Battle continues with consumers at mercy of mobile operators
Mobile devices are quickly becoming a key tool for ID credentialing, but a lack of standardization of the secure element along with legal questions are causing confusion for organizations considering use of the devices for IDs.
Control of the secure element is also an issue with near field communication because that’s where crucial payment card data will be stored. Overall, the choices consumers have when it comes to identity credentials and possible payment technology options won’t depend on the handset they choose. It’s more likely that the carrier will dictate what kind of services they may be able to access for identity credential and payments.
This will impact Bring Your Own Device initiatives within corporations and government agencies. Since the consumer doesn’t have control of the secure element, in order to securely load identity credentials on to handsets, partnerships will have to be in place that enable them to be stored on a handset’s secure element. Will organizations be willing to partner with multiple carriers or will they choose to limit the carrier and handset options available to employees?
Credentials can be securely stored on a mobile device in three areas: a SIM card or UICC, a microSD card and an embedded element. To allocate credentials into the secure element, a trusted service manager divvies up space between service providers, each having access to a dedicated area within the secure domain that is unique to them, says Juan Lazcano, vice president of sales in communication at Gemalto.
The secure element has one set of “master keys,” meaning one entity can control it, says Jeff Miles, vice president of mobile transactions at NXP. “A landlord, if you will, owns the rights to that chip.” And in most cases it’s not the consumer who controls that secure element.
With the SIM card, the network controls the secure element. With a microSD card, a third-party entity can have control. When the secure element is embedded directly into a phone, the handset manufacturer owns the secure element but may have to transfer that ownership to the end user or network operator.
Legal questions surrounding the secure element are somewhat uncharted. “The use of the mobile device as an authenticator raises very interesting property law questions. The determination has to be made with property interests and property rights,” says Tim Reiniger, an attorney with FutureLaw.
Having the mobile devices used as an identity credential involves multiple parties: the device owner, the owner of the secure element and the owner of the credential. Having multiple owners of different aspects of one device is not a new concept. In property law, there can be multiple owners in the same object or resource, especially in the area of real property, such as joint tenants or easement rights, says Reiniger.
Comparing the options
A SIM card is in many phones today and it’s removable. However, it may not work from device to device, and if an individual changes carriers, the credential also changes. SIM cards are also costly, and replacing them is expensive. Networks own the rights to the SIM card, says Miles.
Carriers are able to lock the SIM and prevent it from being used on other networks. For wireless carriers, this is important for subscriber retention. “There’s definitely strong interest from a carrier, once they’ve enabled a subscriber to keep them as a subscriber,” says Lazcano.
For the microSD option, ownership my pass on to the consumer, says Lazcano. It can be put into any phone equipped for microSD and locked. When the owner wants to change phones, he just unlocks it, removes it, puts it into a new phone and locks it again.
An embedded element can offer better performance, Miles says. “The embedded solution probably delivers the easiest as far as implementation,” says Miles, adding that the ownership then lies with the handset manufacturer. Manufacturers, however, may need to transfer ownership to the consumer.
Once a device has a determined secure element, an entity needs to be able to load credentials onto it. Depending on the relationship the carrier had with a trusted service manager this may limit what can be loaded on to the secure element. “There’s always going to be an entity managing and loading credentials onto the secure element,” Lazcano says.
This will also prevent users from downloading viruses or malware. To prevent that, someone will manage the credentials, and subscribers will rely on what services are offered to them, explains Lazcano. “Subscribers can request different keys on the card, like a Hilton key, etc., and a trusted service manager will make them available,” says Lazcano.
Standardized secure elements?
It remains unclear which element will win out. Lazcano says that the wireless carriers, not the device manufacturers, are driving most of the pilots and developments around the world. Wireless carriers tend to put more emphasis on making sure the secure element is removable and can be transferred from phone to phone.
However, Lazcano says if the wireless carriers don’t succeed in pushing their secure element, manufacturers may push their own.
There may never be one sole standard for the industry, Miles says. There may even be multiple secure elements within a single handset. For example, Facebook could use one secure element for accessing their services, while credit card information goes on a SIM or somewhere else.
Handset manufacturers and networks may also drive the choice of the secure element depending on what services they can offer the consumers, says Miles. Manufacturers will experience success directly proportionate to innovation and the unique things they can do.
