topic Re: BioChipping Employees- Physical Security or Privacy? in Industry News

BioChipping Employees- Physical Security or Privacy?

CraginS — Mon, 12 Nov 2018 02:02:48 GMT

Chipping pets has been around for years.

Chipping people has, too, but not nearly so wide spread.

The Guardian has reported that the idea of chipping employees is being discussed by employers, and unions are expressing concern.

Alarm over talks to implant UK employees with microchips
Trades Union Congress concerned over tech being used to control and micromanage

Consider:

Having chips in all employees and readers placed around the facility, in addition to being connected to IT systems for identification and authentication, could greatly benefit physical security and insider threat protection.

Of course, that same system could become an amazingly intrusive invasion of privacy.

So... would you recommend a chip program as part of the security program at a company you were advising?

Alternately, if your employer set up a voluntary chip program, would you get a chip?

Or, if your employer announced a mandatory program, would you quit?

Re: BioChipping Employees- Physical Security or Privacy?

nagarajan — Mon, 12 Nov 2018 04:34:00 GMT

At the end of the day we are humans and tend to do what we have been doing. Such an implant would be used to track employees and would invade privacy. Such an implant would gather data about where an employee spent time, how much time he spent at work, and much more.

An new approach may add value but has other implications so it has to be weighed appropriately.

Re: BioChipping Employees- Physical Security or Privacy?

Shannon — Mon, 12 Nov 2018 06:27:36 GMT

Let's look at the appeal of having microchip implants (using Passive RFID) from an individual's perspective. A few pros are:

Easier Identity management: Carrying a load of identity cards in your wallet can be a nuisance --- at least it is for me. It would be so much easier to just walk past a security point and get identified and authenticated, without having to bother getting cards out.
Centralized Identity management: This depends on a system being universally standardized, and would allow for you to be identified and authenticated wherever you are, without the need to carry documents. (Pretty much a fantasy right now)
Emergency medical info: In emergencies, information pertaining to your health can be a life saver, to ensure that you get the proper treatment, with no risks, such as allergic reactions. Assuming you don’t have the information with you, an implanted chip would let you have it in you.
Accountability: To prove your innocence in a court of law you have to depend on camera footage, credit card swipes, witnesses, and provide your own word. Tracking can be seen positively in this case.
Tracking loved ones: Being reponsbile for your kids, and concerned about old relatives, you'll want to be able to know where they are. This might be another case were you’d appreciate tracking.
Authentication to personal systems: Ensuring that you are the only one able to use a system you own is achieved by using passwords, fingerprint recognition, facial recognition. Having multiple systems authenticating you just when you’re in proximity would be really convenient and secure.

And then we have the cons:

Invasion of privacy: Undoubtedly the biggest concern. At present the biggest culprit might be a smart-phone, but we can simple turn that off or discard it if needed. That’s not going to be a luxury in the case of an embedded chip. (And frankly, I don't fancy the idea of being tagged, like a pet.)
Inadequacy: As a citizen of India, I have to carry an Aadhar card (akin to an ID card), a Drivers license, an Election card, and a PAN card (related to taxes) besides which I have to carry an ID card & Drivers license for the country I work in. Would an implanted chip cater to all of this --- or will it just be one more thing to carry?
Medical concerns: There have been cases of embedded objects migrating within the body, and reports of them potentially causing cancer. Getting an MRI scan requires that you get rid of metallic devices on you. That’s easy when it comes to a chain, belt or a smart-phone, but not an embedded chip.
Maintenance costs: Technology continually evolves at a very fast pace. When you get a smart phone, it doesn't remain state-of-the-art for long, & you soon have to get a new one either to ensure compatibly with other systems, or to keep up with the trend. Unless implanted chips are going to be future-proof, one might not fancy the thought or cost of a surgical procedure to avoid them becoming obscure.
Limitation of freedom: A lot of us cross the lines to avoid inconvenience, which may not be morally questionable if not serious. For example, if the traffic system doesn’t catch me speeding, I might not be too keen on report it. With implanted chips, you won't have a choice in matters like this.
Security: This is a major concern, at least for me. I can accept the fact that my phone or laptop can be hacked, but it's scary to think of that being done to an embedded writable chip, and the consequences.
No Universal standards: An implanted chip may cater to a single organization / country; unfortunately it isn’t a universal standard yet, so going somewhere else may require that you use the typical forms of Identity and Access control, which will neglect the chip.

