Data trusts and co-operative credentials

Some initial thoughts on whether data trusts and co-operative credentials are complimentary.

Data Trust

A data trust is simply legal structure and a database. The legal structure of the data trust is the key bit. A “trust” is a concept from common law jurisdictions (primarily the U.K. and its former colonies). It involves a relationship between a “Trustee”, in this case the entity holding the data, and the “Beneficiaries”, the entities who have a beneficial interest in the data (e.g. the data is about them).

The trustee holds a “fiduciary duty” to the beneficiaries vis-a-vis the subject of the trust (i.e. the data). A fiduciary duty is one of the the most onerous types of duty in common law systems and there are serious penalties for breach of those duties. The content of the duty depends on the structure of the trust, but typically they involve

  • Proactively acting in the best interests of the beneficiaries
  • Strictly avoiding conflicts of interest
  • Acting according to “proper purposes” as determined by the trust

How does a data trust work across common and civil law jurisdictions?

Most legal systems, for example most European countries, use a “Civil law” system. Famously, civil law systems do not recognise the concept of a trust. This is debatable from a legal perspective (there are concepts in civil law similar to a trust), however it does raise the question of how an international data trust would operate from a legal perspective.

If an initiative is set up with the explicit aim of serving a set of international beneficiaries, i.e. co-operatives, does using a common law legal structure disadvantage beneficiaries from non-common law jurisdictions? Perhaps, but not necessarily. Indeed, pairing a data trust with a standard like verifiable credentials (which, incidentally, attract the significant interest in the EU), could ameliorate the problem.

Verifiable Credentials and Data Trusts

Verifiable credentials are explained at length elsewhere. Prima facie they may seem to be concepts in tension, as a data trust is centralised and verifiable credentials are decentralised. However this superficial distinction breaks down when you see them as complimentary parts of a larger system. I’ll just quickly point out a few ways they can work together.

The data trust provides the claims for credential issuance

Simply put, when a credential is issued, the claims required to fill the credential need to come from a datastore. That datastore could be managed by a data trust. In fact for data integrity, particularly when it comes to credential “Refreshing”, would arguably be improved by such a structure.

The data trust is the verifiable data registry

See Verifiable Credentials Use Cases

verifiable data registry

A role a system might perform by mediating the creation and verification of identifiers, keys, and other relevant data, such as verifiable credential schemas, revocation registries, issuer public keys, and so on, which might be required to use verifiable credentials. Some configurations might require correlatable identifiers for subjects. Some registries, such as ones for UUIDs and public keys, might just act as namespaces for identifiers.

Sometimes this role is played by a blockchain, however in the case of co-operatives, a blockchain may not be appropriate as co-operatives need easier access to the data for compliance purposes.

Verifiable credentials serve as a means of communication between the datastore and the beneficiaries.

If you store data from various beneficiaries in one place the question arises how that data is retrieved from, and used by, the various beneficiaries. Especially how you do this in a secure and privacy respecting fashion. Verifiable Credentials are tailor made for this purpose.

1 Like

Thanks Angus! Great perspective!

I think the role of governance and authority in the the data trust concept is also important: In decentralised identity, self-issued claims have little weight. They aren’t of much value to a ‘relying party’ unless the claim can be verified with a trusted source:

“I can drive!”.
“Who says so?”
“My friend.”
“No, sorry, please show me a verifiable document from x-authority… And prove that you are the person on it”

X-authority acts like a data trust in that it has ‘fiduciary’ duties on behalf of the ecosystem it serves. It has fiduciary and human rights duties both to other relying parties (other verifiers) and the beneficiaries (holders or subjects). In the field of identity, the typical responsibilities of such an authority as a ‘credential service provider’ are well defined, including various levels of assurance: see NIST for example:

https://pages.nist.gov/sp800-63-3.html

These ecosystems can be complex, multi-stakeholder affairs. It make sense for a specialist multi-stakeholder co-operative to govern it, particularly if a ‘data commons’ is involved. I.e. where no single stakeholder can be said to ‘own’ the data, and it is more a question of individual relationships with data held in common.

1 Like

This is the closest example of something that fits our use case nicely so far and harks back to some of the things I mentioned in my sign up survey.

Whilst the question of ‘who is in my coop?’ and ‘what coops are they also in?’ are okay for us, it’s generally not that high on the list and many of the use cases that are good go-tos (mostly cross-selling and marketing) aren’t our big problems.

However, issuance and trust around specific credentials that might be of interest between multiple co-ops is very exciting. Understanding how we might empower different co-operatives to take on the role of an issuer (and do it successfully, being recognised in wider society) seems like an extremely empowering thing to be going after. (I think) it embodies the co-operative principles, as well as ideals for a decentralised web and could be an excellent springboard for co-operatives in general.

The massive thing getting in the way is: how do you convince an org to take on the responsibility of being an issuer and how do you convince others to put their faith in them? It seems like you’ve tackled this specifically for Co-Operative Credentials (i.e. creds to show membership of a co-operative) in more detail, but I’d love to see/be involved in more work on this in wider topics. Data Trusts are the closest I’ve seen so far to these ideas stretching a bit further outwards.

4 Likes

I’m wondering if there might be an intersection worth exploring between Credit Unions and VC applications? Perhaps VC could extend Credit Union KYC protocols and other matters of trust?

They would seem to be well-positioned to support commercial transactions and secure accounting between various entities at low-cost. Credit Unions are traditionally organized as Co-ops with nominally democratic governance structures serving a social or communitarian mission rather than profit-seeking.

I have been in some conversations recently where the parties are exploring Credit Unions as natural potential financial partners to co-operative enterprise.

2 Likes

There is also an existing SSI project among US credit unions (originally CU Ledger, built on Evernym / Sovrin) that enables CU’s to work across states and offer financial services across memberships.

The product they offer to members is memberpass, built on Evernym’s verifiable credentials / hyperledger infrastructure

And they are on our research list, but we haven’t approached them yet, although we have some good mutual contacts for an introduction.

2 Likes