Networks also can provide services that consumers can’t get elsewhere. “How much value can you derive for the consumer in the end?” asks Miles.
Ultimately, consumers will make the decision on what the secure element will be–and their choice may not have anything to do with which part of the phone holds the element. “‘I want this phone because it does this,'” says Miles. “That will win the battle of the secure element.”
Legal issues surround control of secure element
Ownership of the secure element raises key questions from a legal perspective. Who has the right to dictate the use of the mobile device? Who is responsible when there is an authentication failure? With different ultimate owners, each type of secure element potentially transfers responsibility for failures to different parties, says Tim Reiniger, an attorney with FutureLaw.
“Entities trying to position themselves to control the element are aware of implications regarding liability and regarding authentication failure,” says Reiniger.
For protection, these entities are attempting to use contracts to limit or shift the liability, says Reiniger. “The liability never disappears. It has to fall on some person or entity, so all the players are looking for ways to address it,” says Reiniger. And without legislation, the use of contracts is the primary available method.
Another related issue is how the secure element will impact the network access rights of the device holder. “That’s an issue that is related to copyright questions and will need to be worked out by the legal system,” says Reiniger.
This could have implications for corporations with Bring Your Own Device policies. “Ultimately, the owner of the secure element has the right to control overall use and access to networks. It is serving a gatekeeper role,” says Reiniger, adding that the owner of the secure element would have the ability to shut off a person’s access at anytime.
Predictably, concerns have emerged regarding what rights the consumer has to prevent access from being shut off or subsequently restore terminated access.
Reiniger says the government is taking a wait and see approach in terms of liability for the owner of the secure element. However, the Commonwealth of Virginia is now studying legislation to address the allocation of liability for identity credential providers, users and relying parties. “That would obviously have implications for mobile devices being used as ID credentials,” says Reiniger.
Virginia is the first state to contemplate legislation addressing liability issues, with interest being driven by technology companies in the northern part of the state that deal with federal employees and contractors. Reiniger says it has been studying it for a year and may have a law in place as soon as July 2013.
U.S. carriers drag feet on NFC handsets
While international carriers have accepted NFC, U.S. mobile network operators seem reluctant, if not skeptical about the new technology. Europe and Asia offer a variety of NFC-enabled handsets and services, but U.S. carriers offer few, if any options.
At present, there are less than 20 NFC-capable mobile devices available to consumers in the states, according to NFCNews/re:ID research. This may be changing, as major carriers claim that NFC will be a standard feature on a number of upcoming devices.
Reasons suggested for the lag in adoption vary, but a yet-to-be-defined business case leads the pack. Charge-happy mobile carriers may just be waiting for an ongoing revenue stream to emerge. Or, the operators may be buying time as they wait for their own NFC payment and loyalty schemes to take off.
Some carriers in the U.S. have gone so far as to turn off or deactivate the NFC capability in handsets they offer that happen to include it. While AT&T offers the Samsung Galaxy SIII, it disables the NFC technology on the handset. Verizon also handicapped the handset originally, but later enabled the functionality. Insiders suggest that AT&T and Verizon did this because, as founders of the new ISIS payment network, they did not want their customers using competitor Google Wallet.
Delayed adoption aside, expect U.S. mobile carriers to offer a number of additional NFC-capable options in 2013.
NFC-enabled phones in the U.S.
HTC EVO 4G–Sprint/Virgin Mobile
HTC One X–AT&T
HTC DROID Incredible 4G LTE–Verizon
Blackberry Curve 9360–T-Mobile/AT&T
Blackberry Bold 9900 4G–T-Mobile/AT&T
Blackberry Curve 9350–Sprint
Blackberry Curve 9370–Verizon
Blackberry Bold 9930–Verizon/Sprint
Samsung Galaxy Nexus–Sprint
Samsung Galaxy Nexus 4G–Verizon
Samsung Galaxy Note–AT&T/T-Mobile
Samsung Galaxy S Blaze–T-Mobile
Samsung Galaxy S II–AT&T/T-Mobile/Sprint
Samsung Galaxy S III–AT&T/T-Mobile/Sprint/Verizon
LG Optimus Elite–Virgin Mobile/Sprint
LG Viper 4G LTE–Sprint