The mainstream media is full of stories this week about a Wisconsin vending machine company that plans to embed a rice-size microchip in the hands of employees on a voluntary basis on Aug. 1, 2017.
According to NBC News:
“With the wave of their hands, employees will be able to open doors that require identification cards, log into their computers, operate copy machines or pay for snacks out of the company's vending machines, the company said.
The chips operate on electromagnetic fields and must be no more than 6 inches from a device that can read them, known as radio-frequency identification.
Three Square Market is partnering with Swedish-based BioHax International to install the technology, which was approved by the U.S. Food and Drug Administration in 2004 for the marketing of the VeriChip to medical patients.”
Reactions to this news are all over the map, with headlines ranging from positive stories about the dawning of a great new era to Big Brother privacy concerns to fears that Biblical prophecies are about to come true.
Yesterday’s Predictions Are Today’s Reality: How Did We Get to This Point?
Back in 2010, ABC News ran this report which predicted that we would see implants by 2017, although their example was for medical purposes.
Three years ago, Fox News asked the question: Is there a microchip implant in your future?
“You can inject one under your skin and no one will ever notice. Using short-range radio frequency identification (RFID) signals, it can transmit your identity as you pass through a security checkpoint or walk into a football stadium. It can help you buy groceries at Wal-Mart. In a worst-case scenario — if you are kidnapped in a foreign country, for example — it could save your life.
Microchip implants like the ones pet owners use to track their dogs and cats could become commonplace in humans in the next decade. Experts are divided on whether they’re appropriate for people, but the implants could offer several advantages. For soldiers and journalists in war zones, an implant could be the difference between life and death. A tracker could also help law enforcement quickly locate a kidnapped child.”
And in 2015, ZDNet ran this intriguing piece on biohacking, which is the name that many give to embedding chips into our bodies.
“If you could replace your car keys, website login data, credit cards and bus passes with a chip embedded under your skin, would you?
For those concerned with privacy, the biohacker noted how wearable devices and mobile technology are already collecting and sharing our personal data. Where embedded NFC chips come in, however, is that we can achieve the same results but with "less clutter."
So what does the future hold for biohacking? According to Sjoblad, biotechnology and embedded NFC chips will eventually become a quick digital identification process used for everyday purposes.”
Back in April, The Washington Post pointed out that some Swedish workers have been using this technology for a while.
"But while it may sound like the dawning of an era of a cyborg workforce, management consultants say they're hearing little interest in the concept so far, and those leading the experiment in Sweden say it's an entirely voluntary exercise intended simply as a technological test for convenience."
But this "test for convenience" is being deployed in a real U.S. business this week.
Ethical, Privacy and Medical Issues?
Many experts are pointing to related ethical and privacy issues, which could become a major concern if the implanted chips do more in the future and organizations embrace the technology.
According to this CBN article, there are plenty of legal implications in embedding chips as well.
“Illinois Institute of Technology professor Jeremy Hajek says the legal system needs to catch up with this new technology.
‘So you're opening up a much larger privacy issue of, well, who owns where you go? Who owns what you do? And who owns what you buy? Are you entitled to that privacy? Or does that privacy not really exist,’ he questions.
‘Do you own that data? Or does the company own that data? And I think the legal system needs to catch up a little bit to this because these are new questions that the current laws on hand may not quite accurately cover,’ he added.”
As Ben Libberton, a microbiologist at Stockholm's Karolinska Institute, told the Associated Press, “Conceptually, you could get data about your health, you could get data about your whereabouts, how often you're working, how long you're working, if you're taking toilet breaks and things like that.”
My millennial daughter Katherine Lohrmann said she fears three things about chip implants:
Katherine also pointed out that she thought the entire episode was a PR stunt by the company. “Look at the attention they are getting. This must be worth millions in sales for them.”
One interesting point related to medical and privacy issues will be proposed new laws that will be introduced at the local, state and federal levels to assist in protecting employees that do not want to embed chips in their bodies for various reasons — and protect those that do.
What About Security?
The interviews with Three Square Market executives portrayed the use of encrypted RFID as virtually hack-proof. Bold statements are being made about security that are overconfident, in my opinion. When you consider that we are not just talking about the encrypted chips, but the people, process and technology surrounding the security implementation, the challenge is greater.
