Re: Proposal for concepts representing Technologies

Hi Harsh,

I welcome this extension.

Best regards,
Georg

On Sat, May 28, 2022 at 1:57 PM Harshvardhan J. Pandit <me@harshp.com>
wrote:

> Hello.
> This is a rather long email, so tldr - extension providing concepts
> related to technologies in relation with data, operations (processes),
> security, provision, actors, and communication. Motivation and reasoning
> for why this is needed, and how this is different from tech/org measures
> is included. Also attached is a CSV with the concepts.
>
> These relate to discussions that have taken place in the past few meetings, and
> this email represents the progress to date.
>
> ------------------------------------------
> #1 Motivation
> ------------------------------------------
>
> Currently in DPV we have `dpv:Technology` and `dpv:hasTechnology` for
> indicating how technologies are used i.e. how is something implemented
> or executed. This is distinct from other concepts which only model the
> _conceptual expression_ rather than the practical implementation of how
> it is achieved i.e. the technology.
>
> For example, processing concept dpv:Collect has implementation
> technology 'Camera' or 'Form on a website', where these are distinct
> from the _location_ in the semantic sense i.e. 'on device' or 'url of
> website'. Similarly, a 'technical and organisational measure' represents
> a _conceptual notation_ for expressing something in the abstract. For
> example, 'Encryption' as a broad category of data transformations
> providing security, which can be implemented using a specific filesystem
> or software - i.e. the implementation technology.
>
> In cases where the broad concept is not sufficient and must be further
> described in terms of how it is implemented, the technology extension
> will provide concepts for such descriptions. This is useful to describe
> practical aspects of data processing, such as tools and software, and
> also the roles of actors involved. For example, to describe processing
> takes place on servers utilising the AWS service, there needs to be a
> distinction between what category of processing from the underlying
> implementations. This is important since in theory the same processing
> will continue while the providers change.
>
> Though these relations are all lumped as Data Processors within GDPR
> (and sometimes as Joint Controllers depending on context), these 'roles'
> regarding technologies are important for future regulations i.e. DSA,
> DGA, AI Act, and so on. Therefore, this proposal also tries to be
> forward looking.
>
> -------------------------
> #2 Top concepts
> -------------------------
>
> The top concepts for 'Technology' are as below. They relate to
> technologies that relate to (i) Data - this is generalised from personal
> data so as to not restrict the definition and permit reuse in other
> contexts; (ii) Operational - this relates to operations or processes -
> however the term operational is preferred so as to not confuse "process"
> here with "processing"; (iii) Security - this relates to any kind of
> security rather than just that of data; (iv) Management - similar to
> security this relates to any kind of management; (v) ID -
> identification, identity, or identifier related technologies which are a
> special concept because of their importance and sensitivity; (vi)
> Surveillance - similar to ID these are of particular interest.
>
> Concept: DataTechnology
>      Parent: dpv:Technology
>      Technology that uses or interacts with data
> Concept: OperationalTechnology
>      Parent: dpv:Technology
>      Technology that enables or performs or executes operations and
> processes
> Concept: SecurityTechnology
>      Parent: dpv:Technology
>      Technology that enables or provides security
> Concept: ManagementTechnology
>      Parent: dpv:Technology
>      Technology that enables or provides management
> Concept: IDTechnology
>      Parent: dpv:Technology
>      Technology related to identity or identifiers
> Concept: SurveillanceTechnology
>      Parent: dpv:Technology
>      Technology related to surveillance of individuals or people
>
> -------------------------
> #3 Data Technologies
> -------------------------
>
> The data technologies are mapped onto Processing concepts within DPV in
> a 1:1 form i.e. for each DPV concept, there would be a corresponding
> Technology concept for implementing that processing operation. Below
> are the top concepts in processing expressed as technologies. Note the
> additional "management technology" concept added to all top concepts in
> technology.
>
> Concept: DataCopyingTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to copying data
> Concept: DataDisclosureTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to disclosing data
