pith. sign in

arxiv: 2605.11386 · v1 · submitted 2026-05-12 · 💻 cs.AI

Revisiting Privacy Preservation in Brain-Computer Interfaces: Conceptual Boundaries, Risk Pathways, and a Protection-Strength Grading Framework

Lei Sun , Xiuqing Mao , Shuai Zhang , Qingyu Zeng , Min Zhao , Jiyuan Li , Wenle Dong This is my paper

Pith reviewed 2026-05-13 02:38 UTC · model grok-4.3

classification 💻 cs.AI
keywords brain-computer interfaceneural data privacyuser data privacymodel privacyprotection-strength gradingdisentanglementneuroethical risksrisk pathways
0
0 comments X

The pith

A three-dimensional framework classifies BCI privacy techniques into four protection-strength levels by tracking objects, lifecycle stages, and strength.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper begins with the standard BCI setup of direct links from brain signals to external systems and traces how privacy risks extend beyond raw signals to include derived representations, models, and decoded outputs across every stage from collection to feedback. It defines shared risk pathways that connect user data privacy with model privacy and sets clear boundaries around what counts as protected information. The central proposal is a grading system with three axes—protection object, lifecycle stage, and dominant protection strength—that sorts existing methods into four discrete levels. If the classification holds, developers could select protections that match the sensitivity of the data without unnecessary loss of performance. The review also notes that effective privacy requires disentangling task-irrelevant personal details while leaving mental privacy and broader neuroethical questions as areas still needing work.

Core claim

Starting from the general BCI paradigm, the paper defines privacy-protection boundaries and protection objects, shows the relationship between user data privacy and model privacy within a shared risk pathway, and proposes a three-dimensional framework of protection object, lifecycle stage, and dominant protection-strength level that organizes existing techniques into four levels of protection strength, while treating mental privacy and neuroethical risks as open issues that call for disentanglement of task-irrelevant sensitive information without harming utility.

What carries the argument

The three-dimensional protection-strength grading framework, which places each privacy method at the intersection of what object is protected, which lifecycle stage it applies to, and its dominant level of strength to enable consistent classification into four tiers.

If this is right

  • Methods can be compared and chosen according to the specific object being protected at each stage of data handling.
  • Four levels distinguish basic signal masking from advanced techniques that separate task-relevant from sensitive information.
  • Protection choices can balance privacy strength against retained utility in clinical or edge deployments.
  • Mental privacy concerns remain outside the current technical grading and require separate neuroethical attention.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The grading axes could be tested by applying them to a new set of recently published BCI privacy methods to check for consistent placement.
  • If the four levels prove stable, regulators might use the framework to set minimum requirements for different BCI use cases.
  • Extending the lifecycle axis to include post-deployment monitoring could reveal whether current protections hold when models are updated with new user data.

Load-bearing premise

BCI privacy techniques can be sorted reliably into four discrete protection-strength levels along the three proposed axes without significant overlap, gaps, or subjective judgment.

What would settle it

A collection of BCI privacy papers where multiple independent reviewers assign the same method to different strength levels or cannot place it on the three axes without disagreement.

Figures

Figures reproduced from arXiv: 2605.11386 by Jiyuan Li, Lei Sun, Min Zhao, Qingyu Zeng, Shuai Zhang, Wenle Dong, Xiuqing Mao.

Figure 1
Figure 1. Figure 1: General BCI Paradigm and Neural Signal Generation–Decoding Chain [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Privacy Risk Spectrum Across Different BCI Neural Data Modalities [PITH_FULL_IMAGE:figures/full_fig_p012_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Core Analytical Framework for BCI Privacy Protection [PITH_FULL_IMAGE:figures/full_fig_p017_3.png] view at source ↗
read the original abstract

Brain-computer interfaces (BCIs) are moving rapidly from laboratory research into clinical, edge, and real-world settings. Under ISO/IEC 8663:2025, a BCI is a direct communication link between central nervous system activity and external software or hardware systems. This link expands privacy risk beyond raw neural-signal leakage: neural data, derived representations, model assets, and decoded outputs can be re-associated with individuals across collection, transmission, storage, training, inference, and feedback, or used to infer information beyond what a task requires. Starting from the general BCI paradigm, this review deffnes privacy-protection boundaries, protection objects, and the relationship between user data privacy and model privacy within a shared risk pathway. It then proposes a three-dimensional framework - protection object, lifecycle stage, and dominant protection-strength level - to classify existing work into four levels of protection strength. Finally, mental privacy and neuroethical risks are treated as open issues, emphasizing that BCI privacy protection should not only obscure data but also disentangle task-irrelevant sensitive information while preserving downstream utility. Keywords: Brain-computer interface, Neural data privacy, User data privacy, Model privacy, Disentanglement of task-irrelevant sensitive information, Protection-strength grading, Neuroethical risks

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. This review starts from the general BCI paradigm under ISO/IEC 8663:2025 to define privacy-protection boundaries, protection objects, and the shared risk pathway linking user data privacy and model privacy across collection, transmission, storage, training, inference, and feedback. It proposes a three-dimensional classification framework (protection object, lifecycle stage, and dominant protection-strength level) that sorts existing BCI privacy techniques into four discrete protection-strength levels, while treating mental privacy and neuroethical risks as open issues and stressing the need to disentangle task-irrelevant sensitive information without sacrificing utility.

