We write a lot about NFC technology and its power to change pretty much everything from the way you shop, to the way you exchange information with other phone owners to advertising and so on. Many interesting innovations involve smartphone NFC tech, but it’s not all for good. The United Arab Emirates plans to incorporate NFC into its newish National ID card scheme.
The government has just begun work with local cell phone operator Etisalat to get the project off the ground. Etisalat, remember, was caught in 2010 trying to force a “network upgrade” code patch to its BlackBerry users that was instantly identified as plain old officially sanctioned spyware. So right from the start, this partnership isn’t sounding like the best friend of human rights.
But it gets worse. The National ID card scheme, created in 2004 in its modern smart-card guise, means every citizen has an official ID number which is associated with their chip-enabled card. On its tiny sliver of silicon it also carries personal identification information, a photo, and digitized versions of the owner’s fingerprints. Carrying your ID card is mandatory, all the time. To be fair, the various parts of the UAE have been a bit lenient with imposing the scheme, but its all-encompassing power is still a bit threatening.
In some ways, popping this information into a smartphone seems like a great idea. The card is a legal requirement, and losing it must be a pain in the ass for citizens–and we all know how easy it is to misplace a tiny credit-card sized slip of plastic. Embedding the data into a phone means it may be harder to lose, as you’ve got more of an incentive to keep hold of your smartphone nowadays because of the way it keeps you digitally connected to the world, and because of all the really personal data you hold inside like credit card numbers and passwords.
But the weird thing is that if you embed your ID into your phone, then you’re probably legally mandated to carry your phone with you. Everywhere, assuming you’re not carrying your old-fashioned card, that is. And it doesn’t even matter if the phone’s battery is dead because, depending on what NFC implementation the UAE authorities ultimately plump for, the NFC ID information could be read anyway–the antenna in the NFC loop can actually power the NFC chip to radiate its information out (which is how your train ticket systems work). You’d basically have to haul your phone around at all times, even if it were out of juice.
And, again dependent on what NFC tech the UAE chooses, there’s the possibility of remote-readable NFC systems. The kind you’re probably familiar with from ticketing or secure door entry systems need very close proximity between reader and card–partly due to the laws of physics. That’s why sometimes you have to wiggle your wallet on the sensor pad to get the card to “ping.” But there’s no reason that an NFC card can’t be activated by a remote sensor system, if it’s carefully designed.
That’s a bit worrying. Of course the ID information inside will be encrypted, and probably only government-approved people will carry the technology that can remotely read and decrypt the information. But hackers do exist, and weak encryption was probably one of the reasons a digital ID card scheme that was once proposed for the U.K. was eventually tossed out. And quite apart from hacking, there’s the issue of “feature creep” on behalf of the authorities. Because once you’ve got remote-readable NFC cards, then how tempting would it be–for the purposes of anti-terrorism–to install public reader systems in train stations or public spaces? No one’s saying the UAE authorities are actually going to do this, but the idea should give you pause. Especially when you remember the bizarre Mexican iris-scanner public-tracking scheme.
Now, skip to 2015 when more of us are carrying NFC-enabled smartphones, and some of the stickier problems around agreed-upon information-storage standards have been worked out. At this point we may be comfortable having our credit card info and Starbucks loyalty card info inside our phone, and we’re probably highly adapted to the tech. Wouldn’t it be a natural step to put your driving license and passport information in there too–in a highly encrypted form, of course? The authorities would probably love it, as faking ID would be a whole bunch trickier.