Re: Proposal for concepts representing Technologies

This is a rather long email, so tldr - extension providing concepts 
related to technologies in relation with data, operations (processes), 
security, provision, actors, and communication. Motivation and reasoning 
for why this is needed, and how this is different from tech/org measures 
is included. Also attached is a CSV with the concepts.

These relate to discussions taken place in the past few meetings, and 
this email represents the progress to date.

#1 Motivation

Currently in DPV we have `dpv:Technology` and `dpv:hasTechnology` for 
indicating how technologies are used i.e. how is something implemented 
or executed. This is distinct from other concepts which only model the 
_conceptual expression_ rather than the practical implementation of how 
it is achieved i.e. the technology.

For example, processing concept dpv:Collect has implementation 
technology 'Camera' or 'Form on a website', where these are distinct 
from the _location_ in the semantic sense i.e. 'on device' or 'url of 
website'. Similarly, a 'technical and organisational measure' represents 
a _conceptual notation_ for expressing something in the abstract. For 
example, 'Encryption' as a broad category of data transformations 
providing security, which can be implemented using a specific filesystem 
or software - i.e. the implementation technology.

In cases where the broad concept is not sufficient and must be further 
described in terms of how it is implemented, the technology extention 
will provide concepts for such descriptions. This is useful to describe 
practical aspects of data processing, such as tools and software, and 
also the roles of actors involved. For example, to describe processing 
takes place on servers utilising the AWS service, there needs to be a 
distinction between what category of processing from the underlying 
implementations. This is important since in theory the same processing 
will continue while the providers change.

Though these relations are all lumped as Data Processors within GDPR 
(and sometimes as Joint Controllers depending on context), these 'roles' 
regarding technologies are important for future reglations i.e. DSA, 
DGA, AI Act, and so on. Therefore, this proposal also tries to be 
forward looking.

#2 Top concepts

The top concepts for 'Technology' are as below. They relate to 
technologies that relate to (i) Data - this is generalised from personal 
data so as to not restrict the definition and permit reuse in other 
contexts; (ii) Operational - this relates to operations or processes - 
however the term operational is preferred so as to not confuse "process" 
here with "processing"; (iii) Security - this relates to any kind of 
security rather than just that of data; (iv) Management - similar to 
security this relates to any kind of management; (v) ID - 
identification, identity, or identifier related technologies which are a 
special concept because of their important and sensitivity; (vi) 
Surveillance - similar to ID these are of particular interest.

Concept: DataTechnology
     Parent: dpv:Technology
     Technology that uses or interacts with data
Concept: OperationalTechnology
     Parent: dpv:Technology
     Technology that enables or performs or executes operations and 
Concept: SecurityTechnology
     Parent: dpv:Technology
     Technology that enables or provides security
Concept: ManagementTechnology
     Parent: dpv:Technology
     Technology that enables or provides management
Concept: IDTechnology
     Parent: dpv:Technology
     Technology related to identity or identifiers
Concept: SurveillanceTechnology
     Parent: dpv:Technology
     Technology related to surveillance of individuals or people

#3 Data Technologies

The data technologies are mapped onto Processing concepts within DPV in 
a 1:1 form i.e. for each DPV concept, there would be a corresponding 
Technology concept for implementation that processing operation. Below 
are the top concepts in processing expressed as technologies. Note the 
additional "management technology" concept added to all top concepts in 

Concept: DataCopyingTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to copying data
Concept: DataDisclosureTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to disclosing data
Concept: DataObtainTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to obtain data
Concept: DataOrganiseTechnology
     Parent: dpv-tech:DataTechnology
     Technology realted to organising data
Concept: DataRemovalTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to removing data
Concept: DataStorageTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to storing data
Concept: DataTransferTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to transfering data
Concept: DataTransformTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to transforming data
Concept: DataUseTechnology
     Parent: dpv-tech:DataTechnology
     Technology related to using data
Concept: DataSecurityTechnology
     Parent: dpv-tech:DataTechnology,dpv-tech:SecurityTechnology
     Technology related to security of data
Concept: DataManagementTechnology
     Parent: dpv-tech:DataTechnology,dpv-tech:ManagementTechnology
     Technology related to management of data

#4 Operational Technologies

These are technologies where processing or activities or operations or 
executions happen or are performed or enabled. This is the technical 
definition of "processing" in its strictest (engineering) term. Top 
concepts here refer to: (i) environment (where the processing takes 
place, for example the operating system or container); (ii) devices as 
equipments; (iii) management of operations (e.g. kernels); (iv) 
application - software or a process; (v) operational management - 
alternative label for management.