An article from last year articulated 7 types of security attacks on RFID systems. A more recent article describes how easy it is to clone ID cards, although it should be added that the examples used at DEFCON were not as secure as those used in the Wisconsin embedded chip implementation.
This article from stackexchange.com describes the reasons why it is not easy to clone RFID tags when they are using passive technology:
"The reason these cards are not easily clonable is that nobody but the bank knows the secret key hidden in the chip, so nobody else can produce a card that will react the same way to the challenge that came from the reader, thus the card cannot produce the correct CVV. The bank is responsible for detecting the incorrect CVV and rejecting the cloned card.
Not all the systems in use today are perfect. Researchers (and criminals) have figured out several attacks. Some cards are inherently insecure because they use weak encryption (such as the MiFare cards often used in transit systems). Some cards have had their secret keys read by using side channel attacks, such as power analysis or timing analysis. Some have been examined using ion beam microscopy, revealing the bits containing the secret keys. And some banks did a poor job initially implementing their secret keys such that they didn't validate the CCVs correctly."
Also, this RFID Journal blog describes some ways to prevent RFID cloning using encryption.
Social Media Feedback
When I posted this story on LinkedIn this week, the comments were overwhelmingly negative. Most people were concerned less with this specific “volunteer” deployment and more about where this trend may lead in the future.
Here is a selection of the more than 50 public comments received:
Tony Robinson: “I hope laws in place so as not to make this an opt-out without termination ... no chip, no job is not acceptable.”
Tim Johnsrude: Optional" tends to be a temporary condition. For example, credit cards are optional, but it is becoming increasingly more inconvenient not to have one. Can't rent a car without one. Can't order food on an airliner. eBay is out of reach for cash customers. Let's not let this monkey out of its cage.”
Baran Erdogan: “Who wants to live and work like an ‘asset’???”
Allison Dolan: “One company that did this got positive feedback from employees when the 'chip' was linked to the internal cafeteria payment system - just swipe your wrist to pay for lunch! Just a reminder that if the incentives are there, people will accept almost anything.”
Robert Myles: “The chip signs/logs/is registered into a data base as well, which could be hacked.”
Jeffrey Lunde: “Key question is when, not if, a health insurance company offers it. Optional becomes conditionally then mandatory way too often.”
Andrew L.: “Why isn't anyone talking about the malicious removal of the chip for ill intent? It's not like you can hide it once it's inserted?”
Jan Buitron: “Something so easy to 'install 'can probably be easily removed, and then used by a miscreant to 'hack' the building, the computers, the lunchroom, you name it...Does anyone remember the 'eyeball' scene in Minority Report?”
Maria Thompson: “You have got to be kidding me? The ways in which this could go sideways are mind boggling. I truly support and embrace innovation and technology but the privacy violations that come to mind make this option repulsive. The thought occurred to me years ago that it was only a matter of time this would be introduced to humans once tested on animals. I read an article recently that certain areas in Asia are using microchips to track elderly folks with Alzheimer's ... sorry, not biting.”
Allison Dolan (in response to Maria): “The point I was making is that for many people, myself included, convenience is a big appeal, especially when the risks in this very specific case seem quite low, including the option not to participate. Every new technology has a dark side, and if we rejected new things based on what could happen, we wouldn't have most of what we have today.”
Allan Bradley: “There is a place for this, but without a clear defined digital citizenship boundary under legal definition, it is an invasion of bodily private space.”
With the exception of medical purposes to embed chips in the human body, I am very concerned about this embedded chip trend — especially for security convenience. I think this is the beginning of a long trip down a “Yellow Brick Road” that will not lead to the Emerald City that people expect.
I agree with the social media comments that “optional” is usually the first step that leads to “standard,” which leads to “expected,” which can lead to mandatory or almost-required situations (such as with credit cards). I am concerned with “hack-proof” statements about 256-bit encryption, which do not take into account the people, process and technology that needs to be implemented with such system security.
No, the sky is not falling. Yes, there is still plenty of time for planning. However, the technology is again out in front of the ethical and legal framework for microchip implants. No doubt, new laws will be coming in this area soon — so legislatures should pay attention.
Finally, watch out for the list of technologies that managers claim are not being deployed with microchip implants yet. For example, “We are not tracking people around the building” or “we are not using GPS.” Others will do these things down the road, but whether they tell their employees that or not is another matter.
Even if policies state that tracking is not allowed, and privacy is assured, audits often prove otherwise.