Announcing DTI’s Data Trust Registry

When you move your data from an existing service to a data destination, whether to migrate your account or to do something cool with your data, do you think about whether the destination can be trusted with it? If you’re reading this, you probably do, which is good. But it’s also good to know that your service provider worries about whether the destination can be trusted.

Many service providers holding personal data have extensive procedures and technology to try to make sure that if they send your personal data to a destination, that destination is who it says it is. Services holding sensitive personal data often do more: in addition to finding out whether the data destination is who it says it is (and not an identity theft site impersonating a real service), they also try to find out whether the data destination has practices and policies that make it trustworthy. This is done to benefit the user and also to reduce the reputational and legal liability of the service provider.

Although this is all rational and reasonable so far, finding out if the data destination can be trusted has become one of the largest barriers to data portability with high costs experienced by both data services and destinations. That’s because every platform is responsible for its own processes and criteria, and each applicant for approval must navigate each platform’s process separately. In practice, we believe this inefficiency has greatly decreased the practical opportunities for data transfer, and thus decreased user benefit as well as innovation in the field.

To make service-to-service trust for data transfers more efficient and effective, we are introducing a Data Trust Registry. Each participant can rely on the registry to evaluate the trustworthiness of all other participants in the ecosystem.

High Cost and Inconsistency

Sharing is not without risks. Each company that hosts an API allowing third-party access to personal data offers both benefits and risks to its users. Some risks include:

Our first work in data portability and trust was to build an extensive threat model including the above risks. Our next step was to consider what barriers data services can erect that are truly effective against these threats and risks. Is it legitimate and effective to ask that the data destination agree to never sell user data? Does that agreement protect the user? We explored this at length in our Portability Trust Model last year, which organized legitimate criteria into five pillars.

DTI Data Trust Pillars: Transfer Party Authentication, Proper Jurisdiction, Data Security, Transparency to End Users, and End User Authorization.

Armed with this framework, we talked to companies about how they do in-house service verification. In-house service verification or “app verification” is the standard way that large platforms mitigate the risks that data transfer to third-parties poses to platforms and their users. Service verification may involve a number of requirements made to the third-party before they even get access to the platform’s APIs. For example, the third-party requirements could include:

There are many other requirements made in app verification; these are only some of the most common.

Inconsistent verification requirements between different companies vetting applications
Trust processes share common goals and criteria, but specific requirements and processes can be slightly different or very different.

Setting up and operating these service verification systems is very costly. It’s also very costly to the companies applying to each platform. And when third-party applications aren’t approved, the situation can be really messy: one company can approve a third-party and another platform can deny them.

Inconsistent outcomes for companies applying for verification to different platforms
Different evaluation criteria lead to different outcomes - but what did each company learn when it rejected an applicant?

Take the case of a new startup establishing a photo sharing service. They’d like to address a substantial niche, such as sharing wedding and other event photos in India with large extended families. To get easy access to photos, they’d like to ask users to provide direct access to photo albums on the services where their photos are initially uploaded.

This may seem like a simple pitch, but the startup could easily spend a couple of years just getting through the service verification processes for photo source platforms (iCloud, Google, Amazon, Flickr, and professional photography services), providing different assets and following different processes for each. Costs increase with each follow-up request or renewal application. Meanwhile, the source platforms struggle to make the case for integration when it comes with labor costs to build, operate, and maintain their verification systems amid ongoing technological and legal changes.

A shared service verification process tailored for personal data can drastically cut ecosystem costs and increase consistency. The more we talked to platforms, startups, and regulators, the more we realized that we could really simplify the situation and improve efficiency and efficacy for all parties.

The Trust Registry

Our approach is to build a secure service with a database to hold verified participant information, and a website to handle applications. This is very similar to the kind of in-house system that each platform has already built. It’s also very similar to other registries that operate to keep the Internet safer at other levels — for example, the Domain Name System is fundamentally a network of domain name registries with overarching governance.

Complexity of ecosystem with independent verification processes, vs trusted verification authority - Data Trust Registry

Companies applying to the Data Trust Registry go through a well-documented application process. Applications are reviewed by people with experience in data security and compliance. Companies decide whether to stop at Trust Level 1, or provide further evidence to gain Trust Level 2, which builds on Trust Level 1 for use in more sensitive data applications.

Trust Level 1 (suitable for non-sensitive personal data):
  • Organization details
  • Service identification
  • Privacy Policy
  • Secure communication

Trust Level 2 (suitable for more sensitive personal data):
  • Trust Level 1, and
  • Data Security audit by 3rd party
  • Improved authentication
  • Continuation of protection

Once approved, a service with a trust level appears in the registry so that other participants can not only see that they’re approved, but also make sure that the connection is happening to the correct third-party.

Although we’ve just been in early access and are still starting pilots with some companies, we do have our first company to reach Trust Level 1 in the registry, Koodos Labs, as well as our first company to reach Trust Level 2, complete with a SOC2 report, Fabric.io. Many thanks to these partners for working through our earliest draft processes.

What’s Next

We’ve got plenty of plans for the Data Trust Registry! It can be a springboard to better standardization and interoperability, because it’s easy for companies to put interoperability information in there. We can use it to raise the visibility and interoperability of certain interfaces, like the ones offered by the Data Transfer Project, or public standards where those exist. It can be a springboard to better testing and smoother deployment rather than testing every 1-to-1 connection separately.

Our first priority for the next couple of years will be adding partners and growing the critical mass that makes this all worthwhile. We look forward to working with startups that want access to personal data held by large platforms, with large platforms that store and grant access to personal data, and with other kinds of personal data ecosystem participants, such as researchers seeking study participants who are able to donate personal data. To join us, check out https://dt-reg.org and apply, or contact us with questions.