Considering all this, I wouldn't volunteer to have a chip implanted in me, and if the organization mandates it, I'll want to resign...

From an employer's / organization's perspective, let's look at the factors they'd consider:

How does this compare with other IAM systems, in terms of the costs of implementation?
Will the solution be organization wide, or only used in certain areas>
Will it cater to other forms of identification and authentication besides using implanted chips?
Are there any compensations provided by the government if the technology is adopted?
What might be the legal implications, assuming this extends to infringement of rights?
Would we have to bear the cost of removing embedded chips if the employee leaves?

Based on the present scenario & considering the factors listed above, I wouldn't recommend implementing it at this stage...

Re: BioChipping Employees- Physical Security or Privacy?

rslade — Mon, 12 Nov 2018 19:53:46 GMT

> CraginS (Advocate I) posted a new topic in Industry News on 11-11-2018 09:02 PM in the (ISC)Â² Community :

> So... would you recommend a chip program
> as part of the security program at a company you were advising? Alternately,
> if your employer set up a voluntary chip program, would you get a chip? Or,
> if your employer announced a mandatory program, would you quit?

Silly humans. Chips are for kids!

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Have nothing in your home that you do not know to be useful or
believe to be beautiful.
- William Morris, 19th century founder of Arts & Crafts movement
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: BioChipping Employees- Physical Security or Privacy?

rslade — Mon, 12 Nov 2018 20:11:46 GMT

> nagarajan (Newcomer III) posted a new reply in Industry News on 11-11-2018 11:34 PM in the (ISC)Â² Community :

> At the end of the day we are humans and tend to do what we have been
> doing.

Exactly. And we have been doing this for some time.

> Such an implant would be used to track employees and would invade
> privacy.

Which is why we invade privacy by giving people access cards, at the moment,
rather than chipping them. (Does the same thing.)

> Such an implant would gather data about where an employee spent
> time, how much time he spent at work, and much more.

Actually, probably not. I mean, you not only have to have the chips, but also the
readers. So, if you want to know where people are, you have to have readers
everywhere. (You also have to remember that the readers probably don't have a
great range, unless you want your workers working in a sea of microwaves, so you
have to put a number of them in the areas you want to check on.) Want to check
if your employees are at home? You're out of luck, unless you can convince them
to install readers in their domiciles ...

> An new approach
> may add value but has other implications so it has to be weighed
> appropriately.

Exactly. Is the convenience of having a chip embedded in your hand worth the
potential hassle of infections? Etc, etc, etc ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
You may not have the bandwidth for this, but wouldn't it be a
value-add if going forward, we could push the envelope and, as a
deliverable, have a vision to think outside the box and leverage
our core competencies to create some negative growth in the use
of hackneyed business lingo? - Mark Sutcliffe, Sun, 20060905
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: BioChipping Employees- Physical Security or Privacy?

Flyslinger2 — Tue, 13 Nov 2018 12:57:53 GMT

IAM is my passion. I've matured with IAM for 25 + years as it has matured. I've done a lot of large projects for federal agencies based on IAM.

I have never thought embedded tech was the way to go. In Europe's nanny state they could be forced to go this route when the technology is more advanced but not here in the litigious U.S. of A. The ACLU and other civil liberties watchdog groups would jump all over this and tie it up in courts for years.

I concur with the logic that there would have to be readers all over the place. Small chip implants (not breasts-filter test! lol) means big readers emitting lots of energy. It's a matter of physics and energy.

I like the Yubi key. It's small, highly compatible with OpenID and also has PIV integrated with it. I think this device would reduce many security issues and not impact the privacy of the individual.

Re: BioChipping Employees- Physical Security or Privacy?

