About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Data shrinkage | Main | Paradigms and pseudonyms »

Touch and gone

By Dave Birch posted Jun 24 2009 at 10:14 PM

[Dave Birch] I ran a workshop on mobile proximity security day, and one of the things we touched on in the group is the EU's publication of their recommendations on the "identity of stuff" last week. They've published a 14-point action plan.

The European Commission has announced plans for Europe to play a leading part in developing and managing interconnected networks formed from everyday objects with radio frequency identity (RFID) tags embedded in them - the so-called "internet of things".

[From EU lays out plans for the "internet of things" - V3.co.uk - formerly vnunet.com]

These are real issues, and although I'm not making any comment on the value or otherwise of the specific recommendations, there's no doubt that the subject deserves more attention. There's an "identity of things" problem that came up (again) in a meeting I was in last week that I think is worth sharing. It comes from the world of NFC, where the problem revolves around contactless stickers, tags, posters and that kind of thing. It's the same problem that we looked at before, and it's worth reviewing because there's been no industry progress toward a solution.

A little background. The NFC Forum have announced their "N mark" which is a standard symbol to be applied to adverts, magazines, posters and such like. The idea is to show consumers (none of whom have ever even heard of NFC, let alone seen an NFC phone) where they can "tap" their phones to get some kind of service.

The NFC Forum has developed the “N-Mark” trademark so that consumers can easily identify where their NFC-enabled devices can be used. It is a stylized “N” and indicates the spot where an NFC-enabled device can read an NFC tag to establish the connection.

[From NFC Forum : N-Mark]

If you haven't seen it, it looks like this. A simple ecosystem in the offing: you put the N-mark on things, consumers come along and touch them with other things.

So what's the problem? Well, how does the customer (and the customer's phone) know that the tag is "real"? How can I be sure that the "get your bus timetable" tag doesn't link a porn site? When I touch my phone to the poster to find out more about The Glastonbury Festival (this is hypothetical: I stopped going in 1983 on the grounds that it was getting to big and too commercial) how do I know that I will be connected to the Glastonbury Festival ticket line (or whatever) and not a premium-rate call to Nigerian scammers who will play me "please hold, your call is important to us" followed by snatches of Vivaldi until Vodafone cut you off when your bill passes $10,000? It would be nice to have some kind of setting in the NFC preferences to say something like "ignore all tags except for the phones with a digital signature, signed by a key that resolves through a certificate chain to a root known to my mobile phone operator". But I see at least two problems with this:

  1. Consumers, and more importantly, mobile phone company marketing types, don't have the slightest idea what this means and there is no possibility of explaining it to them, and
  2. Even if it was turned on, most consumers confronted by a dialogue box on their mobile phone saying something like "warning, this tag is unrecognised and could lead to you being ripped off big time or embarrassed in public" would just hit "OK". We know this, but that's what they do on the web.

The NFC specifications don't include a security layer. It's not good enough for them to say that service providers should implement their own security layers, because we need something interoperable: a digital identity infrastructure, if you will. Therefore, it seems to me, we need the industry to assemble a group that combines technologists, security specialists, psychologists and UI designers to come up with a way of dealing with it in an intelligent way. There's a great business somewhere here.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]


TrackBack URL for this entry:

Listed below are links to weblogs that reference Touch and gone:


The comments to this entry are closed.