The issue is rather simple. A school has issued RFID badges to track attendance, a student refuses to wear the badge, she gets expelled, a judge issues a stay, an we are now waiting for the trial. I also wear a RFID badge at work every day, and that doesn’t bother me much (well, it bothers me a bit: I usually wear it “visibly”, but not too much, as I don’t like the idea of the dangling name tag around my neck). This badge helps me getting into offices; it could also help me get connected to internet, and many other things. However, there is a big difference: my badge is a proximity badge. When I want to enter a room, I wave it to a reader; when I want to access internet, I insert it in a card reader. I can be tracked, but there are clear limits on what can be tracked. In that particular schoool’s case, things are different: the badges are designed to be read from a distance, without any badgeholder interference.

This is transparency, of course, and it could make your life easier. Think about a restricted area’s door opening just because you are arriving: sounds nice, doesn’t it? That makes it more convenient than a standard badge. However, this convenience implies that you trust the badge’s issuer, at least enough to believe that they won’t read your badge to monitor your every movement, like how much time do you spend in your office (working), or elsewhere (potentially not working). Here, the issue is the lack of user engagement from the user. With such a system, the user ends up believing/fearing that she is the victim of pemanent surveillance, and this may just be true.

This problem is not specific to this case. Gemalto has a technology called eGo that faces similar issues. This technology communicates through the body to establish a secure link between a reader and a personal device. To take the access control example, a door could open when you touch it. It is better than simply using RFID, but not much. With this technology, you can be tracked whenever you touch something, and some people will (understandably) not like it. Of course, it is easy to design limits. For instance, one could imagine a specific, clearly marked pad that you have to touch in order to start the authentication: then, there is a specific gesture, which can be interpreted as an acknowledgement. For RFID, this is more difficult to do, especially in crowded areas like schools, where several badges are likely to be readable at any time.

This post is actually turning into advertisement for Natural Security. This startup proposes a contactless device that communicates with a fingerprint reader that can be integrated in a variety of envionments. When you swipe your finger, you are authenticated, and then a transaction can occur. You don’t need to take the card out of your pocket or purse, but you are doing a specific simple gesture to acknowledge your intention to do something. On top of that, you are authenticated, which is a nice bonus. Security, naturally and esaily; I guess that this is where the company name comes from.

Once again, no system is foolproof, and heavy surveillance could be achieved with most products, just like fraud remains possible in most cases. However, good security systems should allow/encourage the institutions and corporations who use them to respect their users’ privacy, just as much as they should encourage/force the end users to comply to the security rules. As I mentioned in the previous post, end users aren’t security providers’ customers, but they have rights, which are often hard to understan, and it is also our responsibility to help our customers respect these rights.

One final note about RFID at school. If this system is installed, it is likely that it will soon replace human checks, and sudents will be able to escape class or other oblgations by swapping badges or putting their badge in somebody else’s pocket. Why? Because a human being looking at badges performs an authentication by matching the ace on the badge and the face of the person wearing it, where a RFID system simply counts badges, and doesn’t care about human beings. What a package: you get less privacy and less security.

Yet, Apple thinks about embracing the technology. The Register, in the article, states that including NFC is a real step in the unknown, more than what Apple did before. Here, I don’t completely agree. In fact, it depends on what part of NFC they push forward. And here, Apple has plenty of ways to do things better than Nokia or others.

In many trials, the emphasis has been put on card emulation applications, in which a NFC phone replaces a payment card or a public transportation token, dematerialized into a NFC application, on some secure element bundled with the phone. This sounds very exciting for card people, but I am not sure how compelling such closed applications are to the general public, or at least, to the technophile crowd.

However, NFC also includes the ability to read and write tags, as well as the ability to perform peer-to-peer transactions. Although this has not been the main focus of NFC trials so far, it opens the door to many new applications. Apple filed two patents around RFID: one is an application, in which each network device is identified by a RFID tag, and inserted in a local network by presenting the tag to a reader included in the router (or maybe, on a NFC phone). The other one is about mixing a touch device and a RFID reader.

With its Application Store, Apple has the power to distribute applications that actually make innovative use of RFIDs. If Apple gets some inspiration from Nano:ztag or other fun devices, maybe that some of these applications can be really useful. And in addition, there are no deployment issues, like the ones that plague the card emulation NFC applications (Who owns the secure element? Who pays who?).

So, to make things short, although the smart card industry tends to think that NFC is a smart card technology, there are good chances that the part of NFC that in which the value really is is the RFID reader, because it enables innovative applications, without complex deployment schemes. In that vision, card emulation is not useless, it just holds more value. It is the cherry on the RFID cake: when NFC devices will be pervasive, and when deployment models will be clarified, this is quite likely to be a successful application of NFC.

But once again, not necessarily the application that makes NFC a success.