Media & Resource Center  > White Papers & Guides

> Back to Made Simple Guides

GlobalPlatform | Privacy framework made simple

Why has 'privacy' remained a hot topic?

In today's connected world, people are voluntarily giving up more information about themselves than ever before. Through online forms, social media platforms, tax returns, dating websites, mobile phones and internet browsers (to name just a few) personal details are stored by organizations on their customers, employees and suppliers.

This information is vulnerable to misuse. For example, personal details can be sold on to other companies to be used for soliciting, track an individual's movements and, if it is not protected appropriately, susceptible to unauthorized third party access or malicious use.

As more private and sensitive data is stored and shared, privacy will become even more important to everyone concerned; governments, companies and consumers.  For most governments, loss of sensitive information could lead to citizen discontent; for companies this could result in financial losses; and for consumers the theft of information related to their private life.

While individual efforts to protect privacy are progressing at a national and market level, these regulatory documents seldom offer an accompanying implementation guide and an explanation of how to apply privacy to platform products.  In other words, there is no activity currently underway to develop one, global standardized framework that addresses how to implement privacy rules on a secure platform.

What can GlobalPlatform offer to the privacy landscape? Why is it getting involved?

There are currently countless regulations in place, many of which address the needs of an individual sector. In order to bring consistency and structure to this environment, criteria need to be established by an impartial organization which operates across multiple sectors to deliver a single set of rules – a privacy framework – that can act as a guide for those deploying privacy-enhanced technology.

GlobalPlatform is a cross-industry body that understands the complexity brought about by market convergence. The organization is engaged with a range of players across multiple industries and is therefore in a position to capture and incorporate the privacy needs of each market into one reference document.

The introduction of multiple applications on the same device has implications on privacy as different applications have different privacy and security needs. For instance, applications stored on a mobile device may share access to the secure element (SE), but have different data access rights. This is a complex situation as strict rules need to be implemented to ensure different privacy policies can coexist without the whole platform reverting to the privacy level of the application that requires the least protection. This is important as information leaked by one application could be used by a third party to compromise others. The challenge is to keep the information stored on the device secure and increase control on data that is sent to or used by a third party or service provider, for example, without it being accessed intentionally or unintentionally by an unauthorized party.

GlobalPlatform is working towards the development of a standardized, secure privacy framework which will provide a benchmark for application developers, issuers and system providers to aid in the implementation of a privacy-enhanced environment. The framework will enforce privacy at the platform level which will ensure that, regardless of the differing privacy levels of the individual applications, the user's data is controlled and protected so that sensitive information is not lost and the user cannot be tracked.

As secure-chip solutions are designed to address specific market needs, it is difficult to put a value on ‘privacy' and request all market participants to meet a predefined privacy specification. By creating the framework, GlobalPlatform will instead provide a common set of criteria for all parties to work from, that will evolve over time to guarantee that a privacy-enhanced platform meets the requirements set out by its environment.

What are GlobalPlatform's current priorities?

GlobalPlatform is currently working to define and clarify the existing terminology used by the industry in relation to privacy: removing all ambiguity.

Once defined, the terms / properties can become genuinely meaningful to developers and, as a next step, GlobalPlatform can determine how to implement each property within GlobalPlatform Specifications for platform products and backend systems. GlobalPlatform will therefore deliver specifications that, when implemented, will result in privacy-enhanced technology deployments.

GlobalPlatform will use these properties and give the industry a means to deploy privacy using a modular approach. Implementers will be able to review the list of properties and develop a privacy model that suits the needs and requirements of their specific sector and regulations, omitting properties / privacy requirements that are either unnecessary or do not apply. On its simplest level, the more properties used in an implementation, the more secure the solution. This model will be applicable to all sectors.

GlobalPlatform believes that this modular approach is needed in order to bring structure to this environment. By enabling users to construct a privacy platform that is tailored to their specific needs, solutions can be easily expanded and adapted to meet the needs of an ever changing threat landscape.  

What are the next steps?

The GlobalPlatform Government Task Force has released a Privacy Framework Requirements document for GlobalPlatform member reference and will publish for wider public review in Q2 3013. The document discusses the requirements for enhancing GlobalPlatform Card Specifications to support privacy as required by different markets and mandated by various countries. This information will be used by the GlobalPlatform Technical Committees, at which time development of the framework can commence. The association will then make the common, platform approach available later in 2013.

If you would like any further information on the privacy framework or on how to get involved, please contact