Given the task of designing an authentication system that uses brain waves as input, researchers typically focus on the sole objective of maximizing authentication accuracy. In this paper, we challenge this common wisdom and argue that, because brain waves encode a lot of other (potentially sensitive) information about the user, this single-pronged, privacy-agnostic approach can have significant privacy implications. Based on a publicly accessible dataset, we rigorously analyze two EEG-based authentication systems built in accordance with this philosophy and show that such designs could potentially divulge more of the users' sensitive personal information than of the information needed for the intended authentication functionality. The paper argues for privacy-aware designs for systems that take brain signals as input.
State: Published - Dec 2016