To understand why the fuss, and why this is of relevance to the digital money world, you need to understand a couple of technical architectures relating to mobile phones and the role of the Secure Element (SE). The SE doesn’t exist in phones yet, but it’s important because if we want to implement anything important (such as payments) inside a phone, we need somewhere to store cryptographic keys, and that somewhere needs to be tamper-resistant to a great degree. Thus we need a handset to have an SE. Ah! You might say: but handsets already have a tamper-resistant thingumy inside them, why not use that?
That’s a good point. In the modern way of things, the tamper-resistant chip thingumy in the handset is more properly called the UICC:
The UICC (Universal Integrated Circuit Card) is the smart card used in mobile terminals in GSM and UMTS networks. The UICC ensures the integrity and security of all kinds of personal data, and it typically holds a few hundred kilobytes. With the advent of more services, the storage space will need to be larger.
[From UICC – Wikipedia, the free encyclopedia]
Historically, we’ve tended to associate the UICC (in the form of a removable smart card) with one application only, the Subscriber Identification Module (SIM) that allows the phone to connect to a mobile network, and to refer to the combination as “the SIM”. But…
A UICC may contain several applications, making it possible for the same smart card to give access to both GSM and UMTS networks, and also provide storage of a phone book and other applications
[From UICC – Wikipedia, the free encyclopedia]
It can also contain more than one of each. Thus, you could have multiple “soft SIMs” inside one UICC (the special case where the UICC contains only one application, and that is a SIM, we will refer to henceforth as the “hard SIM”). Now let’s consider what happens when Apple add an NFC interface to their devices and therefore need an SE.
The filing also points to the inclusion of near-field communication (NFC) technology in upcoming iPhones — and, for that matter, in Macs and media devices such as the Apple TV.
[From Apple patent seeks to reinvent retail • The Register]
Where can the SE that makes the NFC interface useful go? Either we can plug in an SE (eg, a DeviceFidelity microSD) or we can add an SE to the UICC (the GSM Association, GSMA, preferred option) or we can build an SE into the device by adding it to the motherboard. The GSMA want the applications that control the NFC interfaces to be on the UICC, which kind of makes sense because if you take your UICC out of one phone and put it in another, then you’d want your SE applications (eg, your MasterCard, Oyster etc) to go with it. But not everyone thinks that the SIM is the key to this picture.
Suppose that instead of adding an SE, Apple add a UICC and put the SE in that? What this means in practice is that the UICC will be inside the iPhone or iPad or Mac, on the motherboard. But the SE need not be the only contents of the UICC. Why not put soft SIMs in there as well and do away with fiddly microSIMs? If I walk into the Apple Store in London and buy a 3G iPad, say, then the UICC could come with a default SIM application. Let’s say this is O2. When I take the iPad to France, instead of paying outrageous 3G roaming charges (and therefore leaving my iPad at home), my iPad will download a French operator’s SIM application and start using that. I won’t choose the operator — in fact I won’t even know this is going on, because Apple will simply negotiate with mobile operators to provide commodity service.
In other words, perhaps we move to a world in which the operators’ SIM connectivity function becomes just software running on someone else’s physical card.
[From Dean Bubley’s Disruptive Wireless: Apple, embedded SIMs, NFC and mobile payments – some speculation]
Dean is spot on. And you can see plenty of positives in this architecture. If you’re not a mobile operator, that is. If you’re a mobile operator, this is another step towards being nothing more than a pipe. As a customer, I think I’d be quite happy with the mobile operators as a pipe, selected purely on a cost/QoS basis (and competing with each other on that basis). After all, they haven’t (in Europe) got very far with “smart pipe” services such as, just to name two examples, digital money and digital identity. So the Apple UICC containing soft SIMs and an SE may not be such a bad architectural option for consumers. But…
The operators are privately saying they could refuse to subsidise the iPhone if Apple inserts an embedded subscriber identity module, or Sim card.
[From FT.com / Telecoms – Apple warned over built-in Sim cards]
There are other people in this value chain too, such as smart card manufacturer Gemalto, who were rumoured to be making the Apple UICC.
Gemalto explained to us why such a deal, which involved a significant amount of devolution from the mobile phone operators to the mobile phone manufacturers, is unlikely to happen without the tacit approval of network carriers themselves.
Gemalto has been a strategic partner for mobile phone operators for more than a decade now (the company is the biggest SIM manufacturer in the world) and gets the majority of its revenue (more than 60 per cent of last year’s 1.654 billion Euros).
[From Gemalto : No Apple iPhone 5 Deal On The Table Yet | ITProPortal.com]
Quite. But let’s just go back over another main point: in order to provide payments, or other useful services, via NFC it is not necessary to have the co-operation of the carriers.
Visa’s approach “shows that basically there’s nothing that the carriers can do that the [payment] networks can’t do without them,” McPherson said.
[From Mobile Payments Set for Surge, But Who’ll Set the Pace? – American Banker Article]
The mobile operators have no acceptance at retail POS so they have to work with payment scheme partners to reach scale, but other payments players don’t need the operators. They can put stickers on the back of phones, plug microSD into handsets or use the NFC interfaces that will be built in by Google, Apple and RIM. Since customers will come to expect these services, they will eventually get built in to all handsets. Unless the operators can launch highly functional NFC platforms quickly (which they probably should have started doing a couple of years ago) then they will be out of the loop.
Issuing hard SIMs is expensive, so if the operator’s connection with the customer is downgraded, there is no point in doing it and the operators would save money by providing soft SIMs to any UICC that they can bill to. So I think the situation is this: in the future, many devices will have a UICC built in. This UICC will function as an SE for NFC interfaces. The UICC will store a number of soft SIMs, not only for mobile phone communications but for future 4G and 5G communications. The UICC will also hold standard digital money and digital identity applications. And instead of Vodafone and Telefonica controlling the matrix, Apple and Google will.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public
The big problem with all this is that security is never perfect. The ability to download (or clone) a SIM or bank card in the wrong hands would be a disaster. With the physical bank card or SIM at least the banks/operators have some control over risk – they can go through security evaluations of their chosen card suppliers and cards/SIMs tend to be personalised in secure facilities. If Apple’s UICC has a flaw would they be willing to underwrite all losses incurred from cloning? One of the other big issues is how does an operator/bank “know” it is downloading a SIM/bank application to a secure UICC or to something pretending to be one that isn’t secure at all. These issues are the elephants in the room of the brave new world you describe.
Haven’t Amazon already done this to a degree with the Kindle? And it’s FREE 3g to boot!
From the Amazon.co.uk website:
‘Built-in Free 3G connectivity uses the same wireless signals that cell phones use, but there are no monthly fees or commitments—Amazon pays for Kindle’s 3G wireless connectivity. The added convenience of 3G enables you to download books anytime, anywhere on the go—without having to find a Wi-Fi hotspot connection. With wireless coverage in over 100 countries and territories’
Yes that’s a good comparison and it hadn’t occurred to me. No-one with a Kindle cares less about which 3G network they’re actually connected to.
“how does an operator/bank “know” it is downloading a SIM/bank application to a secure UICC or to something pretending to be one that isn’t secure at all”
Very good point. This is why the world of keys and certificates and devices is so fascinating.
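The check raised in the comments above, sketched as an added example (not part of the original post or its comments): the manufacturer endorses each UICC's public key, and the operator verifies that endorsement plus a signature over a fresh nonce before releasing a SIM or payment application. Ed25519, the simplified `Endorsement` used in place of an X.509 certificate, and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Endorsement: manufacturer's signature over a UICC public key (assumed stand-in for a certificate).
type Endorsement struct {
	DevicePub ed25519.PublicKey
	Sig       []byte
}

// Device models a UICC; priv would never leave the tamper-resistant chip.
type Device struct {
	priv ed25519.PrivateKey
	End  Endorsement
}

// NewDevice generates a device key and has signer endorse it.
func NewDevice(signer ed25519.PrivateKey) Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Device{priv, Endorsement{pub, ed25519.Sign(signer, pub)}}
}
// Attest signs the operator's fresh challenge with the device key.
func (d Device) Attest(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// OperatorAccepts: key endorsed by a trusted manufacturer AND it signs our fresh nonce.
func OperatorAccepts(trusted ed25519.PublicKey, e Endorsement, nonce, sig []byte) bool {
	if len(e.DevicePub) != ed25519.PublicKeySize || !ed25519.Verify(trusted, e.DevicePub, e.Sig) {
		return false // not a UICC from a manufacturer the operator evaluated
	}
	return ed25519.Verify(e.DevicePub, nonce, sig)
}

// Demo returns verdicts for a genuine UICC, an impostor and a replayed answer.
func Demo() (genuine, impostor, replay bool) {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // impostor's own "manufacturer"
	n1, n2 := make([]byte, 32), make([]byte, 32)
	rand.Read(n1)
	rand.Read(n2)
	card, fake := NewDevice(mfrPriv), NewDevice(roguePriv)
	return OperatorAccepts(mfrPub, card.End, n1, card.Attest(n1)),
		OperatorAccepts(mfrPub, fake.End, n1, fake.Attest(n1)),
		OperatorAccepts(mfrPub, card.End, n2, card.Attest(n1)) // old answer, new nonce
}
func main() { fmt.Println(Demo()) }
```

The endorsement only transfers trust to the manufacturer's evaluation and key handling; it cannot detect a chip whose flaw lets the private key be extracted and copied.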