Brainwave Technology Privacy Guidelines 2015

The Centre for Responsible Brainwave Technologies

Brainwave Technology Privacy Guidelines

http://www.responsiblebraintech.org/

Authors

Dirk Rodenburg, Faculty of Information, University of Toronto, Interaxon
Grady Johnson, Open Technology Institute, New America Foundation
Adrian Byram, Neuroethics Core, University of British Columbia
Rachel Wolfsohn, University of California, Berkeley
Brian Behlendorf, Mithril Capital Management
Eugene Kim, OCAD University

Contents

Summary
Four Guidelines
CeReB - Brainwave Technology Privacy - Principles and Guidelines
Introduction
Purpose of this Document
Foundations for the Guidelines
About the Centre for Responsible Brainwave Technology (CeReB)
Brainwave Technology Privacy Guidelines
Data Control and Permission
Data Protection
Informed Consent
Transparency
Summary
Guidelines for Developers


Summary

Rationale for this document: The advent of consumer oriented EEG devices raises some challenging questions about how to deal with the storage and use of the data generated by these devices. Even lower resolution EEG devices may generate data that is potentially biometrically identifiable and indicative of specific cognitive functions or conditions. This makes the issue of privacy, stewardship and protection of this data both important and urgent.

This document provides guidelines that developers, researchers and policy makers (collectively, “brainwave technology providers”) of consumer oriented EEG devices can use when considering the design and implementation of their technologies.

Four Guidelines:

Guideline 1: Brainwave technology providers recognize that control over the collection, use, disclosure and retention of collected brainwave data rests with the individual whose brain was recorded (application “users”). Vendors should obtain explicit permission from the user to collect, use, and disclose this data for specific purposes. Users can withdraw that permission at any time.

Practical implications: Be very clear about the types of data your application potentially records, how it will be used and for what purposes, where it is stored, who will have access and what happens to it over the long term. Since the individual should control the data generated by their brain activity, you must ask for permission to record, use, store and share this data.

Guideline 2: All data generated by brainwave technology should be considered, and treated, as personally identifiable, and accorded a level of protection commensurate with that designation. Ultimately, brainwave technology providers should make the assumption that the generated data will be able to act as an identifier of the end user, even without being combined with other data.

Practical implications: Since the data may contain potentially revealing information about the individual, protect it using industry standard information security best practices.

Guideline 3: All those involved in the application or development of brainwave technology should actively participate in developing users’ and the public’s understanding of the technology and its current and future implications.

Practical implications: Brainwave technology providers should assist users prior to, during and following their use of the application in understanding the potential uses and voluntary and involuntary disclosures that could occur as a result of using the device or application.

Guideline 4: Brainwave technology providers should ensure that brainwave application state and behaviour are transparent to users.


Practical implications: Brainwave technology providers should design their applications to be transparent about when the device is operating, recording, using, transmitting, storing and displaying their data, and any applicable retention policies.

CeReB - Brainwave Technology Privacy - Principles and Guidelines

Introduction

Brainwave or EEG technology, which has a long history within neurology and medicine as a neuropathological diagnostic and biofeedback tool, has recently been incorporated within consumer focused devices and applications. While these currently offer less sensitivity and spatial resolution than their medical counterparts, the technology is rapidly evolving and - as many predict - may soon outstrip modern medical EEG devices in their data capture and interpretive power. This in turn will likely lead to a myriad of new consumer-grade applications that, intentionally or unintentionally, generate and make use of data that reflects or can be directly associated with the end-user, and may disclose information about that user that the user may not wish revealed.

When used within consumer-oriented applications, brainwave data shares the same regulatory “grey space” with other biometric devices such as heart rate, blood pressure and glucose detection monitors. EEG technology, however, occupies an arguably distinct place on the spectrum of biometric devices, since the data generated may support a range of interpretive outcomes that are highly personal, highly sensitive, ultimately highly revealing and, since it offers a ‘window’ into brain and cognitive functioning, highly intimate.

Medical devices are strictly regulated with respect to privacy and safety through legislation such as HIPAA in the United States and PIPEDA and provincial statutes in Canada. The legislation enforces the ways in which both patient information and patient medical records are stored, transmitted and shared. General privacy legislation typically applies to the commercial usage of ‘personally identifiable information’ (PII) which is usually interpreted as name, address and other information that can be directly tied to an identifiable individual.

Although privacy legislation applies to the collection, use, disclosure and retention of PII generated by consumers when utilizing an EEG device, developers and users may not recognize that the data generated by the device is in fact highly personal.

The bottom line is that, much as with genomic data, we simply do not yet know to what extent the data generated by current and future consumer-grade EEG devices embodies information and interpretive potential with significant undesired outcomes for end-users. What we do know is that this potential will likely increase over time as our understanding of the technology and the associated neuroscience continues to evolve.


Purpose of this Document

In the absence of clear regulatory guidelines controlling the use and output of consumer-oriented biometric devices, the Centre for Responsible Brainwave Technologies (CeReB) has identified the need to provide a framework to address potential privacy issues related to the data generated by these devices. Consequently, CeReB has identified, and is putting forward for discussion, a number of privacy guidelines for stakeholders in consumer-grade EEG technology, including developers, researchers, policy makers and the general public.

These guidelines are based on what is currently understood about the technology, and what can be reasonably foreseen within the ‘cone of visibility’ for the evolution of the technology. Our objectives in drafting these guidelines were to achieve both a defensible general foundation on which to build an effective evolutionary process, and to provide specific guidelines for those developing, using or forming policy around consumer grade EEG technology.

The proposed guidelines are voluntary, although we hope that all stakeholders in consumer grade EEG technology will eventually move to develop and broadly adopt a set of standards that reflect these. Ideally, those adopting these standards, especially developers and vendors, will eventually be able to refer to their products as conforming to an “Ethical Brainwave Product” standard. Although these may evolve into the basis for a certification process, within the shorter term adherence would be based on self-attestation and, where warranted, fact-checking.

Finally, these guidelines are meant to provide an initial framework for considering these issues, not as a ‘fait accompli’. We consider these guidelines, not as static decrees, but as a living document. We fully expect these to evolve through dialogue with stakeholders and welcome that process.

Foundations for the Guidelines

The guidelines are based on several sources, including general privacy principles such as those developed by the Organization for Economic Cooperation and Development (OECD), newer privacy principles such as the Privacy by Design principles, and interaction models attempting to define practices within a highly networked and sharing-oriented technological and cultural context, such as the Respect Network.

The guidelines target the collection, use, disclosure and retention of the data generated by consumer-grade devices, since this data will likely be highly personal and may potentially be used to identify both the individual and their cognitive and emotional states. They are intended to ‘draw a box’ that is big enough for vendors to develop useful, compelling, and highly innovative products, but clear enough so that end-users of these devices can be confident that their common-sense understanding of privacy is respected.

About the Centre for Responsible Brainwave Technology (CeReB)

CeReB is a non-profit center of excellence dedicated to exploring and developing ethical standards and best practices in consumer-oriented brain-computer interface technology (cBCI). We are committed to acting in the public interest by fostering and supporting research and dialogue surrounding the ethics of cBCI and developing clear, meaningful, and achievable standards for ensuring the efficacy of brainwave technologies and safeguarding the agency, privacy, and safety of their users. CeReB also acts as a source for reliable information concerning brainwave technologies, provides and promotes research and education on their relevant ethical issues, and works with cBCI companies to encourage the development of their brainwave technologies in a socially responsible manner.


Brainwave Technology Privacy Guidelines

Data Control and Permission

Context: Given the sensitivity of the information potentially embodied in brainwave data, even data currently recorded by EEG devices should be considered highly personal and sensitive. Therefore, we strongly endorse the principle that control of that data remain in the hands of the user, who would have full control over its collection, use, disclosure and retention.

Guideline 1: Brainwave technology providers recognize that control over the collection, use, disclosure and retention of collected brainwave data rests with the individual whose brain was recorded (application “users”). Vendors should obtain explicit permission from the user to collect, use, and disclose this data for specific purposes. Users can withdraw that permission at any time and cannot consent to surrendering this revocation ability.

Implications: Vendors are fully transparent to end-users about how the data and all related derivations generated by devices is collected, used, disclosed and retained, and for what purposes.

Users always have the ability to view, download, and delete any individual brainwave recording, or the whole collection at once. Once deleted, all brainwave recordings and metadata for the recording sessions are irrevocably, permanently purged.

Brainwave data and all related derivations may not be shared by vendors with 3rd parties, even in anonymized form, without the express and informed consent of end-users. Users may download and share their own brainwave data.

Data Protection

Context: It is currently unclear whether the brainwave data being captured contains the potential, under existing or forthcoming interpretive algorithms, to reveal sensitive information that can directly identify the end-user and / or the state of their neurological and cognitive functioning, though current research suggests this possibility is increasingly likely over the long term.

Guideline 2: All data generated by brainwave technology should be considered, and treated, as deeply personal and personally identifiable, and accorded a level of protection commensurate with that designation. Ultimately, brainwave technology providers should make the assumption that the generated data will be able to act as an identifier of the end user, even without being combined with other data.

Implications: All data collection, usage, transmission, storage, and disclosure methods and mechanisms must meet, within reasonable considerations, best-practice technological and handling standards set for sensitive data within the jurisdiction in which the brainwave technology is being used.

This means that vendors should design and develop their applications against current standards in ways that allow for modifications as these standards evolve.

Vendors should also monitor, and incorporate, defenses against currently understood and reasonably foreseeable threat models.

Informed Consent

Context: End-users may not fully understand the nature of, and risks associated with, EEG data and the consequences of decisions made with respect to sharing that data. Therefore, although consent from end-users should be sought for all decisions regarding their data, consent in and of itself is not necessarily sufficient - consent must be informed.

Guideline 3: All those involved in the application or development of brainwave technology should actively participate in developing users’ and the public’s understanding of the technology and its current and future implications.

Implications: This participation can take several forms but should involve, at a minimum, providing access to plain language guides describing the application, its usage, data, consequences, potential outcomes, and user rights. Developers should also provide links to additional resources and material as appropriate to ensure end-users have the ability to develop their understanding of the application, technology and notions of consent.

Proposal: One method of easing the burden that conceptualizing informed consent can place on an application end-user is the use of “privacy zones”. In this approach, currently used by organizations such as the Ontario Brain Institute and Google, each zone corresponds to a specific set of sharing permissions.

Within consumer-oriented brainwave technology, we are proposing four zones as follows. These zones assume that the privacy measures in place for all captured, stored and transmitted user data and its derivations meet the data protection guidelines proposed in Principle 2.


Zone 0: My data cannot be shared with anyone in any organization.

Zone 1: My data can be shared in anonymized, aggregate form only with people and / or organizations explicitly listed and sanctioned by the application developer. No potentially identifiable EEG data (e.g. raw capture data) may be shared.

Zone 2: My data can be shared in anonymized form only, but only with people and / or organizations explicitly listed and sanctioned by the application developer. No personally identifiable information (e.g. user name, address, etc.) will be associated with the stored EEG data.

Zone 3: My EEG data and personally identifiable information can be shared with people and / or organizations explicitly listed and sanctioned by the application developer.

As stated in the first guideline, “Data Control and Permission”, regardless of the zone in question, users retain the ability to downgrade or upgrade permissions, or to revoke access entirely to their data. Therefore, organizations must retain the capability to revoke access to 3rd parties and / or purge a user’s data within a reasonable time frame upon receiving a request to do so.
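As an added illustration, not part of the CeReB guidelines or any vendor's code, the following Python models the four zones as a check applied before any disclosure, with the user able to upgrade, downgrade or revoke entirely (revocation also purges retained sessions). The data categories, recipient names and session records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Zone(IntEnum):
    NO_SHARING = 0       # Zone 0: nothing is shared with anyone
    ANON_AGGREGATE = 1   # Zone 1: anonymized, aggregate form only
    ANON_INDIVIDUAL = 2  # Zone 2: anonymized per-user data, no PII attached
    IDENTIFIED = 3       # Zone 3: EEG data together with PII

# Constructed taxonomy of what a disclosure request can ask for.
AGGREGATE = "anonymized_aggregate"  # statistics over many users
DERIVED = "anonymized_derived"      # per-user derivations, identifiers stripped
RAW_EEG = "raw_eeg"                 # capture data, potentially identifiable
PII = "pii"                         # name, address, account details

# Lowest zone at which each category may leave the vendor. Raw EEG is treated
# as identifying (Guideline 2), so Zones 1 and 2 never release it.
MIN_ZONE = {
    AGGREGATE: Zone.ANON_AGGREGATE,
    DERIVED: Zone.ANON_INDIVIDUAL,
    RAW_EEG: Zone.IDENTIFIED,
    PII: Zone.IDENTIFIED,
}

@dataclass
class Decision:
    allowed: bool
    reason: str

@dataclass
class UserDataPolicy:
    """Per-user sharing state; the user, not the vendor, controls it."""
    sanctioned: frozenset                         # recipients listed by the developer
    zone: Zone = Zone.NO_SHARING                  # privacy by default: Zone 0
    sessions: dict = field(default_factory=dict)  # session_id -> recording + metadata
    audit: list = field(default_factory=list)     # consent changes and decisions

    def set_zone(self, zone: Zone) -> None:
        """User upgrades or downgrades permissions at any time."""
        self.audit.append(("zone", int(self.zone), int(zone)))
        self.zone = Zone(zone)

    def revoke_all(self) -> int:
        """Withdraw all permission and purge recordings and metadata; returns count."""
        purged = len(self.sessions)
        self.sessions.clear()
        self.set_zone(Zone.NO_SHARING)
        self.audit.append(("purge", purged))
        return purged

    def may_disclose(self, recipient: str, category: str) -> Decision:
        """Check one disclosure against zone, recipient list and retained data."""
        need = MIN_ZONE.get(category)
        if need is None:
            d = Decision(False, f"unknown data category {category!r}")
        elif self.zone == Zone.NO_SHARING:
            d = Decision(False, "zone 0: user has not permitted any sharing")
        elif recipient not in self.sanctioned:
            d = Decision(False, f"{recipient!r} is not a sanctioned recipient")
        elif self.zone < need:
            d = Decision(False, f"{category} needs zone {int(need)}, user is in zone {int(self.zone)}")
        elif not self.sessions:
            d = Decision(False, "no recordings retained for this user")
        else:
            d = Decision(True, f"zone {int(self.zone)} permits {category} to {recipient!r}")
        self.audit.append(("disclose", recipient, category, d.allowed))
        return d

def demo() -> list:
    """Walk one constructed user through the zones; returns the decisions made."""
    user = UserDataPolicy(sanctioned=frozenset({"university-lab"}))
    user.sessions["s1"] = {"raw": b"\x00\x01\x02", "started": "2015-06-01T10:00"}
    out = [user.may_disclose("university-lab", AGGREGATE)]      # zone 0: denied
    user.set_zone(Zone.ANON_AGGREGATE)
    out.append(user.may_disclose("university-lab", AGGREGATE))  # allowed
    out.append(user.may_disclose("university-lab", RAW_EEG))    # denied: raw EEG
    out.append(user.may_disclose("ad-network", AGGREGATE))      # denied: unlisted
    user.set_zone(Zone.IDENTIFIED)
    out.append(user.may_disclose("university-lab", PII))        # allowed
    user.revoke_all()                                           # purge + back to zone 0
    out.append(user.may_disclose("university-lab", AGGREGATE))  # denied again
    return out
```

The audit list is the record a vendor would keep to show that every disclosure and every consent change was checked against the user's current zone.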

Transparency

Context: To make choices regarding the usage of their data, end-users need to know when and how a brainwave application is collecting, using, disclosing and retaining their data and its derivatives, and how end-users can access their data and the choices they have.

Guideline 4: Brainwave technology providers should ensure that brainwave application state and behaviour are communicated and transparent to users.

Implications: Developers should integrate clear indicators of application state, actions and available intervention choices within the application. These indicators should be readily apparent, without requiring the end-user to actively seek them out.


Summary

CeReB proposes the following four privacy guidelines for developers of brainwave technology:

Guideline 1: Brainwave technology providers recognize that control over the collection, use, disclosure and retention of collected brainwave data rests with the individual whose brain was recorded (application “users”). Vendors should obtain explicit permission from the user to collect, use, and disclose this data for specific purposes. Users can withdraw that permission at any time and cannot consent to surrendering this revocation ability.

Guideline 2: All data generated by brainwave technology should be considered, and treated, as deeply personal and personally identifiable, and accorded a level of protection commensurate with that designation. Ultimately, brainwave technology providers should make the assumption that the generated data will be able to act as an identifier of the end user, even without being combined with other data.

Guideline 3: All those involved in the application or development of brainwave technology should actively participate in developing users’ and the public’s understanding of the technology and its current and future implications.

Guideline 4: Brainwave technology providers should ensure that brainwave application state and behaviour are transparent to users.


Guidelines for Developers

Utilizing Ann Cavoukian’s “Privacy by Design” Principles within the Context of Consumer-Oriented EEG Technology

“Privacy by Design” - developed by Dr. Ann Cavoukian, the former Information and Privacy Commissioner of Ontario - proposes seven foundational principles that can be adopted by any organization providing services that require access to - explicitly or implicitly derived - personally identifiable information. These principles, which are technology agnostic, are meant to make privacy protection an embedded, proactive and integral part of the provided services.2

Far from being viewed as an onerous burden placed on the developer, adherence to these principles should, over the long term, provide a competitive advantage to those adopting them.

The Seven Foundational Principles of “Privacy by Design”

Principle 1. Proactive not Reactive; Preventative not Remedial

The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred — it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

Guidelines for Brainwave (and / or other Brain Computer Interface (BCI)) Developers

⁃ All brainwave technology providers have a duty to anticipate / proact on issues of privacy

⁃ Not all uses of the technology or associated issues can be anticipated, but there is a duty to engage with the process of understanding the current position of the technology and to try to remediate consequences where possible

⁃ Brainwave technology providers should participate in, or at least monitor, platforms and forums that seek to anticipate privacy issues related to the technology

⁃ Brainwave technology providers should visibly endorse privacy objectives

⁃ All brainwave technology providers should explicitly state what their privacy objectives are prior to designing / developing brainwave technology

⁃ All brainwave technology providers should conduct a Privacy Impact Analysis

Principle 2. Privacy as the Default Setting


We can all be certain of one thing — the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy — it is built into the system, by default.

Guidelines for Brainwave (and / or other Brain Computer Interface (BCI)) Developers

⁃ Brainwave technology providers should design / configure their technology to automatically maximize privacy without actions being required on the part of the user

⁃ Any function within the system that impacts default privacy settings or behaviour should be presented as a choice that the user explicitly consents to - the language regarding the choice and its consequences should be clear, non-technical and consumable in form; links to relevant additional information should be provided

Principle 3. Privacy Embedded into Design

Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.

Guidelines for Brainwave (and / or other Brain Computer Interface (BCI)) Developers

⁃ Brainwave technology providers should incorporate existing best practices with respect to privacy and technology into the design of their technology

⁃ Technology designs should be sufficiently modular to allow for changes to existing, or additional, privacy protections

⁃ Privacy and security considerations should be an integral part of all design and development planning, programming and testing activities

⁃ To the extent possible, privacy and security design should anticipate ways in which the devices and data generated by the usage of the technology could be compromised

⁃ All functional and technological design strategies should be directly traceable to a privacy objective

Principle 4. Full Functionality — Positive-Sum, not Zero-Sum

Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.

Guidelines for Brainwave (and / or other Brain Computer Interface (BCI)) Developers

⁃ BCI design should start with the goals of full privacy protection, leveraging mature, well tested, modular security technologies


⁃ All components of the brainwave system should conform to - and be traceable to - privacy and security standards commensurate with the sensitivity of the data

Principle 5. End-to-End Security — Full Lifecycle Protection

Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.

Guidelines for Brainwave (and / or other Brain Computer Interface (BCI)) Developers

⁃ Developers should explicitly identify their privacy objectives for any given application of brainwave technology

⁃ Brainwave design should consider privacy at every stage of user interaction and the collection, use, disclosure and retention of their data and its derivatives

⁃ Every user to system action and component interaction should be identified and documented; each privacy remediation strategy should be identified and documented

Principle 6. Visibility and Transparency — Keep it Open

Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify.

Guidelines for Brainwave (and / or other Brain Computer Interface (BCI)) Developers

⁃ Developers should explicitly identify their privacy objectives for any given application of brainwave technology

⁃ Design strategies used to protect privacy within the technology and applications should be identified and tied to accepted standards

⁃ Where applicable, any state of operation having a potential impact on privacy should be signaled when toggled on or off

⁃ Brainwave organizations should be willing to submit their applications for verification of functioning against privacy standards

Principle 7. Respect for User Privacy — Keep it User-Centric

Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.

Guidelines for Brainwave (and / or other Brain Computer Interface (BCI)) Developers

⁃ From the white paper, the integrity of the end-user should be the primary objective of brainwave developers

⁃ All device and application development should strive to support that objective; devices or applications should never seek to subvert that objective through action or inaction, commission or omission

Useful Links

The Centre for Responsible Brainwave Technologies: http://www.responsiblebraintech.org/

The Ethics of Brain Wave Technology: http://static1.squarespace.com/static/5344501be4b0d532fc42e22f/t/5390ceece4b0fe2199de93cc/1401999084766/The+Ethics+of+Brainwave+Technology.pdf

OECD Privacy Principles: http://oecdprivacy.org/

Ontario Brain Institute - Brain Code Governance: https://braincode.ca/sites/default/files_new/about/OBI-GovPolicy-1.3-Privacy-Policy-Jan-8-14_0.pdf

Privacy by Design Principles: http://www.privacybydesign.ca/content/uploads/2009/08/7foundationalprinciples.pdf

The Respect Network: https://www.respectnetwork.com/