Significance. If operationalized with reproducible criteria, the framework could usefully organize the BCI privacy literature, surface gaps in current techniques, and inform standards development by distinguishing mere data obfuscation from genuine disentanglement. The conceptual mapping of risk pathways and the emphasis on preserving downstream utility are timely given the shift of BCIs into clinical and edge deployments.

major comments (2)
  1. [Section proposing the three-dimensional framework] Section proposing the three-dimensional framework: the central claim that existing work can be systematically classified into four protection-strength levels rests on the 'dominant protection-strength level' axis, yet no explicit decision procedure, scoring rubric, or threshold rules are supplied for determining dominance when a technique spans multiple protection objects or lifecycle stages. This is load-bearing; without such criteria, assignments (e.g., a method that partially disentangles sensitive information at inference while leaving raw signals exposed at collection) remain open to subjective judgment and risk non-reproducible or overlapping classifications.
  2. [Framework application section] Framework application section: the manuscript states that the framework is used to classify existing work but provides no concrete mapping table, worked examples, or inter-rater consistency check showing how specific published methods are assigned to the four levels. This absence leaves the framework's practical utility and the claim of low-overlap partitioning untested.
minor comments (2)
  1. [Abstract] Abstract: 'deffnes' is a typographical error and should read 'defines'.
  2. [Framework definition] The four protection-strength levels are introduced conceptually but never given explicit names or short descriptors in the text, which would aid readability when the framework is later referenced.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback, which identifies key areas where the framework's reproducibility and demonstrated utility can be strengthened. We address each major comment in turn and commit to revisions that directly respond to the concerns raised.

read point-by-point responses

  1. Referee: [Section proposing the three-dimensional framework] Section proposing the three-dimensional framework: the central claim that existing work can be systematically classified into four protection-strength levels rests on the 'dominant protection-strength level' axis, yet no explicit decision procedure, scoring rubric, or threshold rules are supplied for determining dominance when a technique spans multiple protection objects or lifecycle stages. This is load-bearing; without such criteria, assignments (e.g., a method that partially disentangles sensitive information at inference while leaving raw signals exposed at collection) remain open to subjective judgment and risk non-reproducible or overlapping classifications.

    Authors: We agree that an explicit decision procedure is necessary to support reproducible classifications. In the revised manuscript we will insert a new subsection that defines a step-by-step rubric for determining the dominant protection-strength level. The rubric will specify quantitative thresholds (for example, the fraction of risk mitigated at the primary stage versus secondary stages) and tie-breaking rules when a technique affects multiple objects or lifecycle phases. We will apply the procedure to the referee's own example to illustrate how dominance is resolved without ambiguity. revision: yes

  2. Referee: [Framework application section] Framework application section: the manuscript states that the framework is used to classify existing work but provides no concrete mapping table, worked examples, or inter-rater consistency check showing how specific published methods are assigned to the four levels. This absence leaves the framework's practical utility and the claim of low-overlap partitioning untested.

    Authors: We accept that the current text lacks a concrete mapping and worked examples. The revised version will add a mapping table that classifies at least ten representative BCI privacy methods drawn from the literature, using the newly specified decision procedure. Two detailed worked examples—one involving a multi-stage technique—will be included to show the classification steps and to substantiate the low-overlap claim. A formal inter-rater study lies outside the scope of this conceptual review, but the added documentation will enable such validation by the community. revision: yes

Circularity Check

0 steps flagged

No circularity; conceptual classification framework is self-contained

full rationale

The paper is a literature review that starts from the standard BCI paradigm, defines privacy boundaries and objects conceptually, and proposes a three-dimensional classification scheme (protection object, lifecycle stage, dominant protection-strength level) to organize existing techniques into four levels. No equations, derivations, fitted parameters, or predictions appear in the provided text. The framework is presented as an organizing proposal grounded in external literature analysis rather than any reduction to self-defined inputs or self-citations. No load-bearing step reduces by construction to the paper's own outputs; the central claim remains an independent conceptual contribution.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper rests on standard domain assumptions about BCI data flows and privacy concepts drawn from ISO standards and existing literature, with no free parameters, invented entities, or ad-hoc axioms required for the central framework proposal.

axioms (1)
  • domain assumption A BCI is a direct communication link between central nervous system activity and external software or hardware systems per ISO/IEC 8663:2025
    Defines the scope of privacy risks beyond raw signals.

pith-pipeline@v0.9.0 · 5545 in / 1204 out tokens · 46234 ms · 2026-05-13T02:38:04.755135+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

92 extracted references · 92 canonical work pages · 1 internal anchor

  1. [1]

    The state of clinical trials of implantable brain–computer interfaces [J]

    PATRICK-KRUEGER K M, BURKHART I, CONTRERAS-VIDAL J L. The state of clinical trials of implantable brain–computer interfaces [J]. Nature Reviews Bioengineering, 2024, 3(1): 50-67. (2024)

    work page 2024

  2. [2]

