GlobalPlatform | Privacy framework made simple
Why has 'privacy' remained a hot topic?
In today's connected world, people are voluntarily
giving up more information about themselves than ever before. Through online
forms, social media platforms, tax returns, dating websites, mobile phones and internet
browsers (to name just a few) personal details are stored by organizations on
their customers, employees and suppliers.
This information is vulnerable to misuse.
For example, personal details can be sold on to other companies to be used for soliciting,
track an individual's movements and, if it is not protected appropriately,
susceptible to unauthorized third party access or malicious use.
As more private and sensitive data is
stored and shared, privacy will become even more important to everyone
concerned; governments, companies and consumers. For most governments, loss of
sensitive information could lead to citizen discontent; for companies this could
result in financial losses; and for consumers the theft of information related
to their private life.
While individual efforts to protect privacy
are progressing at a national and market level, these regulatory documents
seldom offer an accompanying implementation guide and an explanation of how to
apply privacy to platform products. In other words, there is no activity currently
underway to develop one, global standardized framework that addresses how to
implement privacy rules on a secure platform.
Why is GlobalPlatform involved in the
There are currently countless regulations
in place, many of which address the needs of an individual sector. In order to
bring consistency and structure to this environment, criteria need to be
established by an impartial organization which operates across multiple sectors
to deliver a single set of rules – a privacy framework – that can act as a
guide for those deploying privacy-enhanced technology.
GlobalPlatform is a cross-industry body that
understands the complexity brought about by market convergence. The
organization is engaged with a range of players across multiple industries and
is therefore in a position to capture and incorporate the privacy needs of each
market into one reference document.
The introduction of multiple applications
on the same device has implications on privacy as different applications have
different privacy and security needs. For instance, applications stored on a
mobile device may share access to the Secure Element (SE), but have different
data access rights. This is a complex situation as strict rules need to be
implemented to ensure different privacy policies can coexist without the whole
platform reverting to the privacy level of the application that requires the
least protection. This is important as information leaked by one application could
be used by a third party to compromise others. The challenge is to keep the
information stored on the device secure and increase control on data that is sent
to or used by a third party or service provider, for example, without it being
accessed intentionally or unintentionally by an unauthorized party.
As secure-chip solutions are designed to address specific market needs, it is difficult
to put a value on ‘privacy' and request all market participants to meet a predefined
privacy specification. By creating the framework, GlobalPlatform will instead provide a
common set of criteria for all parties to work from, that will evolve over time to guarantee
that a privacy-enhanced platform meets the requirements set out by its
To date, what work efforts has GlobalPlatform completed in the privacy
The GlobalPlatform Government Task Force (now known as the Identity Task Force)
has published a Privacy Framework Requirements document, which provides an
overview of how GlobalPlatform Specifications will address the issue of privacy in relation
to the management of applications and data on secure chip technology. The framework
aims to assist governments during their Privacy Impact Assessment Process (PIA) as well
as enterprises conducting privacy-related activities.
The Privacy Framework has been created to provide implementers with the tools and
knowledge of ‘how’ regulatory privacy guidelines can be applied using GlobalPlatform’s
Card Specifications. Using commonly referenced industry definitions, the framework
defines a selection of privacy attributes – with precise properties and terminology – to
create a unique, global framework that enables applications with different privacy
requirements to reside on the same platform. The framework is applicable to any privacy
enhanced technology (PET).
What are the next steps?
The GlobalPlatform Identity Task Force continues to identify and address the identity
use cases that can be supported by GlobalPlatform technologies, including and
specifically encompassing privacy.
If you would like any further information
on the privacy framework or on how to get involved, please contact