cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
CraginS
Defender I

BioChipping Employees- Physical Security or Privacy?

Chipping pets has been around for years.

Chipping people has, too, but not nearly so wide spread.

The Guardian has reported that the idea of chipping employees is being discussed by employers, and unions are expressing concern.

Alarm over talks to implant UK employees with microchips
Trades Union Congress concerned over tech being used to control and micromanage

 

Consider:

Having chips in all employees and readers placed around the facility, in addition to being connected to IT systems for identification and authentication, could greatly benefit physical security and insider threat protection.

Of course, that same system could become an amazingly intrusive invasion of privacy.

 

So... would you recommend a chip program as part of the security program at a company you were advising?

Alternately, if your employer set up a voluntary chip program, would you get a chip?

Or, if your employer announced a mandatory program, would you quit?

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
48 Replies
nagarajan
Contributor I

 

At the end of the day we are humans and tend to do what we have been doing. Such an implant would be used to track employees and would invade privacy. Such an implant would gather data about where an employee spent time, how much time he spent at work, and much more. 

 

An new approach may add value but has other implications so it has to be weighed appropriately.

Regards,
Nagarajan Viswanathan (Raj)
Shannon
Community Champion

 

 

Let's look at the appeal of having microchip implants (using Passive RFID) from an individual's perspective. A few pros are:

  1. Easier Identity management: Carrying a load of identity cards in your wallet can be a nuisance --- at least it is for me. It would be so much easier to just walk past a security point and get identified and authenticated, without having to bother getting cards out.
  2. Centralized Identity management: This depends on a system being universally standardized, and would allow for you to be identified and authenticated wherever you are, without the need to carry documents. (Pretty much a fantasy right now)
  3. Emergency medical info: In emergencies, information pertaining to your health can be a life saver, to ensure that you get the proper treatment, with no risks, such as allergic reactions. Assuming you don’t have the information with you, an implanted chip would let you have it in you.
  4. Accountability: To prove your innocence in a court of law you have to depend on camera footage, credit card swipes, witnesses, and provide your own word. Tracking can be seen positively in this case.
  5. Tracking loved ones: Being reponsbile for your kids, and concerned about old relatives, you'll want to be able to know where they are. This might be another case were you’d appreciate tracking.
  6. Authentication to personal systems: Ensuring that you are the only one able to use a system you own is achieved by using passwords, fingerprint recognition, facial recognition. Having multiple systems authenticating you just when you’re in proximity would be really convenient and secure.  

And then we have the cons:

  1. Invasion of privacy: Undoubtedly the biggest concern. At present the biggest culprit might be a smart-phone, but we can simple turn that off or discard it if needed. That’s not going to be a luxury in the case of an embedded chip. (And frankly, I don't fancy the idea of being tagged, like a pet.)
  2. Inadequacy: As a citizen of India, I have to carry an Aadhar card (akin to an ID card), a Drivers license, an Election card, and a PAN card (related to taxes) besides which I have to carry an ID card & Drivers license for the country I work in. Would an implanted chip cater to all of this --- or will it just be one more thing to carry?
  3. Medical concerns: There have been cases of embedded objects migrating within the body, and reports of them potentially causing cancer. Getting an MRI scan requires that you get rid of metallic devices on you. That’s easy when it comes to a chain, belt or a smart-phone, but not an embedded chip.
  4. Maintenance costs: Technology continually evolves at a very fast pace. When you get a smart phone, it doesn't remain state-of-the-art for long, & you soon have to get a new one either to ensure compatibly with other systems, or to keep up with the trend. Unless implanted chips are going to be future-proof, one might not fancy the thought or cost of a surgical procedure to avoid them becoming obscure.
  5. Limitation of freedom: A lot of us cross the lines to avoid inconvenience, which may not be morally questionable if not serious. For example, if the traffic system doesn’t catch me speeding, I might not be too keen on report it. With implanted chips, you won't have a choice in matters like this.
  6. Security: This is a major concern, at least for me. I can accept the fact that my phone or laptop can be hacked, but it's scary to think of that being done to an embedded writable chip, and the consequences.
  7. No Universal standards: An implanted chip may cater to a single organization / country; unfortunately it isn’t a universal standard yet, so going somewhere else may require that you use the typical forms of Identity and Access control, which will neglect the chip.

 

Considering all this, I wouldn't volunteer to have a chip implanted in me, and if the organization mandates it, I'll want to resign...

 

 

From an employer's / organization's perspective, let's look at the factors they'd consider:

  1. How does this compare with other IAM systems, in terms of the costs of implementation?
  2. Will the solution be organization wide, or only used in certain areas>
  3. Will it cater to other forms of identification and authentication besides using implanted chips?
  4. Are there any compensations provided by the government if the technology is adopted?
  5. What might be the legal implications, assuming this extends to infringement of rights?
  6. Would we have to bear the cost of removing embedded chips if the employee leaves?

