User Identity Protection in EEG-based Brain-Computer Interfaces

TL;DR

The paper identifies a privacy risk in EEG-based BCIs: user identity information is learnable from EEG data, enabling cross-session linking. It introduces two perturbation-based schemes—sample-wise and per-user—to generate identity-unlearnable EEG data under an $\ell_∞$ bound, preserving task accuracy measured by $BCA$. Across seven datasets and five paradigms, the methods reduce user identification accuracy from $UIA\approx70\%$ to $UIA\leq21.36\%$, with minimal impact on the primary BCI task and strong cross-model transferability. The work also demonstrates perturbation imperceptibility, effectiveness in online scenarios, and discusses limitations and avenues for future work in privacy-preserving BCIs.

Abstract

A brain-computer interface (BCI) establishes a direct communication pathway between the brain and an external device. Electroencephalogram (EEG) is the most popular input signal in BCIs, due to its convenience and low cost. Most research on EEG-based BCIs focuses on the accurate decoding of EEG signals; however, EEG signals also contain rich private information, e.g., user identity, emotion, and so on, which should be protected. This paper first exposes a serious privacy problem in EEG-based BCIs, i.e., the user identity in EEG data can be easily learned so that different sessions of EEG data from the same user can be associated together to more reliably mine private information. To address this issue, we further propose two approaches to convert the original EEG data into identity-unlearnable EEG data, i.e., removing the user identity information while maintaining the good performance on the primary BCI task. Experiments on seven EEG datasets from five different BCI paradigms showed that on average the generated identity-unlearnable EEG data can reduce the user identification accuracy from 70.01\% to at most 21.36\%, greatly facilitating user privacy protection in EEG-based BCIs.

Figures (8)

• Figure 1: Illustration of user identity protection in EEG-based MI classification. The EEG data of Session II can be accurately associated with the unperturbed EEG data of Session I from the same user while performing the primary MI classification task. For the perturbed EEG data, the high MI classification accuracy is maintained, whereas the test session cannot be associated with the training session from the same user.
• Figure 2: An unperturbed EEG trial and its perturbed counterpart on MI1, which are almost identical. (a) Sample-wise; and, (b) User-wise. The perturbations are magnified $25$ times for better visualization.
• Figure 3: Average Cz channel spectrograms of the unperturbed EEG trials, their perturbed counterparts, and the corresponding perturbations, for the imagination of (a) the left fist on MI1; and, (b) the left hand on MI2.
• Figure 4: Average topoplots of the unperturbed EEG trials, their perturbed counterparts, and the corresponding perturbations, for the imagination of (a) the left fist on MI1; and, (b) the left hand on MI2.
• Figure 5: (a) $t$-SNE visualization of common spatial pattern features extracted from the unperturbed EEG trials and their perturbed counterparts on MI1; and, (b) BCAs of logistic regression classifiers trained with common spatial pattern features.