NFC the next big thing? Do it right – embed privacy from the start

by Dr. Ann Cavoukian


There was a lot of buzz about Near Field Communications (NFC) at The Future of the Internet Congress this week in Ottawa.  NFC is an emerging short-range wireless technology being built into the latest generation of smartphones, allowing users to bridge the real and virtual worlds with simple “Tap ‘n Go” gestures.   

Ann Cavoukian, Information and Privacy Commissioner of Ontario

NFC holds tremendous potential to change the way we interact with our physical environments, acquire and share information, access facilities, and pay for goods and services (to name just a few applications), using now-ubiquitous mobile devices.

Illustrative Use Cases

At the Congress, I made available a new paper, entitled Mobile Near Field Communications (NFC) “Tap ‘n Go” – Keep it Secure & Private, that examines the technology’s potential in four illustrative use cases:

  1. Scanning a public poster to acquire a discount;
  2. Sending an image to a public printer;
  3. Sharing contact info between two mobile devices; and
  4. Using the mobile device as a loyalty card.  

NFC Strengths

NFC is similar to – and builds on – radio frequency identification (RFID) technologies, such as those found on some consumer items, library books, prescription vials, and access cards, for example. In consumer mobile devices, NFC technologies offer more security, enhanced usability, and better privacy.  

The NFC evolution/revolution gained momentum in 2004 when Philips, Sony and Nokia established the NFC Forum, a consortium which today has 140 members involved in the development, application, and marketing of NFC.

Privacy and Security Risks

In partnership with the Nokia Privacy and NFC Teams, my Office also looked at NFC’s potential security and privacy risks associated with the use case scenarios, including:  

  • Data being leaked (transferred) without consent
  • Interception or eavesdropping on wireless communications
  • Secret tracking of a device user’s location
  • Ascertaining the identity of an anonymous user
  • Improperly redirecting the device to an unknown website
  • Initiating a (pay-per-use) service without the knowledge of the device user
  • Receiving unwanted or malicious content
  • Lack of adequate notice and transparency of operations.

Secure and Private by Design

We then suggested solutions informed by each of the 7 Foundational Principles of Privacy by Design.  The NFC technology and mobile ecosystem already address some of these risks, by design.  For example, interactions must take place within a very close range (four centimetres); users must make a conscious “tap” of the device to initiate a secure transaction.  This makes third-party eavesdropping, and skimming, far more difficult.   

As well, NFC capabilities should be disabled when the device is in “lock” mode; users should be prompted for feedback when an interaction is requested from another device; and regenerated identifiers should be used when sharing personal data to defeat correlation, identification, tracking, and profiling. 

Our paper describes the residual risks and challenges that remain – especially for device and application developers. 

Apply Privacy by Design Now – Don’t Put it Off to “Later”

The current stage of NFC technology and standards is the ideal time to apply Privacy by Design’s 7 Foundational Principles to mitigate the risks while maintaining full functionality.  Special attention should be paid to effective user interfaces and default privacy options.  Data privacy, functionality, and security can and should all be “baked into” device architectures, including the physical design, operating systems, applications, and services. 

It’s up to the players of the NFC ecosystem to work together to ensure that PbD is embedded into the technology.  The payback will be evident in user trust, consumer confidence, and widespread adoption of this powerful game-changing technology.  Do it now!

Dr. Ann Cavoukian is Information and Privacy Commissioner of Ontario, Canada