 

Based on the present scenario & considering the factors listed above, I wouldn't recommend implementing it at this stage...

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
rslade
Influencer II

> CraginS (Advocate I) posted a new topic in Industry News on 11-11-2018 09:02 PM in the (ISC)² Community :

>   So... would you recommend a chip program
> as part of the security program at a company you were advising? Alternately,
> if your employer set up a voluntary chip program, would you get a chip? Or,
> if your employer announced a mandatory program, would you quit?

Silly humans. Chips are for kids!

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Have nothing in your home that you do not know to be useful or
believe to be beautiful.
- William Morris, 19th century founder of Arts & Crafts movement
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

> nagarajan (Newcomer III) posted a new reply in Industry News on 11-11-2018 11:34 PM in the (ISC)² Community :

>   At the end of the day we are humans and tend to do what we have been
> doing.

Exactly. And we have been doing this for some time.

> Such an implant would be used to track employees and would invade
> privacy.

Which is why we invade privacy by giving people access cards, at the moment,
rather than chipping them. (Does the same thing.)

> Such an implant would gather data about where an employee spent
> time, how much time he spent at work, and much more.

Actually, probably not. I mean, you not only have to have the chips, but also the
readers. So, if you want to know where people are, you have to have readers
everywhere. (You also have to remember that the readers probably don't have a
great range, unless you want your workers working in a sea of microwaves, so you
have to put a number of them in the areas you want to check on.) Want to check
if your employees are at home? You're out of luck, unless you can convince them
to install readers in their domiciles ...

>    An new approach
> may add value but has other implications so it has to be weighed
> appropriately.

Exactly. Is the convenience of having a chip embedded in your hand worth the
potential hassle of infections? Etc, etc, etc ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
You may not have the bandwidth for this, but wouldn't it be a
value-add if going forward, we could push the envelope and, as a
deliverable, have a vision to think outside the box and leverage
our core competencies to create some negative growth in the use
of hackneyed business lingo? - Mark Sutcliffe, Sun, 20060905
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Flyslinger2
Community Champion

IAM is my passion.  I've matured with IAM for 25 + years as it has matured.  I've done a lot of large projects for federal agencies based on IAM.  

 

I have never thought embedded tech was the way to go.  In Europe's nanny state they could be forced to go this route when the technology is more advanced but not here in the litigious U.S. of A.   The ACLU and other civil liberties watchdog groups would jump all over this and tie it up in courts for years.

 

I concur with the logic that there would have to be readers all over the place. Small chip implants (not breasts-filter test! lol) means big readers emitting lots of energy.  It's a matter of physics and energy.

 

I like the Yubi key. It's small, highly compatible with OpenID and also has PIV integrated with it.  I think this device would reduce many security issues and not impact the privacy of the individual.

CISOScott
Community Champion

@CraginS Mandated implants? Hello job boards, Goodbye to company. A company ID that does effectively the same thing, except for can be removed at will by the employee, I would be OK with it. There used to be a joke in one of the companies I worked for that they were going to install new sensors in the bathroom areas. If the sensors realized that you had been on the toilet for too long the toilet paper dispensers would close up and the door would unlock and fling open. Someone circulated this in an email and the uproar was hilarious. People called in the union demanding that their privacy not be compromised, etc., etc.  The fact that it was a joke was missed by a lot of people, but it brought up a good point. How do you manage productivity losses by unproductive employees? Not by monitoring their bathroom behaviors but by better management of the employees. I think management figured out how to do this by installing automatic lighting with motion sensors  that shuts off after 10 minutes of inactivity.......

Caute_cautim
Community Champion

I guess you have to ask the Swedes their opinion, they are embracing it wholeheartedly:

https://theconversation.com/thousands-of-swedes-are-inserting-microchips-into-themselves-heres-why-9...

 

They see the advantages, benefits - as one interview went today on New Zealand Radio, one of the advantages quotes was reducing the chance that the employee forgot their security pass!

 

This is going full circle - privacy, IoT we just want to chip everything!

 

Regards

 

Caute_cautim

CISOScott
Community Champion

The next step then should be to create a governing body and standardize where these chips should be placed. Not everyone has hands and hands can be dismembered through accidents or other means so I guess you got to have a head to survive.... so lets put it in our foreheads.

 

Caute_cautim
Community Champion

It must be a bad episode of Dr Who - disguise it as the "third eye" in the forehead.   

 

Regards

 

Caute_cautim