Usability versus security, or: Why I decided to become a cyborg

This article had previously been published on my LinkedIn.

Some months ago, I attended an after-work event where one could choose to get implanted with an NFC chip, the kind of chip that you carry on your gym card or your credit card. I went there thinking that I would never, ever do such a foolish thing. I left the place with an urge to get the implant.

What had changed?

I’m a security nerd. I do risk analysis on autopilot, and my first reaction is that implantable chips can’t possibly be safe. I’m never an early adopter of any tech. I’m the one standing with my arms crossed, on the side, pointing out the risks and choosing the path of risk avoidance.

But I’m also a science fiction nerd. Cyborgs, androids, aliens, they fascinate me on a fundamental level. I’m deeply influenced by the writings of Isaac Asimov, Arthur C. Clarke and Jules Verne as well as the tech utopia of Star Trek and the dystopia of Battlestar Galactica. Up until now, my only possibility to become a cyborg myself (glasses don’t count!) has been to get a pacemaker – and on second thought, I think I’ll pass…

At the event I had a revelation. There is a fundamental cultural difference between security people and usability people. The ones who create new, awesome stuff create things regardless of how much the security community stands on the side with their arms crossed, choosing the path of risk avoidance. Humans will choose to augment themselves with technology, regardless of whether the PKI is implemented correctly or if the integrity implications are severe.

Recently I got the chip. It is benevolent. It’s passive and batteryless, and mass surveillance or remote tracking is infeasible (practically impossible). It can store less than a kilobyte of data: I have never owned a rewritable device with such a ridiculously small amount of data storage capability.

The insertion is done by a professional body piercer, and it hurts less than “normal” body mods. It’s sterile and my skin will fully heal within two weeks.

I use my chip as a business card, to store my phone number and my GPG fingerprint. This is public information that is easily accessible in simpler ways than by attempting to hack or socially engineer me. There are no unbearable negative consequences of having a chip.

But the next chip on the market may not be as cute. What if implanted chips follow the same development as cell phones? Everyone is aware of the fact that they can be tracked anywhere with their phones. It’s not mandatory to have a cell phone, but in reality the social limitations of not being connected are too severe for most people to bear. Very few opt out.

There’s an old truth that usability and security will never go hand in hand, but this isn’t necessarily true. The dichotomy exists because of culture, not out of necessity. In fact, cooperation between usability and security experts is imperative! IT security is something that everyone needs in their daily lives, and having super secure systems that only techies can use is simply not good enough. And cool, new devices that make our lives easier will be no good without a proper risk analysis and good crypto.

I chose to be an early adopter of this implant chip, because I want to be a stakeholder in a revolution that is bound to be problematic. I will not take the path of risk avoidance, but the path of risk analysis from the inside.