CISOScott — Tue, 13 Nov 2018 13:08:43 GMT

@CraginS Mandated implants? Hello job boards, Goodbye to company. A company ID that does effectively the same thing, except for can be removed at will by the employee, I would be OK with it. There used to be a joke in one of the companies I worked for that they were going to install new sensors in the bathroom areas. If the sensors realized that you had been on the toilet for too long the toilet paper dispensers would close up and the door would unlock and fling open. Someone circulated this in an email and the uproar was hilarious. People called in the union demanding that their privacy not be compromised, etc., etc. The fact that it was a joke was missed by a lot of people, but it brought up a good point. How do you manage productivity losses by unproductive employees? Not by monitoring their bathroom behaviors but by better management of the employees. I think management figured out how to do this by installing automatic lighting with motion sensors that shuts off after 10 minutes of inactivity.......

Re: BioChipping Employees- Physical Security or Privacy?

Caute_cautim — Wed, 14 Nov 2018 19:05:45 GMT

I guess you have to ask the Swedes their opinion, they are embracing it wholeheartedly:

https://theconversation.com/thousands-of-swedes-are-inserting-microchips-into-themselves-heres-why-97741

They see the advantages, benefits - as one interview went today on New Zealand Radio, one of the advantages quotes was reducing the chance that the employee forgot their security pass!

This is going full circle - privacy, IoT we just want to chip everything!

Regards

Caute_cautim

Re: BioChipping Employees- Physical Security or Privacy?

CISOScott — Wed, 14 Nov 2018 20:41:11 GMT

The next step then should be to create a governing body and standardize where these chips should be placed. Not everyone has hands and hands can be dismembered through accidents or other means so I guess you got to have a head to survive.... so lets put it in our foreheads.

Re: BioChipping Employees- Physical Security or Privacy?

Caute_cautim — Wed, 14 Nov 2018 20:51:43 GMT

It must be a bad episode of Dr Who - disguise it as the "third eye" in the forehead.

Regards

Caute_cautim

Re: BioChipping Employees- Physical Security or Privacy?

Caute_cautim — Wed, 14 Nov 2018 21:21:31 GMT

There is another issue as well:

"The key to any successful identity token is that it can be replaced at will when compromised or considered compromised. Think somebody knows you password – then change it. Fraudster has your credit card number – lock the card and get a new one, etc. I’m yet to read anything on these implanted chips to suggest that this can be done in a reliable, secure, and of course, non-surgical manner."

So, one could nullify the original token via Radio Frequency means, and then have a new one inserted, but one could be waiting for some time waiting for an appointment.

Whether it was between the thumb and forefinger or the forehead - it is a single point of failure.

So what does one do in between whilst waiting for their credentials to be re-assigned?

Regards

Caute_cautim

Re: BioChipping Employees- Physical Security or Privacy?

rslade — Thu, 15 Nov 2018 17:17:46 GMT

> CISOScott (Advocate I) posted a new reply in Industry News on 11-14-2018 03:41 PM in the (ISC)Â² Community :

> The next step then should be to create a governing body and standardize
> where these chips should be placed. Not everyone has hands and hands can be
> dismembered through accidents or other means so I guess you got to have a
> head to survive.... so lets put it in our foreheads.

I'd say right hand and forehead, you know, just for redundancy ...

0/' ... If the band will play six sixty six ... 0/'

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If you spend more on coffee than on IT security, then you will be
hacked. What's more, you deserve to be hacked.
- Richard Clarke, former advisor to the President on Cybersecurity
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: BioChipping Employees- Physical Security or Privacy?

CISOScott — Thu, 15 Nov 2018 19:30:22 GMT

Which brings up another issue. If the chips can be remotely wiped easily, then what is the purpose in having them inserted in the first place? I would be mighty upset if I got a chip inserted on Monday and was back on Wednesday to have it removed and another one inserted. A hacker could effectively DDoS the entire workforce with a remote wipe command.

Re: BioChipping Employees- Physical Security or Privacy?