> Concept: DataObtainTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to obtaining data
> Concept: DataOrganiseTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to organising data
> Concept: DataRemovalTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to removing data
> Concept: DataStorageTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to storing data
> Concept: DataTransferTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to transferring data
> Concept: DataTransformTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to transforming data
> Concept: DataUseTechnology
>      Parent: dpv-tech:DataTechnology
>      Technology related to using data
> Concept: DataSecurityTechnology
>      Parent: dpv-tech:DataTechnology,dpv-tech:SecurityTechnology
>      Technology related to security of data
> Concept: DataManagementTechnology
>      Parent: dpv-tech:DataTechnology,dpv-tech:ManagementTechnology
>      Technology related to management of data
>
> -------------------------
> #4 Operational Technologies
> -------------------------
>
> These are technologies where processing or activities or operations or
> executions happen or are performed or enabled. This is the technical
> definition of "processing" in its strictest (engineering) term. Top
> concepts here refer to: (i) environment (where the processing takes
> place, for example the operating system or container); (ii) devices as
> equipments; (iii) management of operations (e.g. kernels); (iv)
> application - software or a process; (v) operational management -
> alternative label for management.
>
> Concept: OperationalEnvironment
>      Parent: dpv-tech:OperationalTechnology
>      Technology that provides an environment for operations to be executed
> Concept: OperationalDevice
>      Parent: dpv-tech:OperationalTechnology
>      Technology that acts as an equipment or mechanism for operations
> Concept: OperationalManagement
>      Parent: dpv-tech:OperationalTechnology
>      Technology that manages operations
> Concept: Application
>      Parent: dpv-tech:OperationalTechnology
>      A computing or digital program
> Concept: OperationsManagementTechnology
>      Parent: dpv-tech:OperationalTechnology,dpv-tech:ManagementTechnology
>      Technology related to management of operations (alt label)
>
> -------------------------
> #5 Security Technologies
> -------------------------
>
> The top concepts here refer to three concepts related to security: (i)
> PET - privacy enhancing technologies; (ii) Vulnerabilities - How to
> detect, prevent, mitigate, and monitor for them; and (iii) Vulnerability
> Exploitation and its detection, prevention, mitigation, and monitoring.
>
> The (ii) and (iii) in above represent typical stages in risk management,
> except there is no modelling of threats, risks, and threat actors, but
> instead focus on risk sources (vulnerabilities), and their consequences
> (exploitations).
>
> Concept: PET
>      Parent: dpv-tech:SecurityTechnology
>      Privacy Enhancing Technologies (PETs) that provide minimisation or
> security related to data and privacy
> Concept: VulnerabilityDetection
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability detection
> Concept: VulnerabilityPrevention
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability prevention
> Concept: VulnerabilityMitigation
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability mitigation
> Concept: VulnerabilityMonitoring
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability monitoring
> Concept: VulnerabilityExploitationDetection
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability exploitation detection
> Concept: VulnerabilityExploitationPrevention
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability exploitation prevention
> Concept: VulnerabilityExploitationMitigation
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability exploitation mitigation
> Concept: VulnerabilityExploitationMonitoring
>      Parent: dpv-tech:SecurityTechnology
>      Technology related to vulnerability exploitation monitoring
> Concept: SecurityManagementTechnology
>      Parent: dpv-tech:SecurityTechnology,dpv-tech:ManagementTechnology
>      Technology related to management of security
>
> -------------------------
> #6 Provision of Technology
> -------------------------
>
> Here, provision refers to how that technology is utilised or provided in
> terms of a model of use. Things such as products, subscriptions,
> algorithms, etc. are modelled under this concept.
>
> Concept: TechnologyProvisionMethod
>      Parent: dpv:Concept
>      Method associated with provision or use of technology
> Concept: hasProvisionMethod
>      Parent:
>      Specifies the provision or usage method of technology
