The following is Part 1 of a five part student blog series sharing the excellent work of Edinburgh Law School undergraduate and postgraduate students on the Contemporary Issues in Medical Jurisprudence course.
Orwell projected a future where “nothing was your own except the few cubic centimetres inside your skull” but novel neurotechnologies, particularly neural implants, might erode such intrinsic dimension. These brain-implanted devices have been developing exponentially to treat severe medical conditions. However, like any other technological device, their wireless connectivity makes them susceptible to being hacked by third parties – a matter that may compromise their ambitious future.
This begs a larger question of how the law shall determine the legitimate conditions to interfere with an individual’s neural activity. Furthermore, how can the law guarantee the alignment of personal freedoms and neurotechnological development? I am to explore these tensions further in this blog. I will first argue the potential legal implications of hacking neural devices. I will then link such devastating consequences to why brain data warrants normative protection. This blog evinces why neural data regulation – through the extension of the right to privacy to include mental privacy – is paramount. It would protect individuals against unauthorised third-party intrusion into their brain data, unconsented collection and use of such data and enshrine the development and security of these novel neurotechnologies. Finally, I will look at the broader implications of neural data protection, particularly its use in future criminal trials.
Brainjacking: a theoretical crime the law should look out for
Neural implants target specific sets of neurons through direct contact with brain tissue. Implanted neuromodulation is medically promising; however, its technological nature makes it highly susceptible to third-party interference. In fact, cardiac defibrillators and insulin pumps have already been hacked in real life. Even worse, as neural implants are in constant connection with neural circuits, they enable access to visualise the neural correlates of an individual’s mental processes. In short, neural implants can read and record brain activity.
Research suggests that such technological vulnerability paves the way for brainjacking – a theoretical proposal of crime in which third parties unauthorisedly control, attack or alter these neurotechnologies. Brainjacking or ‘mind hacking’ through blind or targeted attacks can potentially disrupt individuals’ behaviour or steal their most personal thoughts and memories. Furthermore, if malicious neuromodulation occurs, third parties will be able to access, record, decode or extract brain data and activity (“neural data”) of any neurodevice user.
STEM experts sustain that brainjacking poses a severe threat as neural data can be stolen or hacked. The potential consequences of ‘mind hacking’ or the extent of ‘mind reading’ remains relatively unexplored by neurolaw and neuroethics literature; however, unauthorised collection of neural data could likely enter illegal markets where selling, transferring or manipulation would potentially occur. No doubt, a single brainjacking incident would malign a neural implant’s reputation and raise endless privacy and safety questions. In consequence, it is paramount for the law to address these novel dimensional threats to human privacy before neural implants hit commercial markets.
The (Neuro)Right to Mental Privacy
The aforesaid threats demand a reconceptualisation of the internationally recognised human right to privacy to include mental privacy. Following this idea, Chile is pioneering mental privacy protection by endorsing a bill on neuroprotection. This initiative seeks to recognise five neurorights, including the right to mental privacy.
It is vital to elucidate that a neuroright does not refer to “creating” a new human right. Instead, it is an extension of existing human rights, in this case, the right to privacy to further protect an individual’s cerebral and mental domain. As shown, the neurotechnological revolution is making traditional notions of privacy obsolete. However, the umbrella of protection of current international human rights frameworks and data protection laws does not encapsulate mental privacy as they do not explicitly cover neural data nor contemplate scenarios of unauthorised collection or use of such data.
Neural data lacks normative protection as there are multiple caveats to the concept of personal data found in diverse international legal frameworks such as the GDPR. To illustrate such lacunae, the GDPR would not be applicable to the brain if the data extracted from neural implants is anonymised. Moreover, as neural data often escapes conscious control and leaves the door open for re-identification, it is exceptionally challenging to safeguard an individual’s right to be forgotten. Furthermore, instruments like the GDPR may offer insufficient neural data protection as they permit several exemptions to subjects’ rights such as research purposes. Additionally, subjecting neural data to purpose limitation would be particularly difficult because neural implants cannot discern purpose-specific neural data from the pool of brain signals and subconscious processes.
In view of these factors, it is not yet clear how people will exercise solid control over their neural data. Moreover, as neurotechnology disseminates outside clinical settings, the law is faced with the challenging task of delimitating what rights are individuals entitled to exercise in relation to their mental dimension.
The motivations to advocate for a neuroright to mental privacy are clear cut as no specific governance framework currently focuses on the human brain. Furthermore, existing legal frameworks are becoming vague to deal with the pitfalls stemming from neurotechnological advances. Thus, neural data regulation is paramount to prevent neural implants from being used as a brain-reading technology that hinders the promising medical and cognitive enhancement benefits, protect individuals against malicious intrusion and unauthorised collection of their most intrinsic mental processes, including intentions, memories and even dreams.
Efforts to protect neural data must also be enforced by criminal justice systems. For instance, Argentina’s Parliament is about to discuss a bill to include neurorights in their Criminal Procedure Code. Criminal regulation will also shed light on the legitimate conditions to access or interfere with an individual’s neural data. To do so, the criminal law should establish mechanisms and delimitate the exceptional circumstances to use such data. For example, neural data shall require opt-in scrutinised authorisation for its collection and use in criminal trials. Regulating mental privacy on criminal codes will also mitigate the emergent pave of future crime such as brainjacking.
Overall, as neural breaches of privacy bypass conscious reasoning, they are potentially more dangerous than conventional breaches because they leave individuals without protection against their mental states. The rapid expansion of cutting-edge neurotechnologies warrants mental privacy protection. This will guarantee an individual’s sovereignty over their neural data and countermeasures to mitigate brainjacking – as this threat will apply to any user of brain implanted devices.
Claudia González-Márquez (Twitter: @cgzzmarquez)is a Medical Law & Ethics LLM student at The University of Edinburgh. Their research interests lie at the intersection between ethics, law and neuroscience, with a particular focus in neuroethics surrounding emerging neurotechnologies. They are currently working on their master’s dissertation titled ‘Neuromodulation and Memory: What Are the Ethical Implications of Memory Modification Caused by Implantable Neural Devices?’.