    Privacy-Preserving Brain–Computer Interfaces: A Systematic Review[J]

    XIA K, DUCH W, SUN Y, et al. Privacy-Preserving Brain–Computer Interfaces: A Systematic Review[J]. IEEE Transactions on Computa- tional Social Systems, 2023, 10(5): 2312-2324. (2023)

    work page 2023

  3. [3]

    Semantic reconstruction of con- tinuous language from non-invasive brain recordings[J]

    TANG J, LEBEL A, JAIN S, et al. Semantic reconstruction of con- tinuous language from non-invasive brain recordings[J]. Nature Neuro- science, 2023, 26(5): 858-866. (2023)

    work page 2023

  4. [4]

    Towards new human rights in the age of neuroscience and neurotechnology[J]

    IENCA M, ANDORNO R. Towards new human rights in the age of neuroscience and neurotechnology[J]. Life Sciences, Society and Policy, 2017, 13(1): 5. (2017)

    work page 2017

  5. [5]

    Decoding speech perception from non-invasive brain recordings[J]

    DÉFOSSEZ A, CANDIOTTI L, DEMBINSKI C, et al. Decoding speech perception from non-invasive brain recordings[J]. Nature Machine Intel- ligence, 2023, 5(10): 1097-1107. (2023). 45

    work page 2023

  6. [6]

    Image classification and reconstruction from low-density EEG[J]

    GUENTHER N, SCHMITT L M, TONG J, et al. Image classification and reconstruction from low-density EEG[J]. Scientific Reports, 2024, 14: 14498. (2024)

    work page 2024

  7. [7]

    Membership Inference At- tacks Against Machine Learning Models[C/OL]//2017 IEEE Sympo- sium on Security and Privacy (SP)

    SHOKRI R, STRONATI M, SONG C, et al. Membership Inference At- tacks Against Machine Learning Models[C/OL]//2017 IEEE Sympo- sium on Security and Privacy (SP). San Jose, CA, USA: IEEE, 2017: 3-18[2026-04-02].http://ieeexplore.ieee.org/document/7958568/. (2017)

    work page arXiv 2017

  8. [8]

    NASR M, SHOKRI R, HOUMANSADR A. Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference At- tacks against Centralized and Federated Learning[C/OL]//2019 IEEE Symposium on Security and Privacy (SP). 2019: 739-753[2026-04-02]. http://arxiv.org/abs/1812.00910. (2019)

    work page arXiv 2019

  9. [9]

    ZHUL,LIUZ,HANS.DeepLeakagefromGradients[C/OL]//Advances in Neural Information Processing Systems: Vol. 32. Curran Associates, Inc., 2019[2026-04-02].https : / / proceedings . neurips . cc / paper / 2019 / hash / 60a6c4002cc7b29142def8871531281a-Abstract . html. (2019)

    work page 2019

  10. [10]

    Invert- ing Gradients - How easy is it to break privacy in fed- erated learning? [C/OL] // Advances in Neural Informa- tion Processing Systems: Vol

    GEIPING J, BAUERMEISTER H, DROGE H, et al. Invert- ing Gradients - How easy is it to break privacy in fed- erated learning? [C/OL] // Advances in Neural Informa- tion Processing Systems: Vol. 33. Curran Associates, Inc., 2020: 16937-16947 [2026-04-02].https : / / proceedings . neurips . cc/paper_files/paper/2020/hash/c4ede56bbd98819ae6112b20ac6bf145- Abst...

    work page 2020

  11. [11]

    GANJU K, WANG Q, YANG W, et al. Property Inference Attacks on Fully Connected Neural Networks using Permutation Invariant Rep- resentations[C/OL]//Proceedings of the 2018 ACM SIGSAC Confer- ence on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2018: 619–633 [2026-04-01]. https://dl.acm.org/doi/10.1145/324373...

    work page doi:10.1145/3243734.3243834 2018

  12. [12]

    Exploiting Unintended Feature Leakage in Collaborative Learning[EB/OL]

    MELIS L, SONG C, CRISTOFARO E D, et al. Exploiting Unintended Feature Leakage in Collaborative Learning[EB/OL]. arXiv, 2018[2026- 04-02].http://arxiv.org/abs/1805.04049. (2018). 46

    work page arXiv 2018

  13. [13]

    FREDRIKSON M, JHA S, RISTENPART T. Model Inversion At- tacks that Exploit Confidence Information and Basic Countermea- sures[C/OL]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: Associ- ation for Computing Machinery, 2015: 1322–1333 [2026-04-01].https: //dl.acm.org/doi/10.1145/2810103.2813677. (2015)

    work page doi:10.1145/2810103.2813677 2015

  14. [14]

    Beyond neural data: Cognitive biometrics and mental privacy[J]

    MAGEE P, IENCA M, FARAHANY N. Beyond neural data: Cognitive biometrics and mental privacy[J]. Neuron, 2024, 112(18): 3017-3028. (2024)

    work page 2024

  15. [15]