> Concept: FixedUse
>      Parent: dpv-tech:TechnologyProvisionMethod
>      Technology that can be used a fixed number of times
> Concept: Subscription
>      Parent: dpv-tech:TechnologyProvisionMethod
>      Technology that is provided or used as a periodic subscription
> Concept: Product
>      Parent: dpv-tech:TechnologyProvisionMethod
>      Technology that is provided as a product
> Concept: Goods
>      Parent: dpv-tech:TechnologyProvisionMethod
>      Technology provided or used as goods
> Concept: Services
>      Parent: dpv-tech:TechnologyProvisionMethod
>      Technology provided or used as services
> Concept: Algorithmic
>      Parent: dpv-tech:TechnologyProvisionMethod
>      Technology provided as an algorithm or method
> Concept: System
>      Parent:
>      Technology provided as a system
> Concept: Component
>      Parent:
>      Technology provided as a component
>
> -------------------------
> #7 Actors
> -------------------------
>
> Actor is an Entity with a specific Role. In DPV, we use Entity since
> there can be multiple roles. However, in technology, the term Actor
> would be preferable since we utilise specific roles in context to the
> technology being modelled. If this is confusing or better to be
> consistent with DPV, we can change this back to Entity.
>
> The Actors below represent different roles associated with how
> technology is developed and used. It reflects a simplification of the
> roles defined in the AI Act.
>
> The concept "user" can have different connotations depending on how it
> is used. For example, a technology user could refer to someone who
> operates it. A "subject" would be someone who the technology is applied
> on. For example, on an immigration system at a border, the immigration
> officer would be user and the person entering/leaving would be the subject.
>
> Concept: TechnologyActor
>      Parent: dpv:Entity
>      Actors and Entities involved in provision, use, and management of
> Technology
> Concept: TechnologyProvider
>      Parent: dpv-tech:TechnologyActor
>      Actor that provides Technology
> Concept: hasProvider
>      Parent: dpv:hasEntity
>      Indicates technology provider
> Concept: TechnologyDeveloper
>      Parent: dpv-tech:TechnologyActor
>      Actor that develops Technology
> Concept: hasDeveloper
>      Parent: dpv:hasEntity
>      Indicates technology developer
> Concept: TechnologyUser
>      Parent: dpv-tech:TechnologyActor
>      Actor that uses Technology
> Concept: hasUser
>      Parent: dpv:hasEntity
>      Indicates technology user
> Concept: TechnologySubject
>      Parent: dpv-tech:TechnologyActor
>      Actor that is subject of use of Technology
> Concept: hasSubject
>      Parent: dpv:hasEntity
>      Indicates technology subject
>
> -------------------------
> #8 Location
> -------------------------
>
> We already have `dpv:Location` as the concept which can be reused here.
> To provide more specific forms of locations, such as "on device" and "on
> a server", it would be better to provide them within main DPV as they
> also are useful for expressing locations of other concepts.
>
> Some examples include: LocationFixture, FixedLocation,
> FixedSingularLocation, FixedMultipleLocations, VariableLocation,
> FederatedLocations, DecentralisedLocations, RandomLocation,
> LocationLocality, LocalLocation, RemoteLocation, WithinDevice,
> CloudLocation, ServerLocation, ServerlessLocation
>
> If the location of technology is to be explicitly defined, then the
> concept would be modelled as follows:
>
> Concept: TechnologyUsageLocation
>      Parent: dpv:Location
>      Location for where technology is provided or used
> Concept: hasLocation
>      Parent: dpv:hasLocation
>      Indicates location of technology usage or provision
>
> -------------------------
> #9 Communications
> -------------------------
>
> Communication is important to express how technologies send and receive
> data. These are modelled as a separate concept from Technology.
>
> Concept: CommunicationMechanism
>      Parent: dpv:Concept
>      Communication mechanism used or provided by Technology
> Concept: hasCommunicationMechanism
>      Parent:
>      Indicates communication mechanisms used or provided by technology
> Concept: Networking
>      Parent: dpv-tech:CommunicationMechanism
>      Technology utilising networking communication
> Concept: LocalNetwork
>      Parent: dpv-tech:Networking
>      Technology utilising local networking communication
> Concept: Internet
>      Parent: dpv-tech:Networking
>      Technology utilising internet communication
> Concept: WiFi
>      Parent: dpv-tech:Networking
>      Technology utilising wifi wireless networking communication
> Concept: Bluetooth
>      Parent: dpv-tech:Networking
>      Technology utilising bluetooth communication
