User Identity Protection in EEG-Based Brain–Computer Interfaces

A brain-computer interface (BCI) establishes a direct communication pathway between the brain and an external device. Electroencephalogram (EEG) is the most popular input signal in BCIs, due to its convenience and low cost. Most research on EEG-based BCIs focuses on the accurate decoding of EEG signals; however, EEG signals also contain rich private information, e.g., user identity, emotion, and so on, which should be protected. This paper first exposes a serious privacy problem in EEG-based BCIs, i.e., the user identity in EEG data can be easily learned so that different sessions of EEG data from the same user can be associated together to more reliably mine private information. To address this issue, we further propose two approaches to convert the original EEG data into identity-unlearnable EEG data, i.e., removing the user identity information while maintaining the good performance on the primary BCI task. Experiments on seven EEG datasets from five different BCI paradigms showed that on average the generated identity-unlearnable EEG data can reduce the user identification accuracy from 70.01% to at most 21.36%, greatly facilitating user privacy protection in EEG-based BCIs.

Machine learning has been extensively used to recognize complex EEG patterns in different BCI paradigms, such as motor imagery (MI) [9], event-related potentials (ERP) [10], emotion recognition [11], etc. Usually, adequate EEG data are needed to train an accurate machine learning model. However, EEG data contain not only task-specific information but also rich private information [12]. For example, Martinovic et al. [13] showed that various private information (credit cards, PIN numbers, known people, residential addresses) could be inferred from EEG signals. Ienca et al. [14] pointed out that direct-to-consumer neurotechnologies, including neuro-monitoring headsets and neuromodulation tools, may all have ethical concerns including privacy. Choi et al. [15] demonstrated that resting-state EEG signals could be used to infer the user identity at 88.4% accuracy. Landau et al. [16] also showed that meaningful personality traits and cognitive abilities could be predicted by analyzing resting-state EEG recordings.
To accommodate increasing privacy concerns, multiple laws worldwide, e.g., the General Data Protection Regulation of the European Union and the Personal Information Protection Law of China, have been established to enforce strict user privacy protection. As a result, in addition to simple anonymization and data sanitization, various more sophisticated privacy-protection approaches have been proposed for EEG-based BCIs, which can be grouped into the following two categories [12]: 1) Cryptography, which typically includes homomorphic encryption, secure multi-party computation, and secure processors. For example, Agarwal et al. [17] proposed secure multiparty computation based cryptographic protocols for privacy protection in EEG-based driver drowsiness estimation. 2) Privacy-preserving machine learning, which performs machine learning without seeing the raw EEG data or model parameters. Typical approaches include federated learning and source-free transfer learning. For example, Gu et al. [18] proposed frame-level teacher-student learning for EEG-based emotion recognition, where the user data privacy is protected by passing only the model weights instead of the EEG data to the student network. Xia et al. [19] proposed augmentation-based source-free adaptation, which performs privacy-preserving transfer learning in MI classification without accessing the source EEG data, or even the source model parameters.
Zhang and Wu [20] solved the same problem using lightweight source-free transfer. Zhang et al. [21] further proposed unsupervised privacy-preserving multisource decentralized transfer and demonstrated its effectiveness in MI classification and EEG-based emotion classification. Li et al. [22] proposed multi-domain model-agnostic meta-learning for privacy-preserving cross-subject and few-shot MI/ERP classification.
Another popular privacy-protection strategy is applying perturbation, which adds perturbation to or transforms the original data to hide private information while maintaining their utility for downstream tasks. Typical approaches include differential privacy and data reconstruction. However, to our knowledge, this strategy has not been investigated in EEG-based BCIs. This paper fills this gap by proposing a machine learning based perturbation approach to hide user identities in EEG-based BCIs. We first demonstrate that EEG data for different BCI tasks can be used to determine the user's identity, and then propose a framework to convert the original EEG data into identity-unlearnable ones while preserving the task-specific information for the primary BCI task.
Hiding user identities is very important in EEG-based BCIs. Consider the following scenario: a company collects EEG data from multiple volunteers, each with multiple sessions, to train a reliable MI classifier for its products. When a volunteer is performing the MI task, private health information like depression or seizure may be detected from the EEG signals, and the detection accuracy increases with the amount of EEG data. This privacy concern may hinder the recruitment of volunteers. However, if the user identity information can be reliably removed, i.e., multiple sessions from the same user are perturbed so that they cannot be associated with the same individual, then the risk of privacy leakage is significantly reduced, and volunteers may be more willing to contribute their data.
Another related example is EEG-based seizure classification. Consider the scenario that a company is collecting seizure EEG data from multiple hospitals to train an accurate and robust classifier. Each patient may have multiple sessions of EEG recordings during the diagnostics and treatment process in a hospital. If an algorithm can find out which sessions belong to the same patient, then it is possible to further infer how effective the treatment from that hospital is. This is sensitive information that a hospital may not want to disclose, as it affects its competitiveness and reputation. If we can remove the patient identities so that it is impossible to know which sessions are from the same patient, then more hospitals may be willing to participate.
Simple anonymization cannot remove the user identity completely. Fig. 1 uses MI-based BCIs (to distinguish the imagined movement of the left hand, right hand, both feet, and tongue, from EEGs) as an example. Task-Classifier 1 and User-Classifier 1 are trained on the unperturbed EEG data for MI classification and user classification, respectively. Task-Classifier 2 and User-Classifier 2, which have the same structures as Task-Classifier 1 and User-Classifier 1, respectively, are trained on the perturbed identity-unlearnable EEG data. In the test phase, both Task-Classifiers achieve similar MI classification accuracies (55% versus 54%); however, User-Classifier 1 can also associate the test data with the unperturbed training data from the same user accurately (88%), whereas User-Classifier 2 has poor performance (19%). Thus, the perturbed identity-unlearnable training EEG data protect the user identity privacy while maintaining a similar performance in the primary MI classification task.
Our main contributions are: 1) We demonstrate that various BCI paradigms can leak user identity information, hence the necessity of user identity protection. 2) We propose two approaches to generate identity-unlearnable EEG data, which can be used to protect the user identity privacy while maintaining the primary task classification accuracy in five different BCI paradigms.

II. METHOD
This section introduces the details of the generation of identity-unlearnable EEG data.

A. Problem Statement
Given , where $x_i \in \mathcal{X} \subset \mathbb{R}^{c \times t}$ is the i-th EEG trial with $c$ channels and $t$ time-domain samples, $y_i \in \mathcal{Y} = \{1, \ldots, K\}$ the task label (e.g., left fist and right fist in MI1), $u_i \in \mathcal{U} = \{1, \ldots, U\}$ the user identity label of the i-th EEG trial, and $N$ the number of EEG trials.
A feature extractor $F$ and a Task-Classifier $C$ can be trained on $\mathcal{D}$ to learn task-related patterns. For brevity, we denote the model as $H_C = C \circ F$, which maps the input space into a label space, i.e., $H_C : \mathcal{X} \to \mathcal{Y}$.
However, in addition to the task-related information, EEG data may also contain rich private information, such as the user identity. Although $F$ is primarily used to extract task-related features, the extracted features also contain rich user identity information. So, a User-Classifier $D$ can be constructed to learn the user identity information from the features extracted from $F$, i.e., $H_D = D \circ F : \mathcal{X} \to \mathcal{U}$ maps the input space into a user-identity space.
This paper aims to make the identity information in EEG data unlearnable, while preserving the task-related information. We generate an identity-unlearnable EEG dataset , where $x' = x + \delta$ and $\delta$ is a specifically designed perturbation. This dataset can be used to train $H_C$ normally as the original unperturbed dataset $\mathcal{D}$, but it is difficult to train $H_D$ to learn the user identity information.

B. Sample-Wise Perturbation Generation
Inspired by Reference [23], we add a crafted perturbation to each EEG trial that may have a strong correlation with the user identity, misleading the machine learning model to learn the perturbation pattern rather than the true user identity pattern. Simultaneously, we minimize the impact of the perturbation on the task-related information, ensuring its normal use in the primary task.
[Figure caption fragment: The EEG data of Session II can be accurately associated with the unperturbed EEG data of Session I from the same user while performing the primary MI classification task. For the perturbed EEG data, the high MI classification accuracy is maintained, whereas the test session cannot be associated with the training session from the same user.]
Specifically, we first train a feature extractor $F'$, a Task-Classifier $C'$, and a User-Classifier $D'$, to evaluate the impact of the perturbation on the task-related information and the identity-related information, which may be different from $F$, $C$ and $D$. Denote the models as where $\ell_{CE}$ is the cross-entropy loss, and $\alpha$ a trade-off parameter. Then, given an EEG trial $x$, we generate the corresponding perturbation $\delta$ by where $\ell_{MSE}$ is the mean squared error, $\beta$ a trade-off parameter, and $\epsilon$ the maximum perturbation amplitude. The first term constrains the impact of $\delta$ on the task-related information, and the second term enhances the correlation between the perturbation $\delta$ and the user identity $u$. A first-order optimization method, projected gradient descent [24], can be used to solve this minimization problem iteratively: where $i = 1, \cdots, n_{iter}$, and $n_{iter}$ is the number of iterations. $\xi \in \mathrm{Uniform}(-\epsilon, \epsilon)$ is a randomly initialized perturbation, $\eta$ the gradient step size, and $L$ the loss function in (2). $\mathrm{Proj}_{0,\epsilon}(\cdot)$ projects its input onto the $\ell_\infty$ ball of radius $\epsilon$ centered at 0.
To improve the effectiveness of the perturbation δ, we update δ after multiple (instead of only one) epochs of model training. Specifically, we first train the models by (1) for L epochs, then update δ with them by (4). After generating the perturbations for all EEG trials on dataset D, we train the models on dataset The perturbation updates repeat M times, and the final dataset D ′ is the identity-unlearnable EEG dataset. The pseudo-code of sample-wise perturbation generation is given in Algorithm 1.

Algorithm 1 Sample-Wise Perturbation Generation
, the original EEG dataset; H ′ C , the task classifier; H ′ D , the user classifier; L, the number of model training epochs before perturbation update; M, the maximum number of perturbation updates; ξ , a randomly initialized perturbation;
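The perturbation update for a single trial, as an added example that is not the authors' code. The page's equations (2) and (4) do not survive, so the loss form (MSE on the task output plus β times cross-entropy toward the user label) and the plain gradient step are assumptions; the frozen linear heads `A` and `B`, the 4-value "trial" and all parameter values are constructed toy stand-ins for $H'_C$, $H'_D$ and real EEG.

```python
import math
import random

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def softmax(z):
    top = max(z)
    e = [math.exp(v - top) for v in z]
    total = sum(e)
    return [v / total for v in e]

def loss_and_grad(A, B, x, delta, u, beta):
    """Assumed loss: MSE(A(x+delta), A x) + beta * CE(softmax(B(x+delta)), u)."""
    drift = matvec(A, delta)  # equals A(x+delta) - A x because A is linear
    p = softmax(matvec(B, [a + d for a, d in zip(x, delta)]))
    loss = sum(d * d for d in drift) / len(drift) - beta * math.log(p[u])
    err = [pi - (1.0 if i == u else 0.0) for i, pi in enumerate(p)]
    grad = []
    for j in range(len(x)):
        g_task = sum(2.0 * drift[k] * A[k][j] for k in range(len(A))) / len(A)
        g_user = sum(err[i] * B[i][j] for i in range(len(B)))
        grad.append(g_task + beta * g_user)
    return loss, grad

def project_linf(delta, eps):
    """Proj_{0,eps}: clip every coordinate into [-eps, eps]."""
    return [max(-eps, min(eps, d)) for d in delta]

def sample_wise_perturbation(A, B, x, u, eps, eta, beta, n_iter, seed=0):
    rng = random.Random(seed)
    delta = [rng.uniform(-eps, eps) for _ in x]  # xi ~ Uniform(-eps, eps)
    losses = []
    for _ in range(n_iter):
        loss, grad = loss_and_grad(A, B, x, delta, u, beta)
        losses.append(loss)
        # Assumed update: plain gradient step, then projection onto the ball.
        delta = project_linf([d - eta * g for d, g in zip(delta, grad)], eps)
    losses.append(loss_and_grad(A, B, x, delta, u, beta)[0])
    return delta, losses

# Constructed toy values (not EEG data): 4 features, 2 task classes, 3 users.
A = [[1.0, -0.5, 0.0, 0.5], [-1.0, 0.5, 0.0, -0.5]]  # frozen task head
B = [[0.2, 0.1, 1.0, 0.0],                           # frozen user head
     [0.0, -0.3, -1.0, 0.4],
     [-0.2, 0.2, 0.0, -0.4]]
X = [2.0, -1.0, 0.3, 0.5]
U_TRUE, EPS, ETA, BETA, N_ITER = 0, 0.5, 0.1, 1.0, 200

def run_demo():
    delta, losses = sample_wise_perturbation(A, B, X, U_TRUE, EPS, ETA, BETA, N_ITER)
    x_pert = [a + d for a, d in zip(X, delta)]
    argmax = lambda z: max(range(len(z)), key=z.__getitem__)
    return {
        "max_abs_delta": max(abs(d) for d in delta),
        "losses": losses,
        "task_pred_before": argmax(matvec(A, X)),
        "task_pred_after": argmax(matvec(A, x_pert)),
        "p_user_before": softmax(matvec(B, X))[U_TRUE],
        "p_user_after": softmax(matvec(B, x_pert))[U_TRUE],
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value if key != "losses" else (value[0], value[-1]))
```

The perturbation stays inside the ε-ball and leaves the task prediction unchanged, while the user head becomes more confident in the true user on the perturbed trial: the perturbation itself now carries the identity cue.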

C. User-Wise Perturbation Generation
To speed up perturbation generation, we further propose a user-wise perturbation generation approach to design a universal perturbation template for each user. Compared with the sample-wise perturbation, the user-wise perturbation is more convenient to implement in practice. One only needs to generate U perturbations to make the identity information of all EEG trials unlearnable.
To generate the user-wise perturbation, we also first train models $H'_C$ and $H'_D$ by (1) on dataset $\mathcal{D}$ till convergence. Then, we optimize $\delta = [\delta_1, \cdots, \delta_U]$ by gradient descent: where $\delta_u$ is the perturbation for user $u$, $\beta$ the trade-off parameter, and $\gamma$ the regularization coefficient. The first two terms are similar to those in (2). The last term constrains the perturbation amplitude.
The pseudo-code of user-wise perturbation generation is described in Algorithm 2.

III. EXPERIMENTAL SETTINGS
This section introduces the experimental settings for validating the effectiveness of the identity-unlearnable EEG data.

A. Datasets
This study used the following five publicly available EEG datasets:
[Algorithm fragment: M perturbation, the maximum number of perturbation optimization epochs; Output: An identity-unlearnable EEG dataset]
The EEG data were labeled by three human experts with one-second resolution. 14 seizure patients were used in this paper, 95% of whose EEG labels were consistent from the three experts. For preprocessing, we band-pass filtered the EEG data to [0.5, 70] Hz, down-sampled them to 128 Hz, and then segmented them into non-overlapping 1-second trials.
7) The Temple University Hospital EEG Seizure Corpus (TUSZ) [31]: The TUSZ dataset contains a training set from 579 users, an evaluation set from 43 users, and a development set from 53 users. 292 users in the training set, whose EEG recordings were longer than four seconds, were used in this study. The same preprocessing pipeline as that on NS was used. Additionally, since there are two types of EEGs (average re-referenced and linked ears re-referenced), we converted them to a temporal central parasagittal montage [32].

B. Models
We used the following three CNN models without the last fully-connected layer as feature extractors: 1) EEGNet [33]: EEGNet is a compact CNN architecture specifically designed for EEG-based BCIs. It consists of two convolutional blocks, where depthwise and separable convolutions instead of traditional convolutions are used to reduce the number of model parameters. 2) DeepCNN [34]: DeepCNN contains four convolutional blocks. The first convolutional block is specifically designed for EEG inputs, and the other three are standard convolutional blocks. 3) ShallowCNN [34]: ShallowCNN is a shallow version of DeepCNN, inspired by filter bank common spatial patterns. It has only one convolutional block with a larger kernel and a different pooling approach, compared with DeepCNN. Details of the architectures of EEGNet, DeepCNN, and ShallowCNN are given in Supplementary Tables I-III, respectively. We used one fully-connected layer as the Task-Classifier, and two fully-connected layers as the User-Classifier.

C. Experimental Settings
For each dataset, we performed leave-one-session-out cross-validation (i.e., one session as the training set, and the remaining sessions as the test set). Specifically, assume that the dataset contains $S$ sessions; then, one of the $S$ sessions was used to train a Task-Classifier and a User-Classifier, and the remaining $S - 1$ sessions were used to evaluate the classification accuracy. This validation process was repeated $S$ times so that each session became the training set once. The entire cross-validation process was repeated 5 times with different random seeds. The average BCAs and UIAs of the $5S$ runs were reported. Since the NS dataset has only one session, we divided each user's data into three equal-length sessions. In the TUSZ dataset, since different users had varying numbers of sessions, we used the first session of each user and divided it into two equal-length sub-sessions.

D. Performance Measures
As there is significant class imbalance in some BCI tasks, balanced classification accuracy (BCA) was used to evaluate the Task-Classifier's performance: where $K$ is the number of classes, $N_k$ the number of test samples in class $k$, $y_{pred,i}$ the classifier's prediction on the i-th test sample, and $\mathbb{1}(\cdot)$ an indicator function.
To measure the difficulty of mining the user identity information from the EEG data, the user identification accuracy (UIA) was used to evaluate the User-Classifier's performance: where $N_t$ is the number of test samples, $u_{pred,i}$ the classifier's prediction on the i-th test sample, and $u_i$ the true user identity.

E. Hyper-Parameters
The hyper-parameters for generating the sample-wise and user-wise perturbations in our experiments are shown in Tables I and II, respectively.

IV. RESULTS
This section validates the effectiveness of the identity-unlearnable EEG data.

A. User Identity Discovery in EEG-Based BCIs
In addition to the primary task, EEG data also contain rich user identity information.
To demonstrate that, we first trained a feature extractor and a Task-Classifier on the unperturbed training EEG data to perform the primary BCI task (e.g., MI classification), then used the learned task-related feature to train a User-Classifier to discriminate the identity. The test results are shown in the 'Unperturbed EEG' panel of Table III. Balanced classification accuracies (BCAs) of different BCI tasks were reasonable, and user identification accuracies (UIAs) were much higher than random guess (UIAs on MI1 were relatively low because its number of users is much larger), no matter which convolutional neural network (CNN) model (EEGNet, DeepCNN, or ShallowCNN) was used as the feature extractor. These results confirmed our conjecture: rich user identity information can be exploited from EEG data in different BCI paradigms, so that different sessions of EEG data from the same user can be accurately associated together.

B. User Identity Protection on the Perturbed EEG Data
To protect the user identity information in EEG-based BCIs, we perturbed the original EEG data into identity-unlearnable EEG data, from which machine learning models cannot easily identify which sessions are from the same user.
We generated sample-wise perturbations and user-wise perturbations (EEGNet was used as the feature extractor) and added them to the original EEG data, making the user identity information unlearnable. To evaluate its effectiveness, we first trained a feature extractor and a Task-Classifier on the perturbed training EEG data, then used the extracted features to train a User-Classifier. The results are shown in Table III. We can observe that: 1) The BCAs after both sample-wise perturbations and user-wise perturbations were very close to their counterparts on the unperturbed EEG, indicating that the perturbations had almost no negative impact on the primary BCI tasks.
2) The UIAs after both perturbations were significantly lower than their counterparts on the unperturbed EEG, indicating that little user identity information can be learned from the perturbed EEG data. Although EEGNet was always used as the feature extractor in training, the learned perturbations were still effective when DeepCNN and ShallowCNN were used as the feature extractor in testing, suggesting the generalization ability of sample-wise and user-wise perturbations. This makes our approach very easy to implement in practice: the user can use an arbitrary neural network model to perturb the EEG data for identity protection.

C. Characteristics of the Perturbed EEG Data
We further demonstrate that the identity-unlearnable EEG data are very similar to the original unperturbed EEG data from various perspectives.  In addition to deep learning, manual feature extraction and traditional machine learning models are also frequently used in EEG-based BCIs. Figs. 5(a) and 6(a) show t-SNE [35] visualizations of common spatial pattern [9] features extracted from the unperturbed EEG trials, sample-wise perturbed EEG trials (left), and user-wise perturbed EEG trials (right), on MI1 and MI2, respectively. The overall feature distributions are almost identical, with or without perturbations.
Figs. 5(a) and 6(b) show BCAs of logistic regression classifiers trained with common spatial pattern features on MI1 and MI2, respectively. To check if the BCA differences between the unperturbed EEG trials and their perturbed counterparts were statistically significant, p-values were calculated by the standard t-test and adjusted by Benjamini-Hochberg False Discovery Rate correction [36]. In most cases, there was no statistically significant difference between the results of the unperturbed EEG trials and the perturbed ones.
All of the above results demonstrated that the perturbed EEG trials have almost identical characteristics to their unperturbed counterparts in the primary BCI tasks.

D. Imperceptibility During Training
The high similarity between the identity-unlearnable EEG data and the original unperturbed EEG data can prevent privacy attackers from discovering that the data have been perturbed. We further compared the training processes of Task-Classifier and User-Classifier on the original unperturbed data and the identity-unlearnable data, to validate if the perturbation can be discovered from the training process.
Figs. 7(a) and 7(b) show the training and test curves of Task-Classifier and User-Classifier in the training process with the unperturbed data and their perturbed counterparts on the MI1 and MI2 datasets, respectively. The curves on the other five datasets are shown in Supplementary Figs. 17-21. We can observe that: 1) The training BCA and UIA curves on the unperturbed data and their perturbed counterparts were very similar, suggesting that it is almost impossible to discover that the data have been perturbed from the training process. 2) Consistent with Table III, the test BCA curves of Task-Classifier trained with the unperturbed and perturbed data were similar; however, the test UIA curves of User-Classifier trained with the identity-unlearnable data dramatically decreased, compared with those on their unperturbed counterparts, indicating that the user identity related information is removed.

E. Privacy Protection in Online Scenario
We further verified the effectiveness of our proposed approaches in an online scenario, where EEG data of different users are sequentially acquired. We simulated this scenario on the MI1 dataset which has many users, assuming that EEG data of 10 users are collected each time. We converted the newly acquired EEG data into identity-unlearnable ones and added them to the dataset. Fig. 8 shows the UIAs of User-Classifier on existing users and new users. UIAs on the identity-unlearnable data were maintained at a very low level as the number of users increased, indicating the effectiveness of our approaches in online learning, i.e., we can protect the identity privacy of the new users while maintaining the privacy-protection ability for previous users. On the contrary, the UIAs almost always exceeded 50% if the original unperturbed EEG data were used.

V. DISCUSSIONS
This paper has proposed two approaches to perturb the original EEG data into identity-unlearnable EEG data, which protect the user identity privacy while maintaining the primary BCI task classification accuracy. Experiments on seven EEG datasets from five different BCI paradigms demonstrated their effectiveness. Furthermore, we validated the effectiveness of the proposed approaches on the emotion recognition dataset SEED [37]. However, considering the relatively low UIA of 34.22% on the unperturbed SEED dataset, we did not include the results on the SEED in the paper. It may be attributed to the limited amount of user data in each session, which leads to overfitting of the models.
In the experiments, we used EEGNet as a feature extractor to generate identity-unlearnable perturbations, and utilized the transferability of the perturbations across models to apply them to DeepCNN and ShallowCNN. However, the transfer effectiveness may depend on the similarity between models, e.g., the greater differences between DeepCNN and EEGNet led to relatively less effective results on DeepCNN.
We further explored the effectiveness of the perturbations generated by EEGNet on Long Short-Term Memory (LSTM). Table IV shows the UIAs of the 1D-LSTM model [38] for user identification on identity-unlearnable EEG data. The average reduction of UIAs is lower than that in Table III, indicating again that the transferability of the perturbations is impacted by the similarity between models. Our future research will investigate how to improve the perturbation transferability.
Our proposed approaches remove user identity from the EEG data, but there are also scenarios in which user identity could be useful, for example, EEG recognition, or linking the same user's EEGs across different devices. In these scenarios, our approaches can be used for cryptography, i.e., recovering the original EEG data by subtracting the identity-unlearnable perturbations. Additionally, since the identity-unlearnable perturbations are user-specific, the user-wise perturbations can also be used as features for user identification.

VI. CONCLUSION
EEG signals contain rich private information, e.g., user identity, emotion, and so on, which should be protected in EEG-based BCIs. This paper has exposed a serious privacy problem in EEG-based BCIs, i.e., the user identity in EEG data can be easily learned so that different sessions of EEG data from the same user can be associated together to more reliably mine private information. To address this issue, we proposed two approaches to convert the original EEG data into identity-unlearnable EEG data, i.e., removing the user identity information while maintaining the good performance on the primary BCI task. Experiments on seven EEG datasets from five different BCI paradigms showed that on average the generated identity-unlearnable EEG data can reduce the user identification accuracy by at least 48.65%, greatly facilitating user privacy protection in EEG-based BCIs.