I went to Nordstrom and all I got was this lousy tracking device

Jennifer McEwen, Apr 26, 2021 12:06:24 PM

Here's what privacy-savvy consumers should know about NFC notifications and RFID tags

A couple of weeks ago, I had a #TreatYoSelf moment and bought myself a sweet wallet. Then, over the course of the weekend, I noticed that I was getting NFC notifications and couldn’t figure out what was triggering them. Ping, ping, ping! They wouldn’t leave me alone!

I was hesitant to click the link but, alas, I caved and tapped. Turns out, it was a marketing link from the wallet manufacturer. After some research, I learned that, in 2016, the company started using RFID tags in an effort to verify the authenticity of their goods and fight counterfeits. Fair enough.

Then I realized that there’s no way to turn off the NFC reader on iPhones. That means anytime my phone is near my wallet, I get a notification from the wallet brand to visit their website.

In this scenario, what’s an annoyed customer to do? After all, it’s not feasible to have a notification pop up every time my phone is near my wallet. So I did a deep dive into NFC notifications, RFID tags, and what to do about them. Here’s what I found out. 

What is RFID?

Radio Frequency Identification (RFID) refers to a wireless system that has two main components: tags and readers. The reader is a device that has one or more antennas that emit radio waves and receive signals back from the RFID tag. In my situation, the RFID tag was inside my wallet without my knowledge. 

What is NFC?

Near-Field Communication (NFC) is a method of wireless data transfer that allows smartphones, laptops, tablets, and other devices to share data when in close proximity. Today’s smartphones are equipped with NFC technology. On Android devices, the NFC reader can be turned on and off. The NFC reader on iPhones is always on and cannot be turned off.

What’s the difference between RFID and NFC?

RFID is the process by which items are uniquely identified using radio waves, and NFC is a specialized subset within the family of RFID technology. Specifically, NFC is a branch of High-Frequency (HF) RFID, and both operate at the 13.56 MHz frequency.

What is NFC used for?

While you might not be familiar with the term, NFC actually powers a lot of tech that people use every day. For example:

Card Emulation: NFC technology powers contactless payments via mobile wallets like Apple Pay and Android Pay, as well as contactless cards.

Peer-to-Peer: NFC is commonly used for peer-to-peer payment and data transfer. When two enabled NFC devices are in range, a prompt will appear asking if you’d like to share multimedia and digital content (videos, contact information, or photos) with the other device.

NFC Tags: Passive NFC tags (small stickers embedded with NFC chips) don’t require power and can be programmed to perform certain tasks when scanned. NFC tags are incredibly versatile and can be used in many different ways. Here are just a handful of examples of how NFC chips can be applied when a device reads the tag.

  • At home: Set phone on vibrate, connect to speakers, automate common phone tasks such as calling Mom (or as I call my own, Nanay, which is Tagalog for mom).

  • In public: Scan metro passes, loyalty cards, join a cafe’s Wi-Fi network.

  • Marketing: Embed a link in the NFC tag to take users to your website, landing page, download link, and more. NFC tags can be utilized much like QR codes are used for marketing campaigns. A major drawback here is that a cyber criminal can easily corrupt a tag so it shares your personal information. Putting that aside though, following a link to an unsecured website leaves you exposed to tracking and ad targeting that will follow you around the internet.

So, what’s the problem?

The company, Ferragamo, announced in 2016 that they utilize NFC tags to verify the authenticity of their items to curb counterfeits. However, as far as I can tell, the only place the company has shared that they also use the tags to push marketing notifications to the buyer’s mobile device is deep in the Privacy Policy (and who even thinks they need to read the privacy policy of a wallet?). Further, iPhone users cannot turn off the NFC reader, so whenever an iPhone is close enough to the item, the user will get a marketing notification. If a user taps the notification, they are taken to the Ferragamo website where they may be identified, tracked, and retargeted for ads.

From their Privacy Policy, the embedded NFC tags collect “generic IP location, but without being able to precisely locate you.” Coupled with your personal data collected through their site, that collection of data can be processed, among myriad other ways:

  • To access and enjoy the contents by means of interaction with the tag placed inside Ferragamo products through your device, by using the Near Field Communication (NFC) technology; in the context of this activity, Ferragamo processes only general information related to the device you are using (device type, language, IP general localization), without processing any ID of your device (“Smart Tag”);

  • To combat and prevent the counterfeiting of Ferragamo products, by analysing data relating to when and where a tag stored inside a Ferragamo product is read by a device, by using the Near Field Communication (NFC) technology, to check for irregularities and clones; your device reads the ID tag and thus interrogates Ferragamo internal database; Ferragamo then detects the device type, language, IP general localization in order to ascertain whether products have been counterfeited (e.g., where the same tag has been read by two different devices located far away from each other). This processing activity does not imply the continuous monitoring of your location, nor whether a specific product has been counterfeited, and allows Ferragamo to gather general information related to counterfeiting (“Anti-Counterfeiting”);

And here’s how they collect data about you through their site.

2.1. As you use the Website or Social Pages, we inform you that Ferragamo may collect and process information related to you as an individual and which allows you to be identified (either directly or together with additional information), or which is related to other individuals (“Personal Data”), such as your name, an identification number, an online ID or one or more characteristic elements of your physical, physiological, mental, economic, cultural or social identity.

Browsing Data

2.A.1. The Website’s operation, as is standard with any website on the Internet, involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation. While Ferragamo does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information is also considered Personal Data.

2.A.2. This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on.

2.A.3. These data are used exclusively to compile anonymous, statistical information on the use of the Website, as well as to ensure its correct operation and identify any faults and/or abuse of the Website – the data is deleted immediately after processing, unless it must be used to identify responsible parties in the event of cybercrime committed which harms the Website or third parties, in which case information on web contacts may be kept for a period of 7 (seven) days.

The devil is in the metadata. None of these things are inherently bad. But, together, they can paint a vivid picture of who and where you are. And I believe that any reasonable person would not expect their clothing or small leatherwork item to be capable of tracking them for marketing purposes. 

NFC tags best practices

NFC tags are designed for convenience, not security. With that in mind, if possible, turn off your NFC reader when you aren’t using it. When you get an NFC tag notification, treat it as you would any unexpected link and use the same practices you already employ for email, DMs, SMS, or QR codes. 

  • Just like with email, DMs, SMS, and QR codes, if you receive an unexpected link from an unknown source, do not click or tap it

  • If you trust the source, first make sure you have a secure and private browser installed on your smartphone and set it as your default browser. The mobile version of Avast Secure Browser features a built-in VPN, ad-blocker, and full data encryption, which will automatically encrypt your internet connection and block ads from tracking you. 

  • If your browser supports DNS over TLS (which encrypts your DNS queries), make sure this is enabled as well before you tap the link. Avast Secure Browser offers secure DNS options for your iOS or Android device.

  • Additionally, Avast Secure Browser does NOT automatically download files by default. But for your peace of mind, you can double check this setting by going to Mode Settings > Basics to make sure “Download without asking” is toggled off.

  • Lastly, when you’re done, you can clear any cookies and site data associated with that link with just a tap! Open your tab menu and tap Nuke this site (Android) or Remove site data (iOS).
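The marketing tags described above carry their link as an NFC Forum "URI" record inside an NDEF message, which is what the phone decodes before it shows the notification. As an added illustration (not code from the original post, and not Ferragamo's or any manufacturer's own software), the Python below decodes such a record from raw tag bytes and reports what a privacy-conscious user would want to know before tapping: the scheme, the host, whether the link is HTTPS, and whether it carries utm_ tracking parameters. The tag bytes are constructed sample data; the prefix table follows the standard URI record definition, and the tracking check is a simple heuristic added for this example.

```python
"""Decode the URL stored on an NFC URI tag (NDEF format) and inspect it
before it is ever opened in a browser.

Added illustrative example, not code from the original post or from any
wallet manufacturer. All tag bytes below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# NFC Forum URI record: the first payload byte selects an abbreviation
# prefix that the reader prepends to the rest of the payload.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}

TNF_WELL_KNOWN = 0x01  # Type Name Format for NFC Forum well-known types


@dataclass
class NdefRecord:
    tnf: int
    type: bytes
    id: bytes
    payload: bytes


def parse_ndef_message(data: bytes) -> list[NdefRecord]:
    """Walk the records of an NDEF message.

    Record layout: flags/TNF byte, type length, payload length (1 byte if
    the SR flag is set, else 4 bytes big-endian), optional id length
    (IL flag), then type, id and payload bytes.
    """
    records, pos = [], 0
    while pos < len(data):
        flags = data[pos]; pos += 1
        tnf = flags & 0x07
        short_record = bool(flags & 0x10)
        has_id = bool(flags & 0x08)
        type_len = data[pos]; pos += 1
        if short_record:
            payload_len = data[pos]; pos += 1
        else:
            payload_len = int.from_bytes(data[pos:pos + 4], "big"); pos += 4
        id_len = 0
        if has_id:
            id_len = data[pos]; pos += 1
        rtype = data[pos:pos + type_len]; pos += type_len
        rid = data[pos:pos + id_len]; pos += id_len
        payload = data[pos:pos + payload_len]; pos += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append(NdefRecord(tnf, rtype, rid, payload))
        if flags & 0x40:  # ME flag: last record of the message
            break
    return records


def decode_uri_record(rec: NdefRecord) -> str:
    """Expand a well-known 'U' record into the full URI string."""
    if rec.tnf != TNF_WELL_KNOWN or rec.type != b"U" or not rec.payload:
        raise ValueError("not a URI record")
    prefix = URI_PREFIXES.get(rec.payload[0])
    if prefix is None:
        raise ValueError(f"unknown URI prefix code {rec.payload[0]:#x}")
    return prefix + rec.payload[1:].decode("utf-8")


def assess_uri(uri: str) -> dict:
    """Summarise the facts a user would want before tapping the link."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    # Heuristic for this example: utm_* parameters mark campaign tracking.
    tracking = sorted(k for k in query if k.lower().startswith("utm_"))
    return {
        "uri": uri,
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "is_https": parts.scheme == "https",
        "tracking_params": tracking,
    }


def inspect_tag(data: bytes) -> list[dict]:
    """Decode every URI record on a tag and assess each link."""
    return [assess_uri(decode_uri_record(r))
            for r in parse_ndef_message(data) if r.type == b"U"]


# Constructed sample tags: flags 0xD1 = MB|ME|SR, TNF=1; one 'U' record each.
# HTTPS link with a campaign parameter (prefix 0x02 = "https://www.").
SAMPLE_TAG = (bytes([0xD1, 0x01, 0x21]) + b"U" + bytes([0x02])
              + b"example.com/promo?utm_source=tag")
# Plain HTTP link (prefix 0x03 = "http://").
SAMPLE_HTTP_TAG = (bytes([0xD1, 0x01, 0x12]) + b"U" + bytes([0x03])
                   + b"promo.example/r/x")

if __name__ == "__main__":
    for tag in (SAMPLE_TAG, SAMPLE_HTTP_TAG):
        for report in inspect_tag(tag):
            print(report)
```

Running the block prints one report per sample tag; a reader that decodes the record this way can show the destination host and scheme in the notification itself, which is the information the "treat it as an unexpected link" advice above depends on.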