Documentary Heritage in the Cloud Simply a Security Matter or an Oxymoron? Luciana Duranti The University of British Columbia International Conference on Cloud Security Management ICCSM 2013 Seattle, WA 17-18 October 2013 Luciana Duranti Principal Investigator Diplomatics The trustworthiness of records of unknown or uncertain origin need to be assessed using scientific methods. Diplomatics (1681), Dom Jean Mabillon Trustworthiness based on the process of formation of documents, and on their formal characteristics, structure, and transmission through time and space. The Bella Diplomatica (judicial disputes based on diplomatic rules and on the belief that “documents are much better than navy yards, much more efficacious than munitions factories, as it is finer to win by reason rather than by violence, by right than by wrong” gave origin to the Law of Evidence By mid 18th century all faculties of law in Europe taught archival science and diplomatics as “forensic” disciplines Luciana Duranti Principal Investigator Archival Diplomatics of Digital Records Dr. Luciana Duranti The University of British Columbia The Concept of Record Archival Diplomatics The integration of archival and diplomatic theory about the genesis, inner constitution, and transmission of documents; and about their relationship with the facts represented in them, and with other documents produced in the course of the same function and activities, and with their creators. Retrospective Use The Concept of Trustworthiness Reliability The trustworthiness of a record as a statement of fact. It exists when a record can stand for the fact it is about. Prospective Use Accuracy Digital Record Characteristics Initiative Formal Elements Attributes Digital Components Lifecycle of Digital Records Phase 1: Records of the creator Phase 2: Authentic copies of the records of the creator Luciana Duranti Email: luciana@interchange.ubc.ca www.interpares.org Genesis of the Digital Records Workflow: actio et conscriptio On the face Of the Record Dynamic and Interactive Records Stable Content Fixed Documentary Form Bounded Variability Inquiry Consultation Functions of Records Probative/Dispositive Supporting/Narrative Instructive/Enabling Authenticity • identity • integrity The trustworthiness of a record as a record; i.e., the quality of a record that is what it purports to be and that is free from tampering or corruption. Deliberation Deliberation Control The degree to which data, information, documents or records are precise, correct, truthful, free of error or distortion, or pertinent to the matter. Digital Signature Categories of Records •Manifested: •Stored: Form, Content, and Composition Data Execution Metadata Identity Metadata Integrity Metadata As a Means of Authentication Application: Research Projects UBC Project (1994 - 1997) InterPARES 1 (1999 - 2001) InterPARES 2 (2002 – 2006) InterPARES 3 (in application) Status of Transmission Draft Original Authenticated original Copy (e.g., authentic copy) Authentication: A means of declaring the Luciana Duranti authenticity of a record at one particular moment in time Principal Investigator The Concept of Record • Record: any document made or received by a physical or juridical person in the course of activity as an instrument and by-product of it, and kept for action or reference • Document: recorded information (i.e., information affixed to a medium in an objectified and syntactic form) • Information: “intelligence given,” or a message intended for communication across time and space • Data: the smallest meaningful piece of information Luciana Duranti Principal Investigator Digital Record Components • Act: an action in which the records participates or which the record supports • Persons Concurring to Its Creation: author, writer, originator, addressee, and creator (human or juridical person accumulating the records made or received and kept in the course of activity and as by-product of it) • Archival Bond: explicit linkages to other records inside or outside the system • Identifiable Contexts: juridical-administrative, provenancial (creator), procedural, documentary, technological • Medium: necessary part of the technological context, not of the record • Fixed Form and Stable Content Luciana Duranti Principal Investigator Fixed Form • An entity has fixed form if its binary content is stored so that the message it conveys can be rendered with the same documentary presentation it had on the screen when first saved (different digital presentation: Word to .pdf) • An entity has fixed form also if the same content can be presented on the screen in several different ways in a limited series of possibilities: we have a different documentary presentation of the same stored record having stable content and fixed form (e.g. statistical data viewed as a pie chart, a bar chart, or a table) Luciana Duranti Principal Investigator Stable Content • An entity has stable content if the data and the message it conveys are unchanged and unchangeable, meaning that data cannot be overwritten, altered, deleted or added to • Bounded Variability: when changes to the documentary presentation of a determined stable content are limited and controlled by fixed rules, so that the same query or interaction always generates the same result, and we have different views of different subsets of content, due to the intention of the author or to different operating systems or applications Luciana Duranti Principal Investigator Archival Fonds and Archives • Archival Fonds: All the records of one creator (human or juridical person: individual or organization) • All the records of a legitimate succession of creators exercising the same functions • Archival Fonds are acquired by the archival institution, unit or program responsible by mandate or mission for their permanent preservation