> Concept: CellularNetwork
>      Parent: dpv-tech:Networking
>      Technology utilising cellular networking communication
> Concept: GPS
>      Parent: dpv-tech:CommunicationMechanism
>      Technology utilising GPS communication
>
> -------------------------
> #10 Maturity / Innovativeness
> -------------------------
>
> This concept relates to how proven a technology is, or whether it
> represents something that is untested or is innovative and new. These
> are relevant since they raise specific concerns regarding risks and
> impacts. Rather than defining new qualitative terms, we can reuse
> existing ones such as the TRL which indicates "maturity" of technology
> in terms of what stage of development and use it is. There is an ISO
> standard defining such levels.
>
> Concept: TechnologyReadinessLevel
>      Parent: dpv:Technology
>      Indication of maturity of Technology (ISO 16290:2013)
> Concept: hasTRL
>      Parent:
>      Indicates technology maturity level
>
> -------------------------
> #11 Discussed Concepts
> -------------------------
>
> The below are some concepts which we discussed in the previous meetings.
> These are provided here with their parent concept to see whether the
> structure makes sense and to identify limitations/lapses.
>
> Concept: Database
>      Parent: dpv-tech:DataStorageTechnology
>      A database, database management system (DBMS), or application database
> Concept: Cookie
>      Parent: dpv-tech:LocalStorage
>      A HTTP or web or internet cookie
> Concept: FileSystem
>      Parent: dpv-tech:DataStorageTechnology
>      A data storage and retrieval interface provided by an operating system
> Concept: LocalStorage
>      Parent: dpv-tech:DataStorageTechnology
>      Data stored 'locally' within a context
> Concept: DeviceStorage
>      Parent: dpv-tech:LocalStorage
>      Data stored 'on device' as in the device's storage
> Concept: ApplicationStorage
>      Parent: dpv-tech:LocalStorage
>      Data stored 'in app' as in within the application's storage
> Concept: RemoteStorage
>      Parent: dpv-tech:DataStorageTechnology
>      Data stored 'remotely' i.e. not locally within a context
> Concept: CloudStorage
>      Parent: dpv-tech:RemoteStorage
>      Data stored 'on cloud' i.e. internet-based access to data
> Concept: ServerStorage
>      Parent: dpv-tech:CloudStorage
>      Data stored on a server i.e. a remote cloud-based storage mechanism
>
> Concept: SmartphoneApplication
>      Parent: dpv-tech:Application
>      A computing or digital program on a smartphone device
> Concept: DigitalService
>      Parent: dpv-tech:Service
>      A service that is provided digitally
> Concept: OnlineService
>      Parent: dpv-tech:Service
>      A service that is provided through or based on internet i.e. online
> connectivity
> Concept: TrackingCookie
>      Parent: dpv-tech:SurveillanceTechnology,dpv-tech:Cookie
>      Cookies used for tracking
> Concept: TrackingPixel
>      Parent: dpv-tech:SurveillanceTechnology
>      Pixels or web beacons or similar techniques used for tracking
> Concept: PIMS
>      Parent: dpv-tech:DataManagementTechnology
>      system that helps to give individuals more control over their
> personal data by managing their personal data in secure, on-premises or
> online storage systems and sharing it when and with whomever they choose
> Concept: PersonalDataStore
>      Parent:
> dpv-tech:DataStorageTechnology,dpv-tech:DataManagementTechnology
>      (Q: service OR data management system) that lets an individual
> store, manage and deploy their personal data
> Concept: IdentityManagementTechnology
>      Parent: dpv-tech:IDTechnology,dpv-tech:ManagementTechnology
>      Technologies providing identity provision, verification,
> management, and governance
> Concept: IdentityWallet
>      Parent:
> dpv-tech:IdentityManagementTechnology,dpv-tech:DataStorageTechnology
>      product and service that allows the user to store identity data,
> credentials and attributes linked to her/his identity, to provide them
> to relying parties on request and to use them for authentication, online
> and offline, and to create qualified electronic signatures and seals
>
> Concept: OvertSurveillanceTechnology
>      Parent: dpv-tech:SurveillanceTechnology
>      Surveillance that is overt i.e. visible or apparent or explicit
> Concept: CovertSurveillanceTechnology
>      Parent: dpv-tech:SurveillanceTechnology
>      Surveillance that is covert i.e. invisible or non-apparent or implicit
>
> -------------------------
>
> Regards,
> --
> ---
> Harshvardhan J. Pandit, Ph.D
> Research Fellow
> ADAPT Centre, Trinity College Dublin
> https://harshp.com/



-- 
Georg Philip Krog

signatu <https://signatu.com>

Received on Wednesday, 1 June 2022 11:43:38 UTC