Trust Registry Policy
The DTI team evaluates every application based on the following criteria:
- Trust Criteria
We've collaborated with a stellar technical & legal team to establish an objective five-pillar framework
- Threat Model
We evaluated several potential threats and incorporated them into our risk assessment
- Trust Framework Participation
We are transparent with stakeholders and firmly committed to building a registry that serves all
Trust Criteria
1. Transfer Party Authentication: The Transfer Party must have a legal entity and legal representatives. They must be able to be authenticated during the setup of a data transfer, via known domain and service URLs that can be securely contacted and communicated with.
2. Jurisdiction: The Transfer Party's legal jurisdiction has laws and regulatory agencies that impact the security and privacy of user data transferred to or from the Transfer Party. Additionally, a Transfer Party can opt into some compliance organizations, which then constrain the Transfer Party.
3. Data Security: Data Security criteria are concerned with how the user's data is protected from unauthorized access before, during or after a data transfer. Cybersecurity programs and related documentation can demonstrate data security practices.
4. Transparency: A Transfer Party's use of data after acquiring it should be disclosed to users via appropriate transparency measures such as privacy policies and Terms and Conditions from the service.
5. End User Authentication and Authorization: Transfer Parties should be able to demonstrate that their service authenticates users and receives informed consent from the user before transferring data in or out.
Threat Model
The Trust Criteria are developed to address the following threats, which cannot always be prevented through technical means alone:
- Unauthorized Transfer of data;
- Inadequate Transparency around the transfer of data to the End User;
- Denial of Service;
- Elevation of Privilege by malicious actors through the use of the Transfer Mechanism;
- Non-compliance with applicable regulations due to receiving Transfer Data;
- Harmful Content within the Transfer Data;
- Spoofing of the End User or Transfer Party and related bad actor activity; and
- End User Permission and access control challenges.
Trust Framework Participation
As the Trust Registry operators build the registry itself, development of the trust frameworks for different kinds of user content must proceed with input from stakeholders. Users, regulators, policy-makers, large platforms and small service providers all have a stake in how the Trust Framework is defined and how it applies. The earliest areas considered will be:
- Personal photos and videos
- Personal notes and tasks
- Social Media posts (especially ActivityPub)
- Music playlists
To participate in the Trust Framework development, contact DTI to join our community.