How human are you? The Internet of Bodies is here, but are we ready?

Recent leaps in neurotechnology signal a distinct shift from a world in which we 'use' technology, to one where we 'become' the technology. The third generation of the Internet of Bodies is approaching, so what exactly is it, what are the legal issues, what are countries doing (or not doing) to get ahead of the game and why is the UK taking a different approach to some of its global counterparts?

What is the Internet of Bodies?

Internet-connected devices like smart fridges, video doorbells and voice assistants  are all examples of the Internet of Things (IoTs) – smart devices that connect and communicate through a network.

The Internet of Bodies (IoB) describes a sub-set of IoT devices that interact far more intimately with the human body. They connect the body to an online network through technology that you can wear, ingest, implant or otherwise link to a human body. IoB devices fall into three categories:

• External devices / 1^st gen – these are devices that you can wear and that collect and transmit data using external sensors, such as smart watches.
• Internal devices / 2^nd gen – these are devices that you can ingest or have implanted to control and monitor various aspects of your health, such as digital pills and smart pacemakers.
• Embedded devices / 3^rd gen – these are devices that completely merge with your body while maintaining a real-time connection to a remote machine, such as a brain computer interface (BCI).

External and internal devices are already commonplace but embedded devices are the next frontier. With Elon Musk proclaiming at the latest Neuralink 'Show and Tell' event that the first chip will be installed in a human by June 2023, now is a prime time to consider the impact of such devices.  

What are BCIs?

BCIs are the most talked embedded device to date – these are devices that merge with the human brain, allowing for a real-time connection with remote computers that receive live data updates for the purposes of controlling and monitoring aspects of human health.

BCIs offer the first real step towards uniting humans and artificial intelligence. Their functionality extends far beyond the health stats you'll be familiar with on your smartwatch. They have the potential not only to track our data and provide assistive support, but also to enhance our body's functions – the Milken Institute predicts that AI BCIs could unlock cures to health conditions that have phased scientists for decades, including Alzheimer’s and Parkinson’s disease, and we are quickly seeing companies line up to deliver:

• Synchron, is an Australian-based neurotechnology company that was first to gain FDA approval to conduct human trials for BCIs, and has already successfully enabled paralysed patients to send emails and text messages.
• Neuralink is a Californian-based neurotechnology company that is designing devices that will restore sight in blind people and the ability of those with severed spinal cords to walk. As at the date of this article, Neuralink is awaiting FDA approval to start human trials.

For those currently suffering from severe health conditions, BCIs can't come soon enough, but such technological leaps are not generally characterised by sunshine and rainbows, and if the Borg in Star Trek are anything to go by, it's worth considering the potential downsides and how we can mitigate them.

The price of progress?

In August 2022, the UK Law Society published a report on the potential impact of BCIs, identifying questions we need to consider before we begin to think about realising the potential benefits:

• Criminal liability: What if a person commits a criminal act 'under the influence' of an implanted microchip? Who will be responsible? Was the person in control?
• Employment: Will BCIs be available only to those that can afford it, leading to a world characterised by neurotechnological discrimination where employees with implants will be paid more resulting from their ability to 'download' more desirable skills; or will we have no choice in the matter and wearing a BCI will be a condition of employment?
• Data protection: How can the user control what data leaves their BCI? If consent is relied upon, will it be valid? What can that data be used for? How do we ensure that data is kept secure – to date 'hacking' has only been thought of in a traditional computer context – but what about the brain?

Some of these questions will depend on how we realise the technology in the context of military, health and consumer applications. While Neuralink and Synchron are focussing on health, companies like Facebook have been considering how to use brain data for marketing ads for some years. This being the case, it's clear that regulation will be needed to ensure the safe deployment of the technology. The question then becomes when and how do we start?

How to regulate something that doesn’t exist?

To date 39 countries have taken steps to consider regulation of neurotechnology by signing up to the OECD’s non-binding recommendation on responsible innovation in neurotechnology. Adopted in 2019, the recommendation outlines nine principles that guide stakeholders through each stage of the innovation process (from research to commercialisation) with the goal of maximising the benefits of neurotechnology and minimising its risks. Examples of principles include:

• Promote responsible innovation in neurotechnology to address health challenges.
• Anticipate and monitor the potential unintended use and/or misuse of neurotechnology.

Although a good first step to get the conversation going (which is a success in itself), the breadth of principles and their non-binding nature, are significant limitations. Something more robust with real 'bite' is needed to effectively regulate BCIs and this is where Chile is leading the pack.

The world led by Chile

Back in 2021, Chilean Senator Girardi understood the need to get ahead of the technology:

"we didn’t regulate the big social media and internet platforms in time, and it cost us…"

Shortly after this statement, Chile became the first country to implement legislation in the form of a constitutional amendment that enshrines the right of mental integrity of all citizens. The aim of the legislation is to protect mental privacy, free will, equal access to cognitive enhancement technologies and protection against algorithmic bias. The constitutional amendment was quickly followed up by a draft Chilean neuro-protection bill that seeks to underpin the new and broadly drafted constitutional rights, by giving personal brain data 'organ status' – meaning it cannot be bought or sold, trafficked or manipulated, and any data collection will require explicit 'opt-in' authorisation from the user.

EU – the first steps have been taken

In 2021, several EU countries went beyond the OECD's recommendation:

• France approved a bioethics law that protects the right to mental integrity;
• Spain adopted a 'digital rights charter' with a dedicated section on neuro rights; and
• the Italian Data Protection Authority commenced discussion on whether mental privacy is sufficiently covered under the country’s privacy rights.

UK – let them innovate

Having signed the OCED's recommendations in 2019 and with the Law Society publishing a report in 2022, it's clear that neurotechnology is on the UK government's radar, but unlike Chile and its EU counterparts, the UK is taking a more commercial approach.

As the Law Society explains, there are risks if we regulate too late, but there are also risks if we regulate too early:

"It would be disastrous if progress in treating conditions that cause so much suffering and quite properly could be viewed as requiring urgent action, were unnecessarily slowed by too cautious a regulatory environment..."

This commercial approach to regulation is increasingly the norm in the UK, especially in areas like data protection and Artificial Intelligence. The UK's data protection authority (the ICO) is leading the way with its regulatory sandbox – a service that creates a space for technology companies to innovate in collaboration with the regulator, to push the limits of innovation within the boundaries of applicable regulation.

Whether neurotechnology is a good fit for the ICO's sandbox depends on how you view BCI technology.  This problem has already been considered by the UK Parliament Office of Science and Technology – should neurotechnology be considered a 'personal data technology'  regulated by the ICO, or a medical device regulated by the MHRA, or a consumer technology regulated by the CMA? Or maybe we need something new? In which case the UK's current approach seems sensible… at least for now.

Where does this leave us?

Neurotechnology is both exciting and potentially terrifying, BCIs offer clear benefits to humans in that they may be the key to managing or curing some of our most debilitating health conditions, and driving our functional advancements far beyond what seems possible today. But achieving those benefits comes with a ream of risks that need to be considered in order to safely realise the technology's full potential.

How we go about regulating neurotechnology is still up for debate. Each country seems to have very different views on how and when such regulation should come into being, the promising take away is that at least one of them has to be right…right?