as documentary heritage of a society Luciana Duranti Principal Investigator Archives in the Cloud Archival institutions and units or programs of a variety of organizations consider storing records selected for permanent preservation in the Cloud because: • • • • • Many of the records they are mandated to preserve already exist in the Cloud Access would be possible from any location to anyone who can use a browser A trusted digital repository satisfying ISO standards as well as basic archival preservation requirements is not affordable The knowledge to deal with records produced by complex technologies is not commonly available among archival professionals Strong protection measures are often confused with preservation measures But, to many, “Archives in the Cloud” is an oxymoron Luciana Duranti Principal Investigator Archives as a Place Justinian Code (534 A.D.) “an archives is locus publicus in quo instrumenta deponuntur (the public place where records are deposited), quatenus incorrupta maneant (so that they remain uncorrupted), fidem faciant (provide trustworthy evidence), and perpetua rei memoria sit (and be perpetual memory of facts)” Ahasver Fritsch (1664 A.D.) Archives receive trustworthiness from the fact that 1) the place of storage belongs to a public sovereign authority, 2) the officer forwarding them to such a place is a public officer, 3) the records are placed both physically (i.e., by location) and intellectually (i.e., by description) among authentic records, and 4) this association is not meant to be broken. Luciana Duranti Principal Investigator The Archival Right • The right to keep a place capable of conferring archives trustworthiness, and therefore authority, was acquired by the bodies to whom sovereignty was delegated by the supreme secular and religious powers--cities and churches. • Corporations, including universities, deposited their records in the camera actorum of the municipality having jurisdiction over them or in the archives of ecclesiastical institutions before acquiring the right to “keep archives.” • By the French revolution decree of July 25, 1794, the records of defunct institutions and organizations were to be preserved by the state and made accessible to the people as its documentary heritage. • Archival principles: Natalis de Wailly (1841), principle of respect des fonds; Max Lehmann (1882), principle of provenance (i.e. original order); Hilary Jenkinson, unbroken chain of legitimate custody Luciana Duranti Principal Investigator Trusted Postcustodialism? The concepts of place, jurisdiction, legitimate custody, and stability are embedded in the concept of archives, documentary heritage, and trusted historical memory, and are the condition of archival trustworthiness. The primary justification for these concepts is historical accountability: the people have a right to access the “authentic” documentary evidence of how they were governed. For this to happen, the records must be under the unbroken physical and intellectual control of a trusted third party ensuring that their interrelationships as well as those with their creator are stable. If archives were to exist in the Cloud, where responsibility for legal custody and intellectual control ensuring stability would be left with the legitimate preserver, but physical custody and technological access provisions would be of the Cloud provider, could they be considered trustworthy? Can society entrust the Cloud with its memory? Luciana Duranti Principal Investigator What is Trust? • In business, trust involves confidence of one party in another, based on alignment of value systems with respect to specific benefits • In legal theory, trust is defined as a relationship of voluntary vulnerability, dependence and reliance, based on risk assessment • In everyday life, trust involves acting without the knowledge needed to act. It consists of substituting the information that one does not have with other information • Trust is also a matter of perception and it is often rooted in old mechanisms which may lead us to trust untrustworthy entities • On the Internet, the standard of trustworthiness is that of the ordinary marketplace, caveat emptor, or buyer beware • This is because there is no standard for a trustworthy trustee on the Internet Luciana Duranti Principal Investigator Trustworthy Trustees Trustworthy trustees traditionally present the characteristics of: • reputation, which results from an evaluation of the trustee’s past actions and conduct; • good performance, which is the relationship between the trustee’s present actions and the conduct required to fulfill his or her current responsibilities as specified by the truster; • inspiring confidence, which is an assurance of expectation of action and conduct the truster has in the trustee; and • competence, which consists of having the knowledge, skills, talents, and traits required to be able to perform a task to any given standard • But not always we have this information and this creates blind trust Luciana Duranti Principal Investigator Parameters of Trust In the digital environment, technologically-mediated trust cannot rely any longer on the four characteristics used in the past. Different systems for the assessment of trust are required for different contexts – government, business, personal, etc. The parameters of trust in one cultural context may be very different from those in another context. Even within the restricted confines of the Western world, the very limited portion of a cultural context which is represented by the legal system is broken down in common law and civil law, and each has a different approach to trust: in common law it is based on observation of action, and in civil law on its documentary residue. Luciana Duranti Principal Investigator Balance of Trust If we decide to