Trust in digital records: An increasingly cloudy legal area

https://doi.org/10.1016/j.clsr.2012.07.009Get rights and content

Abstract

Trust has been defined in many ways, but at its core it involves acting without the knowledge needed to act. Trust in records depends on four types of knowledge about the creator or custodian of the records: reputation, past performance, competence, and the assurance of confidence in future performance. For over half a century society has been developing and adopting new computer technologies for business and communications in both the public and private realm. Frameworks for establishing trust have developed as technology has progressed. Today, individuals and organizations are increasingly saving and accessing records in cloud computing infrastructures, where we cannot assess our trust in records solely on the four types of knowledge used in the past. Drawing on research conducted at the University of British Columbia into the nature of digital records and their trustworthiness, this article presents the conceptual archival and digital forensic frameworks of trust in records and data, and explores the common law legal framework within which questions of trust in documentary evidence are being tested. Issues and challenges specific to cloud computing are introduced.

Introduction

Whatever matters to human beings, trust is the atmosphere in which it thrives (Bok, 1999).

Trust has been defined in many ways but, at its core, it involves willingly acting without the full knowledge needed to act. It consists of substituting the information that one does not have with other information that supports confidence in the action. For example, a person who does not have the knowledge necessary to assess the authenticity of a record relies on the credentials of the expert who authenticates it. Traditionally, trust in records is based on four types of knowledge about their creator and/or their custodian: reputation, which results from an evaluation of the trustee’s past actions and conduct; performance, which is the relationship between the trustee’s present actions and the conduct required to fulfil his or her current responsibilities as specified by the truster; competence, which consists of having the knowledge, skills, talents, and traits required to be able to perform a task to any given standard; and confidence, which is an “assurance of expectation” of action and conduct the truster has in the trustee (Sztompka, 1999, Borland, 2009, Duranti and Rogers, 2011).

For over half a century, society has been developing and adopting new computer technologies for business and communications in both the public and private realm. From the early mainframe computers used by government, business, and academia, whose primary function was computation, to ever faster, smaller, cheaper, and more versatile digital devices used by individuals and organizations alike, whose functions now include automation, communication, commerce, entertainment, education, and citizen engagement, we increasingly rely on and live our lives in the digital realm. Our voracious appetite for technological innovation and engagement has raised a host of challenges to privacy, security and trust. Solutions are being debated in the blogosphere, developed in policy debates, and tested in the courts.

The Internet spans the globe, erasing national boundaries for the transmission of data, information, documents and records. The interconnectedness of the Internet is forcing us into one global community without the benefit of gradually getting to know one another. When business is transacted over digital networks between people who do not know each other and likely will never meet, establishing trust becomes paramount. What does that mean in respect of policies and practices regarding the handling of digital records residing with Internet services and social media providers? When such policies exist and are sound, the speed with which digital technologies are changing far outpaces society’s ability to adapt pre-existing structures and norms. In previous centuries technologies developed in the industrial economy over timeframes long enough to allow users to gain comfort with and trust in the new tools and their impact on society. Digital communications technologies have supplanted the industrial economy, based on the production of goods, with the information economy, based on production, ubiquity, and sharing of information. Trust in the digital environment relies on new methods of establishing and authenticating identity, and managing information in a way that supports security and privacy as well as sharing and access.

Today, individuals and organizations conduct their business in the highly networked, easily compromised environment of the Internet, in which cloud computing for record storage and access is becoming increasingly common. However, policies, practices and infrastructure in “the Cloud” do not currently support an assessment of the four types of knowledge used in the past to establish our trust in records. How can we make decisions related to trust in this new environment? Are there grounds for trusting the institutions and/or professionals who hold digital records about us to make the right decisions about keeping them safe and accessible only to those who have a right to see them, using them for good and in a transparent way, disposing of them when required, and selecting reliable Internet providers for storing and managing them? If yes, what are those grounds? Who has established them, and in the context of what values and purpose?

