{"id":5995,"date":"2024-09-20T12:00:09","date_gmt":"2024-09-20T12:00:09","guid":{"rendered":"https:\/\/blogs.luc.edu\/compliance\/?p=5995"},"modified":"2024-09-30T21:05:30","modified_gmt":"2024-09-30T21:05:30","slug":"breaching-the-last-bastion-of-the-human-psyche-neural-data-as-biometrics","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=5995","title":{"rendered":"Breaching the Last Bastion of the Human Psyche: Neural Data as Biometrics"},"content":{"rendered":"

Pete Haas<\/em>
\nAssociate Editor<\/em>
\nLoyola University Chicago, School of Law, JD 2025<\/em><\/p>\n

Earlier this year, the New York Times reported<\/a> on the proposed Colorado Privacy Act<\/a> and the impact it would have on neurotechnology which uses \u201cneural data<\/a>\u201d and already has noteworthy support within programming communities<\/a>. What the Colorado Privacy Act aims to address are not the labs and medical studies conducted within clinics, but how it may be used within a consumer context. The Colorado Privacy Act does more than Illinois\u2019 pioneer Biometric Information Protection Act (BIPA)<\/a>.<\/p>\n

Brief overview of biometric law<\/strong><\/p>\n

BIPA is the prominent law that established protection for consumers regarding their biometrics. Within the privacy space, there are few like it, though Colorado\u2019s bill would be of a similar nature. BIPA established the scope of protected biometric identifiers: a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. BIPA is explicit about what it protects, leaving little room for what is, and what is not, a biometric identifier. What BIPA does not consider are the expansions in terms of what biometrics are commercially available from a consumer.<\/p>\n

The most commonly known biometric in use today is the fingerprint. As the need for obtaining identity assurance\u2014for the benefit of a secure society\u2014fingerprints and other biometrics have become regularly used by government organizations including the Department of Justice<\/a> to identify arrestees, Department of Defense to identify combatants, and the Department of Homeland Security<\/a> to identify immigrants who may be illegally entering the US. Those biometrics, however, may be obtained in any number of ways, including through third parties. Clearview AI<\/a> is among the companies that employs facial recognition software to identify anyone in public. Clearview AI made its services available to private and public organizations, though it now is exclusively supporting law enforcement. Biometric information collected by companies like Clearview AI go well beyond the original collection use like banning people from sports venues<\/a>.<\/p>\n

Adding neural data to biometric identifiers<\/strong><\/p>\n

Where the Colorado Privacy Act improves on BIPA\u2019s lead is that it adds neural data to the list of protected sensitive information. Biometric information is considered sensitive personal information from a privacy perspective. A person\u2019s collective biometric identifiers are measurements for who that particular person is and is used as a unique identifier for that person\u2014much more sensitive and unique than their Social Security Number, photo, or address<\/a> (combined even). Because biometrics are closely tied to our identities, biometrics have been subject to certain privacy laws, BIPA and the Colorado Privacy Act included.<\/p>\n

Neural data is, perhaps, the most sensitive and personal access that can be granted to the external world. Neural data is collected through consumer electronics<\/a> and wearable technology<\/a> by monitoring brainwave activities and correlating that activity to basic thoughts and emotions. When neural data is combined with accurate interpretations for what brain waves may translate toward, anyone may be able to gain access to how a person thinks, what they are thinking, and what propensities they may have toward any given topic. Colorado rightly decided this technology should be carefully employed to protect consumers. With the concerning history of facial recognition<\/a> software to misidentify people, applying similar technology to determine what a person is thinking could have catastrophic consequences.<\/p>\n

A concise case for neural data as biometrics<\/strong><\/p>\n

The privacy concerns with neural data are rife with the potential for missteps and abuse, the least of which stem from the history of legally recognized biometrics<\/a>. Neurotechnology could provide a gateway for hefty legal implications, including erroneously founded ones. For instance, this new technology could register that innocent individuals have terrorist ideals, may pose a threat as a sexual offender, or may be homicidal. Alternatively, neurotechnology monitoring a person having legitimate concerns about their employer may be the trigger that leads to the termination of that employee. Data collected through neurotechnology must be protected to the same level, if not higher than, biometrics.<\/p>\n

While the widespread usage of such neurotechnology would likely be focused around recommending the next video or product, we have seen otherwise<\/a>. It could become the next avenue for law enforcement to promote and create a safer society, or for employers to \u201cbetter understand their employees.\u201d When considering the potential abuse of this technology and the sheer impact on privacy, neural data must receive the highest protections of the law.<\/p>\n","protected":false},"excerpt":{"rendered":"

Earlier this year, the New York Times reported on the proposed Colorado Privacy Act and the impact it would have on neurotechnology which uses \u201cneural data\u201d and already has noteworthy support within programming communities. What the Colorado Privacy Act aims to address are not the labs and medical studies conducted within clinics, but how it may be used within a consumer context. The Colorado Privacy Act does more than Illinois\u2019 pioneer Biometric Information Protection Act (BIPA).<\/p>\n","protected":false},"author":159,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45,50],"tags":[288,2205,293,2202,468,2207,715,1205,2204,2203,1623,1953,2206],"class_list":["post-5995","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-technology","tag-biometric","tag-biometric-information-protection-act","tag-bipa","tag-colorado-privacy-act","tag-compliance","tag-consumer-electronics","tag-employment","tag-journal-of-regulatory-compliance","tag-neural-data","tag-neurotechnology","tag-cybersecurity","tag-technology","tag-wearable-technology"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/5995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/159"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5995"}],"version-history":[{"count":3,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/5995\/revisions"}],"predecessor-version":[{"id":6092,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/5995\/revisions\/6092"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}