arXiv: Pretrained, Frozen, Still Leaking: Auditing Cross-Encoder Attribute Transfer in EEG Foundation Models

This paper, published on arXiv, presents a security audit of foundation models used for electroencephalography (EEG) data. The researchers demonstrate that even when an EEG model is "frozen" (its parameters are not updated during fine-tuning), it can still leak sensitive personal attributes, such as a person's age, sex, or medical condition, from the training data. This phenomenon, termed "cross-encoder attribute transfer," poses a significant privacy risk because it means that a model deployed for one purpose (e.g., sleep stage classification) can inadvertently reveal protected characteristics about the individuals whose data was used to train it.

This finding directly affects any organization deploying or developing EEG-based AI systems, including medical device manufacturers, digital health startups, research institutions, and hospitals using brain-computer interfaces or neurological diagnostics. Under the EU AI Act, such models likely qualify as high-risk AI systems, particularly if used in medical or biometric categorization contexts. The paper also raises concerns under GDPR, as it highlights a novel mechanism for unintended processing of special category data.

Compliance teams should immediately conduct a data protection impact assessment (DPIA) for any EEG foundation model in use or development. They must verify whether their model's training data contains sensitive attributes that could be extracted, even from a frozen model. Teams should also update their technical documentation to include this specific leakage vector in their risk analysis and consider implementing differential privacy or adversarial debiasing techniques during pre-training. Finally, they should monitor the EU AI Act's implementing acts for any guidance on foundation model auditing requirements.