Knowledge-Based Systems

Volume 198, 21 June 2020, 105932
Mind your privacy: Privacy leakage through BCI applications using machine learning methods

https://doi.org/10.1016/j.knosys.2020.105932

Abstract

With the digitization of almost every aspect of our lives, privacy leakage in cyberspace has become a pressing concern. Brain–Computer Interface (BCI) systems have become more popular in recent years and are now being used for a variety of applications. BCI data represents an individual’s brain activity at a given time. Like many other kinds of data, BCI data can be utilized for malicious purposes. Electroencephalography (EEG) is one of the most popular brain activity acquisition methods in BCI applications, and BCI games represent one of the main EEG applications. However, a malicious BCI application (e.g., a game) could allow an attacker to take advantage of an unsuspecting user happily enjoying a game and record the user’s brain activity; by analyzing this data, the attacker can infer private information and characteristics regarding the user, without his/her consent or awareness. This study is the first to demonstrate the ability to predict and infer meaningful personality traits and cognitive abilities by analyzing resting-state EEG (rsEEG) recordings of an individual’s brain activity using a variety of machine learning methods. A comprehensive set of raw rsEEG scans, along with the dissociation level and executive function (EF) performance measures, for 162 subjects was used in our evaluation. The best results we achieved were an accuracy of 73% for dissociation classification and less than 16% mean absolute error in predicting performance for all examined EFs. These encouraging results are better than those presented in prior research in terms of accuracy, data validity, and dataset size.

Introduction

During the last decade, the amount of data collected and used by industrial entities increased tremendously. Private information leakage happens when a system reveals a user’s private information to an entity that is not supposed to have access to this data; such leakage usually occurs without the user’s consent, and it can often be harmful to the user.

The theft of private information is a cyber-attack vector which, on the one hand, can violate an individual’s privacy, while on the other hand, can jeopardize the reputation of institutions and cause them to lose a large amount of money, particularly due to the new General Data Protection Regulation (GDPR) [1], which imposes significant fines on vendors whose customers suffer from privacy violations.

Fortunately, the importance of privacy is well known, and technical [2] and constitutional [3] solutions have been offered to safeguard privacy. However, there are several domains that are expected to gain popularity which present new, less conventional threats to users’ privacy. One of those domains is the brain–computer interface (BCI) domain, in which a brain monitoring device is used to record the brain’s activity, which is translated to the requested output.

BCI is a relatively new domain, and the characteristics of BCI systems raise some new privacy-related issues that must be addressed before the technology can be widely implemented and integrated into more products. The fact that the BCI offers a direct link to the user’s mind can be dangerous, particularly with regard to the private information leakage issues discussed above. Furthermore, unlike other user data, the data obtained from the user’s brain activity in this domain can be used to infer things about the user. As described in detail in [4], the data collected using BCI systems is highly confidential and can reflect the user’s cognition, mental and physical health, and much more. Furthermore, current privacy-related rules do not address the protection of this data and thus need to be updated in order to encompass this domain. Given these concerns and the fact that the domain is gaining popularity, increased awareness of the privacy threats and the potential for misuse of the data gathered in the BCI domain is needed. This research will contribute to such awareness and help uncover the threats to privacy inherent in BCI systems that use an EEG device as their input acquisition device.

In this paper, we wish to demonstrate the feasibility of violating privacy using EEG data collected through the use of BCI applications. We achieve this by demonstrating how different personality traits can be inferred from raw resting-state EEG (rsEEG) recordings of brain activity (such recordings are often used in BCI systems for calibration, regardless of the system’s target), using machine learning methods. We propose an ensemble model based on the well-known K-Nearest Neighbor classifier and Dynamic Time Warping (DTW) as the distance function, in order to predict personality traits. To the best of our knowledge, no prior study has used rsEEG data for this kind of task. In addition, we compare the proposed model’s performance to the state-of-the-art models in the domain of classifying subjects based on personality traits using EEG recordings and other closely related domains.
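The kind of classifier named in this paragraph, k-nearest neighbours with DTW as the distance function and one voter per channel of a multivariate time series, is sketched below as an added example; it is not the authors' model. The per-channel majority vote, the function names and the toy bump signals are assumptions, and the data is constructed, not EEG.

```python
import math
import random
from collections import Counter

def dtw_distance(a, b):
    """Dynamic Time Warping cost between two 1-D sequences (absolute-difference cost)."""
    prev = [0.0] + [math.inf] * len(b)
    for x in a:
        cur = [math.inf] * (len(b) + 1)
        for j, y in enumerate(b, start=1):
            cur[j] = abs(x - y) + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[-1]

def knn_vote(train, series, channel, k):
    """Majority label of the k training recordings closest (by DTW) on one channel."""
    nearest = sorted(train, key=lambda rec: dtw_distance(rec[0][channel], series))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def ensemble_predict(train, recording, k=3):
    """Majority vote over one kNN-DTW classifier per channel (assumed combination rule)."""
    votes = [knn_vote(train, series, ch, k) for ch, series in enumerate(recording)]
    return Counter(votes).most_common(1)[0][0]

# --- Constructed toy data (not EEG): 3 channels x 60 samples per recording. ---
def bump(center, n=60, width=3.0):
    return [math.exp(-((t - center) ** 2) / (2 * width ** 2)) for t in range(n)]

def make_recording(label, rng, n=60):
    """Channels 0-1 carry one bump ("one") or two ("two") at a random offset; channel 2 is noise."""
    start = rng.randint(10, 25)
    shape = bump(start)
    if label == "two":
        shape = [u + v for u, v in zip(shape, bump(start + 20))]
    informative = [[s + rng.gauss(0, 0.02) for s in shape] for _ in range(2)]
    return informative + [[rng.gauss(0, 0.02) for _ in range(n)]]

def build_train(seed=7, per_class=4):
    rng = random.Random(seed)
    return [(make_recording(lbl, rng), lbl) for lbl in ("one", "two") for _ in range(per_class)]

if __name__ == "__main__":
    train = build_train()
    rng = random.Random(99)
    for truth in ("one", "two"):
        print(truth, "->", ensemble_predict(train, make_recording(truth, rng)))
```

The labels are recovered although each recording's bumps sit at a different offset and one channel carries no signal: DTW absorbs the time shift, and the vote absorbs the uninformative channel.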

The contributions of our research are as follows:

  • We demonstrate that it is possible to use BCI applications in order to violate a user’s privacy.

  • We show that rsEEG data is predictive of an individual’s personal traits and cognitive abilities.

  • We develop an ensemble machine learning-based model tailored to the analysis of multivariate time series data (MTSD) for accurate classification and prediction.

The rest of the paper is organized as follows. In Section 2, we provide background information required in this domain of research. In Section 3, we present some of the state-of-the-art research and their results in personality trait classification based on EEG data. In Section 4, we provide a detailed description of the data collection used in this research; in this section, we also present some of the data exploration performed in order to better define our experiments and methods. In Section 5, we discuss the preprocessing methods used, as well as the models examined in the sections that follow. In Section 6, we present our research questions, metrics, and experimental layout. In Section 7, we present the achieved results. Finally, in Section 8, we discuss the results with respect to the research questions, draw some conclusions, and discuss future research directions.

Section snippets

Background

In this section, we present the scientific background related to our research. We start by providing a brief summary about the brain and brain waves. Then we discuss BCI acquisition devices and domains. Finally, we talk about EEG data analysis and classification methods.

Related work

In this section, we provide a summary of previous studies related to our field of research. The structure of this chapter is as follows. First, we present relevant domains and types of information that can be inferred from brain activity, as demonstrated in previous neuroscience research. Then, we discuss the use of machine learning and temporal analysis in EEG data processing. In the final subsections, we discuss private information leakage using machine learning, the main focus of our study;

Data collection and its privacy related significance

In this section, we present the data collection used in this research.

Methods

In this section, we present the methods used in this research for working on raw data, preprocessing, feature extraction, dataset creation, and the application of machine learning algorithms. It is important to mention that while the initial data processing was identical for each experiment, most of the experiments required unique datasets, depending on the experiment (meaning not all processing methods were used for creating each dataset).

Evaluation

In this section, we present the goals of this study and discuss how we will evaluate whether they have been achieved. We begin by presenting the research questions that guided us throughout this study. Then, we describe the metrics and experimental design used in our evaluation.

Results of experiment 1 – Inferring disassociation and predicting EF labels & Intel-Score Based on non-temporal features

In this section, we discuss the performance of the algorithms examined, using dissociation as our target label in the classification task, and EF and Intel-Score for the prediction task.

Discussion and conclusions

The goal of this study is to demonstrate the feasibility of violating privacy using EEG data collected through the use of BCI applications. We were able to infer different personality traits of subjects based on their brain activity recorded by an EEG device during the resting state. In order to do that we used the raw resting state EEG (rsEEG) data of 162 subjects, extracted during a neurofeedback experiment. We applied various preprocessing and feature extraction methods on the data and used

CRediT authorship contribution statement

Ofir Landau: Methodology, Formal analysis, Resources, Software, Validation, Visualization, Writing - original draft, Writing - review & editing. Aviad Cohen: Methodology, Formal analysis, Resources, Software, Validation, Visualization, Writing - original draft, Writing - review & editing. Shirley Gordon: Data curation. Nir Nissim: Conceptualization, Investigation, Funding acquisition, Supervision, Methodology, Formal analysis, Resources, Software, Validation, Visualization, Writing - original

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (67)

  • Kashdan T.B. et al., Clinical psychology review psychological flexibility as a fundamental aspect of health, Clin. Psychol. Rev. (2010)
  • Cohen A. et al., Novel set of general descriptive features for enhanced detection of malicious emails using machine learning methods, Expert Syst. Appl. (2018)
  • Cohen A. et al., Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory, Expert Syst. Appl. (2018)
  • Liu W. et al., A survey of deep neural network architectures and their applications, Neurocomputing (2017)
  • Union E., Regulation (EU) 2016/679 of the European Parliament and of the Council - of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive (2016)
  • G. Zyskind, O. Nathan, A.S. Pentland, Decentralizing privacy: Using blockchain to protect personal data, in: Proc. -...
  • M.A. Weiss, K. Archick, U.S.-EU data privacy: From safe harbor to privacy shield, in: Eur. Union Challenges Prospect.,...
  • Greenberg A., Inside the mind’s eye: An international perspective on data privacy law in the age of brain-machine interfaces, SSRN (2018)
  • Teplan M., Fundamentals of EEG measurement, Meas. Sci. Rev. (2002)
  • Luck S.J., Event-related potentials. In Handbook of Research Methods in Psychology, APA Handb. Res. Methods Psychol. (2012)
  • Wolpaw J.R. et al., Brain-computer interface technology: a review of the first international meeting, IEEE Trans. Rehabil. Eng. (2000)
  • Vogel F. et al., The electroencephalogram (EEG) as a research tool in human behavior genetics: Psychological examinations in healthy males with various inherited EEG variants - I. Rationale of the study. material. methods. heritability of test parameters, Hum. Genet. (1979)
  • Blondet M.V.R. et al., Assessment of permanence of non-volitional EEG brainwaves as a biometric (2015)
  • T. Koike-Akino, et al. High-accuracy user identification using EEG biometrics, in: Proc. Annu. Int. Conf. IEEE Eng....
  • C.R. Hema, M.P. Paulraj, H. Kaur, Brain signatures: A modality for biometric authentication, in: 2008 Int. Conf....
  • Thomas K.P. et al., EEG-based biometric authentication using gamma band power during rest state, Circuits, Syst. Signal Process. (2018)
  • Faundez-Zanuy M., Biometric security technology, IEEE Aerosp. Electron. Syst. Mag. (2006)
  • Diffie W. et al., New directions in cryptography, IEEE Trans. Inf. Theory (1976)
  • N. Rawat, Y. Shin, I. Balasingham, EEG based image encryption via quantum walks, in: Proc. Annu. Int. Conf. IEEE Eng....
  • Rajendra G.N. et al., A new approach for data encryption using genetic algorithms and brain mu waves, J. Sci. Eng. Res. (2011)
  • Haynes J.D. et al., Decoding mental states from brain activity in humans, Nat. Rev. Neurosci. (2006)
  • K.T. Kim, S.W. Lee, Towards an EEG-based intelligent wheelchair driving system with vibro-tactile stimuli, in: 2016...
  • Berg J.A., Behavioral demonstration of a somatosensory neuroprosthesis, IEEE Trans. Neural Syst. Rehabil. Eng. (2013)