Imagining the Future of Privacy with NFC

Near Field Communication (NFC) is nearly upon us. This technology, which enables “tap to pay” systems like the one seen here, is waiting in the wings, with companies like Google, Microsoft, Apple, Citigroup, and MasterCard all developing systems that would integrate with mobile phones, to be rolled out as early as 2012. These systems currently seem to focus on implementing mobile payment solutions, but NFC technology could be used for a wide range of applications, many of which have yet to be imagined.

Near Field Communication (NFC) is a subset of the larger Radio Frequency Identification (RFID) technology, which has already been integrated into American passports. The technology allows data to be transferred between devices in close proximity (approximately 20cm for NFC). Applications for this technology could range from allowing users to download coupons or other information from interactive posters or signage, to NFC-enabled locks that give users “tap access” to secure areas of office buildings, to users passing information from phone to phone, all without internet access. Needless to say, the scope of uses for this technology has yet to be fully explored, but it is easy to imagine a future world where the ubiquity of NFC matches that of credit cards and mobile phones today.

NFC Leaves Current Privacy Law in the Dust

The debate over online privacy has received increased attention in recent years as more people incorporate Facebook and other online services into their daily lives. While these debates have taken place behind the scenes at institutions like the EFF and ACLU for years, only recently have missteps like the Google Buzz fiasco, and flaws in Facebook’s privacy settings, brought the debate into the mainstream. Industry has recently responded to the issue by pushing for a “Do Not Track” option in web browsers, while Congress is on the verge of introducing the Commercial Privacy Bill of Rights Act of 2011, both of which have their own flaws. The problem is that the current debate focuses solely on online tracking via web browsing, and fails to anticipate any of the transformative changes in the personal data landscape that technology like NFC is sure to bring. Unfortunately, by the time current legislation and regulatory regimes are implemented, they may already be outdated. The outpacing of law by technology is always a difficult problem, but the current debate over online privacy seems especially shortsighted, as it tends toward specific technical measures for current problems instead of declaring a set of “first principles of privacy” on which future disputes may be evaluated.

NFC allows people to give away personal information simply by touching an item with their phone or passing through a sensor. This type of tight integration into people’s daily habits means that they can be tracked passively while performing their daily activities, as opposed to during the more deliberate act of web browsing. While the shift in data collection from people actively filling out online forms to being monitored in the way they surf the web was a major change, a much larger paradigm shift exists in the transition to NFC tracking, where people’s day-to-day offline activities are logged and tracked.

NFC companies need to follow guidelines

While Congress won’t be addressing these issues until long after the technology is pervasive, it is important that advocacy groups and consumers demand certain standards before the technology hits the market and norms are set by the way the industry has implemented its systems. In fact, putting pressure on the industry to build privacy and security ideas into their products while they are still in development may be the only way to ensure that these products can support the kind of protections that consumers deserve. The following are some best practices that companies deploying NFC technology should follow.

Notice

Of course the most obvious requirement is that NFC products notify the user that they are about to connect with the user’s mobile device. As the CDT (Center for Democracy and Technology) puts it:

Consumers should be provided with clear, conspicuous and concise notice when information, including location information, is collected through an RFID system and linked, or is intended by a commercial entity to become linked, to an individual’s personal information either on the RFID tag itself or through a database. 

The objective here is that users do not have information taken from their phone, or downloaded to their phone, without their knowledge, something that is very possible given the abilities of NFC technology.

Choice and Consent

On top of being notified that they are sharing their personal information, users should be given a choice, before the transaction of information is complete, on whether or not they want to proceed with the transfer. Requesting the user’s consent must be done before the transaction is complete, and companies should make available as many services as possible while collecting only information that is essential for the transaction.

Access to Data

If an NFC tag itself stores data, users should be able to see what data of theirs is stored on the tag. Not only should they be given access to their data, but they should also be informed of how that data is being used and with whom it is being shared. It is important that users are aware of where their data is being held, and while initial consent is critical, it is equally important that users can find where their data is being held after their initial transaction with the NFC device.

Basic Security

NFC technology offers a lot of ways in which unauthorized parties in search of personally identifiable information, such as credit card data, can gain access to it. It is important that companies develop systems which are safe from the numerous attacks that such systems will inevitably face. While the details of such protections are still being developed, it is important that an industry standard emerges so that users can be reasonably confident that data given to any NFC device will be safe from theft. Of course, as with current databases, NFC companies should have an obligation, and a method in place, to inform users when data breaches occur.

While it is difficult to predict exactly where NFC technology will take us, we must try to anticipate the privacy challenges that will surely confront us. Congress, advocacy groups, and individual users will have to act together to demand standards that protect people’s right to privacy. Only through this system of accountability can we be assured that companies take responsible measures to ensure the freedoms that we all enjoy today.