Whether it’s our location, contact lists, calendars, photo albums, or search requests, app developers, advertising companies and other tech firms are scrambling to learn everything they can about us in order to sell us things. Data from smartphone apps, aggregated by third-party companies, can indeed paint an eerily accurate picture of us, and data miners are increasingly able to predict how we will behave tomorrow. For example, as Future Tense blogger Ryan Gallagher reported for the Guardian, Raytheon, the world’s fifth-largest defense contractor, has developed software called RIOT (Rapid Information Overlay Technology) that can synthesize a vast amount of data culled from social networks.

By pulling, for instance, the invisible location metadata embedded in the pictures our cellphones take, RIOT tracks where we’ve been and accurately guesses where we will be — and provides all of this information to whomever is running the software. Other companies are increasing the accuracy of such forecasts by comparing our travel habits against our friends’ locations.

Amid the growing popularity of data mining, governments around the world are taking action on perceived misdeeds, like the $7 million fine Google faces for collecting unsecured information. But the stakes are far higher than lawmakers realize. New consumer devices are emerging that, left unchecked, could enable violations of our personal privacy on a far more intimate level: our brains.

Brain-computer interfaces have been widely used in the medical and research communities for decades, but in the last few years, the technology has broken out of the lab and into the marketplace with surprising speed. They work by recording brain activity and transmitting that information to a computer, which interprets it as various inputs or commands.

The most commonly used technique is electroencephalography, which is widely known as a medical diagnostic test (especially for detecting seizures) but now has more potential uses. An EEG device is typically a headset with a small number of electrodes placed on different parts of the skull in order to detect the electrical signals made by your brainwaves. While EEGs cannot read your mind in the traditional, Professor X sense, it turns out that your brainwaves can reveal a great deal about you, such as your attention level and emotional state, and possibly much more. For instance, the presence of beta waves correlates with excitement, focus and stress. One brain signal, known as the P300 response, correlates with recognition, say of a familiar face or object. This response is so well documented that it is widely used by psychologists and researchers in clinical studies. The popularity of EEG devices over other brain scanning technologies, like MRIs, stems from their low cost, their light weight, and their ability to collect real-time data.

Potential risks

In the last few years, the cost of EEG devices has dropped considerably, and consumer-grade headsets are becoming more affordable. A recreational headset capable of running a range of third-party applications can now be purchased for as little as $100.

The information promised by these devices could offer new value to developers, advertisers and users alike: Companies could detect whether you’re paying attention to ads, how you feel about them, and whether they are personally relevant to you. Imagine an app that can detect when you’re hungry and show you ads for restaurants.

But, as with data collected during smartphone use, the consequences for data collected through the use of BCIs reach far beyond mildly unsettling targeted ads. Health insurance companies could use EEG data to determine your deductible based on EEG-recorded stress levels. After all, we live in a world in which banks are determining creditworthiness through data mining and insurance companies are utilizing GPS technology to adjust premiums.

These problems aren’t entirely hypothetical. In August, researchers at the Usenix Security conference demonstrated that these early consumer-grade devices can be used to trick wearers into giving up their personal information. The researchers were able to significantly increase their odds of guessing the PINs, passwords and birthdays of subjects simply by measuring their responses to certain numbers, words and dates.

BCIs invoke serious law enforcement concerns as well. One company, Government Works Inc., is developing BCI headsets for lie detection and criminal investigations. By measuring a person’s responses to questions and images, the company claims to be able to determine whether that person has knowledge of certain information or events. According to one BCI manufacturer, evidence collected from these devices has already been used in criminal trials.