In recent years, Personal Data Stores and dataspaces have emerged with the aim to provide data control and data sovereignty for their users. A method often adopted is to allow users to declare their own access control policies, containing rules for controlling who can perform which action upon what resource. Unfortunately, this does not take into account the full usage of the data, i.e. what happens after given action is performed. Another method, adopted by few, is to allow users to declare usage control policies (UCPs) which, when enforced correctly, allow to govern the full usage lifecycle of data. However, solutions supporting UCPs lack formalisation, thus reliance on specific implementations is required. We aim to provide said formalism to an interoperable usage control policy standard through a practical implementation of the UCP evaluator. Furthermore, we aim to integrate this evaluator into a usage control framework with the objective of working with any kind of resource server. Ultimately, the hope is that this research provides a foundation for future research on UCP enforcement alignment with legislation and improving user understanding of UCP implications.
In the mid-2000s, Web 2.0 emerged, which shifted the focus of the Web to centralized platforms [1]. Compared to the original World Wide Web, which was more consumer-oriented due to the technical expertise required and inherently decentralized by design, it then became easier for general end-users to write on the Web. The centralized model came at the cost of delegating the responsibility of storing, sharing and governance of this data to these new platforms. This shift necessitated users placing trust in upholding these responsibilities by these platforms. However, recent years have shown that this trust was misplaced as there have been multiple cases of data breaches and data misuse in centralized platforms [2,3]. To combat challenges created by centralization, federated and decentralized systems have emerged that empower data sovereignty and control over data [4,5,6]. The latter entails that the producer of data has control over how the data is used and who has access while adhering to the law 1 . In the decentralized spectrum, a plethora of Personal Data Store (PDS) technologies have been created such that end-users achieve control over their data [7]. On the federated side, the idea of dataspaces as a solution that aims to gain data sovereignty.
The common ground of these initiatives allows us to extract several requirements that are important to reach the aim of data control and sovereignty. (i) First, there is a need for enforcing mechanisms pertaining to the use of the data, rather than the access [8,9]. With existing systems users can give access to a certain resource, but they should be able to say that is only for the purpose of verification, only possible for one week and that the data should be removed from their local machine after one week. (ii) A language is required to capture all those constraints in one policy. However, since it is under the control of the user, it means that they must be able to express it. It cannot be expected that everybody is technically gifted, so there is a need for inclusive mechanisms to express usage control policies [10]. (iii) To achieve full data sovereignty, it is not enough that end-users govern the usage of data. They might declare policies that are actually illegal. There is thus a need to verify that the expressed policies conform to the laws of the country [11,12]. (iv) Finally, we are designing this to be used in a decentralized or federated environment. As a result, every node in the environment must be able to interpret and enforce policies the same. Achieving this requires formalism and interoperability regarding both the policy language and the evaluation of the policy in monitoring scenarios and during access requests [13,14]. (v) While all the previously mentioned arguments show the necessity to fundamentally achieve full control over data and data sovereignty, they lack expressing the scalability of such an ideal system. It does not allow to answer questions about how fast should a revocation of consent be handled. In other words how long can end-users be sure that they are still conforming to the policies?
These requirements, correspondingly summarized as usage control over access control enforcement, understandable policies, legal alignment, formalisation and interoperability, and scalability, are the necessary (but not automatically sufficient) conditions identified through the research on data sovereignty and control in decentralized and federated systems. In Section 2, this research on the state-of-the-art is further elaborated. In my Ph.D. I will focus on tackling challenges (i), (iv), and (v) and follow up on the developments of (ii) and (iii) so that they can be integrated with my work. To further narrow down what I will contribute to these challenges, I have formulated two research questions in Section 3. The practical execution plan to provide answers is detailed in Sections 4 and 5. My progress and insights thus far are summarized in Section 6. Finally, I conclude by giving an overview and future prospects regarding data sovereignty and control through decentralized or federated usage control.