Issues of trust are difficult to isolate, and are often bound with more easily identified issues of privacy, security, and jurisdiction. Questions arise about the trustworthiness of digital records, or of organizations, service providers, and networked systems, or the juridical framework in which the organizations and systems operate, and in which or with whom the records are stored. As the United States (U.S.) developed the Internet, for example, its social, political, and economic views became evident in its use and rights policies, and this has rankled other countries. Can we trust our records to Web services without fully understanding what legal framework they will fall under? Several recent examples will serve to illustrate this: (1) in January 2012, U.S. federal prosecutors blocked access to the file-sharing site Megaupload.com on charges that the site violated piracy laws, and New Zealand police arrested Megaupload’s founder based on the U.S. accusations. As a consequence the data of at least 50 million Megaupload users not implicated in the legal action has been seized and is in danger of being erased; (2) convinced that existing laws cannot deal with growing piracy concerns, the U.S. Congress introduced the Stop Online Piracy Act (SOPA), which resulted in protests across the Internet that persuaded Congress to reject the bill (Maes, 2012); (3) Google established a blanket privacy policy for all materials on its cloud (Google, 2012), while Twitter chose to go in the opposite direction and to adopt the policy of the country of origin of the record (Twitter Blog, 2012). Whom can/should we trust?

Regardless of these warning signs, people trust (often blindly) all kinds of organizations (e.g. banks, phone companies, Internet service providers, social media sites, e-commerce sites) to keep and maintain their data/records/archives on their behalf. In effect they have shifted their trust from the filing cabinet or hard drive in their home office to distributed storage in the cloud, and handed over the stewardship of their personal information to others. Where their records actually reside, how well they are being managed, how long they will be available to them… they have no idea! Many organizations are recognizing this shift and becoming concerned about a liability they may not have thought they were assuming (especially as more and more clients abandon their own recordkeeping and place greater reliance and trust on the recordkeeping abilities of the organizations with which they interact).

‘Data’ and ‘records’ are very different in nature. Whereas records are information affixed to a medium in a fixed and stable form (i.e. documents) in the course of activity and kept for further action or reference, data are the smallest meaningful component of information. However, in the digital environment, the issues for records and data coincide. Can the data be trusted? Can the records from which the data are derived be trusted? Are these records complete? Are they authentic? How were they generated, by whom and under what conditions? Is there sufficient contextual information to enable them to be understood? These are some of the questions facing organizations, which are beginning to act on the realization that their data and records holdings are digital assets that need to be managed effectively if they are to be trusted by those making decisions and by clients, customers, citizens, etc. In 2009 the Information Commissioner of Canada wrote: “The poor performance shown by institutions is symptomatic of what has become a major information management crisis. A crisis that is only exacerbated with the pace of technological developments.” (emphasis in original) (Office of the Information Commissioner of Canada, 2009). This is not an isolated occurrence.

The purpose of this article is to present the conceptual frameworks of trust in records and data developed in the context of archival science and digital forensics, and explore the common law legal framework within which questions of trust in documentary evidence is being tested. Of course, the problem of trust in the digital environment is much larger, encompassing authentication frameworks that allow parties to assess identity while protecting privacy, issues of organizational trust and responsibility, and the broader issues of trusted computing and trusted environments. Our intention is to begin the conversation about ways in which the integration of archival knowledge and digital forensics practices can lead to an understanding of the problems and unintended consequences of wholesale adoption of technology – and in particular the developing area of cloud computing. The article focuses specifically on the North American legal tradition, as this is the context in which the authors have conducted their research, but the nature of digital material and the challenges posed by new technologies are applicable in any jurisdiction.

