How to maintain data sovereinty if the data is downloaded offline?

[casemsee]

We are getting this question quite often "If a dataspace participant moves data out of the dataspace (e.g., downloads it for offline use), how can control over the data and technical enforcement be maintained?"

For instance, when a provider wants to share a CSV file, if the consumer downloads the data and leaves the trusted environment, traditional access controls become ineffective.

[paullatzelsperger]

you cannot. full stop. that is not meant by "Data Sovereignty", nor is it the goal of EDC.

Theoretically, there could be trusted execution environments, for example signed docker images, that "emit" the data, and stop emitting, once a certain condition is not met anymore, but from the perspective of EDC, such an image would just be a data asset. And it would bring on another different host of problems....
Another option would be providing data through an API, which can be shut off. But even then, the data, that has been "emitted" (or downloaded) is in the wind.

So in short: as soon as data leaves your purview, it's gone, and you have no control over it anymore.

[casemsee]

Let's say if the provider has big data (TB) with Amazon S3 links, how can the data be exchanged while maintaining sovereignty and control? If the provider exposes a downloadable Amazon S3 link, then even without connectors the data can be accessed?

[paullatzelsperger]

no data ever travels through a connector - this is the job of a data plane. Typically, in the scenario you describe, one would use pre-signed URLs together with temporary access credentials, which are revoked as soon as the contract expires or the policy becomes unfulfilled. A HTTP client acts as consumer.
That way, providers can prevent consumers from transmitting more data, but cannot "invalidate" or "retract" data already transmitted.

[casemsee]

Thanks, Paul. So the conclusion is "as soon as data leaves the dataspaces, it's gone, and have no control over it anymore.". Providers/data owners can't control data once it is downloaded. You mentioned about data plane for actual data transfer. Does it log the record of who has downloaded the data?

[paullatzelsperger]

You mentioned about data plane for actual data transfer. Does it log the record of who has downloaded the data?

if you implement it that way, then yes. EDC is not a complete application but a tool box, so you there is no ready-to-go data plane unless you implement one.