CORDIS - EU research results

TRAPEZE - TRAnsparency, Privacy and security for European citiZEns

Periodic Reporting for period 2 - TRAPEZE (TRAPEZE - TRAnsparency, Privacy and security for European citiZEns)

Reporting period: 2022-03-01 to 2023-08-31

TRAPEZE sought to reconstruct the concept of “control” in traditional data economies built on personal data processing. To that end, the project provided innovative solutions where such solutions are needed the most, enabling citizens to regain control of their security and privacy.

With the ambitious goal of driving a cultural shift in the protection of the European data economy, TRAPEZE aimed to reconstruct the concepts of control, transparency, and compliance through technical and methodological citizen-first innovations. The project outcomes contributed to Digital Inclusion for a better EU society and empowered citizens in the European digital economy by equipping them with the necessary knowledge to understand and manage the security and privacy risks pertinent to such an economy.
TRAPEZE’s proposed architecture and tools were developed and evaluated under real-world conditions (TRL7) in three pilot scenarios in government, telecommunication and IT services, and banking. All three pilots involved the processing and aggregation of large amounts of personal data from various data sources, with policies specified at different levels of granularity.

The project targeted European citizens as participants in contemporary data economies: service providers throughout the public and private sectors; data protection authorities; government administrations processing authoritative data of their citizens; responsible data controller teams (CSIRTs) or authorities (DPAs); legislative institutions and regulators in charge of developing policies linked to data security aspects; research communities; technology companies; and privacy commissioners.

Sticky or Persisting Policies, the concept of persistently attaching policy information to the payload data, were further enhanced and secured by the application of blockchain. Persisting Policies expressed in OWL2.0 were mapped to an intermediate, strictly defined JSON format and then into Hyperledger blockchain Smart Contract entries. Following the above approach, the GDPR vocabulary was mapped and integrated. In addition, the basic ontology vocabulary was expanded and instantiated per use case. The follow-up steps included the performance evaluation of the compliance mechanism over the blockchain. The results of these findings and their analysis were widely shared through various publications, thus laying the groundwork for further research and exploration within the scientific community.

The fundamental contribution of the TRAPEZE project is to provide transparency and control to European citizens over their personal information. Transparency empowers citizens to comprehend the processing of their data, including the methods, purposes, and extent to which it occurs. Control empowers citizens to either halt the processing of their personal data entirely or regulate it to a level they find satisfactory. All WP4 activities are based around the TRAPEZE privacy dashboard, a web application that establishes both transparency and control. The input from EU citizens was at the core of the privacy dashboard. A broad range of insights from surveys among citizens in several European countries was analysed, prioritised, and reflected in the two major delivery stages of the privacy dashboard.

No matter how well the privacy dashboard is designed or how secure and advanced the blockchain or sticky policy solution is, citizens have to understand their data protection risks and use digital tools competently. WP5 aimed at understanding and improving the competence of citizens' control of data protection risks. Users with different professional and educational backgrounds were evaluated and trained with a number of tools that are accessible through TRAPEZE’s citizen-centric help desk.

Performance testing constitutes a highly significant element within the system development life cycle. When executed effectively, it guarantees that the system operates under ideal conditions, factoring in aspects such as response time, scalability, downtime, and infrastructure expenses. This functional and non-functional testing was performed within WP6 activities, which not only focused on the internal assessment by the consortium experts but also set up public penetration and hacking challenges to crowdsource domain knowledge while building more trust among citizens and organisations in the developed solution through absolute transparency.

Clustering and networking activities in the second period of the project were intensified as the COVID restrictions were lifted. The consortium members participated in and organised a variety of events that concentrated on deepening the relations with relevant projects and organisations. Research and innovation possess value only when disseminated or exploited through the relevant community or target audience. The project's IP was assessed by various factors such as innovation, market potential, legal basis, sustainability and societal impact.
TRAPEZE achieved its ambition to extend beyond the state of the art in six major areas:

1) Policy Languages (PL), Legal Vocabularies, and Data Handling addressed two main aspects: (1) how to encode the policies in a machine-readable way to enable automated enforcement, real-time response to consent updates, and the explanation of enforcement decisions; (2) how to present the policies to data subjects in a "clear and intelligible" way, as required by the GDPR.

2) Transparency and Compliance: Both were improved by TRAPEZE by introducing dynamic consent and sticky policies in their full generality.

3) Protecting Citizens’ Data With Privacy-enhancing Tools for All: TRAPEZE solutions have gone beyond the existing privacy-enhancing alternatives in delivering a citizen-focused security and privacy dashboard that addresses the technical, legal, usability, and sociological requirements of a real-world data processing environment. To address this, specific algorithms were developed to inspect the blockchain ledger and the accompanying Linked Data graph and show the most relevant data to the user.

4) Raising Citizens’ Awareness and Competence: Data subjects involved in traditional security awareness education in their work environment make use of posters, videos, short animations, newsletters or PowerPoint slides, but without tools or methodologies to monitor its effectiveness. TRAPEZE combined concepts taken from classical education, like reinforcement and testing, with modern learning techniques, like automation and gamification. Among those, gamification is key: it reframes people’s attitudes, builds new behavioral patterns, and creates strong emotional ties, contributing to motivation to learn.

5) Securing Citizens’ Data at Rest, in Use, and in Motion: Mobile applications included in the TRAPEZE platform, for devices equipped with Android or iOS operating systems, are “protected by design”.

6) Establishing End-to-End Trust with Linked Data and Blockchain: Lately, with the promise of putting the citizen back in control of their data, much emphasis in the data privacy world has been put on the importance of decentralized and distributed solutions. TRAPEZE, on the other hand, enables a steady transition to a more trusted data environment for all by delivering an innovative semantic Blockchain platform that acknowledges the world as-is.
TRAPEZE Citizen-centric help desk