Achieving data sovereignty and data control requires usage control, which extends traditional access control by incorporating deontic concepts [8]. Next to permissions and prohibitions, deontic concepts include obligations, a party must do something before or after a certain event, and dispensations, a party is excluded from an obligation. As a consequence, it is not only important to verify compliance at an access request, but also during the whole lifecycle of data use. Indicating the need for mechanisms to facilitate the continuous monitoring and auditing of data use [9]. In their survey on usage control, Akaichi and Kirrane [15] concluded the importance of semantic technologies for encoding usage control policies regarding interoperability. Furthermore, they highlight the need for research on verification and testing tools and the importance of benchmarks with regard to usage control solutions. There exist multiple semantic usage control languages, though, to the best of my knowledge, there is only one which is also a W3C Recommendation, more specifically the Open Digital Rights Language (ODRL) [16]. In an ODRL policy, permission, prohibitions and obligations can be defined as rules. In each rule, the involved parties, possible actions and target resources can be encoded. Constraints facilitate further refinements such as intended purpose, cardinality and temporal limitations. A point of critique stated by multiple researchers is the lack of formalism to this date [13,14,15,17,18,19,20]. However, a W3C Community Group (CG) is formed to create formal semantics for ODRL and create an ODRL evaluator for an access control and policy monitoring scenario2 .
Personal Data Stores (PDSs), a decentralized solution, allow users to store, manage and control their data [7,21]. In the Semantic Web, the most widely adopted technology is the Solid Protocol3 [22]. Solid is built on existing W3C Recommendations and has as its goal, next to control over data, to promote data reuse which is achieved through the decoupling of data and applications. Data is stored in resources on a pod. On this level of granularity, access control rules can be configured using either the Web Access Control (WAC) or the Access Control Protocol (ACP). These specifications only allow to specify access control and not usage control. Thus there is a need in Solid to define proper usage control policies such that the data sovereignty goal can be achieved. Different papers expressed this need, though to this day, no consensus in the Solid CG has been reached on how to fulfill this need [19,23,24,25,26].
In recent years, dataspace initiatives have gained significant attention. One of the core principles of these federated systems is data sovereignty [4]. The International Data Space Association (IDSA) and Gaia-X are the two leading initiatives which have been proposing architectural solutions to standardize and build dataspaces. A recurring concept is the dataspaces connector as an entry point within dataspaces. They facilitate data exchange which is safeguarded by data usage contracts, ensuring data sovereignty. This agreement defines the usage of the data and is the result of negotiation between data consumers and providers prior to the exchange. To the best of our knowledge, they are either expressed or have been heavily influenced by ODRL policies 456 [27,28,29]. Current dataspace connectors have been implementing their interpretation of ODRL 78 due to the lack of formalisation of how to evaluate ODRL.
Recently, technical attempts were undertaken to combine both PDS and dataspace technologies [30,31].
Achieving data sovereignty and control includes the enforcement of the use of the data and the necessity of decentralized or federated systems that can interoperate as one network. As such, the objective of my research is centred around enforceable and interoperable usage control systems. The following research questions aim to contribute to the usage control domain for decentralized and federated systems.
This entails transparency by proving that the data use was correct, is currently correct and will be correct in the future. The first aspect of correctness is the fact that the usage of data can be expressed as a policy in a formal and interoperable language. Interoperability in the sense that every actor within a network must interpret the policies in the same manner and formality in the sense that the rules and constraints of those policies prove that certain action was allowed at a given time. Furthermore, tracking data usage over time allows for the verification and auditing of past actions, and the dynamicity of future actions can be reasoned upon. How would such a proof look like? What are the necessary and sufficient conditions for conformance to a policy which entails both the request, the policy itself but also the state of the world? RQ-II Scalability Optimisation of the theoretical foundation that allows estimating the needs on computation and storage, and the limits of how long policies can be trusted. To the best of my knowledge, there are no benchmarks on usage control policy evaluations. Therefore it is hard to estimate what the requirements and behaviour are for usage control enforcement systems. Performance metrics for usage control systems are vital for ensuring real-time data usage guarantees. This would allow us to determine bounds for the duration of a policy revocation or confirmation, which in turn ensures that every actor uses data under the constraints of the policies at any given time based on their available knowledge. What are the key performance metrics for a benchmark that evaluates a real-time usage control policy enforcement system?
How can we devise scalable simulations for usage control enforcement scenarios that accurately reflect real-world scenarios? How do these simulations compare with usage control on the Web itself, that is do the results reliably translate to Web-scale environments?
The starting point for describing my methodology depends on revisiting the state-of-the-art as they both research questions rely on an interoperable usage control policy model. To this end, a decision has been made to continue with ODRL as a policy model. Answering RQ-I partially aligns with the work completed over the years by the ODRL Formal Semantics CG: the initiative of building an ODRL Evaluator. The idea is that based on a set of policies, performed and requested actions it provides proofs regarding whether usage of data was and is permitted and whether all obligations have been met. My approach to contribute consists of the creation of a test suite for validating the correctness of an ODRL Evaluator. Each test case is a tuple consisting of the input and the expected output of such evaluator. To this day, there exists no formal representation for certain input elements and the output. This indicates that the first task for creating a test suite is to establish models for the performed and requested actions, core attributes relating to constraints such as cardinality, and the conformance report.