    [2026-04-09].https : / / www

    Recommendation on the Ethics of Neurotechnology - Legal Af- fairs[EB/OL]. [2026-04-09].https : / / www . unesco . org / en / legal-affairs/recommendation-ethics-neurotechnology. (2026)

    work page 2026

  16. [16]

    Mental privacy: navigating risks, rights and regulation: Advances in neuroscience challenge contemporary legal frameworks to protect mental privacy[J]

    SZOSZKIEWICZ Ł, YUSTE R. Mental privacy: navigating risks, rights and regulation: Advances in neuroscience challenge contemporary legal frameworks to protect mental privacy[J]. EMBO Reports, 2025, 26(14): 3469-3473. (2025)

    work page 2025

  17. [17]

    Four ethical priorities for neurotechnologies and AI[J]

    YUSTE R, GOERING S, ARCAS B A Y, et al. Four ethical priorities for neurotechnologies and AI[J]. Nature, 2017, 551(7679): 159-163. (2017)

    work page 2017

  18. [18]

    Addressing privacy risk in neuroscience data: from data protection to harm prevention[J]

    JWA A S, POLDRACK R A. Addressing privacy risk in neuroscience data: from data protection to harm prevention[J]. Journal of Law and the Biosciences, 2022, 9(2): lsac025. (2022)

    work page 2022

  19. [19]

    Brain–computer interface: trends, challenges, and threats[J]

    MAISELI B, ABDALLA A T, MASSAWE L V, et al. Brain–computer interface: trends, challenges, and threats[J]. Brain Informatics, 2023, 10(1): 20-35. (2023)

    work page 2023

  20. [20]

    Communication- Efficient Learning of Deep Networks from Decentralized Data[C/OL]//Proceedings of the 20th International Conference on Artificial Intelligence and Statistics

    MCMAHAN B, MOORE E, RAMAGE D, et al. Communication- Efficient Learning of Deep Networks from Decentralized Data[C/OL]//Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. PMLR, 2017: 1273-1282[2026- 04-01].https : / / proceedings . mlr . press / v54 / mcmahan17a . html. (2017)

    work page 2017

  21. [21]

    Advances and Open Problems in Feder- ated Learning[J]

    KAIROUZ P, MCMAHAN H B. Advances and Open Problems in Feder- ated Learning[J]. Foundations and Trends®in Machine Learning, 2021, 14(1-2): 1-210. (2021). 47

    work page 2021

  22. [22]

    The Algorithmic Foundations of Differential Pri- vacy[J]

    DWORK C, ROTH A. The Algorithmic Foundations of Differential Pri- vacy[J]. Foundations and Trends®in Theoretical Computer Science, 2014, 9(3-4): 211-487. (2014)

    work page 2014

  23. [23]

    Guidelines for Evalu- ating Differential Privacy Guarantees[R]

    NEAR J P, ABUHALIMEH H, HAY M, et al. Guidelines for Evalu- ating Differential Privacy Guarantees[R]. Gaithersburg, MD: National Institute of Standards and Technology, 2023: NIST SP 800-226. (2023)

    work page 2023

  24. [24]

    Fully homomorphic encryption using ideal lattices [C/OL]//Proceedings of the forty-first annual ACM symposium on The- ory of computing

    GENTRY C. Fully homomorphic encryption using ideal lattices [C/OL]//Proceedings of the forty-first annual ACM symposium on The- ory of computing. New York, NY, USA: Association for Computing Ma- chinery, 2009: 169–178 [2026-04-09].https://dl.acm.org/doi/10. 1145/1536414.1536440. (2009)

    work page arXiv 2009

  25. [25]

    Practical secure aggregation for privacy-preserving machine learning,

    BONAWITZ K, IVANOV V, KREUTER B, et al. Practi- cal Secure Aggregation for Privacy-Preserving Machine Learn- ing[C/OL]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2017: 1175-1191[2026-04-01]. https://dl.acm.org/doi/10.1145/3133956.3133982. (2017)

    work page doi:10.1145/3133956.3133982 2017

  26. [26]

    Privacy-Preserving Classification of EEG Data Using Machine Learning and Homomor- phic Encryption [J/OL]

    POPESCU A B, TACA I A, NITA C I, et al. Privacy-Preserving Classification of EEG Data Using Machine Learning and Homomor- phic Encryption [J/OL]. Applied Sciences, 2021, 11 (16)[2026-02-25]. https://www.mdpi.com/2076-3417/11/16/7360. (2021)

    work page 2021

  27. [27]

    Lightweight Privacy-Preserving Fea- ture Extraction for EEG Signals Under Edge Computing[J]

    YAN N, CHENG H, LIU X, et al. Lightweight Privacy-Preserving Fea- ture Extraction for EEG Signals Under Edge Computing[J]. IEEE In- ternet of Things Journal, 2024, 11(2): 2520-2533. (2024)

    work page 2024

  28. [28]

    ISO/IEC 8663:2025 Information technology - Brain-computer interfaces - Vocabulary[S]

    ISO/IEC. ISO/IEC 8663:2025 Information technology - Brain-computer interfaces - Vocabulary[S]. Geneva: International Organization for Stan- dardization / International Electrotechnical Commission, 2025. (2025)

    work page 2025

  29. [29]