entrust our historical documentary memory to the Cloud, we must establish a balance between trust and trustworthiness that is valid across jurisdictions, primarily because of the location independence which characterizes the Cloud. The trustworthiness we should focus on is then not of the trustees but of the historical records that are entrusted to them, keeping in mind that historical records, a society documentary memory, always start their life as current records and their trustworthiness should be protected from creation. Protecting the trustworthiness of the documentary heritage of society goes well beyond security. Luciana Duranti Principal Investigator Records Trustworthiness Reliability Accuracy The trustworthiness The correctness and of a record as a precision of a statement of fact, record’s content based on: based on: • the competence of • the competence of its author its author • the controls on its • the controls on creation content recording and transmission Authenticity The trustworthiness of a record that is what it purports to be, untampered with and uncorrupted based on: • identity • integrity • reliability of the system containing it Luciana Duranti Principal Investigator Authenticity: Identity The whole of the attributes of a record that characterize it as unique, and that distinguish it from other records. Identity metadata: •names of the persons concurring in its creation •date(s) and time(s) of issuing, creation and transmission •the matter or action in which it participates •the expression of its documentary relationships •documentary form •digital presentation •the indication of any attachment(s) •digital signature •name of the person handling the business matter Luciana Duranti Principal Investigator Authenticity: Integrity A record has integrity if the message it is meant to communicate in order to achieve its purpose is unaltered. Integrity metadata: • name(s) of persons handling the matter over time • name of person(s) responsible for keeping the record over time • indication of annotations made to the record • indication of technical changes • indication of presence or removal of digital signature • time of planned removal from the system • time of transfer to a the designated preserver or destruction • time of access to the public • existence and location of duplicates outside the system Luciana Duranti Principal Investigator Metadata in the Cloud how does metadata follow or trace records in the cloud from the creator to the preserver? how is this metadata migrated as a preservation activity over time? who owns the metadata created by the service providers related to their management of the records (integrity metadata)? Is metadata intellectual property? Whose? How can this metadata be accessed by the public and what are the responsibilities of the provider towards archival users? Luciana Duranti Principal Investigator Transparency, Stability, Permanence An unbroken chain of legitimate custody from the creator to the preserver is not possible or demonstrable Records reliability cannot be inferred from known processes Records authenticity cannot be inferred from their documentary context and from a known preservation process Archives requires that each record’s context be defined and immutable, with all its relationships intact. Such stability is difficult to demonstrate in the dynamically provisioned environment of the Cloud. What happens when hardware/software become obsolete? Is there a known migration plan? Termination of contract: how is records portability and continuity ensured? Termination of provider: how is records sustainability ensured? Luciana Duranti Principal Investigator Back to Custody A fundamental issue with keeping archives in the Cloud remains the distinction between the entity responsible for their permanent preservation and accessibility and the entity storing them, and the possibility that the jurisdiction under which each exists is different from that in which the individual components of each archival fonds (all the records of the same body) exist. Example: Europe is approving a right to be forgotten legislation which will affect all European archives. That is… exactly what? The archives under the legal control of a European archival institution? Those stored by a European Cloud provider? Those that happen to be at any given time in servers located in Europe? Remember “archives as a place”. Remember the “chain of legitimate uninterrupted custody.” The “moral defence of archives” requires transparency, stability and permanence. Whose responsibility? Luciana Duranti Principal Investigator Models to Consider Maritime rules of shipping centered on the recognition of the authority of the port state, the flag state and the coastal state Early international maritime agreements established that the nationality of the transport vessel (the flag state) would establish jurisdiction, and by extension, the laws that would be in effect Following the abuse of such rule, the port state was given greater control to inspect vessels coming within its territorial waters by the Law of the Sea Convention in 1982 Similarly, coastal states through whose waters the flagged vessels transit, have authority over the safety and competency of the ship and its crews and are also allowed inspection and enforcement while the vessel is in the coastal state’s waters regardless of the flag of either the vessel (flag state) or its destination (port state) Luciana Duranti Principal Investigator Making an Analogy A Canadian university could place its archives into the care of an American CSP which in turn maintains its data centers in Brazil. Following the maritime example then, the American company would be the ‘flag state’ that would be ‘moving the goods’ to their ultimate destination in the ‘port state’ of Brazil. This