A State by State Determination
There are currently no known U.S. employers that require employees to have a device implanted on their person as a condition of employment.[1] However, many states are implementing preemptive legislation to prohibit such a thing from becoming a possibility.[2] Most recently, the state of Michigan introduced the “Microchip Protection Act,” which passed the House and now heads to the Senate for further consideration.[3] The act would prevent employers from requiring employees to have devices implanted into their bodies as a condition for employment, and prohibits employers from discriminating against employees who refuse.[4]
Usually, a microchip refers to a Radio Frequency Identification (RFID) tag. This wireless technology consists of a tiny radio transmitter which communicates its unique identity to nearby readers using electromagnetic waves.[5] Common uses of the technology include inventory tracking, key fobs to open your car door, automatic payment passes used in toll booths, building access systems, and even payment and ID cards.[6]
Beginning in 2017, a company named Three Square Market located in River Falls, Wisconsin started offering RFID implants to employees—80 of the 250 employees agreed to have the chip installed.[7] The chip is roughly the size of a grain of rice and is implanted under the skin between the thumb and the forefinger. The CEO of Three Square Market said the idea came after a trip to Sweden where he noticed many people having chips implanted to do things like enter secure buildings and book train tickets.[8] The chip is intended to simplify tasks such as assessing the building, logging into the computer, and buying food and drink items in the cafeteria.[9] So far, nearly a third of the company has the chip installed and everyone seems to be enjoying the convenience. Two people have had their chips removed upon leaving the organization.
The company behind the commercially produced, implantable microchip is named VeriChip and was given FDA approval back in 2004 to implant the chip for various purposes.[10] The company claims the chips cannot be counterfeited and advocates for use in the health care industry as well as the private sector. So far, the chip is commonly used for identifying patients whose identity is difficult to establish and the chip is often installed on household pets to attach the owner’s information to the pet if it wonders off.[11]
The privacy concerns associated with the use of implantable RFID chips involves the potential leaking, stealing, or spoofing of information stored on the chip. Although very little information is stored on these chips, usually only a unique identification number, access to that unique number paired with other information can expose the underlying sensitive data.[12] Spoofing is also a real issue—for example, the unique identifier in your credit card may be read by a third-party reader and duplicated to be used without your authorization.[13] Another fear is that many of these supply chain databases which store information about their products RFID movement, may be able to profile consumers based upon where the tag on their products has traveled.[14] Although the tags do not have GPS capability and cannot track location in real time, by comparing where the signals of the RFID chip have been received, you may deduce where the person has been.[15]
Solutions to these concerns include the use of encryption methods such as “one-way hashing” which creates a unique meta-ID that can only be read between two parties.[16] This would mean that the RFID is in a locked state until it receives an exact signal of the same hash value and could then be temporarily unlocked for use of nearby readers. Physical shielding sleeves that block radio signals are also used to store passports and credit cards so that the RFID cannot communicate with a reader until taken out of the sleeve. However, with implantable RFIDs, encryption is obviously the best method of protection.
From a legislative point of view, over 10 states have passed laws prohibiting employers from requiring an implant of any kind. Additionally, around 20 states have laws on the books that deal with regulating the use of RFID. Commonly, the laws state that it shall be unlawful for a person to remotely read a person’s identification using RFID, without that person’s knowledge and prior consent.[17] States like Illinois have made it a felony identity theft crime to possess or transfer a RFID device capable of obtaining personally identifiable information (PII) from a RFID tag, with knowledge that the device will be used by an individual to commit such crime.[18] States like Minnesota, Michigan, and Washington have required that the new enhanced drivers licenses containing RFID tags contain reasonable security measures to protect against unauthorized disclosure of PII.
So far, it appears that RFID chips are treated just like any other sensitive identification card you would have in your wallet. It is illegal for anyone to steal or access the technology without your consent, but there is now a heighted risk of your information being stolen without reasonable security measures in place—it is easier to steal a radio signal you cannot feel than it is to take your wallet or purse off your person. In short, although your personal identification number feels safe implanted beneath the palm of your hand, its signal is susceptible to more danger than ever before.
[1] Dave Royse, States Just Saying No to Employee Microchipping, LexisNexis (Mar. 13, 2020), https://www.lexisnexis.com/en-us/products/state-net/news/2020/03/13/states-just-saying-no.page.
[2] Id.
[3] Rep. Kahle’s plan to prohibit employers from requiring microchipping for workers in Michigan passes House, Michigan House Republicans (June 24, 2020), http://gophouse.org/rep-kahles-plan-to-make-microchipping-in-michigan-voluntary-for-workers-and-job-providers-passes-house-unanimously/.
[4] See HB 5672 (June 24, 2020)
[5] Radio Frequency Identification (RFID), U.S. Food and Drug Administration, https://www.fda.gov/radiation-emitting-products/electromagnetic-compatibility-emc/radio-frequency-identification-rfid.
[6] See Gavin Phillips, How Does RFID Technology Work?, makeuseof (May 31, 2017), https://www.makeuseof.com/tag/technology-explained-how-do-rfid-tags-work/.
[7] Rachel Metz, This company embeds microships in its employees, and they love it, MIT Technology Review (Aug. 17, 2018), https://www.technologyreview.com/2018/08/17/140994/this-company-embeds-microchips-in-its-employees-and-they-love-it/.
[8] Id.
[9] Id.
[10] John Halamka, The Security Implications of VeriChip Cloning, Journal of the American Medical informatics Association (Nov. 2006), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1656959/.
[11] Id.
[12] See Phillips, supra note 6.
[13] See Halamka, supra note 10.
[14] Id.
[15] Id.
[16] RFID Security and Privacy White Paper, Department of Homeland Security, https://www.dhs.gov/xlibrary/assets/foia/US-VISIT_RFIDattachE.pdf.
[17] See Radio Frequency Identification (RFID) Privacy State Law Survey, LexisNexis (Nov. 18, 2019), https://advance.lexis.com/api/permalink/ba1e4165-8d6d-41d0-a4e0-648984540d51/?context=1000522.
[18] Id.