    Science 304(5679):1926--1929

    BUZSÁKI G, DRAGUHN A. Neuronal oscillations in cor- tical networks[J]. Science, 2004, 304(5679): 1926-1929. DOI:10.1126/science.1099745. (2004)

    work page doi:10.1126/science.1099745 2004

  30. [30]

    Functional and effective connectivity: A review[J]

    FRISTON K J. Functional and effective connectivity: A review[J]. Brain Connectivity, 2011, 1(1): 13-36. DOI:10.1089/brain.2011.0008. (2011). 48

    work page doi:10.1089/brain.2011.0008 2011

  31. [31]

    Regulating neural data processing in the age of BCIs: Ethical concerns and legal approaches[J]

    YANG H, JIANG L. Regulating neural data processing in the age of BCIs: Ethical concerns and legal approaches[J]. DIGITAL HEALTH, 2025, 11: 20552076251326123. (2025)

    work page 2025

  32. [32]

    Advocating for neurodata privacy and neurotechnology reg- ulation[J]

    YUSTE R. Advocating for neurodata privacy and neurotechnology reg- ulation[J]. Nature Protocols, 2023, 18(10): 2869–2875. (2023)

    work page 2023

  33. [33]

    Privacy and Freedom[M]

    WESTIN A F. Privacy and Freedom[M]. New York: Atheneum, 1967. (1967)

    work page 1967

  34. [34]

    Privacy as contextual integrity[J]

    NISSENBAUM H. Privacy as contextual integrity[J]. Washington Law Review, 2004, 79. (2004)

    work page 2004

  35. [35]

    [2026-04-17].https : //legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188

    OECD Legal Instruments[EB/OL]. [2026-04-17].https : //legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188. (2026)

    work page 2026

  36. [36]

    An introduction to privacy engineering and risk management in federal systems: NIST IR 8062[R/OL]

    BROOKS S, GARCIA M, LEFKOVITZ N, et al. An introduction to privacy engineering and risk management in federal systems: NIST IR 8062[R/OL]. Gaithersburg, MD: National Institute of Standards and Technology, 2017: NIST IR 8062[2026-04-17].https://nvlpubs.nist. gov/nistpubs/ir/2017/NIST.IR.8062.pdf. (2017)

    work page 2017

  37. [37]

    The Right to Privacy[J]

    WARREN S D, BRANDEIS L D. The Right to Privacy[J]. Harvard Law Review, 1890, 4(5): 193-220. (1890)

    work page

  38. [38]

    Information technology – Security techniques – Privacyframework[S].Geneva: InternationalOrganizationforStandard- ization, 2011

    ISO/IEC 29100:2011. Information technology – Security techniques – Privacyframework[S].Geneva: InternationalOrganizationforStandard- ization, 2011. (2011)

    work page 2011

  39. [39]

    A Framework for Preserving Privacy and Cybersecurity in Brain-Computer Interfac- ing Applications[EB/OL]

    KAPITONOVA M, KELLMEYER P, VOGT S, et al. A Framework for Preserving Privacy and Cybersecurity in Brain-Computer Interfac- ing Applications[EB/OL]. arXiv, 2022[2026-02-25].http://arxiv.org/ abs/2209.09653. (2022)

    work page arXiv 2022

  40. [40]

    Protecting Neural Data Pri- vacy—First, DoNoHarm[J].JAMANeurology, 2025, 82(3): 212.(2025)

    PAUZAUSKIE S, GENSER J, YUSTE R. Protecting Neural Data Pri- vacy—First, DoNoHarm[J].JAMANeurology, 2025, 82(3): 212.(2025)

    work page 2025

  41. [41]

    fNIRS-based brain-computer inter- faces: a review[J]

    NASEER N, HONG K S. fNIRS-based brain-computer inter- faces: a review[J]. Frontiers in Human Neuroscience, 2015, 9: 3. doi:10.3389/fnhum.2015.00003. (2015). 49

    work page doi:10.3389/fnhum.2015.00003 2015

  42. [42]

    An MEG-based brain-computer interface (BCI)[J]

    MELLINGER J, SCHALK G, BRAUN C, et al. An MEG-based brain-computer interface (BCI)[J]. NeuroImage, 2007, 36(3): 581-593. doi:10.1016/j.neuroimage.2007.03.019. (2007)

    work page doi:10.1016/j.neuroimage.2007.03.019 2007

  43. [43]

    Brain-computer interfaces using elec- trocorticographic signals[J]

    SCHALK G, LEUTHARDT E C. Brain-computer interfaces using elec- trocorticographic signals[J]. IEEE Reviews in Biomedical Engineering, 2011, 4: 140-154. (2011)

    work page 2011

  44. [44]

    Reputation-Based Feder- ated Learning Defense to Mitigate Threats in EEG Signal Classification [C/OL]//202416thInternationalConferenceonComputerandAutoma- tion Engineering (ICCAE)

    ZHANG Z, LI P, AL HAMMADI A Y, et al. Reputation-Based Feder- ated Learning Defense to Mitigate Threats in EEG Signal Classification [C/OL]//202416thInternationalConferenceonComputerandAutoma- tion Engineering (ICCAE). Melbourne, Australia: IEEE, 2024: 173-180 [2026-03-30].https://ieeexplore.ieee.org/document/10569874/. (2024)

    work page arXiv 2024

  45. [45]