analogy becomes problematic not only because the Canadian University owning the archives would have no jurisdiction, but also with regards to the rights of the coastal state, in that the ‘pipe’ used to move the records can transit through several countries (coastal states) as they are routed along the way. Traditionally, ‘coastal states’ have not been granted access to inspecting packets of records as they move along the internet. The rules of conduct then become very difficult, if not impossible, to enforce by any of the parties involved. Luciana Duranti Principal Investigator Alternatives The territoriality principle is not applicable because it is not possible to know the location of the records at any given time The nationality principle is not applicable because nationality is an attribute of persons, not records, and the principle cannot be used to connect persons to records The power of disposal principle, which “connects any data to the person or persons that obtain sole or collaborative access and that hold the right to alter, delete, suppress or to render unusable as well as the right to exclude others from access and any usage whatsoever” can be considered By analogy, it could be possible to consider a power of preservation principle that identifies the institutions controlling the archives as the trusted custodian and the place guaranteeing authenticity, but jurisdiction without responsibility defeats its entire purpose, even in a community cloud Luciana Duranti Principal Investigator Records In the Cloud (RIC) A 4-year collaboration , supported by a Social Sciences and Humanities Research Council of Canada, between – the University of British Columbia (UBC) School of Library, Archival and Information Studies, – the UBC Faculty of Law, – the UBC Sauder School of Business, – the University of Washington School of Information, – the University of North Carolina at Chapel Hill School of Information and Library Science, – the Mid-Sweden University Department of Information Technology and Media, – the University of Applied Sciences of Western Switzerland School of Business Administration, and – the Cloud Security Alliance Luciana Duranti Principal Investigator RIC Objectives • to identify and examine in depth the theoretical, methodological, management, operational, legal, and technical issues surrounding the storage and management of records/archives in the Cloud; • to determine what policies and procedures a provider should have in place for fully implementing the records/archives management regime of the entity outsourcing the records/archives storage, for responding promptly to its needs, and for detecting, identifying, analyzing and responding to incidents; and • to develop guidelines to assist institutions and organizations in assessing the risks and benefits of outsourcing records/archives storage and processing to a cloud provider, for writing contractual agreements, certifications and attestations, and for the integration of outsourcing with the organization's records management and information governance programs Today you will hear about initial findings of the research project. Luciana Duranti Principal Investigator InterPARES Trust (ITrust) A 6-year multidisciplinary collaboration among 30 countries in 6 continents, comprising about 250 researchers. The project aims at producing the frameworks that will support the development of integrated and consistent local, national and international networks of policies, procedures, regulations, standards and legislation concerning digital records entrusted to the Internet, to ensure public trust grounded on evidence of good governance, and a persistent digital memory. Luciana Duranti Principal Investigator ITrust studies To support solutions to the archival issues raised today, ITrust has initiated research on, among other matters, • Metadata, to investigate to what degree “the human and machine readable assertions about records” existing in the cloud contribute to maintaining and assessing the authenticity of those records (Tennis) • Authenticity, to find a method for calculating, associating with records, and presenting trust parameters and the provenance of those parameters (Cohen) • Trust relationships, from the perspective of creators, preservers and users of records/archives (Foscarini) • Model contractual provisions dealing with technological change; interjurisdictional and government regulation; accessibility; intellectual ownership; protection of confidentiality and privacy; agreed remedies in the event of breach of contract; “privity” of contract and subcontracting, to identify just a few of the contentious areas (Sheppard) Luciana Duranti Principal Investigator Conclusion We need to work towards resolution of issues as they present themselves, with the aim of developing solutions framed as a balance of trust. To establish a “balance of trust” requires enabling the development of trustworthy procedures and contractual conditions, in addition to secure technologies. We need to do so by • identifying the changes required in our paradigms of trust in records/archives and preservation systems, and • developing an internationally shared trust framework that both providers and users can live by, because the current framework within which the Cloud operates and security concerns are addressed is inconsistent within and across jurisdictional and disciplinary boundaries. Only then we can require and expect stability, transparency, accountability, and permanence in addition to security and economy, develop a Trust in the Cloud founded on the Trustworthiness of the material it stores, and conclude that “documentary heritage in the Cloud” is not an oxymoron. Luciana Duranti Principal Investigator www.recordsintheclouds.org www.interparestrust.org Luciana Duranti Principal Investigator