Two Chief iBeacon Threats: Privacy and Security

By bcunningham - On Jan 16 - In Blog, Mobile Insight

Privacy and Security are Top-of-Mind Concerns with iBeacon

A question popped up recently on Twitter from our friends at Blue Rocket:



Blue Rocket, thanks for asking! In this post, we’ll discuss the two primary concerns, and our solution for both. (FYI: if you’re new to Bluetooth Low Energy (BLE) and iBeacon, please check out our video introduction to get acquainted before diving any deeper.)

iSpy with My Little iBeacon…

Lots of folks have been seriously concerned about their privacy since Apple’s iBeacon became a tech media darling in 2013. One recent Pew Report cited by Pando Daily indicates that while many smartphone users want to use their phone to navigate, the majority do not want their phone’s navigational capabilities to be used to target them. They are also more accepting of being tracked online than offline.

Consumers shouldn’t fret. iBeacon and BLE beacons are completely incapable of tracking you if you haven’t opted in. Opting in takes several steps (downloading an app, turning Bluetooth on, and turning location services on), so being signed up without your consent is simply not an option.

Why would you want to do that? If you can obtain value from a service, research suggests you might even LIKE being tracked, says Doug Thompson of the BEEKn blog. In line with Doug’s hypothesis, we at BestFit are confident that our solutions include winning experiences, where signing up is a no-brainer!

iBeacon Security 101

In the news today is a newly published Apple patent that’s a very strong indicator that more is coming from them, soon, in the way of mobile payment systems. According to MacRumors and Patently Apple, it describes “a method that would send payment data through various wireless interfaces without compromising the user’s data.” And the perfect channel for that? Oh, yes – iBeacon. Obviously, these things have to be secure, lest Apple be the next Target disaster.

Cardinal rule #1: Beacons are very simple devices. They send out an identifier (which your phone knows to look for) and receive basic commands from your device.

Cardinal rule #2: No sensitive information should EVER be sent through Bluetooth. Highly personal data (credit card information, etc.) should be handled elsewhere.

A BLE beacon comprises two layers, one public and one private:

The public advertising layer is the one everyone is most familiar with. It sends out an identifier called a “Broadcast ID,” which your phone looks for. At this most basic level, it’s discoverable by anyone. This is how the guys at MAKEzine were able to “hack” into the CES Scavenger hunt. And it’s true, Estimote beacons can be hacked. But, at this level, so can any beacon. See cardinal rule #1.

However, additional private service layers, each with identifiers called “Service IDs,” can also be built into a beacon, and have the capacity to contain encrypted data (characteristics) for each transaction. These are the types of behaviors or requests the beacon would safeguard:

  • “Make a payment with my card.”
  • “What I’m looking at.”
  • “Where I am right now.”
  • “I’ve been here for three minutes.”

There’s no limit to the number of commands the beacons can receive. But, remember cardinal rule #2? Highly sensitive information (such as your credit card number) should never, ever be sent through Bluetooth. Therefore, rest assured: we build our solutions’ business rules with this in mind.

iBeacon Safety, In a Nutshell

No, you don’t have to worry about someone stealing the little beacons in your local mall and downloading all of the data. Remember, the beacons just pass information along to the cloud. They don’t store anything. And no, you also don’t have to worry about someone stealing a store associate’s iPad and getting a record of everything. The Associate device is also merely a transmitter of information to the cloud.

This technology is no more or less secure than logging online and completing a transaction with any eCommerce site out there, today. It simply digitizes the “old way” of standing in line to ask for help, or to complete a transaction. All of the physical “queues” are now handled by BLE beacons and the cloud, to make things quicker and simpler for you.

The moral of the story: if you truly want to be off the grid, learn how to lock your phone. Or maybe don’t buy a “smart” one, altogether. And don’t shop online. Actually, don’t get on Facebook. They’ll catch you there, too. The dark side has cookies everywhere. :)

Please tweet @BestFitMobile with more questions!