    R S S, APARAJEETA J, KAIMAL S S. Security Auditing and Mali- cious Client Blocking in Federated EEG Seizure Detection[C/OL]//2026 9th International Conference on Computational Intelligence in Data Sci- ence (ICCIDS). Chennai, India: IEEE, 2026: 1-6[2026-04-01].https: //ieeexplore.ieee.org/document/11407536/. (2026)

    work page arXiv 2026

  46. [46]

    Federated Transfer Learning for EEG Signal Classification[C/OL]//2020 42nd Annual International Confer- ence of the IEEE Engineering in Medicine & Biology Society (EMBC)

    JU C, GAO D, MANE R, et al. Federated Transfer Learning for EEG Signal Classification[C/OL]//2020 42nd Annual International Confer- ence of the IEEE Engineering in Medicine & Biology Society (EMBC). 2020: 3040-3045[2026-03-13].http : / / arxiv . org / abs / 2004 . 12321. (2020)

    work page 2020

  47. [47]

    Federated Learning for Training Brain-computer interfaces [M/OL]//BAROLLI L

    AMATO A, BELARDO V, SIVO D D, et al. Federated Learning for Training Brain-computer interfaces [M/OL]//BAROLLI L. Advanced Information Networking and Applications: Vol. 250. Cham: Springer Nature Switzerland, 2025: 306-315 [2026-03-30].https : / / link . springer.com/10.1007/978-3-031-87778-0_30. (2025)

    work page doi:10.1007/978-3-031-87778-0_30 2025

  48. [48]

    SAFE: Secure and Accurate Federated Learn- ing for Privacy-Preserving Brain-computer interfaces [EB/OL]

    JIA T, CHEN X, WU D. SAFE: Secure and Accurate Federated Learn- ing for Privacy-Preserving Brain-computer interfaces [EB/OL]. arXiv preprint, 2026 [2026-03-09].http : / / arxiv . org / abs / 2601 . 05789. (2026)

    work page 2026

  49. [49]

    Goodfellow, H

    ABADI M, CHU A, GOODFELLOW I, et al. Deep Learning with Dif- ferential Privacy [C/OL]//Proceedings of the 2016 ACM SIGSAC Con- ference on Computer and Communications Security. New York, NY, 50 USA: Association for Computing Machinery, 2016: 308-318 [2026-04- 01].https://dl.acm.org/doi/10.1145/2976749.2978318. (2016)

    work page doi:10.1145/2976749.2978318 2016

  50. [50]

    EEG-Based Epilepsy Recognition via Federated Learning With Differential Privacy[J]

    LUO Y, JIANG B, QIN S, et al. EEG-Based Epilepsy Recognition via Federated Learning With Differential Privacy[J]. Concurrency and Com- putation: Practice and Experience, 2025, 37 (9-11): e70072. (2025)

    work page 2025

  51. [51]

    Sleep Staging Method for Imbalanced EEG Data Based on Differential Privacy Federated Learning[J]

    YIN K, DING Z, YANG X, et al. Sleep Staging Method for Imbalanced EEG Data Based on Differential Privacy Federated Learning[J]. Inter- national Journal on Artificial Intelligence Tools, 2022, 31(06): 2240018. (2022)

    work page 2022

  52. [52]

    Differentially private multimodal laplacian dropout (DP-MLD) for EEG representative learning[EB/OL]

    FU X, WANG B, GUO X, et al. Differentially private multimodal laplacian dropout (DP-MLD) for EEG representative learning[EB/OL]. SSRN preprint, 2024[2025-06-26].https://www.ssrn.com/abstract= 4990230. (2024)

    work page 2024

  53. [53]

    Securing Secure Aggregation: Mit- igating Multi-Round Privacy Leakage in Federated Learning[EB/OL]

    SO J, ALI R E, GULER B, et al. Securing Secure Aggregation: Mit- igating Multi-Round Privacy Leakage in Federated Learning[EB/OL]. arXiv, 2023[2026-04-02].http://arxiv.org/abs/2106.03328. (2023)

    work page arXiv 2023

  54. [54]

    PAUL S, BAJWA G. Privacy-Preserving EEG Data Generation: A Fed- erated Split Learning Approach Using Privacy-Adaptive Autoencoders and Secure Aggregation with GFlowNet: [C/OL] // Proceedings of the 22nd International Conference on Security and Cryptography. Bil- bao, Spain: SCITEPRESS - Science and Technology Publications, 2025: 638-643[2026-04-01].https:...

    work page doi:10.5220/0013529100003979 2025

  55. [55]

    User identity protection in EEG- based brain–computer interfaces[J]

    MENG L, JIANG X, HUANG J, et al. User identity protection in EEG- based brain–computer interfaces[J]. IEEE Transactions on Neural Sys- tems and Rehabilitation Engineering, 2023, 31: 3576-3586. (2023)

    work page 2023

  56. [56]

