Pretrained, Frozen, Still Leaking: Auditing Cross-Encoder Attribute Transfer in EEG Foundation Models

Researchers demonstrate that popular EEG foundation models (BIOT, LaBraM, EEGPT) leak sensitive neurological attributes despite appearing secure under individual audits. A cross-encoder transfer attack shows that attribute decoders trained on one frozen model successfully transfer to others, indicating shared vulnerabilities that standard defenses like differential privacy fail to adequately address.

This research exposes a critical vulnerability in EEG foundation models that individual security audits fail to detect. The authors demonstrate that while each model passes isolated privacy tests—raw-reconstruction, membership inference, identity linkage, and differential privacy—they collectively leak spectral attributes through cross-encoder transfer attacks. This reveals a fundamental gap in current AI security evaluation methodologies where piecemeal testing misses systemic weaknesses.

The finding is particularly significant because EEG data constitutes highly sensitive biometric information. Unlike image or text models, EEG foundation models directly encode neurological signatures that can identify individuals or reveal health conditions. The successful transfer of attribute decoders across different frozen encoders indicates that these models share overlapping feature spaces that encode sensitive information in ways resistant to traditional privacy protections.

The audit framework introduces an audit-endpoint disagreement score (AEDS) that provides deployment-ready decision rules for release authorization. Critically, the research demonstrates that standard defenses fail: adaptive noise-aware attackers, LiRA membership audits, and differential privacy at practical utility-preserving epsilon values {4,8} all leave the attribute channel "essentially unchanged." This suggests that existing privacy-preserving techniques designed for other domains require fundamental rethinking when applied to neurobiological data.

The implications extend beyond these three models. If EEG foundation models systematically leak attributes through shared encoders, the entire category of biometric foundation models may face similar vulnerabilities. Organizations deploying these models in clinical or research settings must now confront questions about whether current release standards adequately protect sensitive patient data, potentially driving regulatory scrutiny and forcing developers to fundamentally redesign training methodologies rather than relying on post-hoc defenses.

• →Individual privacy audits create false confidence—models passing isolated tests still leak sensitive attributes through cross-encoder transfer attacks.
• →Standard defenses including differential privacy and membership inference audits fail to protect EEG data against attribute extraction.
• →Shared feature-space projections between foundation models enable successful attribute decoder transfer, indicating systemic architectural vulnerabilities.
• →The proposed AEDS framework enables joint multi-endpoint audits to catch vulnerabilities missed by scattered single-endpoint defenses.
• →EEG foundation models may require fundamental architectural redesigns rather than post-hoc privacy patches to adequately protect neurobiological data.