Jaroslav Pullmann | Christian Mader | Andreas Eitel
The research project "Industrial Data Space" [1] aims at establishing a "network of trust" for the secure and reliable exchange of sensitive data among business partners. It involves a consortium of several Fraunhofer institutes, among them FIT, IAIS and IESE. Reflecting their core competencies, these three partners contribute to key research challenges in the Industrial Data Space project. These are the development of (i) a decentralized platform architecture (IAIS), (ii) an information model based on Linked Data technologies for supporting data publication and exchange (FIT + IAIS), and (iii) the integration of a framework to enforce usage control policies (IESE).
In the Industrial Data Space, data offerings are annotated with structured metadata that supports the individual stages of data provision, among others publication, search, negotiation, commoditization, delivery, and the subsequent usage. Usage control statements expressed as ODRL [2] rules are of particular importance, since they encode formal, machine-readable contracts stating the permitted type of usage and the related pre- and post-obligations to be obeyed by the data consumer.
We argue that the theoretical work on usage control [3] has gained important momentum through the standardization of the W3C ODRL Information Model and ODRL Vocabulary [4], but it still lacks appropriate evaluation and adoption, partly because of a missing community of practice.
In line with the agenda of the ODRL Community Group [5], we propose to establish such a community of practice, e.g., by implementing some of the proposed action points:
– Scope: The ODRL UCR document [6] predominantly lists use cases from the media domain. Feedback from other domains (B2B data marketplaces, "collaborating industrial agents" in the scope of digital factory scenarios, etc.) should be sought to extend ODRL's domain coverage.
– Specification: The existing specifications should be augmented by directives supporting an unambiguous evaluation and enforcement of ODRL rules. They should, for example, state how to handle partial definitions and implicit knowledge.
– Guidance: A document providing hints on the intended usage and interpretation of ODRL constructs should be created. Built around a structured collection of recurrent samples, it should provide a reference of ODRL modelling patterns. The samples should reflect issues of legal restrictions (GDPR [7]), "data residency" [8] considerations, etc. Further, the applicability and relation of ODRL to the statements of common (open-source) licences should be elaborated. Extensibility options (addition of actions, operands, etc.) and governance processes of the ODRL vocabulary based on ODRL profiles should be documented.
– Implementation: The ODRL Implementation Report [9] apparently focuses on validation. The evaluation process should be elaborated further towards support for the (semi-)automatic enforcement of ODRL rules, with links to the components, processes and runtime prerequisites of an established architecture like the XACML 3.0 data-flow model [10]. The requirements of continuous constraint evaluation, action monitoring and obligation testing should be made explicit in terms of the required (context) information, assertions, pseudo-code, etc.
– Legal aspects: The relation of (digitally signed) ODRL policies to written contracts should be examined. Could ODRL express a formal equivalent of written contracts with comparable legal liability? What assumptions apply in order to establish the liability of such a digital contract, e.g. to identify the signing parties (X.509 certificate), to guarantee the immutability of the contract (blockchain), etc.?
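To make the "Specification" and "Implementation" points above concrete, the following is an added example (not code from the paper, the ODRL working group or the Industrial Data Space project) of a minimal evaluator for ODRL 2.2 policies in JSON-LD. The policy, the party and asset IRIs, and the request/context shapes are all constructed for the example. It shows the two decisions that the spec leaves to an implementation and that a usage control enforcement point must make explicitly: a partial definition (a constraint whose operand has no value in the context, or whose operator or right operand is missing or unknown) is treated as not satisfied, so the request is denied rather than silently permitted; and the duties attached to a matched permission are returned as obligations that the caller has to monitor and discharge, which is the hook for the continuous obligation testing the text asks for. Treating a matching prohibition as a denial regardless of the policy's conflict strategy is a fail-closed simplification assumed here, not ODRL's own conflict resolution.

```python
"""Minimal ODRL 2.2 policy evaluator with default-deny semantics (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample policy: an Agreement granting 'use' of a dataset until a date,
# with a 'notify' duty, and prohibiting 'distribute'. IRIs are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "@context": "http://www.w3.org/ns/odrl.jsonld",
  "@type": "Agreement",
  "uid": "http://example.com/policy/42",
  "assigner": "http://example.com/party/provider",
  "assignee": "http://example.com/party/consumer",
  "permission": [{
    "target": "http://example.com/data/sensor-feed",
    "action": "use",
    "constraint": [{
      "leftOperand": "dateTime",
      "operator": "lt",
      "rightOperand": {"@value": "2018-12-31T00:00:00Z", "@type": "xsd:dateTime"}
    }],
    "duty": [{"action": "notify"}]
  }],
  "prohibition": [{"target": "http://example.com/data/sensor-feed", "action": "distribute"}]
}
""")

# Only the comparison operators of the ODRL vocabulary are implemented; anything else
# is "unknown" and makes the constraint unsatisfiable (fail closed).
OPERATORS = {
    "eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
    "lt": lambda a, b: a < b, "lteq": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "gteq": lambda a, b: a >= b,
}


def _as_list(value):
    """ODRL JSON-LD allows a single object or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _literal(value):
    """Unwrap a JSON-LD typed literal; xsd:dateTime becomes an aware datetime."""
    if isinstance(value, dict):
        if value.get("@type", "").endswith("dateTime"):
            return datetime.fromisoformat(value["@value"].replace("Z", "+00:00"))
        return value.get("@value")
    return value


def check_constraint(constraint, context):
    """Return (satisfied, reason). Partial or unknown definitions are never satisfied."""
    operand, op = constraint.get("leftOperand"), constraint.get("operator")
    if operand not in context:
        return False, f"no context value for leftOperand '{operand}'"
    if op not in OPERATORS:
        return False, f"unsupported operator '{op}'"
    if "rightOperand" not in constraint:
        return False, f"constraint on '{operand}' has no rightOperand"
    try:
        ok = OPERATORS[op](context[operand], _literal(constraint["rightOperand"]))
    except TypeError:  # e.g. naive vs. aware datetime, or string vs. number
        return False, f"incomparable operands for '{operand}'"
    return ok, ("" if ok else f"constraint on '{operand}' not satisfied")


def _rule_matches(rule, policy, request):
    """A rule applies if target, action and (if stated) assignee match the request."""
    target = rule.get("target", policy.get("target"))
    assignee = rule.get("assignee", policy.get("assignee"))  # absent in a Set policy
    return (target == request["target"] and rule.get("action") == request["action"]
            and (assignee is None or assignee == request.get("assignee")))


def evaluate(policy, request, context):
    """Decide a usage request: {'decision': 'Permit'|'Deny', 'reason', 'obligations'}."""
    # 1. Any applicable prohibition denies (fail-closed simplification, see lead-in).
    for proh in _as_list(policy.get("prohibition")):
        if _rule_matches(proh, policy, request):
            return {"decision": "Deny", "reason": f"prohibited by {policy.get('uid')}",
                    "obligations": []}
    # 2. The first applicable permission whose constraints all hold permits the request;
    #    its duties are handed back as obligations the enforcement point must track.
    reasons = []
    for perm in _as_list(policy.get("permission")):
        if not _rule_matches(perm, policy, request):
            continue
        results = [check_constraint(c, context) for c in _as_list(perm.get("constraint"))]
        failed = [reason for ok, reason in results if not ok]
        if failed:
            reasons.extend(failed)
            continue
        duties = [d.get("action") for d in _as_list(perm.get("duty"))]
        return {"decision": "Permit", "reason": "permission matched", "obligations": duties}
    # 3. Nothing explicitly permitted: default deny.
    return {"decision": "Deny", "reason": "; ".join(reasons) or "no applicable permission",
            "obligations": []}


if __name__ == "__main__":
    req = {"assignee": "http://example.com/party/consumer",
           "target": "http://example.com/data/sensor-feed", "action": "use"}
    print(evaluate(SAMPLE_POLICY, req, {"dateTime": datetime(2018, 6, 1, tzinfo=timezone.utc)}))
```

The evaluator compares action and operand names as the literal strings found in the document; a real deployment would expand them against the JSON-LD context (so that "use" and "odrl:use" are the same term) before evaluation, and would persist the returned obligations so that an unfulfilled duty can later be detected and reported.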
[1] Fraunhofer-Gesellschaft: Industrial Data Space. URL: https://www.fraunhofer.de/en/research/lighthouse-projects-fraunhofer-initiatives/industrial-data-space.html. Accessed February 23, 2018.
[2] Iannella, Renato; Villata, Serena. ODRL Information Model 2.2. 15 February 2018. W3C Recommendation. URL: https://www.w3.org/TR/odrl-model/. Accessed February 23, 2018.
[3] Lazouski, Aliaksandr; Martinelli, Fabio; Mori, Paolo. Usage control in computer security: A survey. In: Computer Science Review, 4 (2010), Nr. 2, S. 81-99. URL: https://www.sciencedirect.com/science/article/pii/S1574013710000146. Accessed February 23, 2018.
[4] Iannella, Renato; Steidl, Michael; Myles, Stuart; Rodríguez-Doncel, Víctor. ODRL Vocabulary & Expression 2.2. 15 February 2018. W3C Recommendation. URL: https://www.w3.org/TR/odrl-vocab/. Accessed February 23, 2018.
[5] Iannella, Renato: ODRL is coming back! 2 February 2018. URL: https://lists.w3.org/Archives/Public/public-odrl/2018Feb/0000.html. Accessed February 23, 2018.
[6] Steidl, Michael; Steyskal, Simon; Whittam Smith, Benedict. POE Use Cases and Requirements. 23 February 2017. W3C Working Draft. URL: https://www.w3.org/TR/poe-ucr/. Accessed February 23, 2018.
[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, Vol. L119 (4 May 2016), pp. 1-88. URL: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC. Accessed February 23, 2018.
[8] Object Management Group (OMG). Data Residency Working Group. URL: http://www.omg.org/data-residency/. Accessed February 23, 2018.
[9] W3C Permissions and Obligations Expression (POE) WG: ODRL Candidate Recommendation - Implementation Report. 13 November 2017. URL: https://w3c.github.io/poe/test/implementors. Accessed February 23, 2018.
[10] OASIS. eXtensible Access Control Markup Language (XACML) Version 3.0 Plus Errata 01. Edited by Erik Rissanen. 12 July 2017. OASIS Standard incorporating Approved Errata. URL: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.html. Accessed February 23, 2018.