With the current design, the HAT API endpoints exchange clear-text data with HAT-enabled users and applications. As a result, the HAT server process needs to have full access and visibility of all data in the HAT.
That is not an issue for the “hard hat” scenario where the HAT owner hosts this process and controls access to it on her own hardware. However, a useful deployment scenario might involve running the HAT server process on cloud infrastructure. In that case, a significant amount of trust has to be placed in the infrastructure provider (whose ability to protect the privacy of the data he is entrusted with may be constrained by law enforcement requirements).
A possible solution to this problem could be end-to-end encryption, whereby only encrypted data is exchanged via the API, and the API endpoint server process is not given the capability to inspect the cleartext. Only the users and applications that are the actual producers and recipients of a piece of data will be able to do that (locally on their end, after receiving the encrypted data from the API). The current data debit contract process would need to be augmented by peer-to-peer key exchange between the involved parties (without the central HAT process being part of that, except maybe as a messaging bus).
Is there something like this on the roadmap?
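The client-side part of the scheme sketched above (producer and recipient hold their own key pairs, derive a shared key peer-to-peer, and the HAT API only ever stores ciphertext), as an added example that is not HAT project code: X25519 key agreement plus AES-256-GCM from Go's standard library. The SHA-256 key derivation, the `nonce || ciphertext || tag` record layout and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aead derives AES-256-GCM from the X25519 shared secret; SHA-256 as the KDF is a simplification for this example.
func aead(self *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := self.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a data debit record for peer; nonce || ciphertext || tag is all the HAT server ever stores.
func Seal(self *ecdh.PrivateKey, peer *ecdh.PublicKey, record []byte) ([]byte, error) {
	g, err := aead(self, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, record, nil), nil
}

// Open decrypts a record sealed by peer; any other key pair (e.g. the provider's) fails GCM authentication.
func Open(self *ecdh.PrivateKey, peer *ecdh.PublicKey, sealed []byte) ([]byte, error) {
	g, err := aead(self, peer)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed record too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}
```

Only the public halves of the two key pairs need to cross the HAT messaging bus; the server operator, holding neither private key, can store and relay the sealed record but not read or silently alter it.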