GlobalPlatform | Privacy framework made simple
Why has 'privacy' remained a hot topic?
In today's connected world, people are voluntarily
giving up more information about themselves than ever before. Through online
forms, social media platforms, tax returns, dating websites, mobile phones and internet
browsers (to name just a few) personal details are stored by organizations on
their customers, employees and suppliers.
This information is vulnerable to misuse.
For example, personal details can be sold on to other companies to be used for soliciting
or to track an individual's movements and, if they are not protected appropriately,
they are susceptible to unauthorized third-party access or malicious use.
As more private and sensitive data is
stored and shared, privacy will become even more important to everyone
concerned: governments, companies and consumers. For most governments, loss of
sensitive information could lead to citizen discontent; for companies this could
result in financial losses; and for consumers the theft of information related
to their private life.
While individual efforts to protect privacy
are progressing at a national and market level, these regulatory documents
seldom offer an accompanying implementation guide and an explanation of how to
apply privacy to platform products. In other words, there is no activity currently
underway to develop one, global standardized framework that addresses how to
implement privacy rules on a secure platform.
What can GlobalPlatform offer to the privacy landscape? Why is it getting involved?
There are currently countless regulations
in place, many of which address the needs of an individual sector. In order to
bring consistency and structure to this environment, criteria need to be
established by an impartial organization which operates across multiple sectors
to deliver a single set of rules – a privacy framework – that can act as a
guide for those deploying privacy-enhanced technology.
GlobalPlatform is a cross-industry body that
understands the complexity brought about by market convergence. The
organization is engaged with a range of players across multiple industries and
is therefore in a position to capture and incorporate the privacy needs of each
market into one reference document.
The introduction of multiple applications
on the same device has implications for privacy as different applications have
different privacy and security needs. For instance, applications stored on a
mobile device may share access to the secure element (SE), but have different
data access rights. This is a complex situation as strict rules need to be
implemented to ensure different privacy policies can coexist without the whole
platform reverting to the privacy level of the application that requires the
least protection. This is important as information leaked by one application could
be used by a third party to compromise others. The challenge is to keep the
information stored on the device secure and increase control on data that is sent
to or used by a third party or service provider, for example, without it being
accessed intentionally or unintentionally by an unauthorized party.
GlobalPlatform is working towards the development
of a standardized, secure privacy framework which will provide a benchmark for application
developers, issuers and system providers to aid in the implementation of a
privacy-enhanced environment. The framework will enforce privacy at the
platform level which will ensure that, regardless of the differing privacy
levels of the individual applications, the user's data is controlled and
protected so that sensitive information is not lost and the user cannot be
As secure-chip solutions are designed to
address specific market needs, it is difficult to put a value on 'privacy' and
request all market participants to meet a predefined privacy specification. By
creating the framework, GlobalPlatform will instead provide a common set of
criteria for all parties to work from, that will evolve over time to guarantee
that a privacy-enhanced platform meets the requirements set out by its
What are GlobalPlatform's current
GlobalPlatform is currently working to
define and clarify the existing terminology used by the industry in relation to
privacy: removing all ambiguity.
Once defined, the terms / properties can
become genuinely meaningful to developers and, as a next step, GlobalPlatform
can determine how to implement each property within GlobalPlatform Specifications
for platform products and backend systems. GlobalPlatform will therefore
deliver specifications that, when implemented, will result in privacy-enhanced
GlobalPlatform will use these properties
and give the industry a means to deploy privacy using a modular approach. Implementers
will be able to review the list of properties and develop a privacy model that
suits the needs and requirements of their specific sector and regulations, omitting
properties / privacy requirements that are either unnecessary or do not apply. At
its simplest level, the more properties used in an implementation, the more
secure the solution. This model will be applicable to all sectors.
GlobalPlatform believes that this modular
approach is needed in order to bring structure to this environment. By enabling
users to construct a privacy platform that is tailored to their specific needs,
solutions can be easily expanded and adapted to meet the needs of an
ever-changing threat landscape.
What are the next steps?
The GlobalPlatform Government Task Force has
released a Privacy Framework Requirements document for GlobalPlatform member
reference and will publish it for wider public review in Q2 2013. The document
discusses the requirements for enhancing GlobalPlatform Card Specifications to
support privacy as required by different markets and mandated by various
countries. This information will be used by the GlobalPlatform Technical Committees,
at which time development of the framework can commence. The association will
then make the common, platform approach available later in 2013.
If you would like any further information
on the privacy framework or on how to get involved, please contact firstname.lastname@example.org.