#portability4trust: How we will bring data portability to trust frameworks this quarter.

Dial or Skype details for this Wednesday’s Conference Call to start before IIW.

Here’s how you can bring the ideas in our data portability policy to hundreds of millions of people. I’ll need your help in May and June to start. In short: build portability principles into boilerplate identity contracts.

What’s a trust framework?

Trust frameworks are the many contracts that say how all the parties who move your personal data should behave.

For example, there are contracts between you and organizations that hold and use your data. These can be a Facebook, a bank, a hospital, a phone company, a government agency, a school or a library. These organizations help you use your identity with them, like your Facebook ID, to prove who you are to third-parties.

Trust frameworks describe the contracts between you and each identity provider, between the identity provider and the relying parties who receive and change your data. Trust frameworks improve clarity and accountability and lower the cost and effort of sharing data well and safely.

These are the legal and policy counterparts to the technical protocols like OAuth used to sign you in among web sites and to move your data. There are a few trust frameworks live and more on the way. The contracts promise things like keeping your data safe or asking for permission before selling your data.

I believe they should include data portability practices among the promises made to users.

Why now?

NSTIC is an international program to encourage everyone to build and use trust frameworks. NSTIC is short for the National Strategy for Trusted Identity in Cyberspace. Here is the full text of the NSTIC strategy document. Last week the White House moved the NSTIC project office to the US Department of Commerce’s NIST, the National Institute of Standards and Technology. Corporate, startup and NGO interest are high.

The World Economic Forum launched a three year “Rethinking Personal Data” project, including data portability. Their first report, Personal Data: The Emergence of a New Asset Class, shows their directions.

The Personal Data Ecosystem Consortium is picking up members, traction, and launching three programs over the next few weeks.

What can we do as the DataPortability Project?

We can give organizations building trust frameworks the raw material they need to define data portability in practice and in enforceable contracts. They are writing standard language for millions of contracts right now.

Data Portability Trust Framework Documents

Teams building trust frameworks with data portability need our Project to draft, validate, refine, and publish these seven documents.

  • A portability principles manifesto. Listing the principles of data portability and why they matter.
  • A portability policy pledge. A short, direct promise to support the data portability principles.
  • A portability policy template. Like the questions found at PortabilityPolicy.org, a structured way to assure all data portability principles are addressed and disclosed, whether they are supported or not.
  • A portability policy minimum disclosure. Describe the least amount of disclosure required by a trust framework.
  • A portability policy minimum practice. Describe required data portability practices. This is prescriptive.
  • A portability policy recommended practice. Describe portability practices above and beyond the required. With time and support of the trust framework’s organization, recommended practices may become required.
  • A portability glossary. Defining our terms.  

Some of these documents should and can be in simple, plain language. For example the manifesto should explain data portability persuasively.

Others should be sufficiently specific that a third-party could verify portability claims in practice. So if you say you delete all a user’s data on request, the minimum practice lists how that would be proved.

We’ll version these documents and bring them through stages of maturity, from proposed to draft to final, or a similar approach. This way everyone knows exactly what they sign up for.

The next 30 days.

Now through June. Project volunteers will write and edit the documents.

27 April. I’ll host a Portability for Trust Frameworks conference call Wednesday to get things started.

3-5 May. The Internet Identity Workshop (IIW12). We will have data portability working sessions to scope, write, edit, and test the documents. See you there.

10-13 May. European Identity Conference. Munich. Not yet scheduled, but we’re hoping for a birds-of-a-feather session to discuss this work and recruit EU contributors. More than five hours of this EIC are on trust frameworks.

11-13 May. Telco 2 and Personal Data 5. London. I hope some of the Personal Data unconference attendees will schedule a working session on day three.

19-21 May. Privacy, Identity, Innovation 2011 conference (PII), with PrivacyCamp on Saturday. We’ll have working sessions during PrivacyCamp. Silicon Valley.

What you should do now.

  1. Put time on your calendar for our events and conference calls. (5 minutes)
  2. Join our low volume Google group (2 minutes).
    Subscribe to "Data Portability Trust Framework"
    Visit this group
  3. Re-read the 10 Questions on PortabilityPolicy.org so you are familiar with the baseline documents. (10 minutes)
  4. Invite fellow authors to work on this.
  5. #Portability4Trust is our hashtag. Spread the word that we need help, please.
  6. Cash. Some of this work will involve travel and professional services. The DataPortability Project is a 501(c)3 California charitable corporation. Underwrite our work with donations and in-kind legal services.

As always, I’m available to talk in private. +1-510-316-9773, skype:evanwolf, @evanwolf. – Phil Wolff.

A draft of slides for IIW below…

1 comment to #portability4trust: How we will bring data portability to trust frameworks this quarter.