The development of technology has long been the major driver behind the growth of the communications industry. As the communications market finally moves towards full convergence, establishing new battlegrounds in such areas as systems integration and service provision, new technologies continue to offer new opportunities and challenges.
There has been substantial debate in recent years over the local loop and access to the "final mile". Now, with apt timing given the current vogue in miniaturisation, the debate amongst some electronics companies and service providers is shifting focus from the final mile to the last 20 centimetres.
Operating at 13.56 MHz and with a planned data exchange rate of up to 1 Mb/s, Near Field Communication (NFC) technology may be the next essential enhancement to your mobile telephone or PDA. NFC technology has evolved from a combination of interconnection technology and contactless identification technology, such as RFID tags. It offers the ability to link electronic devices over a short distance (up to 20 centimetres or so) to transfer information from one device to the other. Once the two devices have established a peer-topeer network, another wireless communication technology, such as Bluetooth or Wi-Fi, can be used for longer range communication.
The new technology does however raise potential privacy, data protection and security issues. Ongoing processes of miniaturisation mean that some devices can be made to be virtually undetectable and are open to abuse by individuals, companies and official agencies. Unlike, for example, Bluetooth, which pings a device to see if it wants to connect before going through with the coupling, NFC needs no "permission" before making a connection between devices. Its backers claim that NFC is fully secure, ensuring the safe transfer of data between enabled devices, but it is also true to say that when Wi-Fi networks were first built out, many users failed to activate their default security settings, increasing the risk of hackers entering their networks either at work or at home.
In many ways, the extremely short distance over which NFC operates mitigates against casual interception of communications. In addition, having an NFC-enabled phone adds another level of security over the traditional smart card embedded in the credit cards we use every day, as the power can be turned on or off, and a passcode or voice biometric code may be used for higher-volume transactions. For applications that require tighter security, chips can be used to store biometric information for identification.
NFC will however enable rapid, contactless transfer of data which will lead to corresponding difficulties in tracing data transfers either within and out of organisations, in particular by disgruntled employees. The ease with which individuals will be able to transfer confidential information to a PDA in the office will require companies to introduce ever more stringent guidelines for their employees and security measures to prevent abuse of the new technology.
In relation to mobile phones, the additional data in respect of an individual's purchasing habits will impose further pressure on operators to ensure that data relating to individuals is kept confidential. Whilst this is less of a problem in the European Union where the relatively stringent provisions of the Data Protection Directive are well-enforced, in other jurisdictions this is not always the case.
A number of recent data haemorrhages have occurred in the USA. Several colleges have admitted security breaches where the personal data of hundreds of thousands of individuals have been illegally accessed. ChoicePoint, which has access to the personal data of every adult in the USA, recently had to announce that it had unintentionally made the private data of 145,000 individuals available to thieves. LexisNexis announced in March that intruders had accessed information including names and Social Security numbers of more than 300,000 customers. In the UK, some online banks have had their own wellpublicised problems. And these are large, well-funded organisations. Not surprisingly, there are few estimates of data breaches suffered by small businesses, not least because many of them are unaware of breaches when they occur.
Much of the stolen data is used for identity theft, seen by many as still a comparatively rare type of crime, but dramatically increasing. In the UK, there were approximately 130,000 reported cases of identity fraud in 2004. In the USA, however, the FTC estimated that 9.3 million Americans suffered from the same crime in the same period. The real figures are probably much higher.
Because nearly all of us own tri-band phones these days, there will be a risk that when we are travelling in jurisdictions outside the EEA and use our NFC-enabled phones to make purchases, the resulting data might be used in a manner inconsistent with the data protection laws to which we are accustomed. It is of course a wider issue than simply new technologies. It is perfectly possible today for somebody to steal and misuse our credit card details (indeed, offline fraud through stolen wallets and cheque books is still more frequently committed than online identity fraud). But developing technologies increase the risk to which we are exposed, both because the technology makes it simpler and quicker for us to purchase items electronically, and because our personal data will transfer between ever more service providers with each new method of purchase. With each data transfer, the potential for data exposure increases.
The 7th Data Protection Principle requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. As more employees carry additional personal data on their laptops and PDAs, the burden on their employers to ensure compliance with this standard will only increase.
This is an edited version of a longer article first published in the May 2005 issue of e-commerce law & policy.
On 9 March the European Commission launched a public consultation on RFID tags, to examine the principles which should be guiding any future regulation with respect to the issues of privacy and security which they raise along with the need for technical interoperability, spectrum requirements and international compatibility. This builds upon the existing inter-service group on RFID established last year, and will consist of a series of workshops to be held over the next three months to establish what consensus exists over the appropriate approach. A consultation document will be produced from the findings and published on-line in September for further feedback, leading among other outputs to possible amendments to the e-privacy Directive (Directive on privacy in the electronic communications sector 2002/58/EC).