Concept: OperationalEnvironment
     Parent: dpv-tech:OperationalTechnology
     Technology that provides an environment for operations to be executed
Concept: OperationalDevice
     Parent: dpv-tech:OperationalTechnology
     Technology that acts as an equipment or mechanism for operations
Concept: OperationalManagement
     Parent: dpv-tech:OperationalTechnology
     Technology that manages operations
Concept: Application
     Parent: dpv-tech:OperationalTechnology
     A computing or digital program
Concept: OperationsManagementTechnology
     Parent: dpv-tech:OperationalTechnology,dpv-tech:ManagementTechnology
     Technology related to management of operations (alt label)

#5 Security Technologies

The top concepts here refer to three concepts related to security: (i) 
PET - privacy enhacing technologies; (ii) Vulnerabilities - How to 
detect, prevent, mitigate, and monitor for them; and (iii) Vulnerability 
Exploitation and its detection, prevention, mitigation, and monitoring.

The (ii) and (iii) in above reprsent typical stages in risk management, 
except there is no modelling of threats, risks, and threat actors, but 
instead focus on risk sources (vulnerabilities), and their consequences 

Concept: PET
     Parent: dpv-tech:SecurityTechnology
     Privacy Enhancing Technologies (PETs) that provide minimisation or 
security related to data and privacy
Concept: VulnerabilityDetection
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability detection
Concept: VulnerabilityPrevention
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability prevention
Concept: VulnerabilityMitigation
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability mitigation
Concept: VulnerabilityMonitoring
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability monitoring
Concept: VulnerabilityExploitationDetection
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability exploitation detection
Concept: VulnerabilityExploitationPrevention
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability exploitation prevention
Concept: VulnerabilityExploitationMitigation
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability exploitation mitigation
Concept: VulnerabilityExploitationMonitoring
     Parent: dpv-tech:SecurityTechnology
     Technology related to vulnerability exploitation monitoring
Concept: SecurityManagementTechnology
     Parent: dpv-tech:SecurityTechnology,dpv-tech:ManagementTechnology
     Technology related to management of security

#6 Provision of Technology

Here, provision refers to how that technology is utilised or provided in 
terms of a model of use. Things such as products, subscriptions, 
algorithms, etc. are modelled under this concept.

Concept: TechnologyProvisionMethod
     Parent: dpv:Concept
     Method associated with provision or use of technology
Concept: hasProvisionMethod
     Specifies the provision or usage method of technology
Concept: FixedUse
     Parent: dpv-tech:TechnologyProvisionMethod
     Technology that can be used a fixed numner of times
Concept: Subscription
     Parent: dpv-tech:TechnologyProvisionMethod
     Technology that is provided or used as a periodic subscription
Concept: Product
     Parent: dpv-tech:TechnologyProvisionMethod
     Technology that is provided as a product
Concept: Goods
     Parent: dpv-tech:TechnologyProvisionMethod
     Technology provided or used as goods
Concept: Services
     Parent: dpv-tech:TechnologyProvisionMethod
     Technology provided or used as services
Concept: Algorithmic
     Parent: dpv-tech:TechnologyProvisionMethod
     Technology provided as an algorithm or method
Concept: System
     Technology provided as a system
Concept: Component
     Technology provided as a component

#7 Actors

Actor is an Entity with a specific Role. In DPV, we use Entity since 
there can be multiple roles. However, in technology, the term Actor 
would be preferable since we utilise specific roles in context to the 
technology being modelled. If this is confusing or better to be 
consistent with DPV, we can change this back to Entity.

The Actors below represent different roles associated with how 
technology is developed and used. It reflects a simplification of the 
roles defined in the AI Act.

The concept "user" can have different connotations depending on how it 
is used. For example, a technology user could refer to someone who 
operates it. A "subject" would be someone who the technology is applied 
on. For example, on a immigration system at a border, the immigration 
officer would be user and the person entering/leaving would be the subject.

Concept: TechnologyActor
     Parent: dpv:Entity
     Actors and Entities involved in provision, use, and management of 
Concept: TechnologyProvider
     Parent: dpv-tech:TechnologyActor
     Actor that provides Technology
Concept: hasProvider
     Parent: dpv:hasEntity
     Indicates technology provider
Concept: TechnologyDeveloper
     Parent: dpv-tech:TechnologyActor
     Actor that develops Technology
Concept: hasDeveloper
     Parent: dpv:hasEntity
     Indicates technology developer
Concept: TechnologyUser
     Parent: dpv-tech:TechnologyActor
     Actor that uses Technologoy
Concept: hasUser
     Parent: dpv:hasEntity
     Indicates technology user
Concept: TechnologySubject
     Parent: dpv-tech:TechnologyActor
     Actor that is subject of use of Technology
Concept: hasSubject
     Parent: dpv:hasEntity
     Indicates technology subject

#8 Location

We already have `dpv:Location` as the concept which can be reused here. 
To provide more specific forms of locations, such as "on device" and "on 
a server", it would be better to provide them within main DPV as they 
also are useful for expressing locations of other concepts.

