Response to Request for Comment on Data To Go: An FTC Workshop on Data Portability August 21, 2020

Introduction

Thank you for the opportunity to provide comments as part of the Federal Trade Commission’s Workshop on Data Portability, to take place on September 22, 2020. Apple, Facebook, Google, Microsoft, and Twitter collaborate to support the Data Transfer Project (DTP) (datatransferproject.dev), which supports direct, service-to-service portability. We appreciate the opportunity to share our work on this Project, including the principles and practical considerations that guide it, in response to your questions.

Direct portability enables individuals (“users”) to copy data between two authenticated accounts directly, without having to download the data and re-upload it to a new service. DTP is an open-source project that will make it easier for people to switch services, or try new and innovative products, by improving the ease and speed of data portability.

In this comment, we briefly summarize the technical foundations of DTP and explain how our principles guided us toward this approach. More information on these topics, and others, can be found in the DTP White Paper.1 However, this comment primarily provides an update on participation and governance of the Project in response to your questions about how companies are currently implementing data portability; the benefits and costs of data portability; and the security of data in transit between businesses.

1 Data Transfer Project Overview and Fundamentals (July 20, 2018), https://datatransferproject.dev/dtp-overview.pdf.


What is the Data Transfer Project

History of the Project

DTP was launched in 2018 to create an open-source, service-to-service data portability platform so that all individuals across the web could easily move their data between online service providers whenever they want. The current partners2 are Google, Microsoft, Twitter, Facebook, and Apple.

The partners believe portability can support innovation and enable users to easily take advantage of the offerings that best suit their needs. For example, DTP provides practical tools that let users backup or archive important information, organize information within multiple accounts, recover from account hijacking, and retrieve data from deprecated services. It is designed to support individual users, as opposed to commercial customers of a provider.

Data portability can also present challenges for data security and privacy, but DTP partners have agreed to support and follow a set of principles to mitigate these concerns. Implementing measures such as encryption in transit guards against unauthorized access, diversion of data, and other types of fraud. Applying privacy principles, such as data minimization and transparency when transferring data between providers, also provides important privacy and security benefits for users.

How Does DTP Work

DTP is a collaboration of organizations committed to building a common framework with open-source code that can connect any two online service providers, enabling seamless, direct, user-initiated portability of data between the two providers.

DTP is powered by an ecosystem of adapters that convert a range of proprietary formats into a small number of canonical formats useful for transferring data. This allows data transfer between any two service providers using the provider’s existing authorization mechanism, and allows each provider to maintain control over the security of their service. A service provider only has to write one adapter for a data type, which will then work with all other service providers that have built adapters for that data type. This also adds to the sustainability of the ecosystem, since companies can attract new customers, or build a user base for new products, by supporting and maintaining the ability to easily import and export a user’s data.

2 To become a partner in the Data Transfer Project, an organization must agree to follow the principles and best practices described in the DTP White Paper, contribute to DTP efforts, and participate in DTP by committing to add and maintain adapters. These organizations have their logos on the DTP website and represent the Project in public conversations.


When a user initiates a data transfer, their encrypted information flows from one provider directly to another that is chosen by the user. Only the source service and the destination service (and hosting entity, if it is not the source or destination service) have access to the data. No other DTP partners or third parties have access to a copy of the data as part of the transfer.

It is worth noting that DTP doesn’t include any automated deletion architecture. Once an account holder has verified that the desired data is migrated, they would have to delete their data from their original service using that service’s deletion tool if they wanted the data deleted. The DTP partners each offer deletion tools for their users, and encourage all providers to do the same.

Importing and exporting data directly can benefit users and the broader ecosystem of service providers in a variety of industries. Direct transfer is more practical and efficient for users by shifting the burden of transferring or copying data from their hardware to the service provider’s infrastructure. This is especially important for users in emerging markets, or on slow or metered connections, as our project does not require a user to download and upload the data over what may be low bandwidth connections and at potentially significant personal expense.

Our Principles

Partners in DTP agree to support and promote the following principles, which are described in the White Paper3 and are listed on our website.4

● Build for users: Data portability tools should be easy to find, intuitive to use, and readily available for users. They should also be open and interoperable with standard industry formats, where applicable, so that users can easily transfer data between services or download it for their own purposes.

● Privacy and security: Service providers on each side of the portability transaction should have strong privacy and security measures—such as encryption in transit—to guard against unauthorized access, diversion of data, or other types of fraud. It is important to apply privacy principles such as data minimization and transparency when transferring data between providers. When users initiate a transfer they should be told in a clear and concise manner about the types and scope of data being transferred as well as how the data will be used at the destination service. Users should also be advised about the privacy and security practices of the destination service. These measures will help to educate users about the data being transferred and how the data will be used at the destination service. More details are in the Privacy and Security section below.

3 Data Transfer Project Overview and Fundamentals (July 20, 2018), https://datatransferproject.dev/dtp-overview.pdf.
4 Data Transfer Project FAQ, https://datatransferproject.dev/faq.

● Reciprocity: While portability offers more choice and flexibility for users, it will be important to ensure that flexibility is consistent across the ecosystem. A user’s decision to move data to another service provider should not result in any loss of transparency or control over that data. Specifically, individuals should have assurance that data imported to a provider can likewise be exported again, if they so choose. There should not be a dead-end for users in transferring their data, and any service provider that only offers import should be transparent and upfront about this.

● Focus on user’s data: Portability efforts should emphasize data and use cases that support the individual user. Focusing on content a user creates, imports, approves for collection, or has control over, reduces the friction for users who want to switch among products or services or use their data in novel ways, because the data they export is meaningful to them. Portability should not extend to data that may negatively impact the privacy of other users, or data collected to improve a service, including data generated to improve system performance or train models that may be commercially sensitive or proprietary. This approach encourages companies to continue to support data portability, knowing that their proprietary technologies are not threatened by data portability requirements. For a detailed taxonomy of such data, see ISO/IEC 19944:2017.

● Respect Everyone: We live in a collaborative world: people connect and share on social media, they edit docs together, and they comment on videos, pictures, and more. Data portability tools should focus only on providing data that is directly tied to the person requesting the transfer. We think this strikes the right balance between portability, privacy, and benefits of trying a new service.

We believe these principles promote user choice and encourage responsible product development, maximizing the benefits to users and mitigating the potential drawbacks.

Privacy and Security

One of the questions posed in the request for comment is “who should be responsible for the security of personal data in transit between businesses?” This is a question that DTP necessarily confronted while developing our protocols.

The security and privacy of user data is a foundational principle of DTP. Because there are multiple parties involved in the data transfer (the user, Hosting Entity,5 Providers,6 and partners), no one person or entity can fully ensure the security and privacy of the entire system. Instead, responsibility is shared among all the participants. Here are some of the responsibilities and leading practices that contribute to the security and privacy of DTP.

5 A Hosting Entity is the entity that runs a Host Platform of DTP. In most cases it will be the provider sending or receiving the data, but could be a trusted third party that wants to enable data transfer among a specific group of organizations.
6 Providers are any company or entity that holds user data. Providers may or may not be partners. Provider is similar to Cloud Service Provider as defined in ISO/IEC 17788:2014 section 3.2.15.

Data Minimization

When transferring data between Providers, data minimization should be practiced. Practically, this means that the receiving Provider should only process and retain the minimum data that is needed to provide their service and that the individual requested to be transferred. The sending Provider should provide all needed information, but no more.7

User Notification

The Hosting Entity should configure their Host Platform8 to notify the user that a data transfer has been initiated by the user. Ideally, the users of the source and destination accounts are the same. However, user notification is designed to help protect against situations where that is not the case, so notifications alerting the user of the transfer request should be sent to both the source account and the destination account. Depending on the sensitivity of the data being transferred, the Hosting Entity should consider delaying the start of the transfer so that the user has the opportunity to cancel the transfer after receiving the notification.
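The following is an added illustration of the notification practice described above; it is not code from the DTP project. It assumes a Host Platform that records a pending transfer, notifies both the source and the destination account, and withholds the start until a data-type-dependent grace period has elapsed, during which either account holder can cancel. The account identifiers, grace periods and notification text are constructed for the example.

```python
"""Dual-account notification with a cancellation window before a transfer starts.

Added example (not DTP project code). It assumes the Host Platform records a
pending transfer, notifies both the source and destination accounts, and delays
the start by a data-type-dependent grace period during which either account
holder can cancel. Account identifiers and delays are constructed.
"""
from dataclasses import dataclass, field

# Constructed grace periods in seconds: more sensitive data waits longer,
# giving the legitimate owner time to react to the notification.
GRACE_PERIOD = {"photos": 0, "contacts": 3600, "messages": 86400}
DEFAULT_GRACE = 3600


@dataclass
class PendingTransfer:
    source_account: str
    destination_account: str
    data_type: str
    requested_at: int                 # seconds since epoch (constructed clock)
    cancelled: bool = False
    started: bool = False
    notifications: list = field(default_factory=list)

    @property
    def start_not_before(self):
        """Earliest time the transfer may begin."""
        return self.requested_at + GRACE_PERIOD.get(self.data_type, DEFAULT_GRACE)

    def notify_both(self):
        """Notify source and destination: the requester may not own both accounts."""
        for acct in (self.source_account, self.destination_account):
            self.notifications.append((
                acct,
                f"Transfer of {self.data_type} from {self.source_account} to "
                f"{self.destination_account} was requested; it starts after "
                f"t={self.start_not_before}. Cancel before then to stop it."))
        return list(self.notifications)

    def cancel(self, by_account):
        """Either account holder may cancel until the transfer has started."""
        if by_account not in (self.source_account, self.destination_account):
            return False
        if self.started:
            return False
        self.cancelled = True
        return True

    def try_start(self, now):
        """Start only if not cancelled and the grace period has elapsed."""
        if self.cancelled or now < self.start_not_before:
            return False
        self.started = True
        return True


if __name__ == "__main__":
    # Constructed scenario: the destination-account holder cancels a contacts transfer.
    p = PendingTransfer("alice@src.example", "alice@dst.example", "contacts", requested_at=0)
    for acct, msg in p.notify_both():
        print(f"notify {acct}: {msg}")
    print("start at t=10:", p.try_start(10))          # False, inside grace period
    print("cancel by dst:", p.cancel("alice@dst.example"))
    print("start at t=3700:", p.try_start(3700))      # False, cancelled
```

Photos carry a zero grace period in the constructed policy, so a photo transfer can start immediately, while a contacts transfer cannot begin for an hour after both notifications go out.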

Rate Limiting

Hosting Entities, as well as Providers, should consider rate limiting the number and frequency of transfers for a given user. This approach can help limit the impact of an account compromise. The tradeoff between ease of use and security means there is no one-size-fits-all answer as to what rate limit should be set. Instead, Providers and Hosting Entities should evaluate the sensitivity of the data, as well as known and possible attacks, when determining the appropriate rate limiting.
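As an added example of the rate-limiting practice above (not code from the DTP project), the limiter below keeps a sliding window of transfer start times per user and data type and applies a tighter quota and minimum spacing to more sensitive data types. The policy table, user names and request timeline are constructed for illustration.

```python
"""Per-user transfer rate limiting, keyed on data sensitivity.

Added example (not DTP project code). A Hosting Entity or Provider keeps a
sliding window of transfer start times per (user, data type) and applies a
stricter limit to more sensitive data. Policy values and events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimit:
    max_transfers: int      # transfers allowed within the window
    window_seconds: int     # length of the sliding window
    min_gap_seconds: int    # minimum spacing between consecutive transfers


# Constructed policy: contacts are treated as more sensitive than photos.
POLICY = {
    "photos":   RateLimit(max_transfers=5, window_seconds=86400, min_gap_seconds=60),
    "contacts": RateLimit(max_transfers=1, window_seconds=86400, min_gap_seconds=3600),
}
DEFAULT_LIMIT = RateLimit(max_transfers=2, window_seconds=86400, min_gap_seconds=600)


class TransferRateLimiter:
    """Sliding-window limiter with one window per (user, data_type)."""

    def __init__(self, policy=POLICY, default=DEFAULT_LIMIT):
        self.policy = policy
        self.default = default
        self._history = defaultdict(deque)   # (user, data_type) -> start times

    def _prune(self, key, now, window):
        hist = self._history[key]
        while hist and now - hist[0] >= window:
            hist.popleft()                   # drop entries outside the window
        return hist

    def check(self, user_id, data_type, now):
        """Return (allowed, reason); records the transfer when allowed."""
        limit = self.policy.get(data_type, self.default)
        hist = self._prune((user_id, data_type), now, limit.window_seconds)
        if hist and now - hist[-1] < limit.min_gap_seconds:
            return False, "too soon after previous transfer"
        if len(hist) >= limit.max_transfers:
            return False, "window quota exhausted"
        hist.append(now)
        return True, "ok"


def simulate(events, limiter=None):
    """Run (time, user, data_type) requests through a limiter; return decisions."""
    limiter = limiter or TransferRateLimiter()
    return [limiter.check(user, dtype, t) for (t, user, dtype) in events]


# Constructed sample: one account repeatedly exporting contacts, one moving photos.
SAMPLE_EVENTS = [
    (0,    "alice", "contacts"),   # allowed
    (120,  "alice", "contacts"),   # denied: within min gap of 3600 s
    (4000, "alice", "contacts"),   # denied: quota of 1 per day exhausted
    (0,    "bob",   "photos"),     # allowed
    (30,   "bob",   "photos"),     # denied: within min gap of 60 s
    (100,  "bob",   "photos"),     # allowed
]

if __name__ == "__main__":
    for (t, user, dtype), (ok, why) in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:>5} {user:<6} {dtype:<9} {'ALLOW' if ok else 'DENY':<5} {why}")
```

The two checks are deliberately separate: the minimum gap blunts a burst from a freshly compromised account, while the window quota caps how much can be moved in a day even if each request is spaced out.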

Token Revocation

When a transfer is completed, DTP will attempt to revoke the authorization tokens used for the transfer. Providers should ensure their API supports token revocation. This provides defense in depth: if another security mechanism is compromised and a token is leaked, its usefulness is limited to the duration of the transfer.

7 DTP won’t delete data from the sending Provider as part of the transfer. However, participating Providers should allow users to delete their data after a successful transfer has been verified, using their normal process for deleting account data.
8 A Host Platform is the technical environment where a DTP instance can be hosted. This can be a cloud environment, enterprise infrastructure, or local. As of August 2020, the supported cloud host platforms include and .


Minimal Scopes for Authentication Tokens

Providers should offer granular scopes for their authentication tokens. This provides two benefits: first, transparency into exactly what data will be moved; second, defense in depth, so that if tokens are somehow leaked they carry the minimal possible privilege. At a minimum there should be read-only versions of all the scopes so no write/modify/delete access is granted on the sending Provider.

Data Retention

The DTP system stores data only for the duration of the transfer job. Also, all data handled within the system is encrypted both at rest and in transit. Specifically, all data stored at rest as part of the transfer process within the DTP system is encrypted with a per-user session key, and the key is valid only for the duration of that user’s specific transfer job. The Hosting Entity and Provider are responsible for ensuring that any stored aggregated statistics maintain user privacy.
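The following added example (not DTP project code) ties together the Token Revocation, Minimal Scopes for Authentication Tokens and Data Retention practices above. It models a Provider that issues scoped tokens and supports revocation, and a transfer job that refuses an export token carrying write scopes, encrypts staged data with a key that exists only for that job, and revokes both tokens and discards the key when the job completes. Provider names, scope strings and staged items are constructed; the HMAC-based stream cipher is a stand-in for an authenticated cipher such as AES-GCM and is not intended for production use.

```python
"""Transfer job lifecycle: read-only scopes, per-job key, token revocation.

Added example (not DTP project code). Provider names, scope strings and staged
items are constructed. keystream_xor is a toy cipher standing in for an AEAD.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    value: str
    scopes: frozenset
    revoked: bool = False


class Provider:
    """Constructed Provider with granular scopes and a revocation endpoint."""

    def __init__(self, name):
        self.name = name
        self._tokens = {}

    def issue(self, scopes):
        tok = Token(secrets.token_hex(16), frozenset(scopes))
        self._tokens[tok.value] = tok
        return tok

    def revoke(self, value):
        self._tokens[value].revoked = True

    def is_valid(self, value):
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked


def keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode as a toy stream cipher (XOR twice to decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


WRITE_VERBS = ("write", "modify", "delete")


def check_read_only(scopes):
    """Reject any scope granting write/modify/delete on the sending side."""
    bad = [s for s in scopes if any(v in s.lower() for v in WRITE_VERBS)]
    return (len(bad) == 0, bad)


@dataclass
class TransferJob:
    exporter: Provider
    importer: Provider
    export_token: Token
    import_token: Token
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # per-job key
    _staged: list = field(default_factory=list)   # (nonce, ciphertext) pairs
    finished: bool = False

    def stage(self, item):
        """Encrypt an exported item at rest; fails on over-scoped or revoked tokens."""
        ok, bad = check_read_only(self.export_token.scopes)
        if not ok:
            raise PermissionError(f"export token carries write scopes: {bad}")
        if not self.exporter.is_valid(self.export_token.value):
            raise PermissionError("export token invalid or revoked")
        nonce = secrets.token_bytes(16)        # fresh nonce per item: no keystream reuse
        self._staged.append((nonce, keystream_xor(self._key, nonce, item)))

    def deliver(self):
        """Decrypt for the importer, then revoke both tokens and drop the key."""
        items = [keystream_xor(self._key, n, c) for n, c in self._staged]
        self.exporter.revoke(self.export_token.value)
        self.importer.revoke(self.import_token.value)
        self._key = None           # key lives only as long as the job
        self._staged.clear()       # nothing is retained after the transfer
        self.finished = True
        return items


def run_demo():
    """Constructed end-to-end run; returns what a test can check."""
    exporter, importer = Provider("PhotoHost-A"), Provider("PhotoHost-B")
    exp_tok = exporter.issue({"photos.readonly"})
    imp_tok = importer.issue({"photos.write"})   # importer needs write; exporter must not
    job = TransferJob(exporter, importer, exp_tok, imp_tok)
    job.stage(b"IMG_0001.jpg bytes (constructed)")
    job.stage(b"IMG_0002.jpg bytes (constructed)")
    delivered = job.deliver()
    return {
        "delivered": delivered,
        "export_token_valid_after": exporter.is_valid(exp_tok.value),
        "import_token_valid_after": importer.is_valid(imp_tok.value),
    }


if __name__ == "__main__":
    print(run_demo())
```

The scope check runs on every staging call rather than once at job creation, so a token whose scopes were widened mid-job is caught, and a job whose export token was revoked by the user partway through stops staging further items.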

Abuse

Providers and the Hosting Entity (if separate from the Provider) should have strong abuse protections built into their . Because DTP retains no user data beyond the life of a single transfer, and because multiple Hosting Entities might be utilized in an attack, the Providers have the best tools to detect and respond to abusive behavior. Providers should carefully control which Hosting Entities are able to obtain API keys. Providers are also encouraged to have strong security around granting authentication tokens. Examples of this include requiring reauthentication or asking security challenge questions before granting access.

Shared Responsibilities Table: Security and Privacy

Columns: Task; User; Provider-exporter; Provider-importer; Hosting Entity; DTP System.

Data Minimization
  User: Selects data to transfer
  Provider-exporter: Provides granular controls of what data to export
  Provider-importer: Discards any data not needed for their service
  Hosting Entity: Configure only appropriate transfer Providers
  DTP System: N/A

Rate Limiting
  User: N/A
  Provider-exporter: Implements rate limiting
  Provider-importer: N/A
  Hosting Entity: Sets reasonable limits to prevent abuse
  DTP System: Supports Provider-specific rate limiting

User Notification
  User: Receives and reviews notification of transfer
  Provider-exporter: N/A
  Provider-importer: N/A
  Hosting Entity: Configure mail sender and delay policy
  DTP System: Send notification, optionally with delay to allow for cancellation

Token Revocation
  User: May need to manually revoke tokens if Provider doesn’t support automated revocation
  Provider-exporter: Support Token Revocation
  Provider-importer: Support Token Revocation
  Hosting Entity: N/A
  DTP System: Revoke Auth tokens after use (if supported by Providers)

Minimal Scopes for Auth Tokens
  User: Verify Appropriate Scopes requested
  Provider-exporter: Implements granular scopes
  Provider-importer: Implements granular scopes
  Hosting Entity: N/A
  DTP System: Requests minimal scopes for each transfer

Data Retention
  User: Transfer of data is not deletion; user should delete source data if desired
  Provider-exporter: Store only data needed to prevent fraud and abuse
  Provider-importer: Only retain imported data in compliance with privacy policies; store metadata needed to prevent fraud and abuse
  Hosting Entity: Configures system to not retain any identifiable information
  DTP System: Retains no data after transfer completed

Abuse
  User: Protect account credentials (strong passwords, two-factor authentication, etc.)
  Provider-exporter: Implement appropriate fraud and abuse protections on APIs
  Provider-importer: Implement appropriate fraud and abuse protections on APIs
  Hosting Entity: Implement appropriate fraud and abuse protections on UI
  DTP System: Encrypts data in transit and at rest in the DTP process using ephemeral key; uses isolated/dedicated VMs per transfer

Participation

There are many ways to be involved in DTP. Participation in DTP is open to any entity that wants to provide export (and ultimately import) functionality for some or all of their users’ data through APIs. DTP’s codebase is open source, so anyone can use it to implement import and export functionality regardless of their level of participation in the Project.

Status Quo

Since the July 2018 launch, in addition to significant additional investment in DTP’s open source protocols, several partners have launched product features powered by DTP. Specifically, Facebook9 and Google10 have each built implementations that enable users to directly transfer photos and videos to other services. Twitter has been testing a similar implementation. Apple will also begin rolling out a similar feature this year. Microsoft has released an open source log viewing tool built on top of the core DTP components that allows Office 365 enterprise customers to view and edit personal data for their users. All partners develop or maintain adapters to enable data transfers within DTP.

9 Facebook, Data Transfer Project: Enabling portability of photos and videos between services (Dec. 2, 2019), https://engineering.fb.com/security/data-transfer-project/.
10 Tool, https://takeout.google.com/takeout/transfer/custom/plus_photos; Help, https://support.google.com/accounts/answer/9666875.

The engineering work we’ve done through DTP has highlighted the importance of working with many diverse stakeholders to develop guidelines around portability. Several companies, developers, and individuals have made significant contributions and implementations of DTP since it launched. Specifically:

● More than two dozen contributors from a combination of partners and the open source community have inserted more than 186,000 lines of code and changed more than 8,500 .

● Twenty-five releases of new versions or updates to the protocols in the past year,11 including adding new verticals and making existing use cases more efficient.

● DTP Maintainers (a group of engineers and product managers from the respective companies) have added framework features such as Cloud logging and monitoring to enable production use of DTP at companies developing new features.

● DTP Maintainers have updated integrations for new APIs from and Smugmug that will enable users to move their photos between these services.

● DTP Maintainers have added new integrations for Deezer, Mastodon, and Solid.

Expanding Participation

In addition to the public channels described in the final section of this comment, partner organizations have undertaken considerable direct efforts to expand participation in DTP. In many cases, these conversations are centered around an upcoming launch of a particular data type (e.g., reaching out to photo service providers before we launched a photos implementation). Additionally, DTP partners have proactively started conversations with companies of various sizes, independent developers across the globe, leaders of related projects (i.e., Solid), and civil society thought leaders to seek their feedback and encourage them to participate in DTP in a variety of ways.

In addition to one-to-one outreach, representatives from DTP have presented the Project around the world to help build understanding and drive interest in participating. Specifically, we have presented the Project at events in Ottawa,12 London,13 Amsterdam,14 Helsinki,15 Brussels,16 DC,17 Silicon Valley,18 Berlin,19 and Madrid20 where we hoped to drive awareness of and participation in the Project.

11 GitHub Repository, https://.com/google/data-transfer-project/releases.

Through these efforts, DTP partners proactively help build understanding of the Project for other companies and encourage them to participate. However, we have confronted a few consistent challenges throughout these conversations. Specifically:

● Technical Challenges: Despite the work that DTP has done to make direct data portability a lightweight engineering challenge, some organizations are concerned that the technical burden may be significant. We continue to work to make the integration as simple as possible, including by building adapters to some services that enable import directly.

● Product Uncertainty: Some companies, particularly those that don’t already offer portability for their users, are concerned about the impact of export of data on their platforms. To help address this concern, DTP partners have prioritized building export functions in our own implementations. It is also worth noting that DTP does not delete data from the source service provider, but rather creates a copy for a new service. In this way, DTP creates an opportunity for individual users to try new services without necessarily leaving current ones.

● Unclear Prioritization: The relative urgency that regulators attach to different service categories is not entirely clear. In light of this, some companies that offer just one service might be hesitant to start working on direct data transfer until they see that regulators attach urgency to that category.

12 Competition Bureau Canada, Twitter (May 30, 2019, 3:17 PM), https://twitter.com/CompBureau/status/1134176951650983936.
13 Campus Startup School: Getting To Grips With Data Portability (Sept. 4, 2018), https://eventil.com/events/campus-startup-school-getting-to-grips-with-data-portability.
14 European Commission, Cloud stakeholder working groups start their work on cloud switching and cloud security certification (April 16, 2018), https://ec.europa.eu/digital-single-market/en/news/cloud-stakeholder-working-groups-start-their-work-cloud-switching-and-cloud-security.
15 MyData 2018, https://mydata2018.org/presentations/.
16 IAPP Europe Data Protection Congress 2019.
17 FTC Hearings on Competition and Consumer Protection in the 21st Century, Discussion on the Role of Access, Deletion and Correction in Connection with Consumer Privacy (April 10, 2019), https://www.ftc.gov/news-events/audio-video/video/ftc-hearing-12-april-10-session-1-panel-discussions-role-notice-choice.
18 Internet Identity Workshop, Data Transfer Project – Universal Data Portability for All, https://iiw.idcommons.net/Data_Transfer_Project_%E2%80%93_Universal_Data_Portability_for_All; https://iiw.idcommons.net/IIW_27_Session_Notes#Session_3_2.
19 Stiftung Datenschutz, Data Portability in Practice Workshop (Oct. 1, 2019), https://stiftungdatenschutz.org/fileadmin/Redaktion/Datenportabilitaet/SDS_Datenportabilitaet-PolicyPaper2020-05-22_EN.pdf.
20 Universidad San Pablo, https://www.uspceu.com/investigacion/catedras-investigacion/google.


● Some Regulatory Risk: Some companies see regulatory risk in importing personal data from other services, as they would assume data protection responsibilities for this data.

As mentioned, DTP provides considerable technical coordination and resources in support of developing infrastructure (including adapters that enable companies to engage with the system) to more easily enable all companies to support direct data transfers. Companies ultimately decide for themselves the degree to which they participate.

Portability raises unique challenges for data governance in that it relies on the decisions of other companies to be effective. A single company has limited options to enable direct portability; this technology requires a reciprocal import function to truly deliver user benefits. The process of encouraging participation in DTP has consistently underlined this “chicken and egg” issue. While DTP partners have taken steps (described above) to help establish an ecosystem solution, current laws that include data portability rights or obligations ensure that account holders can export their data from a service provider, but do not require a provider to import data. There are meaningful substantive questions to be asked about why import is not currently prioritized by organizations (even without a regulatory forcing function), as well as a robust debate on whether this would be an acceptable outcome. By raising this issue, we do not suggest that regulators or other thought leaders should ignore those questions; rather, we share the observation that there are relatively few import features available to users as a statement of fact about the status quo. We’d encourage policymakers to keep the whole ecosystem in mind when designing portability incentives or obligations—clarity, harmonization, and reciprocity can help drive more participation in portability.

Governance

DTP is committed to transparency, and perhaps the strongest evidence of this is that the codebase is open source and available on GitHub for all developers to collaborate on. For the implementations driven by the partners themselves, there is a process for discussing options and determining priorities.

Logistics

The partner organizations have regular conversations, with the bulk of the decision making about priorities happening in conversations among DTP Maintainers. The DTP Maintainers meet regularly to troubleshoot implementation issues and discuss what new data types can be added, guided by the values described below. Decisions made among this group are the primary driver of the implementation of DTP among participating companies.

Similarly, the partner companies convene a regular call among policy and legal representatives to ensure visibility into decisions made by the DTP Maintainers, to discuss policy issues, and to collaborate on participation in public forums. For example, through this conversation we have shared information about DTP in response to requests for comment in the US,21 Australia, and Singapore.22 In some cases, third-party stakeholders have acknowledged the contributions of DTP in forums attended by policymakers. For example, Sir Tim Berners-Lee mentioned DTP in his remarks at the 2018 International Conference of Data Protection and Privacy Commissioners.23

Case Study: Data Type Prioritization

As an example, we wanted to share a deeper look at how the partners make decisions around what data type to prioritize and collaborate on in our own implementations. The partners are committed to portability wherever it is feasible, but the implementation process requires prioritization to align and focus our efforts. The simplest criterion to align on is data type; this is why, for example, the current set of implementations of the Project are focused on photo and video data among participants.

When faced with decisions about what data types will be considered next, the partners discuss the options collectively at the meetings described above, and consider several factors in our decision.

These conversations center around core values:

● User-First: As described in our principles, building tools that speak to user needs and values is our number one priority. This guides our decisions about what data types to prioritize: it must be a type of data that is popular among consumer products.

● Possible and Practical: Many data types have established sets of file types and other technical foundations that make them easier to transfer from one service to another (i.e., photos), where they can be readily used in the receiving service. This foundation gives these data types an edge in our evaluation.

● Partner Relevance: For the purpose of maximizing the immediate impact and relevance of the work, data types that are featured in products by at least two of the partner companies are a higher priority.

Transferring data using canonical formats will not necessarily mitigate problems such as formatting limitations or inconsistent feature support. However, our approach illustrates that a substantial degree of industry-wide data portability can be achieved without dramatic changes to existing products or authorization mechanisms, while still providing a flexible enough platform to adapt and expand to support new formats and use cases brought by future innovation.

21 DTP Comment, FTC Hearings on Competition and Consumer Protection in the 21st Century (Aug. 20, 2018), https://www.ftc.gov/system/files/documents/public_comments/2018/08/ftc-2018-0051-d-0032-154924.pdf.
22 See Media Release, Singapore Personal Data Protection Commission, Singapore Releases Data Portability Discussion Paper (Feb. 25, 2019), https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Press-Room/2019/Media-Release---Singapore-Releases-Data-Portability-Discussion-Paper---250219.pdf?la=en.
23 Tim Berners-Lee on the huge sociotechnical design challenge, https://www.what-is-new.info/2018/10/24/tim-berners-lee-on-the-huge-sociotechnical-design-challenge/.

This is the process and general rubric that guided the initial DTP implementation of direct portability focused on photo and video data. We are currently working on a similar evaluation of potential additional data types, including evaluating the possibility to add user-created music playlists and other data to the list of DTP implementations by the partner companies.

How to Get Involved

We welcome everyone to participate; the more expertise and viewpoints we have contributing to the Project, the more successful it will be. There are four ways to join DTP:

● Partner: To become a partner in DTP, an organization must agree to follow the principles and best practices described in the DTP White Paper, contribute to DTP efforts, and participate in DTP by committing to add and maintain adapters. These organizations have their logos on the DTP website and represent the Project in public conversations.

● Provider: A provider is an organization integrated into the Project, either because it developed its own adapter or had a public API another developer integrated with the Project. Data can move into and out of these organizations subject to the terms of the provider APIs.

● Contributor: As an open source project, anyone can contribute to the code repository comprising the DTP codebase.

● Thought leadership: DTP meets regularly with thought leaders, other interested members of the public, and the research community. Anyone can join the mailing list at (DTP Discuss) and (Slack Channel) to stay informed of developments and discussions.

We also have several channels for developers and interested members of the public to learn more about the Project, and specifically to investigate the process of integrating DTP into your own products. Specifically:

● The DTP Developer Guide24 explains how individual developers can contribute technically to the Project. Technical developments are documented on our GitHub page.25

● Developers can join [email protected] to express interest and learn more about the best way to join the Project; anyone can sign up for [email protected] to follow the latest developments with the Project.

24 DTP Developer Guide, https://github.com/google/data-transfer-project/blob/master/Documentation/Developer.md.
25 GitHub Repository, https://github.com/google/data-transfer-project.


● Our Integration Guide26 provides guidance for companies that want to add an integration to allow their users to easily import and export data.

Conclusion

DTP appreciates the FTC analyzing this important topic and the opportunity to provide comments.

26 DTP Integration Guide, https://github.com/google/data-transfer-project/blob/master/Documentation/Integration.md.
