● “Datascores” generated by NumDiag will take into account a range of criteria, such as data transmission methods, server locations, information on users, accountability for the design of devices and the level of information provided to users.
● A software prototype for NumDiag will be available by the end of 2024, and pilot testing will begin in 2025. Scores generated by the new tool will initially be based on first-party declarations but may later be audited with the possible collaboration of the French data watchdog CNIL. An interview with IT researcher Anne Laurent.
What motivated you to develop a digital trust rating system?
Gwenaëlle Donadieu and I initially worked together on the HUman at home projecT (HUT), in which we investigated the impact of living in a home equipped with a wide range of sensors on privacy and how it could be protected. We realised that when you move into an apartment, it has an energy performance certificate to tell you about its power use, but you are not given an easy-to-understand indicator that tells you whether your personal data will be at risk there or not. And this is true of all kinds of environments: tramways, apartment buildings, cities and so on. For an indicator of this kind, computing and technological considerations need to play a role, but it should also take into account how connected environments are organized with regard to their users: the information they have been given and whether their consent has been obtained for the use of technological devices. So that was our starting point: to create an appropriate indicator with a human dimension that combines information provided to users with legal and technical considerations. And that is how NumDiag and Datascore came about.
The idea is to follow the data all the way from the user’s local environment to the service provider
Your system sounds a lot like a digital Nutri-Score. What criteria are you planning to take into account?
Just looking at individual IoT devices does not tell us all that we need to know, and their assessment criteria will be different depending on where they are located: for example, a camera installed in a French university will not have the same rating as one installed in a Chinese university, even if it is exactly the same device. In practice, we need answers to many questions: what about methods of data transmission, for example between cameras and servers? Where are the servers located? In a sovereign cloud or in third countries? Are users who pass under cameras informed of their presence? Will servers be destroyed when cameras are taken down? Can we be certain that hard drives will be destroyed with a drill? Have the systems in question been responsibly designed?
You are aiming to establish a score that takes into account complex heterogeneous criteria but is still easy to understand…
That’s right. The idea is to follow the data all the way from the user’s local environment to the service provider. And the challenge is to find the right method to combine all the elements that are measured into a single readable score, while bearing in mind that some of these will need to be weighted differently. For example, we cannot afford to give too high a score if any aspect of data protection has been neglected.
When will this solution be made available?
We are in the process of finalising the evaluation criteria and weightings with a view to a releasing a prototype application by the end of 2024, which will begin pilot deployment in 2025. Our aim is to raise public awareness of Datascore — even though that may not be the final name — to encourage its adoption by service providers. We are also hoping that some companies will be eager to make use of it to draw attention to their own data protection initiatives, or simply as an objective framework for the improvement of their existing safeguards.
Will Datascores be audited?
Initially, Datascores will simply be based on service provider declarations, so they will not be certifying. However, we are planning a framework in which audits will be carried out by officially approved auditors, who will pay to make use of our software. We have also been talking to the CNIL [editor’s note: the French National Commission on Informatics and Liberty], who could put pressure on organisations to take up the challenge and also play a role in the auditing process. Our discussions with the CNIL have been very positive: they appreciate the human dimension of Datascore and are willing to help with the project.
