Chipping Away at Privacy?

An icy sense of dread suddenly grips you, as you frantically search your pockets. Not again! At some point or another, each of us has endured the humbling experience of misplacing an office key, swipe card, or fob. But for many of the 2,000 employees at Epicenter, an innovative Swedish startup company, this scenario could become a worry of the past.

At Epicenter, employees can now receive a new type of business key — a microchip implanted in between one’s thumb and index finger, according to a recently released Associated Press report. Since January 2015, 150 Epicenter employees have elected to be microchipped at ‘microchipping parties,’ using syringe injections of microchips that are roughly the size of a grain of rice. According to the AP, this technology is dual-programmed to operate as a swipe key and credit card that can ‘open doors, operate printers, or buy smoothies with a wave of the hand.’

Although simply waving one’s hand to pay for a smoothie is appealing, is this convenience worth the security risks to our personal and financial information?

Answering that question first requires understanding how the technology works. Epicenter’s microchips use Near Field Communication (NFC), meaning that the technology relies on electromagnetic radio fields to communicate data. At its core, NFC enables ‘wireless communication and data exchange between digital devices like smartphones.’ According to the AP, Epicenter’s NFC device is “the same as in contactless credit cards or mobile payments.” Basically, it is a “passive device” containing information that other devices can read, but it does not actually read any information itself. When activated by a reader a few centimeters (inches) away, a small amount of data flows between the two devices via electromagnetic waves.

However, just because it’s “passive” doesn’t mean it is impervious to security vulnerabilities. According to NFC.org, the technology could allow third parties to eavesdrop on device communication, corrupt or modify data, or intercept attacks.

In this case, eavesdropping is when an unintended third party, like a criminal, ‘“listens in” on an NFC transaction, data corruption and manipulation happens when criminals tamper with the data being transmitted, and interception attacks occur when someone intercepts information that’s being channeled between two NFC devices and modifies it as it passes between the devices. Based on what is currently publicly known about Epicenter’s microchip implants, we can’t be sure how well these passive devices are protected against interception attacks. As some general security advice to consumers, NFC.org recommends that users first ensure that the companies of these devices use secure channels to communicate and encrypt data.

What we do know, however, is that the data flow NFCs generate can pose personal privacy risks in addition to those data security risks. For instance, the implants produce data that reveal how often employees clock into work as well as how often they buy things. (And you thought that earlier mentioned smoothie purchase sounded so harmless.)

More seriously, according to microbiologist Ben Libberton, these chip implants can reveal “data about your health, you could get data about your whereabouts, how often you’re working, how long you’re working, if you’re taking toilet breaks and things like that.” That said, one big question that consumers should be asking is: To what extent could this data be legally shared with third parties and/or with employers?

Part of the reason why the answer to that question is still murky is that the United States Supreme Court has yet to issue a ruling that squarely addresses the treatment of NFC devices as third parties. The third party records doctrine, as articulated by the U.S. Supreme Court in Smith v. Maryland (1979), is founded on the notion that “[t]he Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” The question remains: are these devices third parties or not?

As we wait for Supreme Court clarity, we should explore new technologies like the microchip implants, but consider the potential privacy and security risks as we do so. That goes not only for consumers, but also for the designers of these new technologies. And for guidance on that point, we can look to the past — a seminal 1890 Harvard Law Review article by Samuel Warren and Louis Brandeis. In “The Right to Privacy”, Warren and Brandeis explained that “[t]he design of the law must be to protect those persons with whose affairs the community has no legitimate concern, from being dragged into an undesirable and undesired publicity and to protect all persons, whatsoever; their position or station, from having matters which they may properly prefer to keep private, made public against their will.”

Here, I’ll add one point to Warren and Brandeis’ sage words: the onus can’t be on the law alone — especially when it often takes time for it to catch up with the pace of technological innovation. It’s also up to the creators of technology to design products with humans truly at the center — products that protect all users from having personal, financial, and health data made public against their will.

Jessica “Zhanna” Malekos Smith is a M.A. candidate at King’s College London, Department of War Studies. Previously, she was a Postdoctoral Fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs. She received her B.A. from Wellesley College, where she was a Fellow of the Madeleine Korbel Albright Institute for Global Affairs, and J.D. from the University of California, Davis School of Law.