ISO/IEC NP 25985 Information technology — Data usage — Trusted data usage

Source: ISO/IEC
Committee: IST/40 - Data management and interchange
Categories: Information management | Standardization. General rules

Scope

This document specifies:

— methods to assess how data products can be used;

— systematic restrictions or prohibitions on how data products can be used;

— environments to enforce those restrictions and prohibitions;

— systematic ways to identify whether data products have been manipulated in unexpected ways.

This document is applicable to all types of organizations and systems that use data.

Purpose

Data and data products are all around us. Once thought of as rows and columns in spreadsheets, or words on paper, data comes in a myriad of forms, including biometric sensors, voice recordings and video images. The recent releases of powerful artificial intelligence (AI) tools have changed the scale and scope of the products that can be generated from data. Analytic insights, predictors, classifiers and anomaly detectors have been augmented with report generators, automatic summary compilers, image generators and many more.

The problem is compounded by the abundance of AI-driven “deep fake” technologies, which can generate synthetic images, documents, videos, or audio based on original source data. These technologies have the potential to entertain but have also been used to defraud unsuspecting users of the faked data products. They also have the potential to create great harm. Faked images have led to a real-world impact on stock markets, or to physiological harms. Whilst these examples give an insight into the types of harms not previously imagined from the use of such technologies, the scope of possible harms is beyond imaging. The data products can be very convincing, and potentially very damaging, even if eventually identified as synthetically generated fakes.

This project seeks to answer important questions about data and products derived from data:

— How can a user determine if data is fit for the proposed purpose(s)?

— How can a user provide guidance/restrictions/prohibitions for future uses of the data products created from data?

— How can a system enforce restrictions/prohibitions for those future uses of the data products created?

— How can a user determine if a data product has been manipulated in ways that were not expected (e.g. faked)?

The challenge becomes:

— the ability to assess how data or a derived data product can be appropriately used,

— to create guidance, restrictions or even prohibitions on how data products can be used,

— to create environments to enforce those restrictions and prohibitions,

— to create systematic ways to identify if data products have been manipulated in unexpected ways, leading to ways of rapidly limiting the use of those data products.

In all uses (or sharing) of data and data products, the context of use (or sharing) matters. Context includes the nature of the use, who is using, the environment of the use and what happens once the data or data products are used. These multiple dimensions or “degrees of freedom” create a very wide range of possible considerations.

In April 2024, two international standards were published by ISO/IEC through SC 32:

— ISO/IEC 5207:2024, Information technology — Data usage — Terminology and use cases;

— ISO/IEC 5212:2024, Information technology — Data usage — Guidance for data usage.

These standards are applicable to all industries and sectors of the economy. This project will build on the ISO/IEC standards to explore a number of methods to frame the requirements associated with the four questions posed in this submission and address the associated technological challenges.

The project will consider the capabilities of promising technologies, including watermarking of data, extended use of metadata and distributed ledger technologies, to describe environments with:

— High control, where requirements for sharing and use of data (and derived data) products can be enforced through centralized and distributed means.

— Moderate control, where requirements for sharing and use of data (and derived data) products can largely be enforced through centralized and distributed means.

— Low control, where recommendations for sharing and use of data (and derived data) products can be encouraged through centralized and distributed means.

— No control, where guidance and recommendations for sharing and use of data (and derived data) products can be encouraged but not enforced.

Comment on proposal

Please email further comments to: debbie.stead@bsigroup.com
