key language in the Colorado law expands the term “sensitive data” to include “biological data,” which covers many biological, genetic, biochemical, physiological, and neurological characteristics.
Elon Musk’s Neuralink is the most famous example of how technology is being integrated with the human brain, though it’s not the only one in the field. Paradromics has emerged as a close competitor, along with devices that have restored speech to stroke victims and helped amputees move prosthetic limbs with their minds. All of these products are medical devices that require implantation and are protected by the strict privacy requirements of HIPAA. The Colorado law focuses on the fast-growing field of consumer technology and devices that don’t require medical procedures, have no such protections, and can be purchased and used without any kind of medical supervision.
There are dozens of companies making products that rely on wearable technology to capture brain waves (aka neurodata). On Amazon alone, there are pages of products, from sleep masks designed to improve deep sleep or promote lucid dreaming, to headbands that promise to boost focus, to biofeedback headphones that will take your meditation session to the next level. These products, by design and necessity, capture neurodata by using tiny electrodes that produce readings of brain activity, with some even emitting electrical pulses to influence brain activity.
Laws to deal with all of that brain data don't really exist.
“We’re entering science fiction territory here,” said Colorado Rep. Kathy Kipp, the bill’s lead sponsor. “As with any advance in science, there must be guardrails.”
The “ChatGPT Moment” of Consumer Brain Technology
A recent study by the NeuroRights Foundation found that of the thirty companies examined that make wearable technology capable of capturing brainwaves, twenty-nine “offer no meaningful restrictions on such access.”
“This consumer neurotechnology revolution has been centered on the increasing ability to capture and interpret brainwaves,” says Dr. Sean Pauzowski, chief medical officer at the NeuroRights Foundation. Devices that use electroencephalography, a technology readily available to consumers, “are a multibillion-dollar market that is expected to double in the next five years or so,” he adds. “In the next two to five years, it’s not inconceivable that neurotechnology will have a ChatGPT moment.”
The amount of data that can be collected depends on several factors, but the technology is advancing rapidly, and could lead to a huge increase in applications, as artificial intelligence is increasingly integrated into the technology. Apple has already filed patents for brain-sensing AirPods.
“Brain data is so important that it should not be left unregulated. It reflects the inner workings of our minds,” said Rafael Yosef, professor of biological sciences and director of the Center for Neurotechnology at Columbia University, president of the NeuroRights Foundation and a leading figure in the Neurotech Ethics Morningside Group. “The brain is not just another organ in the body. We need to engage private actors to ensure they adopt a responsible innovation framework, because the brain is the sanctuary of our minds.”
The value to companies comes from interpreting or decoding brain signals collected by wearable technology, Pauzowski said. As a hypothetical example, he said, “If you wear brain-sensing earbuds, Nike not only knows that you’re looking for running shoes from your browsing history, but it can now see how interested you are while you’re browsing.”
A wave of bio-privacy legislation may be needed.
The concerns that the Colorado law addresses could lead to a wave of similar legislation, as interest grows in the intermingling of rapidly advancing technologies and the commodification of user data. In the past, consumer rights and protections have lagged behind innovation.
“Perhaps the best and most recent analogies between technology and privacy are the Internet and the consumer genetic revolutions, which have been largely unchecked,” Pauzowski said.
A similar trajectory could follow the unchecked advance of consumer brain data and its commodification. Hacking, corporate profit motives, ever-changing privacy agreements for users, and narrow or nonexistent laws covering the data are all major risks, Pauzowski says. Under Colorado’s privacy law, brain data has the same privacy rights as fingerprints.
According to Professor Farinaz Kooshanfar and Assistant Professor Duygu Kuzum of the Department of Electrical and Computer Engineering at UC San Diego, it is too early to understand the limitations of the technology, as well as the depth of the potentially intrusive data collection.
Tracking neural data could mean tracking a wide range of cognitive processes and functions, including thoughts, intentions, and memories, the researchers wrote in a joint statement emailed to The Verge. At one extreme, tracking neural data could mean directly accessing medical information.
The wide range of possibilities is itself a problem. “There are still many unknowns in this area, which is worrisome,” the researchers wrote.
If these laws become widespread, companies may have no choice but to overhaul their existing organizational structure, according to Kooshanfar and Kuzum. New compliance officers may need to be appointed, and methods such as risk assessment, third-party auditing, and anonymization may be implemented as mechanisms to define requirements for the entities involved.
On the consumer side, the Colorado law and any subsequent efforts represent important steps toward better educating users, as well as giving them the tools to investigate and exercise their rights if they are violated.
“Colorado’s privacy law regarding neurotechnology may be a rare exception, where rights and regulations precede any widespread misuse or abuse of consumer data,” Pauzowski said.