by Dr. Ann Cavoukian
There was a lot of buzz about Near Field Communications (NFC) at The Future of the Internet Congress this week in Ottawa. NFC is an emerging short-range wireless technology being built into the latest generation of smartphones, allowing users to bridge the real and virtual worlds with simple “Tap ‘n Go” gestures.
NFC holds tremendous potential to change the way we interact with our physical environments, acquire and share information, access facilities, and pay for goods and services (to name just a few interoperabilities), using now-ubiquitous mobile devices.
Illustrative Uses Cases
At the Congress, I made available a new paper, entitled Mobile Near Field Communications (NFC) “Tap ‘n Go” – Keep it Secure & Private, that examines the technology’s potential in four illustrative use cases:
- Scanning a public poster to acquire a discount;
- Sending an image to a public printer;
- Sharing contact info between two mobile devices; and
- Using the mobile device as a loyalty card.
NFC Strengths
NFC is similar to – and builds on – radio frequency identification (RFID) technologies, such as those found on some consumer items, library books, prescription vials, and access cards, for example. In consumer mobile devices, NFC technologies offer more security, enhanced usability, and better privacy.
The NFC evolution/revolution gained momentum in 2004 when Philips, Sony and Nokia established NFC Forum, a consortium which today has 140 members involved in the development, application, and marketing of NFC.
Privacy and Security Risks
In partnership with the Nokia Privacy and NFC Teams, my Office also looked at NFC’s potential security and privacy risks associated with the use case scenarios, including:
- Data being leaked (transferred) without consent
- Interception or eavesdropping on wireless communications
- Secret tracking of a device user’s location
- Ascertaining the identity of an anonymous user
- Improperly redirecting the device to an unknown website
- Initiating a (pay-per-use) service without the knowledge of the device user
- Receiving unwanted or malicious content
- Lack of adequate notice and transparency of operations.
Secure and Private by Design
We then suggested solutions informed by each of the 7 Foundational Principles of Privacy by Design. The NFC technology and mobile ecosystem already address some of these risks, by design. For example, interactions must take place within a very close range (four centimetres); users must make a conscious “tap” of the device to initiate a secure transaction. This makes third-party eavesdropping, and skimming, far more difficult.
As well, NFC capabilities should be disabled when the device is in “lock” mode; users should be prompted for feedback when an interaction is requested from another device; and regenerated identifiers should be used when sharing personal data to defeat correlation, identification, tracking, and profiling.
Our paper describes the residual risks and challenges that remain – especially for device and application developers.
Apply Privacy by Design Now – Don’t Put it Off to “Later”
The current stage of NFC technology and standards is the ideal time to apply Privacy by Design’s 7 Foundational Principles to mitigate the risks while maintaining full functionality. Special attention should be paid to effective user interfaces and default privacy options. Data privacy, functionality, and security can and should all be “baked into” device architectures, including the physical design, operating systems, applications, and services.
It’s up to the players of the NFC ecosystem to work together to ensure that PbD is embedded into the technology. The payback will be evident in user trust, consumer confidence, and widespread adoption of this powerful game-changing technology. Do it now!
Dr. Ann Cavoukian is Information and Privacy Commissioner of Ontario, Canada
