As the legal industry wonders whether associate jobs will soon be replaced by AI lawyers and bots, another sci-fi concept worthy of getting the "Black Mirror" treatment is starting to take hold in a growing number of workplaces: employee microchipping.
Once reserved for dogs and cats, microchipping is now par for the course for workers at Three Square Market, a technology company in Wisconsin. There, workers are being given microchip implants that will allow them to open doors, access company accounts, and even order vending machine beverages by simply waving their hands.
According to a recent report, nearly two-thirds of the company’s workforce has signed up for these implants:
This trend, however, raises numerous privacy concerns for employees who participate. Although the Wisconsin company here does not require all of its employees to be microchipped and claims its chips do not use GPS tracking, this doesn’t prevent other companies from using the wireless and radio frequency technologies underlying the company’s microchipping implant tracking system to do just that—turning the microchips into a hypodermal employee monitoring system.
Given the amount of data that microchip implants can collect and the vulnerability of their frequency-based communications to cyberattacks, workplace microchipping can create troubling legal issues for not only the companies considering implementing them, but also for the employees that signup for the implants.
Potential Pitfalls of Microchipping
Most of the microchips that are starting to be used in the United States and in Europe rely on passive near-frequency communication (NFC), an offshoot of radio-frequency identification (RFID) technology. RFID relies on radio wave signals between chips and sensors to pass through information and commands to do tasks. NFC chips operate similarly, but use low-powered electromagnetic signals and wireless connections to accomplish the same feat at close distances.
It’s very much the same technology powering Apple Pay and similar smartphone-based payment systems, except it’s being used to conduct other tasks. Several European workplaces have started using NFC chips, though individuals who don’t want to wait for their employers to microchip them can purchase NFC chips online, using them for everything from sleep monitoring to WiFi password sharing.
These chips, however, do possess some tracking capabilities. This alone is not particularly newsworthy; free and freemium smartphone app companies, for example, have come under scrutiny for the way they track and sell usage, browsing and location data to third-party providers while you’re playing with Disney princess pets or searching your neighborhood for Snorlaxes and Pikachus.
NFC chip tracking, however, takes these tracking issues to a whole other level. In addition to storing sensitive personal information such as driver’s license and credit card numbers, these microchips are theoretically capable of monitoring more intimate data such as your movements around the office and bathroom breaks. Hackers that break into this information could possess very intimate information regarding your movements and corporate account information.
Yes, you read that right. NFC technology is not hacker-proof. Both the chips and the sensors receiving the chips’ signals can be tampered with to divert data into malicious hands. This has been illustrated with how NFC technology works with smartphone credit card payments, since RFID payment sensors merely pick up on any short-range signal it receives without applying substantial encryption. Other signal frequency-based products such as drones and UAVs have shown similar security flaws in the way they process communications between the drone itself and the operator’s controller. Even the FDA, after approving microchip implants for medical purposes in the early 2000s, acknowledged compromised information security as among the many potential problems that implant users could face. This inevitably will spell trouble for companies that are careless with protecting their employees’ microchip data, and for the employees who are using NFC implants.
Legal Issues Raised by Microchipping
While workplace microchipping is only just starting to catch on stateside, it could quickly become a major issue that lawyers and legislators will soon need to address. Five states so far have laws prohibiting mandatory RFID chip implantation, with other states contemplating joining their ranks. California, for example, outlines strict policies under California Civil Code § 52.7 that prevent companies from requiring, compelling, or coercing employees to receive subcutaneous implants. Noncompliance can be costly; in addition to facing civil liability and the possibility of punitive damages, companies can be initially fined up to $100,000 as an initial fine, and up to $1,000 for each subsequent day the employee is forced to wear the device up until actual removal.
Employee microchip data, too, could become subject to discovery in litigation, just like all other ESI. Yet, much more so than email, such ESI could be incredibly revealing, laying bare even the most personal and quotidian details of one’s life. That, in turn, will raise difficult issues around proportionality and privacy. Meanwhile, the data collected by such microchipping programs promises to be voluminous; another source of data growth that practitioners and judges alike worry will be difficult to manage, burdensome to maintain, and expensive to collect, review, and produce in litigation.
Microchipping issues have even been indirectly addressed in the federal courts, albeit by analyzing analogous technologies. This was especially clear in U.S. v. Jones, a 2012 Supreme Court case where the Court held that the police’s secret use of GPS tracking devices on the defendant’s car to map out the defendant’s movements constituted a trespass against the defendant’s property and, in turn, an unconstitutional search under the Fourth Amendment. It will also be interesting as to whether courts will consider microchip tracking data to be subject to the Stored Communications Act’s relaxed warrant requirements during criminal investigations, as the Fifth Circuit did when it held in In re U.S. for Historical Cell Site Data that cell site historical data possessed by cell phone providers are discoverable without a warrant under the SCA. This, of course, will depend on how courts will view the ownership rights that both companies and employees possess in their microchip data, as well as whether companies and third-party providers that stored and maintain microchip data will be governed under the SCA’s guidelines.
In any event, companies, lawyers and legislators will need to tread a fine line towards balancing the interests of businesses and employees regarding whether to bring microchip implants into the workplace—if at all. It only underscores how the law needs to quickly adapt to the pervasive and intrusive technologies that are starting to take hold in the modern-day workplace.
This post was authored by Eric Pesale, the founder of Write For Law, who writes regularly about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is a graduate of New York Law School and the University of North Carolina at Chapel Hill, and recently passed the New York bar exam. Eric can be reached at [email protected] or on Twitter at @writeforlaw.