Update on trust efforts at DTI

The more important a project is, the less likely it is ever to be fully completed. I’m sure that maxim – which I just made up, though I’m sure I’m not the first to articulate it – resonates with many people reading this, more so in some contexts than others of course. It’s certainly true for DTI’s work on trust in the context of data portability.

In early March, we shared our trust model report, which included in an appendix the initial trust model. We received universally positive reactions to the effort, with the primary caveat that, as we anticipated, it was high-level by design, and thus not yet ready to be directly implemented.

So, we’re digging in. We’ve hired Venable LLP to build out a more granular Trust Model v2, grounded in the threat model work that DTI has done for the context of data portability. In the coming months, we’ll release this updated model, which we believe will be a useful guide for all stakeholders in direct data transfer processes, including senders and receivers as well as users.

We’re also looking into a pilot project to build a trust registry. Trust registries are common in a number of technology contexts, more so than is widely known. Adequate trust models clearly involve trust decisions made by experienced humans, not just automated digital certificates (or verifiable credentials or API keys), so the trust registry includes plans for operational and security expertise. In addition to establishing trust, a registry can be a springboard for discovery and interoperability, reducing barriers to broad participation while still meeting safety goals.

To the best of our knowledge, there are no trust registries specific to our use cases: portability of personal data in the internet sector. Nevertheless, we can learn much from registries in other contexts, as well as from similar work being developed for data intermediaries in the European Union, as guided by the Data Governance Act.

Some of the trust challenges in data portability are universal – such as making sure data is encrypted in transit, that systems are secure, and so forth. Others are unique to this context, in particular those questions related to whether the user is fully informed of the scope and nature of the transfer. The “horizontal” and “new use” scenarios in our trust model report illustrate some of these, such as a situation where the user originally kept social media posts private to friends, and transferred them to a service that would by default make the posts world-viewable.

Our vision is to provide a framework for companies of all sizes to establish trust as they expand their portability offerings and partnerships, and simultaneously, to develop a value-add service that in some circumstances establishes trust directly, or reduces the cost and effort of trust processes run by other organizations by streamlining the collection and processing of common review matters.

This is a major area of investment for DTI as an organization. Trust is fundamental for direct data transfers, but must be neither assumed nor taken lightly. Collaborating on a shared model for trust will help make it easier for new connections to be made and for new organizations to benefit from data portability – directly advancing DTI’s mission.