Some examples include: LocationFixture, FixedLocation, 
FixedSingularLocation, FixedMultipleLocations, VariableLocation, 
FederatedLocations, DecentralisedLocations, RandomLocation, 
LocationLocality, LocalLocation, RemoteLocation, WithinDevice, 
CloudLocation, ServerLocation, ServerlessLocation

If the location of technology is to be explicitly defined, then the 
concept would be modelled as follows:

Concept: TechnologyUsageLocation
     Parent: dpv:Location
     Location for where technology is provided or used
Concept: hasLocation
     Parent: dpv:hasLocation
     Indicates location of technology usage or provision

#9 Communications

Communication is important to express how technologies send and receive 
data. These are modelled as a separate concept from Technology.

Concept: CommunicationMechanism
     Parent: dpv:Concept
     Communication mechanism used or provided by Technologoy
Concept: hasCommunicationMechanism
     Indicates communication mechanisms used or provided by technology
Concept: Networking
     Parent: dpv-tech:CommunicationMechanism
     Technology utilising networking communication
Concept: LocalNetwork
     Parent: dpv-tech:Networking
     Technology utilising local networking communication
Concept: Internet
     Parent: dpv-tech:Networking
     Technology utilising internet communication
Concept: WiFi
     Parent: dpv-tech:Networking
     Technology utilising wifi wireless networking communication
Concept: Bluetooth
     Parent: dpv-tech:Networking
     Technology utilising bluetooth communication
Concept: CellularNetwork
     Parent: dpv-tech:Networking
     Technology utilising cellular networking communication
Concept: GPS
     Parent: dpv-tech:CommunicationMechanism
     Technology utilising GPS communication

#10 Maturity / Innovativeness

This concept relates to how proven a technology is, or whether it 
represents something that is untested or is innovative and new. These 
are relevant since they raise specific concerns regarding risks and 
impacts. Rather than defining new qualitative terms, we can reuse 
existing ones such as the TRL which indicates "maturity" of technology 
in terms of what stage of development and use it is. There is an ISO 
standard defining such levels.

Concept: TechnologyReadinessLevel
     Parent: dpv:Technology
     Indication of maturity of Technology (ISO 16290:2013)
Concept: hasTRL
     Indicates technology maturity level

#11 Discussed Concepts

The below are some concepts which we discussed in the previous meetings. 
These are provided here with their parent concept to see whether the 
structure makes sense and to identify limitations/lapses.

Concept: Database
     Parent: dpv-tech:DataStorageTechnology
     A database, database management system (DBMS), or application database
Concept: Cookie
     Parent: dpv-tech:LocalStorage
     A HTTP or web or internet cookie
Concept: FileSystem
     Parent: dpv-tech:DataStorageTechnology
     A data storage and retrieval interface provided by an operating system
Concept: LocalStorage
     Parent: dpv-tech:DataStorageTechnology
     Data stored 'locally' within a context
Concept: DeviceStorage
     Parent: dpv-tech:LocalStorage
     Data stored 'on device' as in in the device's storage
Concept: ApplicationStorage
     Parent: dpv-tech:LocalStorage
     Data stored 'in app' as in within the application's storage
Concept: RemoteStorage
     Parent: dpv-tech:DataStorageTechnology
     Data stored 'remotely' i.e. not locally within a context
Concept: CloudStorage
     Parent: dpv-tech:RemoteStorage
     Data stored 'on cloud' i.e. internet-based access to data
Concept: ServerStorage
     Parent: dpv-tech:CloudStorage
     Data stored on a server i.e. a remote cloud-based storage mechanism

Concept: SmartphoneApplication
     Parent: dpv-tech:Application
     A computing or digital program on a smartphone device
Concept: DigitalService
     Parent: dpv-tech:Service
     A service that is provided digitally
Concept: OnlineService
     Parent: dpv-tech:Service
     A service that is provided through or based on internet i.e. online 
Concept: TrackingCookie
     Parent: dpv-tech:SurveillanceTechnology,dpv-tech:Cookie
     Cookies used for tracking
Concept: TrackingPixel
     Parent: dpv-tech:SurveillanceTechnology
     Pixels or web beacons or similar techniques used for tracking
Concept: PIMS
     Parent: dpv-tech:DataManagementTechnology
     system that helps to give individuals more control over their 
personal data by managing their personal data in secure, on-premises or 
online storage systems and sharing it when and with whomever they choose
Concept: PersonalDataStore
     (Q: service OR data manegement system) that lets an individual 
store, manage and deploy their personal data
Concept: IdentityManagementTechnology
     Parent: dpv-tech:IDTechnology,dpv-tech:ManagementTechnology
     Technologies providing identity provision, verification, 
management, and governance
Concept: IdentityWallet
     product and service that allows the user to store identity data, 
credentials and attributes linked to her/his identity, to provide them 
to relying parties on request and to use them for authentication, online 
and offline, and to create qualified electronic signatures and seals

Concept: OvertSurveillanceTechnology
     Parent: dpv-tech:SurveillanceTechnology
     Surveillance that is overt i.e. visible or apparent or explicit
Concept: CovertSurveillanceTechnology
     Parent: dpv-tech:SurveillanceTechnology
     Surveillance that is covert i.e. invisible or non-apparent or implicit


Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin

Received on Saturday, 28 May 2022 11:57:26 UTC