Releasing Data Rights Protocol Version 0.7

Today we’re releasing v0.7 of the Data Rights Protocol (DRP) technical specification. This release represents major progress towards implementing our security model, which we designed with Kevin Riggle at Complex Systems Group and in consultation with our technical partners at DRP consortium member companies.

The major change in the DRP 0.7 release is a move away from JSON Web Tokens for authenticated identity tokens towards Ed25519 signatures implemented by libsodium. The libsodium library has language bindings for virtually all common programming languages and provides a simple, safe-to-wield cryptography API. We believe libsodium is the best choice for enabling a secure, performant, and trustworthy system.

Another major change in DRP v0.7 is which data gets cryptographically signed. In previous protocol versions, Authorized Agents presented a signed attestation of only the consumer’s identity. From version 0.7 onward, the entire Data Rights Request is cryptographically signed by the Agent, attesting not only to the identity of the consumer but also that the request was made by the Authorized Agent submitting it.
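The effect of signing the entire request, shown as an added example that is not taken from the DRP specification or OSIRAA: it uses Go's standard crypto/ed25519 package in place of libsodium, and the request fields, the key seed and the sample values are constructed for illustration. The signature-then-message body layout mirrors libsodium's combined-mode crypto_sign output and is an assumption about the wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Request stands in for a Data Rights Request; field names are assumed, not the DRP schema.
type Request struct{ Agent, Consumer, Right string }

// demoKey derives a key pair from a fixed all-zero seed (constructed, demo only).
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Seal signs the whole serialized request; output is signature||message.
func Seal(priv ed25519.PrivateKey, r Request) ([]byte, error) {
	msg, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(priv, msg), msg...), nil
}

// Open checks the signature over every byte of the body before parsing it.
func Open(pub ed25519.PublicKey, signed []byte) (Request, error) {
	var r Request
	if len(signed) < ed25519.SignatureSize {
		return r, errors.New("body shorter than a signature")
	}
	sig, msg := signed[:ed25519.SignatureSize], signed[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, msg, sig) {
		return r, errors.New("signature does not match request body")
	}
	err := json.Unmarshal(msg, &r)
	return r, err
}

func main() {
	pub, priv := demoKey()
	signed, _ := Seal(priv, Request{"agent.example", "consumer@example.com", "access"})
	fmt.Println(Open(pub, signed)) // accepted unchanged
	// Changing the requested right in transit invalidates the signature.
	fmt.Println(Open(pub, bytes.Replace(signed, []byte("access"), []byte("delete"), 1)))
}
```

Because the receiver parses the body only after verification succeeds, no field of the request is trusted unless the Agent's key signed it.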

In addition to cryptographic changes, we determined v0.7 was a good time to re-organize the DRP API endpoints towards a versioned “REST-ful” method of submitting and identifying data rights requests. This web design style will be understandable to anyone who has written code to interact with or provide Web APIs, and will allow us to ensure that the API remains legible and well organized for future developments.

There are two sets of resources provided by Privacy Infrastructure Providers which Authorized Agents can act against: /v1/data-rights-request and /v1/agent, each with a few actions. To submit a data request, for example, send a POST request to /v1/data-rights-request with a properly formatted libsodium object in the body; the response will include a request ID (1e8118ae-782c-4310-9220-1303156c61bc, for example). This request ID can then be used to fetch the status of that request by requesting /v1/data-rights-request/1e8118ae-782c-4310-9220-1303156c61bc.

Consumer Reports’ Open Source Reference Implementation for Authorized Agents (OSIRAA) was recently updated to the 0.6 “stepping stone” version of the protocol and will be updated in the coming weeks to support the changes we’ve made here in version 0.7.

As we get close to a production-ready 1.0 version of the technical protocol and business practices, the Data Rights Protocol working group will be developing a set of “Service Directories” which will be used to provide discovery of businesses implementing the Data Rights Protocol and serve as the root of trust for Authorized Agents within the system.

Businesses interested in integrating the Data Rights Protocol to streamline their Data Subject Requests and join a growing consortium of Authorized Agents should check out our website. The protocol is developed openly on GitHub.
