Brainwave privacy standard “is needed” to prevent spying on EEG scan data, researchers warn

Smartphone apps and home equipment for scanning brainwaves could lead to a future in which governments or companies misuse such data as a way of decoding people’s personality traits, or detecting traces of mental illness, researchers from MIT and the Technical University of Denmark have warned.

“As the equipment for such data collection becomes more available and widely used, the opportunities for using the data are growing; at the same time however inherent privacy risks are mounting,” the researchers write in a paper titled Privacy for Personal Neuroinformatics.

The researchers propose a privacy standard to prevent misuse of such information, although they do not report that high-resolution portable EEG scanners such as Emotiv or the $100 Neurosky Mindset scanner pose a danger as they stand.

The researchers say that availability of apps and devices which store and process brainwave data could eventually lead to more widespread storage of EEG data outside the medical organizations which usually process it. The Register says that such information would be “of interest” to government agencies aiming to “understand targets’ state of mind.”

The researchers say that EEG data can be used to detect traits such as mental illness. “The same raw EEG signal can be used for example to diagnose mental diseases, find traces of epilepsy, and decode personality traits,” the researchers write. “As early as in 1988, Karson et al. described the use of EEG for diagnosing schizophrenia, based on increased activity in frequency bands known as delta and beta and decreased activity in the so-called alpha band.”

The researchers say that EEG data poses unique privacy concerns: “EEG data appear to be highly unique to an individual and thus should be considered extremely sensitive. The ability to identify subjects in data sets may give the ability to match a short recording of the EEG data with data stored in the large sets, and, if the various types of data are linked, also to link to other information about the user, such as mobility traces or demographics.”

The researchers propose a privacy standard based on the MIT general privacy framework OpenPDS – and show how EEG data can be collected on mobile devices, uploaded to a server in the form of extracted features, “without the risk of disclosing sensitive raw signal.”
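The idea of uploading extracted features instead of the raw signal, sketched as an added example (it is not code from the article, the paper or OpenPDS): the device reduces one EEG window to relative power in the delta, alpha and beta bands and serializes only those numbers. The band edges are the conventional ones, and the record field names, user ID and test signal are assumptions constructed for illustration.

```python
import cmath
import json
import math

# Conventional EEG band edges in Hz (assumption; the paper's exact features are not given here).
BANDS = {"delta": (0.5, 4.0), "alpha": (8.0, 13.0), "beta": (13.0, 30.0)}


def band_powers(samples, fs):
    """Return each band's share of the summed band power for one window (naive DFT)."""
    n = len(samples)
    mean = sum(samples) / n
    centered = [s - mean for s in samples]  # drop the DC offset
    power = dict.fromkeys(BANDS, 0.0)
    for k in range(1, n // 2):
        freq = k * fs / n
        band = next((b for b, (lo, hi) in BANDS.items() if lo <= freq < hi), None)
        if band is None:
            continue  # bin lies outside every band of interest
        coeff = sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(centered))
        power[band] += abs(coeff) ** 2
    total = sum(power.values()) or 1.0  # avoid dividing by zero on a flat signal
    return {b: round(p / total, 3) for b, p in power.items()}


def build_upload(samples, fs, user_id):
    """Build the record that leaves the device: features only, never raw samples."""
    record = {
        "user": user_id,  # hypothetical field names
        "window_s": len(samples) / fs,
        "features": band_powers(samples, fs),
    }
    return json.dumps(record, sort_keys=True)


def synthetic_window(fs=128, seconds=2):
    """Constructed test signal: 2 Hz (amp 2) + 10 Hz (amp 4) + 20 Hz (amp 1)."""
    return [
        2 * math.sin(2 * math.pi * 2 * t / fs)
        + 4 * math.sin(2 * math.pi * 10 * t / fs)
        + math.sin(2 * math.pi * 20 * t / fs)
        for t in range(fs * seconds)
    ]


if __name__ == "__main__":
    print(build_upload(synthetic_window(), 128, "user-0001"))
```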

The availability of commercial, portable EEG scanners has led some research teams to propose EEG scans as a replacement for typed passwords – and even as a replacement for car keys, with brainwave-scanning “hats” identifying drivers, and also ensuring drivers are sober when they take the wheel, as reported by We Live Security.

A team of UC Berkeley School of Information researchers has proved “thinking” passwords can work using existing technology. The researchers used a Neurosky Mindset brainwave reader, a $100 EEG (electroencephalograph) device which scans brainwaves via a single contact on the forehead. The system could identify the distinctive brain patterns of different users with high accuracy.

The system has error rates of below one per cent – and was able to identify test subjects as they performed mental tasks such as singing a song of their choice (in their heads), or imagining moving a finger up and down.

Even tasks where all the subjects did the same thing, such as moving a finger up and down, offered sufficiently different signals for the computer to differentiate between users.

“We find that brainwave signals, even those collected using low-cost non-intrusive EEG sensors in everyday settings, can be used to authenticate users with high degrees of accuracy,” said the researchers.

“Other than the EEG sensor, the headset is indistinguishable from a conventional Bluetooth headset for use with mobile phones, music players, and other computing devices,” the researchers say.

Author , We Live Security


Copyright © 2017 ESET, All Rights Reserved.