To tackle the benchmark aspect for RQ-II, further analysis of usage control systems in the decentralized and federated systems is required. The evaluator could then either be included in an existing modular continuous usage control enforcement system or, based on the knowledge gained, such a system must be designed and created to integrate the evaluator. Finally, a multitude of use cases where usage control enforcement is required such that the system as a whole can be tested.
In the previous section, the method for answering RQ-I consists of creating multiple test cases with as output a conformance report. As ODRL contains three classes for rules representing the deontic concepts of permission, prohibition and obligation, a sub-task is to make a bottom-up test-suite for an ODRL permission evaluation. It allows us to define the necessary and sufficient conditions for this single deontic concept. Using this knowledge, a revision of the ODRL Evaluator can be created to support prohibitions. Any limitations to the conformance report can be picked up to adapt the model. Finally, a last iteration will be executed for obligations. This iterative approach, where the intermediate version of the conformance report is continuously refined, ensures that all aspects of the proof are included. This allows us to provide an answer to RQ-I and additionally results in an implementation for an ODRL Evaluator and accompanying a reference test suite that can be reused for the implementation of other evaluators.
To evaluate a usage control system in a network, it must not only be possible to measure all the different components in that system, but the communication must also be evaluated. For this, the plan is to have different scenarios. First, a baseline must be created against which each other different scenario will be evaluated. Then for each next scenario, variety will be introduced in one domain. At this time, the following scenarios are envisioned where a range is introduced to vary the number of nodes in the network, the number of constraints per policy, the number of policies per node, and the number of revocations. After measuring everything, it should be possible to answer which of those metrics are important and thus be able to answer RQ-II. However, if the data is not conclusive, new scenarios need to be investigated.
The results of my current research span both decentralized and federated systems. Initially, my focus was on Solid and its interoperability. It began with research on usage control agnostic approaches for storing real-time data over Solid pods [32]. This was under the assumption that services could inherently have the appropriate access rights, recognize that they possess these rights, and encode the purpose of data use. The next phase evolved creating an ecosystem over these pods using Web agents [33], operating under the same assumptions regarding access rights and data use. However, this assumption proved incorrect, revealing amongst others the limitations of Solid current access control protocols and the tight coupling to its interface [34].
To introduce usage control enforcement in Solid, I initially attempted to do so externally using personal agents [25]. However, I discovered that not all types of usage control policies, such as the purpose of data use, can be enforced as a service over the Solid protocol. Given that full usage control via external services is unfeasible, I have shifted my focus to exploring its feasibility within a Solid server while still adhering to the Solid specification. By implementing the Request Flow from the Solid Open ID Connect primer 9 , we can separate a Solid server into an Authorization Server 10 following the User-Managed Access (UMA) specification 11 and a Resource server [35]. This approach seems promising but requires more research.
My research on usage control for federated systems began with a project centered around sharing sensitive data among multiple actors within a dataspace. This led to the design of a Usage Control Framework [20], which each actor can incorporate to continuously enforce usage control policies. While this approach envisions continuous enforcement, it currently lacks implementation, preventing evaluation of performance and scalability.
Continuation of these research efforts relies on the proof of data use at any point in time, emphasizing the necessity for an ODRL Evaluator and addressing RQ-I. Since the Usage Control Framework provides a blueprint for the creation of a system that can be benchmarked it might provide answers for RQ-II. Once the framework is in place, I plan to integrate it into the UMA server. Since the UMA specification is agnostic of the Resource Server it integrates with, this should enable continuous usage control enforcement for both Solid (through integration with the Community Solid Server [36]) and dataspaces (by integration into an IDS connector).
I have elaborated the research plan for my Ph.D. where I aim to contribute to the formalisation of ODRL evaluations and building the modular continuous usage control enforcement system.
Future work entails legal and usability to be combined with the UMA server making it possible to manage policies, and change policies that are compliant to the legislation of the country. This will make it possible to have true data sovereignty and control facilitated in both decentralized and federated systems.
Supported by SolidLab Vlaanderen (Flemish Government, EWI and RRF project VV023/10). I thank my supervisers Pieter Colpaert and Ruben Verborgh. Furthermore, I thank Beatriz Estevez, Julian Rojas, Ruben Dedecker and Jos De Roo for the discussions.