A Trust Framework is a combination of software mechanisms, legal contracts and social rules. Together these integrated elements set forth an algorithmic “constitutional system” of governance and enforcement for a given body of information and the people who use it. The trust framework constitutes a voluntary “social contract” governing how that body of information may be shared and used in specific contexts.
Trust, however, cannot simply be mandated. It must be socially earned. It must be cultivated and protected over time, through institutional rules and social norms. The question is how we build and verify trust in our new online social enterprises and institutions.
As there are some inherent limitations to traditional enforcement mechanisms such as current legislation, regulation, civil and criminal lawsuits etc. ID3 believes that voluntary Trust Frameworks offer a more effective system of social ordering, re-establishing trust, and complementing traditional law enforcement.
Whenever possible, governance mechanisms and contracts should be self-executing and self-correcting. This helps minimize exposure to the vagaries of external enforcement (lawsuits, regulatory action, etc.). Management and governance should be designed to adhere to a common and independently verifiable standard of performance.
New laws and regulations in themselves are not the answer because they beg the question of how new rules will be formulated and enforced in the digital sphere. Contemporary policymaking and regulation are notoriously slow and generally incapable of keeping pace with technological change. Rule-making is also dominated by the larger, more sophisticated and politically connected actors. Such external forms of enforcement (courts, regulatory agencies, lawsuits) are time-consuming, costly and more readily “gamed.”
This approach to Trust Frameworks is similar in philosophy and intent to that developed by the United States Government in its National Strategy for Trusted Identities in Cyberspace (NSTIC) (http://www.nist.gov/nstic) which is supported by the White House and the Department of Homeland Security. The Department of Commerce has its Green Paper that is very similar in intent and approach to the NSTIC report (http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf).
Fair Information Practices and Policies
Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII)
Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII
Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used
Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purposes and only retain PII for as long as is necessary to fulfill the specified purposes
Use Limitation: Organizations should use PII solely for the purposes specified in the notice Sharing PII should be for a purpose compatible with the purpose for which the PII was collected
Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete
Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure
Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements
Markers of New Data Ecosystem
- New data-driven commercial, social, political, and cultural processes
- Ubiquitous data surveillance, collection, aggregation and analysis
- Coordination and discovery costs trending towards zero marginal cost
- Ubiquitous 5 billion mobile platforms
- Virtually “free” computing cycles and storage
- Exponentially more intelligent, autonomous and ubiquitous “bots”
- Data has become the “oil” of 21st century economies driving fundamental business and infrastructural processes
- Personal Information as a new “asset class” to be traded and securitized
- Privacy regulation is converging with financial regulation as data is securitized
- Power of regulatory, trust, and security restrictions on data flows to diminish or enable economic growth and effective governance
- End of Gaussian analysis, sampling, black swans and rise of real time, full data set analysis
- “Quantified self” as necessary for new financial, health, social, media and government services
- Public and private data as critical drivers of smart infrastructures – urban, energy, food, government
- Rapid entry and scaling of new categories of data-driven businesses