Is NFC a mechanism to track all transactions?

[Steve]

In the thread about Eric Schmidt's comments regarding Bitcoin, I began digging into Google Bucks.  It turns out he mentioned it in his 2011 keynote at the Mobile World Congress (see the other thread for the video and time ranges).  During that segment he also talks about NFC.  He mentioned a secure, 80 byte code that is embedded into NFC devices.  Previously I had just thought of NFC as a communications protocol, but these comments made me think there's more to it.  If NFC devices have an 80 byte code embedded in them, then presumably this is a private key of some sort.  If these devices are only available through providers that collect identifying information about you (i.e. mobile carriers that make you pledge your first born to obtain a phone), then surely they can connect any NFC device back to an individual.  And if they can do that, they can trace your every financial transaction (and if it becomes popular enough, perhaps your every communication).  I'm not an expert on NFC, but I wonder whether the standard is such that any person can create their own NFC device with a uniquely generated private key (good), or if they've instituted measures that ensure NFC devices (and the associated private key) can only be obtained through channels that would connect your identity to this NFC key (very bad).  I'm concerned it's the latter.

This poses the question: is NFC actually a strategy to institute a system whereby all communications (especially financial communications) can be tracked (by institutions that don't have your best interests in mind).

[1714958260]

1714958260

[1714958260]

1714958260

[1714958260]

1714958260

[Phinnaeus Gage]

http://sequent.com/Cata-Sequent

NFC is moving credit cards, keys, ID cards and other credentials into mobile devices, combining the maturity of the payments industry with the innovation of the mobile ecosystem. Sequent bridges both worlds.

Sequent collaborates with existing industry stakeholders – secure element owners, credential issuers, OEMs, mobile operating system providers – to deliver a rich NFC experience to consumers. Sequent is reshaping conventional industry roles, allowing legacy players to excel and be profitable in their core businesses, doing what they do best.

Sequent Secure Element Management administers access to any type of secure element on any mobile device and enables storage of any card issued by any credential manager. Sequent acts as a neutral Trusted Service Manager (TSM), but is not a credential issuer. Sequent Core Card Services let developers build rich NFC apps while protecting the integrity of the secure element. Putting it all together, Sequent makes it easy for users to access all their credentials from all apps on all mobile devices – to fully enjoy the benefits of NFC.

[Steve]

I guess my reaction would be: Isn’t that why we’re all here? We want to be free from easy access to our financial transactions and to not be molested by grotesque transaction fees & taxes? Or is that just why I’m here?

That's a different question.  I had assumed (like I think many others may have assumed) that NFC was just another communications protocol (like bluetooth, wifi or tcp/ip).  But I now question whether it's a protocol that enables institutions to track your financial activity.  I suppose that even an ethernet device (with its MAC address) could be used similarly if it were only possible to purchase ethernet devices in conjunction with the revelation of your identity (but fortunately, Fry's accepts physical cash for payments).  Since NFC is very closely tied to mobile devices and carriers which collect personally identifying information, I'm concerned that NFC is a mechanism to bind a someone's identity to every NFC device that is issued and enable the tracking and identification of every bit of communications (financial or otherwise) from those devices.

I've not studied the NFC standards, so I could be completely off base.  But if this is true, then the message about NFC and it's privacy issues needs to get out.  This is the kind of thing that should be on the front page of slashdot.

[Steve]

http://sequent.com/Cata-Sequent

Wow…"credential issuer" …how could have I have been so ignorant about this.  So, why isn't every privacy advocate on the planet up in arms about NFC?

[kjj]

In the thread about Eric Schmidt's comments regarding Bitcoin, I began digging into Google Bucks.  It turns out he mentioned it in his 2011 keynote at the Mobile World Congress (see the other thread for the video and time ranges).  During that segment he also talks about NFC.  He mentioned a secure, 80 byte code that is embedded into NFC devices.  Previously I had just thought of NFC as a communications protocol, but these comments made me think there's more to it.  If NFC devices have an 80 byte code embedded in them, then presumably this is a private key of some sort.  If these devices are only available through providers that collect identifying information about you (i.e. mobile carriers that make you pledge your first born to obtain a phone), then surely they can connect any NFC device back to an individual.  And if they can do that, they can trace your every financial transaction (and if it becomes popular enough, perhaps your every communication).  I'm not an expert on NFC, but I wonder whether the standard is such that any person can create their own NFC device with a uniquely generated private key (good), or if they've instituted measures that ensure NFC devices (and the associated private key) can only be obtained through channels that would connect your identity to this NFC key (very bad).  I'm concerned it's the latter.

This poses the question: is NFC actually a strategy to institute a system whereby all communications (especially financial communications) can be tracked (by institutions that don't have your best interests in mind).

NFC is a communication system.  Essentially very short range radio.  Actually, it is an extension of RFID, from what I can tell.  My guess is that someone's patents were expiring, so they came to the amazing revelation that two intelligent devices may want to communicate with each other, rather than always assuming that the peer was an unpowered tag.

And since it looks like something very close to 100% of all NFC communication today is along the lines of "Here is my credit card number!", it doesn't seem productive to get upset that your phone is identifying itself at the same time.

[Wandering Albatross]

This poses the question: is NFC actually a strategy to institute a system whereby all communications (especially financial communications) can be tracked (by institutions that don't have your best interests in mind).

(I don't even know what NFC is)
Everything's setup so that you can be tracked.  Why would they not do this? Because they don't need the extra control point? They have enough already?

[BusmasterDMA]

Devices other than smartphones (not tied to a service account) will have NFC chipsets as well.  Also second-hand marketplaces exist for purchasing phones without service contracts.

[Mike Hearn]

NFC is just an air protocol, you can already send Bitcoins via NFC (check out the android bitcoin wallet app).

The confusion arises from the fact that the primary "use case" for NFC has, historically, been credit card payments. The radio and application layers are not cleanly separated in NFC deployments for security reasons. The Nexus S/Galaxy Nexus phones have "secure elements" inside them, basically smartcard chips, which are wired to the NFC radio at the hardware level. Therefore it's very common for people to use "NFC" as a shorthand for mobile payments.

Hopefully now Ice Cream Sandwich has support for non-payment related NFC uses, this kind of semantic lazyness will go away.

With regards to tracking, your phone is already tracked by governments and even private companies (see HLR lookup services).