ITBusiness.ca

NFC the next big thing? Do it right – embed privacy from the start

by Dr. Ann Cavoukian

 

There was a lot of buzz about Near Field Communications (NFC) at The Future of the Internet Congress this week in Ottawa.  NFC is an emerging short-range wireless technology being built into the latest generation of smartphones, allowing users to bridge the real and virtual worlds with simple “Tap ‘n Go” gestures.   

Ann Cavoukian, Information and Privacy Commissioner of Ontario

NFC holds tremendous potential to change the way we interact with our physical environments, acquire and share information, access facilities, and pay for goods and services (to name just a few interoperabilities), using now-ubiquitous mobile devices. 

Illustrative Uses Cases

At the Congress, I made available a new paper, entitled Mobile Near Field Communications (NFC) “Tap ‘n Go” – Keep it Secure & Private, that examines the technology’s potential in four illustrative use cases:

  1. Scanning a public poster to acquire a discount;
  2. Sending an image to a public printer;
  3. Sharing contact info between two mobile devices; and
  4. Using the mobile device as a loyalty card.  

NFC Strengths

NFC is similar to – and builds on – radio frequency identification (RFID) technologies, such as those found on some consumer items, library books, prescription vials, and access cards, for example. In consumer mobile devices, NFC technologies offer more security, enhanced usability, and better privacy.  

The NFC evolution/revolution gained momentum in 2004 when Philips, Sony and Nokia established  NFC Forum, a consortium which today has 140 members involved in the development, application, and marketing of NFC. 

Privacy and Security Risks

In partnership with the Nokia Privacy and NFC Teams, my Office also looked at NFC’s potential security and privacy risks associated with the use case scenarios, including:  

Secure and Private by Design

We then suggested solutions informed by each of the 7 Foundational Principles of Privacy by Design.  The NFC technology and mobile ecosystem already address some of these risks, by design.  For example, interactions must take place within a very close range (four centimetres); users must make a conscious “tap” of the device to initiate a secure transaction.  This makes third-party eavesdropping, and skimming, far more difficult.   

As well, NFC capabilities should be disabled when the device is in “lock” mode; users should be prompted for feedback when an interaction is requested from another device; and regenerated identifiers should be used when sharing personal data to defeat correlation, identification, tracking, and profiling. 

Our paper describes the residual risks and challenges that remain – especially for device and application developers. 

Apply Privacy by Design Now – Don’t Put it Off to “Later”

The current stage of NFC technology and standards is the ideal time to apply Privacy by Design’s 7 Foundational Principles to mitigate the risks while maintaining full functionality.  Special attention should be paid to effective user interfaces and default privacy options.  Data privacy, functionality, and security can and should all be “baked into” device architectures, including the physical design, operating systems, applications, and services. 

It’s up to the players of the NFC ecosystem to work together to ensure that PbD is embedded into the technology.  The payback will be evident in user trust, consumer confidence, and widespread adoption of this powerful game-changing technology.  Do it now!

 Dr. Ann Cavoukian is  Information and Privacy Commissioner of Ontario, Canada

 

 

 

 

 

Exit mobile version