Section snippets

Archival science

In archival science, a record is defined as a document1 created (i.e., made or received and set aside for further action or reference) by a physical or juridical person in the course of a practical activity as an instrument or by-product of such activity2

Testing trustworthiness of digital documentary evidence9

Trust is at the root of acceptability of documentary materials as evidence at court. The common law determines the admissibility of evidence by the application of three rules: (1) the authentication rule; (2) the best evidence rule; and (3) the hearsay rule. The application of these rules is severely challenged by an inconsistent understanding of the nature of digital materials. In this section we will discuss the rules of evidence in the common law tradition generally, and the Canadian common

Trust in the cloud

Having discussed the characteristics of digital records, the related trust framework established by archival science and digital forensics, and the challenges encountered by the existing legal system in common law countries in establishing the trustworthiness of digital evidence, we can now return to the aspect of digital technology that was discussed in the beginning as creating both excitement and anxiety for businesses and individuals, and new headaches for the legal profession, namely,

Luciana Duranti ([email protected]), Professor, University of British Columbia, School of Library, Archives, and Information Studies, Irving K. Barber Learning Centre, Suite 470-1961 East Mall, Vancouver, BC V6T 1Z1, +1 604 822 2587.

References (42)

  • S. Mocas

    Building theoretical underpinnings for digital forensics research

    Digital Investigation

    (2004)
  • M.R. Arkfeld

    Electronic discovery and evidence

    (2006)
  • S. Bok

    Lying: moral choice in public and private life

    (1999)
  • J. Borland

    Trusting archivists

    Archivi and Computer

    (2009)
  • S. Brenner

    CYB3RCRIM3: expert testimony, hearsay and the electronic monitoring device

    (2011)
  • A.W. Bryant et al.

    The law of evidence in Canada, Markham, Ont.

    (2009)
  • E. van Buskirk et al.

    Digital evidence: challenging the presumption of reliability

    Journal of Digital Forensic Practice

    (2006)
  • B. Carrier

    Defining digital forensic examination and analysis tools using abstraction layers

    International Journal of Digital Evidence

    (2003)
  • B. Carrier

    Open source digital forensics tools: the legal argument

    (2003)
  • K.L. Chasse

    Electronic evidence

    (2010)
  • K.L. Chasse

    Electronic records as documentary evidence

    Canadian Journal of Law and Technology

    (2007)
  • K.L. Chasse

    The inadequacy of analysis of electronic records management for evidence and discovery

    Asia Law Info

    (2011)
  • B. Darrow

    “Skype of cloud storage” symform nets $11M in funding

    GigaOM

    (2012)
  • E. Denham

    Finding our way through the clouds

    (2011)
  • L. Duranti

    From digital diplomatics to digital records forensics

    Archivaria

    (2009)
  • L. Duranti

    The long-term preservation of authentic electronic records: findings of the InterPARES project

    (2005)
  • L. Duranti et al.

    Digital records forensics: a new science and academic program for forensic readiness

    Journal of Digital Forensics, Security and Law

    (2010)
  • L. Duranti et al.

    Research on permanent authentic records in electronic systems (InterPARES) 2: experiential. Interactive and dynamic records

    (2008)
  • L. Duranti et al.

    Educating for trust

    Archival Science

    (2011)
  • L. Duranti et al.

    Electronic records and the law of evidence in Canada: the uniform electronic evidence act twelve years later

    Archivaria

    (2010)
  • L. Duranti et al.

    The concept of record in interactive, experiential and dynamic environments: the view of InterPARES

    Archival Science

    (2006)
  • Cited by (34)

    View all citing articles on Scopus

    Luciana Duranti ([email protected]), Professor, University of British Columbia, School of Library, Archives, and Information Studies, Irving K. Barber Learning Centre, Suite 470-1961 East Mall, Vancouver, BC V6T 1Z1, +1 604 822 2587.

    Corinne Rogers ([email protected]), PhD candidate, University of British Columbia, School of Library, Archives, and Information Studies, Irving K. Barber Learning Centre, Suite 470-1961 East Mall, Vancouver, BC V6T 1Z1, +1 604 929 0243.

    View full text