1. Data Portability: Law and Code
State-of-the-art and future directions for groupware
data portability using JMAP-related standards
CalConnect Virtual Conference, October 13th, 2020
Hans-Jörg Happel, audriga
2. Agenda
• Law and context: From early Data Portability to GDPR
• Code and standards: What‘s there and what can be done?
2
4. Definitions
Data Portability
"The right to data portability allows
individuals to obtain and reuse their
personal data for their own purposes
across different services. It allows them
to move, copy or transfer personal data
easily from one IT environment to
another.." (ico.org.uk)
→ Data Portability is more focused on
actual data
→ One user, using one service at a time
→ May include unforeseen usage
Interoperability
“Interoperability is a characteristic of a
product or system, whose interfaces are
completely understood, to work with
other products or systems, present or
future, in either implementation or
access, without any restrictions.”
(interoperability-definition.info)
→ Interoperability is more focused on
systems and tools
→ Multiple users using multiple services
→ (Well-)defined usage context
4
5. A short and incomplete history of Data Portability
• 1998: RFC 2425/2445 (vCard/iCalendar)
• 2007: DataPortability project
• 2011: Google Takeout
• 2011/2012: US "My Data Initiative" (Blue/Green/Red Button)
• 2016/2018: EU General Data Protection Regulation (GDPR)
• 2018: Data Transfer Project
5
6. EU General Data Protection Regulation (GDPR)
• EU regulation for processing personal data
• Replacing prior legislation from 1995
• Article 20 („Right to data portability“) goes beyond core data
protection
• Motivated to improve consumer choice / fight vendor lock-in
• Inspired by Social Network monopolies and mobile phone number transfer
• GDPR Timeline
• Proposed 2012
• Adopted 2016
• Effective since May 2018
6
7. GDPR – Article 20
„Right to data portability“
1. The data subject shall have the right to receive the personal data
concerning him or her, which he or she has provided to a controller,
in a structured, commonly used and machine-readable format and
have the right to transmit those data to another controller without
hindrance from the controller to which the personal data have been
provided, where: (…)
2. In exercising his or her right to data portability pursuant to
paragraph 1, the data subject shall have the right to have the
personal data transmitted directly from one controller to another,
where technically feasible.
(…)
7
8. GDPR – Status quo
• Implementation can be perceived by any EU citizen in daily life
• GDPR influences legislation in other countries (e.g., CCPA)
• Article 20 adoption is rather slow
• Many companies merely stating rights (→ manual export process)
• Some companies refering to vCard/iCalendar download options
• However, attention is increasing
• Virtual workshop by the US FTC in September 2020
• Growing interesting in certain application domains (partially due to laws)
• EU launching Data Portability and Services Incubator (DAPSI)
8
9. Data Portability – Open Issues
• GDPR Article 20 is rather general/vague regarding several details:
• Exact scope of personal data
• What defines a „commonly used format“
• Structured format „export“ vs. „direct transfer“
• Data Portability for consumers vs. business customers
• Even broader notion of Data Portability: enable advanced future use cases
• Decentral/local storage of personal data („PIMS“) instead of storage by vendor
• Additional use cases beyond switching (e.g., usage analysis/switch assitance)
• Holy grail of data portability: how to achieve portability esp. for less
standardized, dynamic application domains?
9
10. EU Data Portability and Services Incubator (DAPSI)
• “Program to empower top internet innovators to develop human-
centric technology solutions addressing the challenge of personal
data portability on the internet as foreseen under the GDPR”
• Three rounds of funding for up to 15 projects in each round (Overall
funding: 7m EUR)
• 11 projects funded in round one, which started in September 2020
• Part of the European Commission’s Next Generation Internet (NGI)
initiative
https://dapsi.ngi.eu
10
12. Data Portability
Status quo on technology and tooling
• Groupware is perhaps the domain with the most mature and well-
defined standards available – also thanks to CalConnect!
• vCard
• iCalendar
• Data Transfer Project
• Open Source initiative by Google/Apple/Microsoft/Facebook/Twitter
• Still in early stage; strong focus on photo transfer up to now
12
13. Data Portability issues with vCard/iCalendar
Data level (vCard/iCalendar)
• Outdated base technologies
• Vendor-specific extensions
• Vendor-specific bugs (date
formats...)
• Unstable identifiers (user ids,
aliases)
• Tools often silently swallowing
differences (or applying defaults)
Protocol level (CardDAV/CalDAV)
• Outdated base technologies
• Brittle service/path discovery
(→ TC-Autodiscover)
• Unstandardized aspects (e.g.,
folder structures)
• Not designed for import
• Ability to supress notifications
• Not all data writable
• Lack of admin authentication
13
14. OpenXPort: Open export of data across different systems
and providers
• audriga-initiated project funded by DAPSI
• Idea: use forthcoming JMAP suite of standards for data portability
• „Modern successor“ of CardDAV/CalDAV (more suitable for browser and mobile)
• Evolving ecosystem of client software and groupware systems supporting JMAP
• Work-in-progress
• Connect JMAP to audriga migration framework (→ Data Transfer Project)
• Add JMAP/JSContact support to Roundcube Webmail
• Provide/improve Open Source libraries to help others adoptig data portability
• Supporting JMAP for data portability might foster client adoption and vice versa
14
15. OpenXPort – Data Portability best practices
• Collecting best practices for data portability
• C.f. Calendar migration BoF at CalConnect XLIV Zurich
• Might become CalConnect BCP document?
→ Candidate TC CLIENT activity?
15
16. OpenXPort – open technical issues
• What are lessons learned from 20+ years of vCard/iCalendar?
• Several JMAP-related questions
• Roadmap / status w.r.t „mature“ parts (contacts, calendards)
• Roadmap/plans w.r.t extensions (e.g., tasks)
• Best approach for discussing/suggesting best practices and improvements
• API path
• (Admin auth)
• ...
16
17. It‘s all about the standards!?
"[Pushing standards] might be 60%, 80%, or 90% of
the work that has to get done. (..) That's where the
portability will happen or won't happen. So a much
bigger fraction of the work should be (to) get the
standards in place for secure and effective transfer
even though nobody is gonna wanna do it."
Peter Swire at FTC Data-To-Go Workshop 2020-09
17
18. Summary
• Data Portability is increasingly gaining momentum
• Ubiquituous application to any system dealing with personal
data – worldwide
• CalConnect can continue to take a pionieering role in shaping
Data Portability concepts and standards
• Thanks for your attention!
The project has received funding from the European Union's Horizon 2020
research and innovation program under grant agreement No 871498.
18