Caute_cautim — Thu, 15 Nov 2018 21:07:13 GMT

Some brilliant thoughts going on in the background there! So if the device is a Near Field Communications (NFC) so you need a portable device i.e. the Microchip and a fixed scanning device i.e. door way to organisation - so technically you have to be 4 cm away from the device. But obviously getting the correct frequency and picking ones target, you could use a stronger and further away radio communications beamed transmission or even a localised EMC pulse to destroy the NFC device. Or a strong transmitting device in the locality would do the same.

Or in a shop, they use NFC devices on items, and they then swipe across the counter to remove or break the NFC devices aerials after confirmation of payment.

Thus causing a DoS situation, or if you knew your targets were bunched together - a carefully initiated EMC pulse would take a bunch of them or cause a DDoS situation.

Thus negating the microchip and a new one having to be inserted etc.

Would you be better with an IoT device? But how would you power it? Wireless Power Transmission (WPT) within 30 metres, which is the current CEPT standard, still being debated globally.

Regards

Caute_cautim

Re: BioChipping Employees- Physical Security or Privacy?

Kempy — Mon, 19 Nov 2018 08:45:36 GMT

I would say that GDPR would wipe out any such folly, because a business that stupid is guaranteed to loose such highly sensitive data, or maybe a disgruntled employee who allowed their rights to be violated, would just leak the data.

I don't see a way for such a ridiculous policy to become mandatory unless people became someone else's property, a practice stamped out hundreds of years ago.

Ultimately what is the purpose? To subjugate the employee (I'll keep the id badge thanks)

Re: BioChipping Employees- Physical Security or Privacy?

Caute_cautim — Mon, 19 Nov 2018 19:04:28 GMT

We will ask you the same question in 2-5 years time and see if you viewpoint still holds?

Cheers

Caute_cautim

@Kempy wrote:
I would say that GDPR would wipe out any such folly, because a business that stupid is guaranteed to loose such highly sensitive data, or maybe a disgruntled employee who allowed their rights to be violated, would just leak the data.

I don't see a way for such a ridiculous policy to become mandatory unless people became someone else's property, a practice stamped out hundreds of years ago.

Ultimately what is the purpose? To subjugate the employee (I'll keep the id badge thanks)

Re: BioChipping Employees- Physical Security or Privacy?

CraginS — Sat, 24 Nov 2018 11:18:10 GMT

@Caute_cautim wrote:
I guess you have to ask the Swedes their opinion, they are embracing it wholeheartedly:
https://theconversation.com/thousands-of-swedes-are-inserting-microchips-into-themselves-heres-why-97741

The Financial Post republished a New York Times article to continue discussion on the Swedish experiment in the November 23 article headlined

In Sweden, cash is almost extinct and people implant microchips in their hands to pay for things. More than 4,000 Swedes have gone the microchip route as cash use fades and the government scrambles to figure out the effects on society and the economy

The article concerns me because the entire discussion addresses the cost value of converting the economy to digital finances based on personal chipping, but there is no mention of even a hint of the possible (probable?) massive surveillance of the population by government and by commercial interests,

Re: BioChipping Employees- Physical Security or Privacy?

Kempy — Sat, 24 Nov 2018 21:43:55 GMT

I would consider implanting a reader on the basis that every Swedish handshake is making me £30 better off 😉

Re: BioChipping Employees- Physical Security or Privacy?

Caute_cautim — Sun, 25 Nov 2018 18:34:59 GMT

However, we would be totally naive to think it cannot be used in the future for whatever use the government of the day deems necessary to protect its borders or reduce healthcare costs etc.

It could reduce crime and also reduce the amount of time taken to identify the culprit - so once again it could save time effort and costs.

Regards

Caute_cautim

Re: BioChipping Employees- Physical Security or Privacy?

CISOScott — Mon, 26 Nov 2018 12:41:58 GMT

There are several US government entities that would love to see the US go to a cashless society.

1) The IRS because then all transactions could be tracked and proper taxes collected.

2) Law enforcement agencies because it would be easier to track illicit drug sales, prostitution, other black market transactions, etc.

3) Local and state governments for both of the above reasons.

I think it will be hard to go to a cashless society because of the privacy concerns, but I wonder if that is why bitcoin (anonymous digital transactions) were invented.