You could say that security got under Joe Krull’s skin — literally. The security expert recently let VeriChip implant a small RFID chip under the skin of his right arm.
VeriChip, a subsidiary of Applied Digital, sells automatic identification equipment for identifying pets, livestock and food products — and humans seem to be its next market. High-profile human implants began in July, when attorney general of Mexico Rafael Macedo de la Concha and 15 Mexican security officials submitted to chip implants to act as access controls to secure areas of their headquarters.
In December, John D. Halamka, the CIO of Harvard Medical School, also got chipped, saying he wanted to experience the process for himself. According to a VeriChip press release, Halamka reported that he was able to climb Mount Washington without any ill effects from the chip. He thinks the technology could be used to identify unconscious patients, matching hospital patients to the correct meds and verifying that patients were medicated.
Krull leads the information security practice of Virtual Corporation, a consulting company that consults on business continuity, information security and supply chain management. He’s been a senior security executive at Telecom Finland, Philips Electronics and Lucent Technologies and was a senior intelligence and security officer with the U.S. Defense Intelligence Agency at American embassies overseas from 1979 to 1996.
He spoke with internetnews.com about his chip, and why automatic identification may be the only incorruptible way to go.
Q: How did your relationship with VeriChip emerge?
First, I don’t work for VeriChip, and they’ve supplied no stock or compensation to me. I saw a presentation on the chip at a European conference on privacy and identification in 2003. When the CEO started talking about this, I said no way. I was probably one of his most vocal critics. When I saw them again [the next year], they talked about how they’ll deal with opt-in and opt-out. They had a six-point privacy model. I committed on the spot.
Coming from the security and privacy side of the house, having the chip in my arm makes me a lightning rod for the company.
Q: VeriChip said you’re “in the process” of placing your personal medical information in VeriChip’s secure database. How long does that take?
I’m given access to a Web site that’s still under development because so few people have committed to having the chip.
I made my own risk analysis, uploaded my blood type, allergies, business card, next of kin. I have a specific medical condition — there’s a metal plate under my eye. I’ve been told by doctors many times that if I were incapacitated, doctors would assume I had a head injury, and their first course of action is to start drilling holes. If I have a chip and a reader they can scan me.
Q: In theory. But right now, it’s useless because there’s no database.
As applications become more pervasive and readers are deployed to emergency rooms, I’ll have an application that gives me some value. Applied Digital did a distribution deal with one of the largest medical supply companies in the business to distribute their readers to emergency rooms and doctors’ offices.
Q: But couldn’t there be a problem if the emergency room uses a different reader or doesn’t subscribe to VeriChip’s service?
You’ll always have proprietary applications, a leader and followers. It’s a proof of concept now. Until applications are commercially launched, we’re still playing around with this.
My big feeling as a former military officer is that electronic dog tags will be the use case that drives it into the market. I had a big issue when I was in American embassies overseas. They’d send people to us on a temporary basis, and their only verification was a passport. With a VeriChip, I have a very nice mechanism to say, “Come on in to most sensitive area of the building.”
Q: The FDA has warned that the chip might migrate or interfere with MRI. I guess you’re not worried?
The company had to develop a special process that I think they got a patent for. They coat the chip in a chemical that bonds with the skin around it. As far as MRI, I did my own unofficial test at the University of Texas Medical Center, and we saw no interference whatsoever from my chip.
Q: You consult with companies about vulnerabilities, potential liabilities and protection. Do you have plans to advise any Virtual Corporation clients to use this technology?
We’re vendor neutral. We will look at clients’ problems, and if we see a technology or product that’s useful, we will make an introduction. I haven’t seen a use case for it right now in my official capacity, but as a private individual, every day.
Q: You’re not worried about your individual privacy?
There’s a secure Web site where I — and only I — can change my data. It’s strictly self-service. If I can control what data goes in and gets added and subtracted, I’m fine. If I had a health condition, for example, that might deter employers, I wouldn’t put it in the database. But the minute it becomes mandatory or gets combined with other data, [this chip] is coming out.
Q: There was a fair amount of concern over plans for the Brittan Elementary School in Sutter, California, to use RFID tags to keep track of students. What do you think of this use for RFID?
It was completely wrong, but not from a technology point of view. They were wrong in how the project was presented to parents. Had they brought together a town meeting, where they said, “This is our problem, and these are the available technologies, and here’s what it does and won’t do,” I think they could have turned it around. The company did a very poor job in managing the expectations of parents.
Q: VeriChip has a deal with Orbcomm to develop satellite and telecommunications services for VeriChip. Some say this is a short step to universal surveillance. What do you say?
I’m not aware of that. Right now, the read distance is very, very short.
Q: What if the feds come knocking on VeriChip’s door, saying, “We need the database?”
Right now, the chips still are in dozens of people, not tens of thousands. As it becomes more pervasive, I expect the company or the patent holder to be a bridge between the government and private citizenry. They just appointed a chief privacy officer who will do nothing but interface on questions like this. Otherwise it will remain a niche technology and die.
If you compromise a biometric feature, it’s gone forever. This is a replicable biometric. You need three things to get to my information: a reader, being within 2.5 inches of my arm, and the password or PIN code for my database. If managed correctly, it can be a great technology from the security point of view.