The development of technology has long been the major driver behind the growth of the communications industry. The move from copper pairs to fibre optics; the replacement of PDH with SDH transmission systems; and the irresistible rise of the Internet, supplementing then supplanting other network structures, are all obvious examples from the telecommunications sector. As the communications market finally moves towards full convergence, establishing new battlegrounds in such areas as systems integration and service provision, new technologies continue to offer new opportunities and challenges.
There has been substantial debate in recent years over the local loop and access to the “final mile”. Alternatives now include ADSL, ADSL Lite, HDSL, or VDSL over cable, and CDMA transmission provides limited wireless capability. Now, with apt timing given the current vogue in miniaturisation, the debate amongst some electronics companies and service providers is shifting focus from the final mile to the last 20 centimetres.
Operating at 13.56 MHz and with a planned data exchange rate of up to 1 Mb/s, Near Field Communication (NFC) technology may be the next essential enhancement to your mobile telephone or PDA. The potential to transfer photographs from a mobile phone to an enabled television, or to download games and other applications from the web simply by holding one’s PDA next to an enabled PC, offers obvious attractions to both consumers and retailers.
NFC technology has evolved from a combination of interconnection technology and contactless identification technology, such as RFID tags. It offers the ability to link electronic devices over a short distance (up to 20 centimetres or so) to transfer information from one device to the other. Once the two devices have established a peer-to-peer network, another wireless communication technology, such as Bluetooth or Wi-Fi, can be used for longer range communication.
The new technology does however raise potential privacy, data protection and security issues. Ongoing processes of miniaturisation mean that some devices can be made to be virtually undetectable and are open to abuse by individuals, companies and official agencies. Unlike, for example, Bluetooth, which pings a device to see if it wants to connect before going through with the coupling, NFC needs no "permission" before making a connection between devices. This may help to boost the popularity of the technology in its chosen target markets of gaming, ticketing, music and home shopping, but in other areas, there are concerns that the technology might be abused. Its backers claim that NFC is fully secure, ensuring the safe transfer of data between enabled devices, but it is also true to say that when Wi-Fi networks were first built out, many users failed to activate their default security settings, increasing the risk of hackers entering their networks either at work or at home.
In many ways, the extremely short distance over which NFC operates mitigates against casual interception of communications. In addition, having an NFC-enabled phone adds another level of security over the traditional smart card embedded in the credit cards we use every day, as the power can be turned on or off, and a passcode or voice biometric code may be used for higher-volume transactions. For applications that require tighter security, chips can be used to store biometric information for identification.
NFC will however enable the rapid transfer of data which will lead to corresponding difficulties in tracing data within and without organisations, in particular by disgruntled employees. The ease with which individuals will be able to transfer confidential information to a PDA in the office will require companies to introduce ever more stringent guidelines for their employees and security measures to prevent abuse of the new technology.
In relation to mobile phones, the additional data in respect of an individual’s purchasing habits will impose further pressure on operators to ensure that data relating to individuals is kept confidential. Whilst this is less of a problem in the UK where the relatively stringent provisions of the Data Protection Act 1998 are well-enforced, in jurisdictions such as the United States and elsewhere in the world, this is not always the case.
A number of recent data haemorrhages have occurred in the USA. Several colleges have admitted security breaches where the personal data of hundreds of thousands of individuals have been illegally accessed (this figure is no exaggeration – Boston College alone lost the personal data of up to 120,000 alumni, including Social Security Numbers; and an employee of the University of California, Berkeley lost a laptop containing similar details in respect of 98,000 graduate students and applicants). ChoicePoint, which has access to the personal data of every adult in the USA, recently had to announce that it had unintentionally made the private data of 145,000 individuals available to thieves. LexisNexis announced in March that intruders had accessed information including names and Social Security numbers of more than 300,000 customers. In the UK, some online banks have had their own well-publicised problems. And these are large, well-funded organisations. Smaller businesses may have fewer customers, but equally the data they hold may be more accessible to hackers, because such businesses do not always avail themselves of the most advanced security measures. Not surprisingly, there are few estimates of data breaches suffered by small businesses, not least because many of them are unaware of breaches when they occur.
Much of the stolen data is used for identity theft, seen by many as still a comparatively rare type of crime, but it is on the increase. In the UK, there were approximately 130,000 reported cases of identity fraud in 2004. In the USA, however, the FTC estimated that 9.3 million Americans suffered from the same crime in the same period. (For the record, Arizona is ranked number one in the country for both fraud thefts and identity thefts). And these are the reported cases. The real figures are probably much higher. Interestingly, CIFAS (the UK fraud prevention service established by the consumer credit industry) argues that part of the problem in the UK is the fact that, unlike much of the rest of Europe, the UK does not have an ID card system or a central 'identity database'. It has suggested that organised crime targets the UK because of the less stringent laws in this country on the identification of individuals. The USA, however, has a ID card system based on driving licences, but still suffers worse fraud than the UK.
Because nearly all of us own tri-band phones these days, there will be a risk that when we are travelling in jurisdictions outside the EEA and use our NFC-enabled phones to make purchases, the resulting data might be used in a manner inconsistent with the data protection laws to which we are accustomed. It is of course a wider issue than simply new technologies. It is perfectly possible today for somebody to steal and misuse our credit card details (indeed, offline fraud through stolen wallets and cheque books is still more frequently committed than online identity fraud). But developing technologies increase the risk to which we are exposed, both because the technology makes it simpler and quicker for us to purchase items electronically, and because our personal data will transfer between ever more service providers with each new method of purchase. With each data transfer, the potential for data exposure increases.
And as more employees carry additional personal data on their laptops and PDAs, the obligation on their employers to implement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data under the seventh Data Protection Principle will only increase.
It may be that in the medium term the current problems being experienced in the United States will lead to the introduction of federal data protection and privacy laws. In the short term, however, each new technology we introduce will raise new legal issues.
First published in the May 2005 issue of e-commercelaw&policy.