Announcing DTI’s Data Trust Registry
When you move your data from an existing service to a data destination, whether for moving your account or doing something cool with your data, do you think about whether the destination can be trusted with your data? Probably if you’re reading this you do, which is good. But it’s also good to know that your service provider also worries about whether the destination can be trusted.
Many service providers holding personal data have extensive procedures and technology to try to make sure that if they send your personal data to a destination, that destination is who they say they are. Services holding sensitive personal data often do more - in addition to finding out if the data destination is who they say they are (and not an identity theft site impersonating a real service), they also try to find out if the data destination has practices and policies that can make them trustworthy. This is done to benefit the user and also to reduce reputational and legal liability of the service provider.
Although this is all rational and reasonable so far, finding out if the data destination can be trusted has become one of the largest barriers to data portability with high costs experienced by both data services and destinations. That’s because every platform is responsible for its own processes and criteria, and each applicant for approval must navigate each platform’s process separately. In practice, we believe this inefficiency has greatly decreased the practical opportunities for data transfer, and thus decreased user benefit as well as innovation in the field.
To make service-to-service trust for data transfers more efficient and effective, we are introducing a Data Trust Registry. Each participant can rely on the registry to evaluate the trustworthiness of all other participants in the ecosystem.
High Cost and Inconsistency
Sharing is not without risks. Each company that hosts an API allowing third-party access to personal data offers both benefits and risks to their users. Some risks include:
- A bad actor might use deception to get authorized access to personal data, pretending to be another, legitimate organization.
- A legitimate destination for personal data might be carelessly implemented, and be likely to experience data breaches.
- A service offering real value may be deceptive about what else it is doing with user data.
Our first work in data portability and trust was to build an extensive threat model including the above risks. Our next step was to consider what barriers data services can erect that are truly effective against these threats and risks. Is it legitimate and effective to ask that the data destination agree to never sell user data? Does that agreement protect the user? We explored this at length in our Portability Trust Model last year, which organized legitimate criteria into five pillars.
Armed with this framework, we talked to companies about how they do in-house service verification. In-house service verification or “app verification” is the standard way that large platforms mitigate the risks that data transfer to third-parties poses to platforms and their users. Service verification may involve a number of requirements made to the third-party before they even get access to the platform’s APIs. For example, the third-party requirements could include:
- Must have a privacy policy, or the privacy policy must cover certain topics
- Data security must be reviewed by a qualified auditing firm
- SOC/2 or other certification must be provided
- Must agree to certain policies about what they may or may not do with personal data
- Must explain why they want the data
- Must provide organizational details such as incorporation dates and locations, and DUNS or LEI or other identifier
- Must provide logos, descriptions and other presentation information
There are many other requirements made in app verification; these are only some of the most common.
Setting up and operating these service verification systems is very costly. It’s also very costly to the companies applying to each platform. And when third-party applications aren’t approved, the situation can be really messy: one company can approve a third-party and another platform can deny them.
Take the case of a new startup establishing a photo sharing service. They’d like to address a substantial niche, such as sharing wedding and other event photos in India with large extended families. To get easy access to photos, they’d like to ask users to provide direct access to photo albums on the services where their photos are initially uploaded.
This may seem like a simple pitch, but the startup could easily spend a couple of years just getting through the service verification processes for photo source platforms (iCloud, Google, Amazon, Flickr, and professional photography services), providing different assets and following different processes for each. Costs increase with each follow-up request or renewal application. Meanwhile, the source platforms struggle to make the case for integration when it comes with labor costs to build, operate, and maintain their verification systems among ongoing technological and legal changes.
A shared service verification process tailored for personal data can drastically cut ecosystem costs and increase consistency. The more we talked to platforms, startups, and regulators, the more we realized that we could really simplify the situation and improve efficiency and efficacy for all parties.
The Trust Registry
Our approach is to build a secure service with a database to hold verified participant information, and a website to handle applications. This is very similar to the kind of in-house system that each platform has already built. It’s also very similar to other registries that operate to keep the Internet safer at other levels — for example, the Domain Name System is fundamentally a network of domain name registries with overarching governance.
Companies applying to the Data Trust Registry go through a well-documented application process. Applications are reviewed by people with experience in data security and compliance. Companies decide whether to stop at Trust Level 1, or provide further evidence to gain Trust Level 2, which builds on Trust Level 1 for use in more sensitive data applications.
| Trust Level 1 | Trust Level 2 |
|---|---|
| Suitable for non-sensitive personal data | Suitable for more sensitive personal data |
| Organization details Service identification Privacy Policy Secure communication |
Trust Level 1, and Data Security audit by 3rd party Improved authentication Continuation of protection |
Once approved, a service with a trust level appears in the registry so that other participants can not only see that they’re approved, but also make sure that the connection is happening to the correct third-party.
Although we’ve just been in early access and are still starting pilots with some companies, we do have our first company to reach Trust Level 1 in the registry, Koodos Labs, as well as our first company to reach Trust Level 2, complete with a SOC2 report, Fabric.io. Many thanks to these partners for working through our earliest draft processes.
What’s Next
We’ve got plenty of plans for the Data Trust Registry! It can be a springboard to better standardization and interoperability, because it’s easy for companies to put interoperability information in there. We can use it to raise the visibility and interoperability of certain interfaces, like the ones offered by the Data Transfer Project, or public standards where those exist. It can be a springboard to better testing and smoother deployment rather than testing every 1-to-1 connection separately.
Our first priority for the next couple of years will be adding partners and growing out the critical mass to make this all worthwhile. We look forward to working with startups who want access to large platform personal data, as well as large platforms that store and grant access to personal data, as well as other kinds of personal data ecosystem participants such as researchers seeking study participants who are able to donate personal data. To join us, check out https://dt-reg.org and apply or contact us with questions.