Chips with everything – are you ready to be bio-hacked?

The news that a US shopping self-service vendor plans to implant or “bio-hack” dozens of its employees with tiny chips was always going to grab people’s attention.

The Wisconsin company involved, Three Square Market, is far from the first organisation to do this –Swedish startup hub Epicentre experimented with the idea earlier this year, as have plenty of adventurous individuals – but it is still be an early example of how human microchipping could be used in mainstream business.

The idea is for 53 of the company’s workers to have a tiny $300 NFC (Near Field Communication) RFID chip inserted under the skin between their thumb and index finger, on a voluntary basis. This device can then carry credit card data, allowing wearers to buy goods from the company shop without having to carry plastic.

This application serves as an advert for the company’s self-service vending systems, which doubtless explains why it has come up with the idea as a clever news advertisement for itself.

It will also be used by employees to enter the workplace and authenticate to desktop PCs, which means they won’t need to log in using conventional credentials.

“It takes about two seconds to put it in and to take it out,” Three Square Market’s Patrick McMullan told the BBC.

It would be easy to throw the word “Orwellian” at bio-hacking but, arguably, that is to misapply the term.

The chip does not track the individual’s location, nor does it allow surveillance beyond the fact they have entered a building, logged on to a PC or bought something, which any digital technology can also do. Three Square Market is not watching its workers.

The high-frequency 13.56 MHz NXP NTAG216 NFC chip (888 bytes of writable data) used has been around since 2012, finding a niche in a range of product and smartphone tags. The underlying NFC technology is also used in a wide variety of technology nobody thinks twice about, including contactless credit and debit chip cards as well as inside smartphones themselves.

All the same, putting a chip inside a human being does feel as if it’s crossing a line. Normally people authenticate themselves by carrying a token of sorts, for instance a credit card or two-factor security token. In this concept, the employee becomes the token.

Asking people to turn themselves into a walking authentication system sounds novel today but raises legal and ethical issues that might one day cause problems.

It’s unlikely employees could be compelled to have a chip inserted but would there be a hidden price for anyone unwilling to agree to what might be pitched as an important security boost? It’s also the case that NFC chips are developing rapidly, acquiring more memory as they add functions. That, or their limited lifespan, could inevitably demand upgrades.

Perhaps the biggest unknown is security. The data stored on these NFC chips is encrypted and can’t be read remotely, but it’s impossible to rule that out should some kind of vulnerability be uncovered.

The possibility of hacking chips sitting inside humans, whether to steal data or compromise capabilities, sounds far-fetched. The question is how much hard work tightening security needs to be done before people can take this on trust.