    Protecting Multiple Types of Pri- vacy Simultaneously in EEG-based Brain-computer interfaces[EB/OL]

    MENG L, JIANG X, JIA T, et al. Protecting Multiple Types of Pri- vacy Simultaneously in EEG-based Brain-computer interfaces[EB/OL]. arXiv preprint, 2024[2026-02-25].http://arxiv.org/abs/2411.19498. (2024)

    work page arXiv 2024

  57. [57]

    PAT: Privacy-Preserving Adversarial Transfer for Accurate, Robust and Privacy-Preserving EEG Decoding

    CHEN X, JIA T, WU D. A3E: Aligned and Augmented Adversarial Ensemble for Accurate, Robust, and Privacy-Preserving EEG Decoding 51 [EB/OL]. arXiv preprint, 2025 [2025-09-12].http://arxiv.org/abs/ 2412.11390. (2025)

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  58. [58]

    PAT: Privacy-preserving Adversarial Transfer for Accurate, Robust and Privacy-Preserving EEG Decoding[EB/OL]

    CHEN X, JIA T, WU D. PAT: Privacy-preserving Adversarial Transfer for Accurate, Robust and Privacy-Preserving EEG Decoding[EB/OL]. arXiv preprint, 2025. (2025)

    work page 2025

  59. [59]

    Privacy-Preserving Attention- Weighted Multi-Source Domain Adaptation for EEG Motor Imagery [J]

    HUANG Y M, HUNG H N, TSENG V S. Privacy-Preserving Attention- Weighted Multi-Source Domain Adaptation for EEG Motor Imagery [J]. Neural Computing and Applications, 2024. (2024)

    work page 2024

  60. [60]

    Meta-learning for fast and privacy- preserving source knowledge transfer of EEG-based BCIs[J]

    LI S, WU H, DING L, et al. Meta-learning for fast and privacy- preserving source knowledge transfer of EEG-based BCIs[J]. IEEE Com- putational Intelligence Magazine, 2022, 17(4): 16-26. (2022)

    work page 2022

  61. [61]

    A privacy-preserving generative adversarial network method for securing EEG brain sig- nals[C/OL]//2020 International Joint Conference on Neural Networks (IJCNN)

    DEBIE E, MOUSTAFA N, WHITTY M T. A privacy-preserving generative adversarial network method for securing EEG brain sig- nals[C/OL]//2020 International Joint Conference on Neural Networks (IJCNN). Glasgow, United Kingdom: IEEE, 2020: 1-8[2025-09-04]. https://ieeexplore.ieee.org/document/9206683/. (2020)

    work page arXiv 2020

  62. [62]

    EpilepsyGAN: Synthetic Epileptic Brain Activities With Privacy Protection[J]

    PASCUAL D, AMIRSHAHI A, AMINIFAR A, et al. EpilepsyGAN: Synthetic Epileptic Brain Activities With Privacy Protection[J]. IEEE Transactions on Biomedical Engineering, 2021, 68 (8): 2435–2446. (2021)

    work page 2021

  63. [63]

    EEGCiD: EEG condensation into dif- fusion model[J]

    CHEN J, PI D, JIANG X, et al. EEGCiD: EEG condensation into dif- fusion model[J]. IEEE Transactions on Automation Science and Engi- neering, 2025, 22: 8502–8518. (2025)

    work page 2025

  64. [64]

    Nature Communications, 2025, 16: 7914

    XIAOQ,FANLH,MAQ,etal.Securewirelesscommunicationofbrain- computer interface and mind control of smart devices enabled by space- time-coding metasurface[J]. Nature Communications, 2025, 16: 7914. DOI:10.1038/s41467-025-63326-0. (2025)

    work page doi:10.1038/s41467-025-63326-0 2025

  65. [65]

    CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy[C]//Proceedings of the 33rd International Conference on Machine Learning Workshops

    DOWLIN N, GILAD-BACHRACH R, LAINE K, et al. CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy[C]//Proceedings of the 33rd International Conference on Machine Learning Workshops. New York: JMLR, 2016. (2016). 52

    work page 2016

  66. [66]

    GAZELLE: A Low Latency Framework for Secure Neural Network Inference[C]//27th USENIX Security Symposium

    JUVEKAR C, VAIDA C, CHANDRAKASAN A. GAZELLE: A Low Latency Framework for Secure Neural Network Inference[C]//27th USENIX Security Symposium. Baltimore, MD: USENIX Association, 2018: 1651-1669. (2018)

    work page 2018

  67. [67]

    Split HE: Fast Secure Inference Combining Split Learning and Homomorphic Encryption[EB/OL]

    PERETEANU G L, ALANSARY A, PASSERAT-PALMBACH J. Split HE: Fast Secure Inference Combining Split Learning and Homomorphic Encryption[EB/OL]. arXiv, 2022[2026-04-02].http://arxiv.org/abs/ 2202.13351. (2022)

    work page arXiv 2022

  68. [68]

    Label- Only Membership Inference Attacks[C]//Proceedings of the 38th In- ternational Conference on Machine Learning

