Push Back on NameDrop Privacy Insinuations

Okay, I ran some tests with a friend with an iPhone who is not in my Contacts. She seemed concerned, so I didn’t ask her to send her info. (In fact, she thought somehow I’d get her bank passwords! But I helped her pull up her “My Card” and literally all it had was her phone #, not even her name :slight_smile: . Not exactly a power user) But we got most of the way through the test nonetheless.

TLDR: it’s secure.

Here’s the flow: When you put the devices together, and you have not disabled Name Drop, your phone will glow (as the "warmup "to Name Drop) regardless of whether it’s locked.

Receiving: If your phone is locked, you still appear to be ready to accept a name drop that the OTHER PERSON may choose to send you; I cannot confirm that it won’t prompt you to unlock at the point where they actually send you something (because like I said, I didn’t want to make her hit send). But receiving is not the security risk that people are complaining about. If someone wants to send you porno stuff as a contact, then that could be an issue, but no more an issue than some random person texting you today. Either way, it’s nothing like identity theft, the real issue. Perhaps another test will give me the final answer on this, but it’s not a significant concern.

Sending: This is the test that we need the answer to, since it presents an ID theft risk. If your phone is locked, you are never presented with anything on your screen inviting your contact to be sent to the other (possibly rogue) party. There is nothing to “tap”. And in one case (the test where her phone was set up to send), her phone presented the PIN screen to have it unlocked; that’s it.

So, sending any Name Drop info is secured behind the sender’s locked iPhone. Obviously, if your phone is unlocked, there’s a lot at risk in general. But if your phone is locked, your info is safe.

I don’t think there’s anything to see here. These are not the androids you’re looking for. Move along.

3 Likes

That’s good info to have. I’d just add that right now, it seems the major risk of NameDrop is somebody who is confused, distracted, impatient, or careless just hits “Yes” (or whatever the approval dialog says) in response to a transfer request.

Yea, but that means they tap “Yes” when there’s a person face to face with them holding another iPhone. Is this a friend? Then the risk is low. Is it a stranger? Then who would tap “Yes” or instead say “who tf are you?? Get away!”

And for most people, the risk is contact information, which isn’t particularly confidential in most cases. I’m sure there are exceptions, but not with people who you’re going to let within an inch of your iPhone and then agree to send it to them.

2 Likes

… and in the situation people are freaking out over, if a stranger tried to shove his phone in your face (or into your pants) in order to make contact, I think you would notice and probably get quite angry. You wouldn’t unlock the phone and tap a confirmation button.

This reminds me of the fears from years ago claiming that crooks can read all of your contactless credit cards from a long distance away using cheap and easy equipment. People had set up all kinds of proof-of-concept experiments to underscore the danger, but in all of the years since then, I can’t remember a single news article about someone whose cards were actually compromised via that mechanism. (If it actually worked, you can be sure that criminal syndicates would have set up scanning/theft devices in crowded parts of big cities. The fact that there have been no arrests or even reports of this tells me that it doesn’t actually work.)

I agree that most people in most situations wouldn’t approve an unwanted NameDrop request. But I think the longevity and prevalence of offline and online scams that rely on greed, lust, fear, and other powerful emotions–or just simple confusion–to get victims to do things they normally wouldn’t means that NameDrop can be risky, especially with its default setting to “on”.

Is that why all new wallets boast “RFID” protection? I never really made sense of that…

To me, NameDrop just seems like a new Apple variant on what we used to do with Palm Pilots and other devices: Proximity info sharing. From Apple’s perspective, this is intended to reduce a common pain point of social contact between two people that want to share each other’s contact info.

How does this event usually play out? From what I have observed, it often entails one person calling the other’s phone and then each person hand-enters the other’s info, or manually push their contact cards via text. NameDrop is an attempt to reduce the steps and tedium of this process.

Apple could have perhaps explained things a little more (something they have become increasingly deficient at, sadly), but that may not have prevented the social/news media going off into left field with this story.

One never knows what an individual may find annoying… or exciting. :laughing:

I wonder what real problem this new NameDrop feature solves? We can already share contact info via AirDrop. It may take a few more taps than NameDrop as I understand it (have not used it), but AirDrop works well and requires active action for both parties to work, so no security/privacy issues to worry about. Or am I missing something?

With the caveat that I haven’t used NameDrop before, one difference is that you can choose the fields and information that you want to share with someone, which I don’t think that you can do with AirDrop. AirDrop with someone not in your contacts requires also turning on the less-secure “share with anyone”. Lastly, NameDrop is a lot more simple - you don’t have to share your Apple ID or phone number as part of the transaction. Just tap the phones.

3 Likes

I could picture this being extremely useful at professional conferences, after lectures, or at networking events, or even parties. A bunch of people meet who want to stay in touch. They pull out there phones and, like raising a toast, tap the others they want to stay connected to. Very streamlined.

AirDrop would share your entire Contact card, which may contain PII that you don’t necessarily want to share with a person you just met.

I remember doing this in 1998 at a party when most of my friends and I all bought Palm III PDAs. We were “beaming” the data via its IR transceiver, but it worked great and we all thought it was really cool.

1 Like

I had a Palm too! It’s crazy how in some ways we took a technological step backwards for decades before catching up!

Heck, we got our first Apple pencil recently and I was remembering writing on my Newton… :sweat_smile:

1 Like

I had a Sharp Wizard back in the 90s and remember IR printing to an HP LaserJet at the time - 6P maybe? It was a small non-network printer. I thought that was such cool technology that took a long time to come back.

Now I feel like I’ve hardwired my current printer but it still does AirPrint even when I don’t want it to.

Diane

I recall exchanging contact info from one iPhone to another was possible with a third-party app way back, shortly after writing apps was possible. The transfer was initiated by tapping the phones together so I assume the accelerometer was part of the process to avoid spontaneous, unwanted transfers.

I haven’t used it much, but if I remember correctly AirDrop allows you to select which fields you want to share.

2 posts were split to a new topic: Remembering the Newton

Might NameDrop have some of the same risks as AirDrop?

Fascinating.

Curious about this too. But there are a couple reasons I have a hunch NameDrop is less vulnerable to this.

  1. It’s near-field. So you’d have to be basically touching to leak that data
  2. It’s peer to peer, not broadcast. So I don’t think you have to share who you are so that the other guy can check their address book for a match.

But I’m all ears to be told I’m wrong.