In 2019, Patrick Paumen, a 37-year-old from the Netherlands had a contactless payment microchip injected under his skin. He described the procedure as hurting ‘as much as when someone pinches your skin’. [1] A chip like this weighs less than a gram and is of a similar size to a grain of rice.
British-Polish firm, Walletmor, is the first company to offer the chips for sale. The technology that they use is known as near-field communication (NFC) which is the contactless payment system found in smartphones. There are other similar payment implants that use radio-frequency identification (RFID), an analogous technology that is used in physical contactless credit cards. Chip implants like this allow people to have those kinds of technology that we use every day, like unlocking doors, public transport tickets and bank cards, in the palm of their hand – literally.
For many years, pets have been required to be microchipped by their owners in countries such as the UK, and the question of whether it is appropriate to now microchip people in a similar way is left unanswered. This article will not touch on the equally important issues around the ethics and health outcomes of such microchips, as it will focus on the data protection and privacy concerns.
In Sweden, a tech start-up company Epicenter has implanted the chips into 150 of its employees, enabling them to open doors, access printers and pay at the company’s café.[2] The question of whether it is acceptable to microchip employees has been widely debated, and UK’s Confederation of British Industries and Trade Union Congress opined that such technology can invade workers’ privacy.[3]
One primary issue with such chips is the uncertainty of how much more advanced they will become in the future and how much of personal private information they will collect. Secondly, there are issues with the security of data – whether the information is secure and whether a person could be tracked using the microchips. These chips are sometimes called ‘an extension of the internet of things’ (IoT)[4], meaning it is a way to exchange data.
Currently, there is a trend toward technology and putting devices in our bodies not only for urgent medical circumstances, but for convenience too. We see that companies and individuals are becoming more interested in the innovative microchips and while it may be convenient to pay for things without taking any device or even a wallet with you, it is important to think about the risks. In particular, we need to question who owns the data, who, how and when they can access it, and can the chips be hacked?
Most of the same concerns that we see in cybersecurity and privacy in other fields apply to the microchip implant topic, however with much higher and personal stakes. Unlike your smartphone or laptop, which you can leave at home, a microchip that is implanted in your skin could potentially continuously track your movements, permanently. Some have argued that because the microchip tags cannot be traced by satellite, they do not violate individual privacy. Although the microchip is understood to be passive, unable to connect itself with the internet, it is still possible that the ambient reader devices can download the information stored in the chip and transmit its location to internet, with the Internet of Things this can happen very quickly.[5] This demonstrates the risks to privacy such as data breaches, unauthorised surveillance and data misuse. The argument that the microchips are passive – meaning they do not have a power source so they do nothing until they interact with a reader and without emitting a signal they cannot be tracked is also controversial. Most of the microchips that use near-fear communication can store data and this ability highlights the risks of these devices to hacking. Having an NFC reader on your phone and placing it against someone’s chip would allow you to read information off it and maybe even change the data on the chip.[6]
With the developments of such microchips, there are certain safeguards that need to be in place and they should be legally regulated before allowing commercial companies to sell such implants to the public. Even if some people would want to voluntarily get a microchip implanted, they may not be fully aware of the privacy risks that can result from that, and therefore a regulatory system is definitely required, with organisations ensuring that individuals are provided with full transparency about the risks and consequences of the procedure from a health and data privacy perspective. If the microchips are to become increasingly widespread, we need to make sure that we are prepared for it and can protect the public from the risks we discussed. Lawmakers need to ensure that there is appropriate legislation to keep up to date with emerging technologies such as microchip implants to address the privacy risks.
[1] https://www.bbc.co.uk/news/business-61008730
[2] https://www.abc.net.au/news/2017-04-03/swedish-employees-agree-to-microchip-implants/8410018
[3] Gasson, M. (2010). Human Enhancement: Could you become infected with a computer virus?. 2010 IEEE International Symposium on Technology and Society, pp.61-68
[4] Bradley Leimer and Theodora Lau, ‘Beyond Good: How Technology Is Leading A Business Driven Revolution’, 2021
[5] ACLU. (2013). RFID Position Paper. [online] ACLU. Available at: https://www.aclu.org/other/rfid-position-statement.
[6] Rothschild, N. (2020) ‘Chipping away at our privacy: Swedes are having microchips inserted under their skin. What does that mean for their privacy?’, Index on Censorship, 49(1), pp. 17–19. doi: 10.1177/0306422020917596.
