Neuroscience and security: your thoughts are safe (for now)

ESET's Sabrina Pagnotta delves deep into the fascinating world of neuroscience, examining whether our brains can be compromised.

Could an attacker guess your PIN number or your email password by reading your brain?

A Canadian researcher called Melanie Segado explained to us the extent to which your brain activity could be used for malicious purposes, to find out, for example, what you’re thinking or to guess your PIN.

Melanie, who is finishing her doctorate in neuroscience in Montreal and is co-founder of the NeurotechX community, differentiated the techniques that are used for measuring brain activity, which allows for the interpretation of the signals that are emitted due to stimuli.

She and other researchers in the field are trying to determine the capabilities and limitations of this technology in the context of security.

Brain activity measurement techniques

Firstly, there is the electrocorticography (ECoG) technique, in which electrodes are placed on the exposed surface of the brain to record the electrical activity of the cerebral cortex. However, because this requires a surgical incision in the skull, it is an invasive procedure.

There is also the electroencephalogram technique, in which electrodes are placed on the scalp and send electrical signals to a recorder, which then converts them into wave-like patterns. The person must remain still with their eyes closed because any movement can alter the results.

Secondly, there are functional magnetic resonance imaging (fMRI) and functional near-infrared spectroscopy (fNIRS) studies, which provide real-time monitoring of tissue oxygenation in the brain while the subject performs a task or receives a stimulus. This allows brain functions such as attention, memory, and problem solving to be analyzed while the individual performs a cognitive task.

Thirdly, there is the positron emission tomography (PET) technique, which identifies changes at a cellular level to detect the early onset of a disease.

What can these techniques measure?

According to Melanie, all of these brain activity measurement techniques can be used to observe movements, senses (is the person seeing, tasting, touching, or hearing?), cognition (memories, intentions), biometric components, language (words), and emotions.

But could they be used maliciously to guess what we are thinking? Well, there are a number of considerations to take into account before assuming this is possible. Some techniques are invasive, others are very expensive; some require physical access to the person who must remain still in a scanner, and others do not provide very high-quality data.

Yes, it is true that some fMRI procedures have produced records that were used to reconstruct what the person was seeing (a face, a plane), but the cost is very high (about $600 per hour, according to Melanie) and the procedure takes between one and three hours on average to complete.

So, this procedure is unlikely to be used maliciously; and in any case, it only shows what the person is actually seeing in that particular place, not a reconstruction of their most “secret” thoughts or memories.

Measurements aimed at reading language-related signals, using yes/no response experiments, are extremely useful for communicating with someone who cannot speak for themselves, but are equally useless for malicious purposes. The same is true for lie detection techniques, which operate on the basis of familiarity and the distinctive behavior of the brain when the option presented generates an emotion in the person.

Perhaps the only electroencephalogram method that could be useful for an attacker would be the N400 wave, which is related to semantic processing and is mainly activated due to unexpected words in sentences, such as “John smeared the hot bread with a sock”.

The magnitude of the signal varies according to how familiar it is to the subject; words, faces, images, or numbers can be used. So if the subject is shown many PIN numbers, they will react differently to the combination they recognize.

However, it is important not to lose sight of the fact that the signal will intensify due to any significant stimulus, i.e. any combination of numbers that refers to something known to the person, which may not be their PIN or whatever is to be determined at that particular moment. Again, there are more limitations and costs involved than there are possible returns.

It is still extremely difficult for an attacker to exploit these signals, especially those that only show stimuli. “If they had enough individual data from someone, they could build a model for generating signals that look like those individuals, but it would take a lot of computational power, which is currently impractical for an attacker,” Melanie clarified.

What should concern us

“Brain activity is unique for every individual, so you can never be fully anonymous,” Melanie warned. So, if your patterns are in a database because you did an MRI scan, for example, you would be easily identifiable.

And so the real concern should lie in the interpretation and protection of our data. Who has access to it? Is the clinic where you had your CT or MRI scan careful enough with your brain activity records? Or could they be compromised and used to identify you?

Of course, we still do not know what can be predicted with brain activity records, as they can be interpreted in many ways and can vary over time for many reasons. For example, if you are in a car accident, the reaction you have to a “car” stimulus will be very different to the one you had before the accident.

Something that Melanie strongly recommends is to not contribute to the confusion of those who believe that our thoughts will soon be monitored, or that we will be able to control technology without physically interacting with it.

In fact, she does not think that Facebook’s project to control computers with our brains is very feasible. This year, one of the company’s divisions announced that it would be creating “silent speech” software that would allow you to type 100 words per minute by detecting brain waves, without the need for invasive surgery. But again, this is not very likely.

In conclusion, and as Melanie envisaged from the title of her talk, your thoughts remain safe and private, for now. It is just a matter of taking care of who can access your brain activity data because, after all, it is as personal and sensitive as your DNA.
