Why Are Google and Verizon Fighting Over The TPM Chip In Your Phone?

I’ll give you a hint: it’s not about using NFC to exchange business cards, and it’s not even primarily about mobile payments. Why does Google want the TPM/NFC module in your phone integrated into the phone, and Verizon wants it in the SIM card? Simple: Identity ecosystem lock-in. Verizon and Google both have a huge vested interest in providing you with an electronic identity which you can use to execute high-stakes transactions. The only good way to do that for the general public is by putting a TPM chip in everyone’s phone and wirelessly provisioning high-assurance credentials to it via their trusted service manager of choice (much like “The Highlander,” there can be only one in control of the keys for each TPM, and they each want it to be theirs).

Why do I think this? Take a look at the OIX-certified FICAM Trust Framework-approved list of identity providers. What do you notice? Verizon is LoA 1, 2 and non-crypto 3 approved, and Google is LoA 1 approved but likely wants to be at LoA 2 and 3. Why is Verizon at LoA 2 and 3? Because they have a very well-established business relationship with their customers. They know, with a high degree of assurance, who they are. How will Google establish this high-assurance relationship with their customers? Google Wallet, Google Voice and their controversial “Real Names” policy.

So why do these companies want to be your default high-assurance identity provider? Simple: vendor lock-in. Can you imagine a more powerful lock-in effect for a specific platform than the one created when you not only use it for all your financial transactions, but also to open all the high security physical doors you use? With the advent of cloudsourced security, we aren’t just talking the front door of your house or starting your car. Your workplace will likely soon move to outsourced identity for login to your workstation, access to the VPN, and even the doors to the data center. Why? It’s much cheaper and easier (and less risky) to sign a contract with Verizon or Google to provide this service than to hire the people and purchase the infrastructure to manage it yourself. It’s also much less cumbersome to use a phone which everyone in the company normally already carries, than to set up some kind of expensive and cumbersome smart card system.

So which vendor will companies buy high-assurance identity from? The one with the largest installed base.

Putting Two And Two Together

So in the course of my evening of NFC/ISO 14443 smartcard/platform/API “literature” review, I put Steve Yegge’s rant together with an analysis piece about what Google thinks about NFC, and came to an unfortunate conclusion.  Google’s lack of NFC APIs, combined with them being the current best hope for getting NFC-enabled, ostensibly open smartphones into the mainstream, does not bode well.  My project must be tempered with realism.

Weekend Identity/Convergence Stream-of-Consciousness

I’ve been wanting to get a Galaxy Nexus phone for a while- as soon as I found out it was coming to Verizon.  This summer I almost ditched Verizon for Sprint to get a Galaxy S 4G with an NFC chip in it, but held off because I knew this newer Nexus was just around the corner.  I want to mess around with the NFC feature and see if I can make it store X.509 certs and act as an ISO 14443 smart card for things like workstation logon and door access.  The secure element in the Galaxy Nexus is an NXP chip which supports a lot of different NFC protocols, but Google has been pretty open about their non-support for card emulation.  This means there’s not a built-in way to handle this stuff yet.  But then I found this: http://code.google.com/p/seek-for-android/

Neat!

For a while I was hoping that InfoCard would be a champion for identity selection and user-centric identity.  Now I hope it’s smartphones.  We’ll see how well this turns out.  I’ll be happy if my wallet can go away at some point.  It would be great to have payment, drivers’ license, passport, work login/door credentials, etc, all on the phone.  Some people probably think that’s a terrible idea and maybe slightly Orwellian (Dvorak: http://www.pcmag.com/article2/0,2817,2395071,00.asp) but I think it just makes sense.  The secure elements in these phones truly are secure, until they aren’t any more.  By that time we’ll have other things to replace them, and probably lots of other things to worry about.