Trust & Authenticity - Academic Conferences Limited

Documentary Heritage in the Cloud
Simply a Security Matter or an Oxymoron?
Luciana Duranti
The University of British Columbia
International Conference on Cloud Security
Management ICCSM 2013
Seattle, WA 17-18 October 2013
Luciana Duranti
Principal Investigator
Diplomatics
The trustworthiness of records of unknown or uncertain origin needs to be assessed using scientific methods.
Diplomatics (1681), Dom Jean Mabillon: trustworthiness based on the process of formation of documents, and on their formal characteristics, structure, and transmission through time and space.
The Bella Diplomatica (judicial disputes based on diplomatic rules and on the belief that “documents are much better than navy yards, much more efficacious than munitions factories, as it is finer to win by reason rather than by violence, by right than by wrong”) gave origin to the Law of Evidence.
By the mid 18th century all faculties of law in Europe taught archival science and diplomatics as “forensic” disciplines.
Archival Diplomatics of Digital Records
Dr. Luciana Duranti, The University of British Columbia
Archival Diplomatics: the integration of archival and diplomatic theory about the genesis, inner constitution, and transmission of documents; about their relationship with the facts represented in them, with other documents produced in the course of the same function and activities, and with their creators.
Reliability: the trustworthiness of a record as a statement of fact. It exists when a record can stand for the fact it is about.
[Diagram labels: The Concept of Record; The Concept of Trustworthiness; Retrospective Use; Prospective Use; Accuracy; Digital Record Characteristics; Initiative; Formal Elements; Attributes; Digital Components.]
Lifecycle of Digital Records
Phase 1: Records of the creator
Phase 2: Authentic copies of the records of the creator
Luciana Duranti
Email: luciana@interchange.ubc.ca
www.interpares.org
Genesis of the Digital Records
Workflow: actio et conscriptio (phases shown on the face of the record: Initiative, Inquiry, Consultation, Deliberation, Deliberation Control, Execution)
Dynamic and Interactive Records: Stable Content, Fixed Documentary Form, Bounded Variability
Functions of Records: Probative/Dispositive, Supporting/Narrative, Instructive/Enabling
Authenticity (identity, integrity): the trustworthiness of a record as a record; i.e., the quality of a record that is what it purports to be and that is free from tampering or corruption.
Accuracy: the degree to which data, information, documents or records are precise, correct, truthful, free of error or distortion, or pertinent to the matter.
Digital Signature as a Means of Authentication
Categories of Records: Manifested; Stored
[Diagram labels: Form, Content, and Composition Data; Execution Metadata; Identity Metadata; Integrity Metadata.]
Application: Research Projects
UBC Project (1994 - 1997)
InterPARES 1 (1999 - 2001)
InterPARES 2 (2002 - 2006)
InterPARES 3 (in application)
Status of Transmission
• Draft
• Original
• Authenticated original
• Copy (e.g., authentic copy)
Authentication: a means of declaring the authenticity of a record at one particular moment in time
The Concept of Record
• Record: any document made or received by a physical or
juridical person in the course of activity as an instrument
and by-product of it, and kept for action or reference
• Document: recorded information (i.e., information
affixed to a medium in an objectified and syntactic form)
• Information: “intelligence given,” or a message
intended for communication across time and space
• Data: the smallest meaningful piece of information
Digital Record Components
• Act: an action in which the record participates or which the
record supports
• Persons Concurring to Its Creation: author, writer, originator,
addressee, and creator (human or juridical person accumulating
the records made or received and kept in the course of activity
and as by-product of it)
• Archival Bond: explicit linkages to other records inside or
outside the system
• Identifiable Contexts: juridical-administrative, provenancial
(creator), procedural, documentary, technological
• Medium: necessary part of the technological context, not of the
record
• Fixed Form and Stable Content
Fixed Form
• An entity has fixed form if its binary content is stored so that the
message it conveys can be rendered with the same
documentary presentation it had on the screen when first
saved (different digital presentation: Word to .pdf)
• An entity has fixed form also if the same content can be
presented on the screen in several different ways in a limited
series of possibilities: we have a different documentary
presentation of the same stored record having stable content and
fixed form (e.g. statistical data viewed as a pie chart, a bar chart,
or a table)
Stable Content
• An entity has stable content if the data and the
message it conveys are unchanged and
unchangeable, meaning that data cannot be
overwritten, altered, deleted or added to
• Bounded Variability: when changes to the
documentary presentation of a determined stable
content are limited and controlled by fixed rules, so
that the same query or interaction always generates
the same result, and we have different views of
different subsets of content, due to the intention of the
author or to different operating systems or
applications
Archival Fonds and Archives
• Archival Fonds: All the records of one creator
(human or juridical person: individual or
organization)
• All the records of a legitimate succession of
creators exercising the same functions
• Archival Fonds are acquired by the archival
institution, unit or program responsible by
mandate or mission for their permanent
preservation as documentary heritage of a society
Archives in the Cloud
Archival institutions and units or programs of a variety of organizations consider storing records selected for permanent preservation in the Cloud because:
• Many of the records they are mandated to preserve already exist in the Cloud
• Access would be possible from any location to anyone who can use a browser
• A trusted digital repository satisfying ISO standards as well as basic archival preservation requirements is not affordable
• The knowledge to deal with records produced by complex technologies is not commonly available among archival professionals
• Strong protection measures are often confused with preservation measures
But, to many, “Archives in the Cloud” is an oxymoron
Archives as a Place
Justinian Code (534 A.D.)
“an archives is locus publicus in quo instrumenta deponuntur (the public
place where records are deposited), quatenus incorrupta maneant (so that
they remain uncorrupted), fidem faciant (provide trustworthy evidence),
and perpetua rei memoria sit (and be perpetual memory of facts)”
Ahasver Fritsch (1664 A.D.)
Archives receive trustworthiness from the fact that 1) the place of storage
belongs to a public sovereign authority, 2) the officer forwarding them to
such a place is a public officer, 3) the records are placed both physically
(i.e., by location) and intellectually (i.e., by description) among authentic
records, and 4) this association is not meant to be broken.
The Archival Right
• The right to keep a place capable of conferring archives trustworthiness, and therefore authority, was acquired by the bodies to whom sovereignty was delegated by the supreme secular and religious powers: cities and churches.
• Corporations, including universities, deposited their records in the camera actorum of the municipality having jurisdiction over them or in the archives of ecclesiastical institutions before acquiring the right to “keep archives.”
• By the French revolution decree of July 25, 1794, the records of defunct institutions and organizations were to be preserved by the state and made accessible to the people as its documentary heritage.
• Archival principles: Natalis de Wailly (1841), principle of respect des fonds; Max Lehmann (1882), principle of provenance (i.e. original order); Hilary Jenkinson, unbroken chain of legitimate custody
Trusted Postcustodialism?
The concepts of place, jurisdiction, legitimate custody, and stability are
embedded in the concept of archives, documentary heritage, and trusted historical
memory, and are the condition of archival trustworthiness.
The primary justification for these concepts is historical accountability: the
people have a right to access the “authentic” documentary evidence of how they
were governed. For this to happen, the records must be under the unbroken
physical and intellectual control of a trusted third party ensuring that their
interrelationships as well as those with their creator are stable.
If archives were to exist in the Cloud, where responsibility for legal custody and
intellectual control ensuring stability would be left with the legitimate preserver,
but physical custody and technological access provisions would be of the Cloud
provider, could they be considered trustworthy? Can society entrust the Cloud
with its memory?
What is Trust?
• In business, trust involves confidence of one party in another, based on
alignment of value systems with respect to specific benefits
• In legal theory, trust is defined as a relationship of voluntary
vulnerability, dependence and reliance, based on risk assessment
• In everyday life, trust involves acting without the knowledge needed to
act. It consists of substituting the information that one does not
have with other information
• Trust is also a matter of perception and it is often rooted in old
mechanisms which may lead us to trust untrustworthy entities
• On the Internet, the standard of trustworthiness is that of the
ordinary marketplace, caveat emptor, or buyer beware
• This is because there is no standard for a trustworthy trustee on the
Internet
Trustworthy Trustees
Trustworthy trustees traditionally present the characteristics of:
• reputation, which results from an evaluation of the trustee’s past actions and
conduct;
• good performance, which is the relationship between the trustee’s present actions
and the conduct required to fulfill his or her current responsibilities as specified by
the truster;
• inspiring confidence, which is an assurance of expectation of action and conduct the
truster has in the trustee; and
• competence, which consists of having the knowledge, skills, talents, and traits
required to be able to perform a task to any given standard
• But we do not always have this information, and this creates blind trust
Parameters of Trust
In the digital environment, technologically-mediated trust cannot rely
any longer on the four characteristics used in the past.
Different systems for the assessment of trust are required for different
contexts – government, business, personal, etc. The parameters of trust
in one cultural context may be very different from those in another
context.
Even within the restricted confines of the Western world, the very limited
portion of a cultural context which is represented by the legal system is
broken down in common law and civil law, and each has a different
approach to trust: in common law it is based on observation of action,
and in civil law on its documentary residue.
Balance of Trust
If we decide to entrust our historical documentary memory to the Cloud,
we must establish a balance between trust and trustworthiness that is
valid across jurisdictions, primarily because of the location independence
which characterizes the Cloud.
The trustworthiness we should focus on is then not of the trustees but of
the historical records that are entrusted to them, keeping in mind that
historical records, a society’s documentary memory, always start their life
as current records and their trustworthiness should be protected from
creation.
Protecting the trustworthiness of the documentary heritage of society goes
well beyond security.
Records Trustworthiness
Reliability: the trustworthiness of a record as a statement of fact, based on:
• the competence of its author
• the controls on its creation
Accuracy: the correctness and precision of a record’s content, based on:
• the competence of its author
• the controls on content recording and transmission
Authenticity: the trustworthiness of a record that is what it purports to be, untampered with and uncorrupted, based on:
• identity
• integrity
• reliability of the system containing it
Authenticity: Identity
The whole of the attributes of a record that characterize it as
unique, and that distinguish it from other records.
Identity metadata:
• names of the persons concurring in its creation
• date(s) and time(s) of issuing, creation and transmission
• the matter or action in which it participates
• the expression of its documentary relationships
• documentary form
• digital presentation
• the indication of any attachment(s)
• digital signature
• name of the person handling the business matter
Authenticity: Integrity
A record has integrity if the message it is meant to
communicate in order to achieve its purpose is unaltered.
Integrity metadata:
• name(s) of persons handling the matter over time
• name of person(s) responsible for keeping the record over time
• indication of annotations made to the record
• indication of technical changes
• indication of presence or removal of digital signature
• time of planned removal from the system
• time of transfer to the designated preserver, or of destruction
• time of access to the public
• existence and location of duplicates outside the system
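The identity and integrity metadata listed on these two slides can be kept as a tamper-evident manifest that travels with the record. The following is an added example, not code from the presentation or from the InterPARES or RIC projects: the record schema, event names and sample record are assumptions constructed for illustration. Identity metadata is bound to the stored content when the record is sealed; every later integrity event (an annotation, a change of custodian, a documented technical change such as a format migration) commits to the content digest at that moment and to the previous entry, so a content change that no entry accounts for, an edit to identity metadata, or an altered or re-stamped earlier entry is detected at verification.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # "previous entry" value for the first integrity entry


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialization so identical metadata always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class Record:
    content: bytes                                      # the stored record
    identity: dict                                      # identity metadata (assumed schema)
    integrity_log: list = field(default_factory=list)   # integrity metadata, hash-chained


def entry_digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_digest"}
    return digest(canonical(body))


def append_event(record: Record, event: str, **details) -> dict:
    """Add one integrity entry (annotation, custody change, technical change, ...).
    The entry commits to the content and identity digests as they are now and to
    the previous entry, so later alteration of either is detectable."""
    prev = record.integrity_log[-1]["entry_digest"] if record.integrity_log else GENESIS
    entry = {"event": event, "details": details,
             "content_digest": digest(record.content),
             "identity_digest": digest(canonical(record.identity)),
             "prev": prev}
    entry["entry_digest"] = entry_digest(entry)
    record.integrity_log.append(entry)
    return entry


def seal(record: Record, custodian: str) -> dict:
    # First entry: binds content and identity metadata at the moment of sealing.
    return append_event(record, "sealed", custodian=custodian)


def migrate(record: Record, new_content: bytes, note: str) -> dict:
    # A documented technical change (e.g., format migration): the content changes
    # and the change itself is recorded as integrity metadata.
    old = digest(record.content)
    record.content = new_content
    return append_event(record, "technical_change", note=note, previous_content_digest=old)


def verify(record: Record):
    """Return (ok, reason): checks the chain links, each entry's own digest, the
    identity metadata, and that current content matches the latest committed digest."""
    if not record.integrity_log:
        return False, "no integrity metadata"
    prev = GENESIS
    for i, entry in enumerate(record.integrity_log):
        if entry.get("prev") != prev:
            return False, f"chain broken at entry {i}"
        if entry_digest(entry) != entry.get("entry_digest"):
            return False, f"entry {i} altered"
        prev = entry["entry_digest"]
    last = record.integrity_log[-1]
    if last["identity_digest"] != digest(canonical(record.identity)):
        return False, "identity metadata altered"
    if last["content_digest"] != digest(record.content):
        return False, "content altered without a recorded technical change"
    return True, "ok"


def demo() -> Record:
    # Constructed sample record; names, dates and content are invented.
    rec = Record(content=b"Minutes of the Senate meeting, 2013-10-17",
                 identity={"author": "University Senate", "writer": "Secretary",
                           "date": "2013-10-17", "matter": "Senate minutes",
                           "form": "minutes", "attachments": []})
    seal(rec, custodian="University Archives")
    append_event(rec, "annotation", by="Registrar", text="approved without amendment")
    append_event(rec, "custody_transfer", from_custodian="University Archives",
                 to_custodian="Cloud provider (placeholder)")
    return rec


if __name__ == "__main__":
    r = demo()
    print(verify(r))
    r.content += b" (edited)"
    print(verify(r))
```

The log shows what changed and in what order, which is the integrity question; it does not by itself establish who made each entry. The digital signature the slides list among identity metadata would be applied to an entry to authenticate it at that moment, and its later presence or removal is itself an integrity event, as the list above notes.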
Metadata in the Cloud
• How does metadata follow or trace records in the cloud from the creator to the preserver?
• How is this metadata migrated as a preservation activity over time?
• Who owns the metadata created by the service providers related to their management of the records (integrity metadata)?
• Is metadata intellectual property? Whose?
• How can this metadata be accessed by the public and what are the responsibilities of the provider towards archival users?
Transparency, Stability, Permanence
• An unbroken chain of legitimate custody from the creator to the preserver is not possible or demonstrable
• Records reliability cannot be inferred from known processes
• Records authenticity cannot be inferred from their documentary context and from a known preservation process
• Archives require that each record’s context be defined and immutable, with all its relationships intact. Such stability is difficult to demonstrate in the dynamically provisioned environment of the Cloud.
• What happens when hardware/software become obsolete? Is there a known migration plan?
• Termination of contract: how are records portability and continuity ensured?
• Termination of provider: how is records sustainability ensured?
Back to Custody
A fundamental issue with keeping archives in the Cloud remains the distinction
between the entity responsible for their permanent preservation and
accessibility and the entity storing them, and the possibility that the jurisdiction
under which each exists is different from that in which the individual components
of each archival fonds (all the records of the same body) exist.
Example: Europe is approving a right to be forgotten legislation which will affect
all European archives. That is… exactly what? The archives under the legal
control of a European archival institution? Those stored by a European Cloud
provider? Those that happen to be at any given time in servers located in Europe?
Remember “archives as a place”. Remember the “chain of legitimate
uninterrupted custody.” The “moral defence of archives” requires transparency,
stability and permanence. Whose responsibility?
Models to Consider
Maritime rules of shipping centered on the recognition of the authority of the
port state, the flag state and the coastal state
Early international maritime agreements established that the nationality of the
transport vessel (the flag state) would establish jurisdiction, and by extension, the
laws that would be in effect
Following the abuse of such rule, the port state was given greater control to
inspect vessels coming within its territorial waters by the Law of the Sea
Convention in 1982
Similarly, coastal states through whose waters the flagged vessels transit, have
authority over the safety and competency of the ship and its crews and are also
allowed inspection and enforcement while the vessel is in the coastal state’s
waters regardless of the flag of either the vessel (flag state) or its destination (port
state)
Making an Analogy
A Canadian university could place its archives into the care of an American CSP
which in turn maintains its data centers in Brazil. Following the maritime
example then, the American company would be the ‘flag state’ that would be
‘moving the goods’ to their ultimate destination in the ‘port state’ of Brazil.
This analogy becomes problematic not only because the Canadian University
owning the archives would have no jurisdiction, but also with regards to the rights
of the coastal state, in that the ‘pipe’ used to move the records can transit through
several countries (coastal states) as they are routed along the way.
Traditionally, ‘coastal states’ have not been granted access to inspecting packets
of records as they move along the internet. The rules of conduct then become
very difficult, if not impossible, to enforce by any of the parties involved.
Alternatives
The territoriality principle is not applicable because it is not possible to know
the location of the records at any given time
The nationality principle is not applicable because nationality is an attribute of
persons, not records, and the principle cannot be used to connect persons to
records
The power of disposal principle, which “connects any data to the person or
persons that obtain sole or collaborative access and that hold the right to alter,
delete, suppress or to render unusable as well as the right to exclude others from
access and any usage whatsoever” can be considered
By analogy, it could be possible to consider a power of preservation principle
that identifies the institutions controlling the archives as the trusted custodian and
the place guaranteeing authenticity, but jurisdiction without responsibility
defeats its entire purpose, even in a community cloud
Records In the Cloud (RIC)
A 4-year collaboration, supported by the Social Sciences and Humanities
Research Council of Canada, between
– the University of British Columbia (UBC) School of Library, Archival and
Information Studies,
– the UBC Faculty of Law,
– the UBC Sauder School of Business,
– the University of Washington School of Information,
– the University of North Carolina at Chapel Hill School of Information and Library
Science,
– the Mid-Sweden University Department of Information Technology and Media,
– the University of Applied Sciences of Western Switzerland School of Business
Administration, and
– the Cloud Security Alliance
RIC Objectives
• to identify and examine in depth the theoretical, methodological, management,
operational, legal, and technical issues surrounding the storage and
management of records/archives in the Cloud;
• to determine what policies and procedures a provider should have in place for
fully implementing the records/archives management regime of the entity
outsourcing the records/archives storage, for responding promptly to its needs,
and for detecting, identifying, analyzing and responding to incidents; and
• to develop guidelines to assist institutions and organizations in assessing the
risks and benefits of outsourcing records/archives storage and processing to a
cloud provider, for writing contractual agreements, certifications and
attestations, and for the integration of outsourcing with the organization's
records management and information governance programs
Today you will hear about initial findings of the research project.
InterPARES Trust (ITrust)
A 6-year multidisciplinary collaboration among 30 countries in 6
continents, comprising about 250 researchers.
The project aims at producing the frameworks that will support the
development of integrated and consistent local, national and international
networks of policies, procedures, regulations, standards and legislation
concerning digital records entrusted to the Internet, to ensure public trust
grounded on evidence of good governance, and a persistent digital
memory.
ITrust studies
To support solutions to the archival issues raised today, ITrust has initiated
research on, among other matters,
• Metadata, to investigate to what degree “the human and machine readable
assertions about records” existing in the cloud contribute to maintaining and
assessing the authenticity of those records (Tennis)
• Authenticity, to find a method for calculating, associating with records, and
presenting trust parameters and the provenance of those parameters (Cohen)
• Trust relationships, from the perspective of creators, preservers and users of
records/archives (Foscarini)
• Model contractual provisions dealing with technological change; interjurisdictional and government regulation; accessibility; intellectual ownership;
protection of confidentiality and privacy; agreed remedies in the event of
breach of contract; “privity” of contract and subcontracting, to identify just a
few of the contentious areas (Sheppard)
Conclusion
We need to work towards resolution of issues as they present themselves, with
the aim of developing solutions framed as a balance of trust.
To establish a “balance of trust” requires enabling the development of
trustworthy procedures and contractual conditions, in addition to secure
technologies. We need to do so by
• identifying the changes required in our paradigms of trust in
records/archives and preservation systems, and
• developing an internationally shared trust framework that both
providers and users can live by, because the current framework within
which the Cloud operates and security concerns are addressed is inconsistent
within and across jurisdictional and disciplinary boundaries.
Only then can we require and expect stability, transparency, accountability,
and permanence in addition to security and economy, develop a Trust in the
Cloud founded on the Trustworthiness of the material it stores, and conclude
that “documentary heritage in the Cloud” is not an oxymoron.
www.recordsintheclouds.org
www.interparestrust.org