

Enhancing Trust for Governments using the Latest GlobalPlatform Standards

Dongyan Wang

GlobalPlatform Technical Program Manager

Thursday 20 March

GP Confidential ©2013

@GlobalPlatform_ www.linkedin.com/company/globalplatform


GlobalPlatform Positioning

Across several market sectors and in converging sectors

GlobalPlatform is the standard for managing applications on secure chip technology

(Diagram: Trusted Execution Environment and Secure Element, AND Premium Content)


GlobalPlatform Members


Some Use Cases

Consumer

Government eGovernment

Enterprise


Some Regulations

Legal Act: Scope

Regulation (EC) 45/2001: On the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Commission Decision 2001/497/EC: On standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC

Directive 2002/58/EC: Concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

Commission Decision 2002/16/EC: On standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC

Commission Decision 2004/915/EC: Amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries

Directive 2006/24/EC: On the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC

COM(2007) 228 final: On Promoting Data Protection by Privacy Enhancing Technologies (PETs)

COM(2007) 87 final: On the follow-up of the Work Program for better implementation of the Data Protection Directive

COM(2012) 10 final 2012/0010 (COD): On the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data


Other Initiatives

• PIA working in practice globally

– China’s legislature passed an amendment to the country’s Consumer Rights Protection Law (the ‘Amendment’), which introduces new data privacy protections in the amended Consumer Protection Law, effective on March 15, 2014

– ICO (Information Commissioner’s Office) published Conducting privacy impact assessments code of practice - Data Protection Act v1.0 (effective February 25, 2014)

– French Data Protection Authority (‘CNIL’) adopted several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the ‘Single Authorization’) as published on February 11, 2014.

• ANR (Agence Nationale de la Recherche) Workshop on Privacy by Design in April 2012.

– The Treasury Board of Canada Secretariat’s (TBS) Directive on Privacy Impact Assessment (effective April 1, 2010).

– US Department of Commerce PIA requirement based on Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors (August 27, 2004).

– South Korea’s new Personal Information Protection Act came into force on September 30, 2011.

– …

• Privacy Control Catalog (Appendix J of Security Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 4).

• ENISA position paper, Privacy Features of European eID Card Specifications, Jan 27, 2009, Version 1.0.1, European Network and Information Security Agency.

• More…


GlobalPlatform and Privacy

• Multi-application platform introduces additional privacy challenges

• Different applications may have different privacy policies and levels, some of which may require remote management

• There must be no leakage of data across applications, and no single application may publish the sensitive data it holds

• In a multi-application provider context, privacy paradigm is contingent on providers adhering to a common framework

So…

• There is a need for a platform approach to this privacy framework


Anonymity Properties (1 of 2)

Un-traceability – Ability to prevent user identification even if the secure platform issuer and the identity provider (IdP) or the service provider collude

Un-linkability – Ability to prevent the establishment of a link between different attributes presented by the same user: two credentials cannot be linked to the same user, even if issued by the same issuer (or IdP), at the same time and for the same purposes

Selective disclosure – Ability to disclose only the minimal amount of user identification data necessary for a selected action, e.g. user consent is required for each criterion

Usage confidentiality – The communicated data does not reveal the nature and details of the transaction, such as identification data, application identifier, execution success or failure

Pseudonym – Ability to generate a unique pseudonym which identifies the user in a unique way without disclosing his/her data

Forward secrecy – Limited risk in case of attack: ability to protect the secure channel exchange even if the service provider key is compromised at a later date

Anonymity Properties (2 of 2)

Limited use – Ability to limit the use of credentials to a determined period of time or to restrict their use to a determined number of presentations

Predicate computation (proving computation on attributes) – Ability to prove computations on the attributes rather than disclosing the attributes themselves. The actual values of the user identification attributes are not disclosed, whereas the user can prove some computation on these attributes

Trusted third party disclosure – Ability to protect an attribute by allowing its disclosure only by a trusted third party (e.g. by encoding the attribute in the credential). The credential can contain verifiable encrypted attributes that can be checked by the service provider

Revocation – Ability to revoke a credential. This procedure MAY resort to an authorized exchange of information leading to user identification in some cases

Secure messaging – Ability to provide secure messaging to protect the command exchange
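The two slides above define the properties but do not show what a holder, an issuer and a verifier actually exchange. The following is an added example, written for this page and not GlobalPlatform code, that demonstrates two of the listed properties in plain Python: the pseudonym / un-linkability property (a per-service-provider identifier derived from a holder secret) and selective disclosure (the issuer certifies salted hash commitments to every attribute, and the holder opens only the attributes an action needs). All names (`derive_pseudonym`, `issue_credential`, `verify_presentation`, `SAMPLE_ATTRIBUTES`), the sample attributes, and the use of an HMAC with an issuer key as a stand-in for the issuer's signature are assumptions made so the example runs offline with the standard library only; a real deployment would use a signature scheme and the platform's secure element for the holder secret.

```python
"""Added example, not from the GlobalPlatform Privacy Framework: pseudonym /
un-linkability and selective disclosure with salted hash commitments.

Assumptions (constructed for this example):
  - `user_secret` is a holder secret that would live on the secure element
  - `issuer_key` is shared by issuer and verifier so an HMAC can stand in for
    the issuer's signature over the commitment list
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Opening = Tuple[str, str]  # (salt, attribute value), kept by the holder

# Constructed sample attributes that an issuer would certify.
SAMPLE_ATTRIBUTES: Dict[str, str] = {
    "name": "A. Sample",
    "birth_year": "1985",
    "nationality": "XX",
}


def derive_pseudonym(user_secret: bytes, service_provider_id: str) -> str:
    """Pseudonym property: a stable identifier towards one service provider.

    The pseudonym is an HMAC keyed by the holder's secret over the provider's
    identifier, so it is deterministic for one provider but two providers (or a
    provider and the issuer) cannot link their views of the user without that secret.
    """
    return hmac.new(user_secret, service_provider_id.encode(), hashlib.sha256).hexdigest()


def _commitment(salt: str, name: str, value: str) -> str:
    """Salted hash of one attribute; the salt blocks guessing low-entropy values."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def _canonical(commitments: Dict[str, str]) -> str:
    """Deterministic serialisation of the commitment list for the issuer tag."""
    return "|".join(f"{k}={v}" for k, v in sorted(commitments.items()))


def issue_credential(
    issuer_key: bytes, attrs: Dict[str, str]
) -> Tuple[Dict[str, str], str, Dict[str, Opening]]:
    """Issuer side: commit to every attribute with a fresh random salt.

    Returns (commitments, issuer_tag, openings). Commitments and tag are what a
    verifier sees; the openings stay with the holder. The HMAC tag stands in for
    the issuer's signature (assumption made for this example).
    """
    commitments: Dict[str, str] = {}
    openings: Dict[str, Opening] = {}
    for name, value in sorted(attrs.items()):
        salt = secrets.token_hex(16)
        commitments[name] = _commitment(salt, name, value)
        openings[name] = (salt, value)
    tag = hmac.new(issuer_key, _canonical(commitments).encode(), hashlib.sha256).hexdigest()
    return commitments, tag, openings


def selective_disclosure(openings: Dict[str, Opening], names: List[str]) -> Dict[str, Opening]:
    """Holder side: open only the attributes the selected action requires."""
    return {n: openings[n] for n in names}


def verify_presentation(
    issuer_key: bytes, commitments: Dict[str, str], tag: str, disclosed: Dict[str, Opening]
) -> bool:
    """Verifier side: confirm the issuer certified the commitments, then check each
    opened attribute against its commitment. Attributes that were not opened stay
    hidden behind their salted hashes."""
    expected_tag = hmac.new(issuer_key, _canonical(commitments).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False
    for name, (salt, value) in disclosed.items():
        if name not in commitments:
            return False
        if not hmac.compare_digest(_commitment(salt, name, value), commitments[name]):
            return False
    return True


if __name__ == "__main__":
    user_secret = secrets.token_bytes(32)
    issuer_key = secrets.token_bytes(32)
    # Different providers see different, unlinkable pseudonyms for the same holder.
    print("tax office :", derive_pseudonym(user_secret, "tax-office")[:16])
    print("library    :", derive_pseudonym(user_secret, "library")[:16])
    commitments, tag, openings = issue_credential(issuer_key, SAMPLE_ATTRIBUTES)
    # Age-related service: open only birth_year, keep name and nationality hidden.
    presentation = selective_disclosure(openings, ["birth_year"])
    print("verified   :", verify_presentation(issuer_key, commitments, tag, presentation))
```

Note that this shows selective disclosure of a raw attribute value; the deck's "predicate computation" property (proving, say, an age bound without revealing birth_year) needs a zero-knowledge proof system and is deliberately outside this example.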


Summary of Main Requirements

• GlobalPlatform’s Government Task Force has developed a set of requirements including:

– Support of a list of anonymity properties

– Protection against card / user tracking

– Protection against application identifier-based profiling

– Registration with declared privacy level(s)

– Protection against unauthorized inter-application data exchange

– Privacy level implemented by GPP (Platform Global Privacy Protocol) and SPP (Application Specific Privacy Protocol)


Privacy Framework Requirements Released

• For the use by anyone developing to GlobalPlatform Specifications

• Useful for defining additional features to enable privacy sensitive applications on GlobalPlatform cards

• Government agencies benefit by knowing what can be expected from GlobalPlatform cards in the future in respect to privacy

https://www.globalplatform.org/documents/GP_PrivacyFrameworkRequirements_v1.0.pdf


GlobalPlatform Privacy by Design Architecture

The value proposition aims to define a migration path where the card platform provides:

• Support of current GlobalPlatform functions and secure channel protocols

• Card content management

• Incremental improvements

– Reusing existing blocks

– Not building a platform from scratch

• Privacy enforcement

– Privacy enhanced services offered to all applications within a security domain

– Choice of standalone privacy-enhanced protocols (host, card, and / or user authentication)

– An on-board privacy manager confirming the platform meets the privacy rules established for it

• Lightweight solution

– Easy migration for existing applications

– Preventing environment complexity

• User consent scheme

– User consent MAY be requested before or after authentication

• Privacy ecosystem

– A platform that addresses privacy requirements and a deployment infrastructure


Market Impact

• Assessment of the impact on privacy is needed at all steps

– When creating, loading, installing, using and deleting applications

• To allow further role separation of application providers, issuers and system providers by extending the separation to the privacy area, that is, avoiding the sharing of privacy-relevant data between these roles

• To guarantee that a given platform meets the necessary privacy requirements and thus establish a reference in terms of privacy levels

• The GlobalPlatform Card Framework will facilitate the implementation of applications with privacy requirements on a GlobalPlatform card, e.g.

– Government applications

– Machine readable travel documents

– Driving licenses

– National ID cards, etc.


Visit us @ www.globalplatform.org

White Papers

Specifications

Become a Member

Organization


Thank You!