    CHOQUETTE-CHOO C A, TRAMÈR F, CARLINI N, et al. Label- Only Membership Inference Attacks[C]//Proceedings of the 38th In- ternational Conference on Machine Learning. PMLR, 2021: 1964-1974. (2021)

    work page 2021

  69. [69]

    Cancellable Template Design for Privacy- Preserving EEG Biometric Authentication Systems [EB/OL]

    WANG M, WANG S, HU J. Cancellable Template Design for Privacy- Preserving EEG Biometric Authentication Systems [EB/OL]. arXiv preprint, 2022 [2026-03-31].http : / / arxiv . org / abs / 2203 . 16730. (2022)

    work page 2022

  70. [70]

    PolyCosGraph: A Privacy-Preserving Can- celable EEG Biometric System[J]

    WANG M, WANG S, HU J. PolyCosGraph: A Privacy-Preserving Can- celable EEG Biometric System[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(5): 4258-4272. (2023)

    work page 2023

  71. [71]

    A Privacy-Preserving Brainprint Recogni- tion System Based on Feature Homomorphic Encryption[C/OL]//2024 International Joint Conference on Neural Networks (IJCNN)

    ZHANG Y, YI H, KONG W. A Privacy-Preserving Brainprint Recogni- tion System Based on Feature Homomorphic Encryption[C/OL]//2024 International Joint Conference on Neural Networks (IJCNN) . Yoko- hama, Japan: IEEE, 2024: 1-10[2026-04-01].https://ieeexplore. ieee.org/document/10651340/. (2024)

    work page arXiv 2024

  72. [72]

    Privacy-Preserving EEG-Based Authentication Using Perceptual Hashing[D/OL]

    KOPPIKAR S D. Privacy-Preserving EEG-Based Authentication Using Perceptual Hashing[D/OL]. Denton, Texas: University of North Texas, 2016[2026-04-01].https://digital.library.unt.edu/ark:/67531/ metadc955127/. (2016)

    work page 2016

  73. [73]

    SecureML: A System for Scalable Privacy- Preserving Machine Learning [C/OL]//2017 IEEE Symposium on Secu- rity and Privacy (SP)

    MOHASSEL P, ZHANG Y. SecureML: A System for Scalable Privacy- Preserving Machine Learning [C/OL]//2017 IEEE Symposium on Secu- rity and Privacy (SP). San Jose, CA, USA: IEEE, 2017: 19-38 [2026-03- 03].http://ieeexplore.ieee.org/document/7958569/. (2017). 53

    work page arXiv 2017

  74. [74]

    SecureNN: 3-Party Secure Com- putation for Neural Network Training[J]

    WAGH S, GUPTA D, CHANDRAN N. SecureNN: 3-Party Secure Com- putation for Neural Network Training[J]. Proceedings on Privacy En- hancing Technologies, 2019, 2019(3): 26-49. (2019)

    work page 2019

  75. [75]

    Secure multiparty computation (MPC)[EB/OL]

    LINDELL Y. Secure multiparty computation (MPC)[EB/OL]. Cryp- tology ePrint Archive, 2020[2026-04-10].https://eprint.iacr.org/ 2020/300. (2020)

    work page 2020

  76. [76]

    Toward Practical Privacy-Preserving Convolutional Neural Networks Exploiting Fully Homomorphic Encryp- tion [EB/OL]

    PARK J, KIM D, KIM J, et al. Toward Practical Privacy-Preserving Convolutional Neural Networks Exploiting Fully Homomorphic Encryp- tion [EB/OL]. arXiv, 2023 [2026-04-02].http://arxiv.org/abs/2310. 16530. (2023)

    work page 2023

  77. [77]

    DONG H, WU J, BASHIR A K, et al. Privacy-Preserving EEG Signal Analysis with Electrode Attention for Depression Diagnosis: Joint FHE and CNN Approach [C/OL]//GLOBECOM 2023 - 2023 IEEE Global Communications Conference. Kuala Lumpur, Malaysia: IEEE, 2023: 4265-4270 [2026-03-31].https://ieeexplore.ieee.org/document/ 10436783/. (2023)

    work page 2023

  78. [78]

    THOR: Secure Transformer Inference with Homomorphic Encryption[EB/OL]

    MOON J, YOO D, JIANG X, et al. THOR: Secure Transformer Inference with Homomorphic Encryption[EB/OL]. Cryptology ePrint Archive, 2024[2026-04-02].https : / / eprint . iacr . org / 2024 / 1881. (2024)

    work page 2024

  79. [79]

    A guide to fully homomor- phic encryption[EB/OL]

    ARMKNECHT F, BOYD C, CARR C, et al. A guide to fully homomor- phic encryption[EB/OL]. Cryptology ePrint Archive, 2015[2026-04-10]. https://eprint.iacr.org/2015/1192. (2015)

    work page 2015

  80. [80]

    Stealing Machine Learning Models via Prediction APIs [C]//25th USENIX Security Symposium

    TRAMÈR F, ZHANG F, JUELS A, et al. Stealing Machine Learning Models via Prediction APIs [C]//25th USENIX Security Symposium. Austin, TX: USENIX Association, 2016: 601–618. (2016)

    work page 2016

Showing first 80 references.