Presentation on theme: "Documentary Heritage in the Cloud"— Presentation transcript:
1. Documentary Heritage in the Cloud: Simply a Security Matter or an Oxymoron?
Luciana Duranti, The University of British Columbia
International Conference on Cloud Security Management (ICCSM 2013)
Seattle, WA, October 2013
2. Diplomatics
- The trustworthiness of records of unknown or uncertain origin needs to be assessed using scientific methods.
- Diplomatics (1681), Dom Jean Mabillon
- Trustworthiness based on the process of formation of documents, and on their formal characteristics, structure, and transmission through time and space.
- The Bella Diplomatica (judicial disputes based on diplomatic rules and on the belief that “documents are much better than navy yards, much more efficacious than munitions factories, as it is finer to win by reason rather than by violence, by right than by wrong”) gave origin to the Law of Evidence
- By the mid-18th century all faculties of law in Europe taught archival science and diplomatics as “forensic” disciplines
3. Archival Diplomatics of Digital Records
Dr. Luciana Duranti, The University of British Columbia
Archival Diplomatics: The integration of archival and diplomatic theory about the genesis, inner constitution, and transmission of documents; and about their relationship with the facts represented in them, and with other documents produced in the course of the same function and activities, and with their creators.
[Concept map; labels and definitions in the order they appear on the slide]
- The Concept of Trustworthiness
- The Concept of Record
- Reliability: The trustworthiness of a record as a statement of fact. It exists when a record can stand for the fact it is about.
- Retrospective Use
- Prospective Use
- Accuracy: The degree to which data, information, documents or records are precise, correct, truthful, free of error or distortion, or pertinent to the matter.
- Digital Record Characteristics
- Dynamic and Interactive Records
- Stable Content
- Fixed Documentary Form
- Bounded Variability
- Authenticity (identity, integrity): The trustworthiness of a record as a record; i.e., the quality of a record that is what it purports to be and that is free from tampering or corruption.
- Initiative
- On the face of the Record
- Inquiry
- Formal Elements
- Consultation
- Functions of Records
- Probative/Dispositive
- Supporting/Narrative
- Instructive/Enabling
- Attributes
- Workflow: actio et conscriptio
- Genesis of the Digital Records
- Digital Components
- Deliberation
- Digital Signature
- Categories of Records
- Manifested:
- Stored:
- Deliberation Control
- Form, Content, and Composition Data
- Metadata
- Identity Metadata
- Integrity Metadata
- Execution
- Lifecycle of Digital Records
- Phase 1: Records of the creator
- Phase 2: Authentic copies of the records of the creator
- As a Means of Authentication
- Status of Transmission
- Draft
- Original
- Authenticated original
- Copy (e.g., authentic copy)
- Application: Research Projects
- UBC Project ( )
- InterPARES 1 ( )
- InterPARES 2 (2002 – 2006)
- InterPARES 3 (in application)
- Authentication: A means of declaring the authenticity of a record at one particular moment in time
Luciana Duranti
4. The Concept of Record
European Commission. Luciana Duranti.
- Record: any document made or received by a physical or juridical person in the course of activity as an instrument and by-product of it, and kept for action or reference
- Document: recorded information (i.e., information affixed to a medium in an objectified and syntactic form)
- Information: “intelligence given,” or a message intended for communication across time and space
- Data: the smallest meaningful piece of information
Brussels
5. Digital Record Components
- Act: an action in which the record participates or which the record supports
- Persons Concurring to Its Creation: author, writer, originator, addressee, and creator (human or juridical person accumulating the records made or received and kept in the course of activity and as by-product of it)
- Archival Bond: explicit linkages to other records inside or outside the system
- Identifiable Contexts: juridical-administrative, provenancial (creator), procedural, documentary, technological
- Medium: necessary part of the technological context, not of the record
- Fixed Form and Stable Content
6. Fixed Form
- An entity has fixed form if its binary content is stored so that the message it conveys can be rendered with the same documentary presentation it had on the screen when first saved (different digital presentation: Word to .pdf)
- An entity has fixed form also if the same content can be presented on the screen in several different ways in a limited series of possibilities: we have a different documentary presentation of the same stored record having stable content and fixed form (e.g. statistical data viewed as a pie chart, a bar chart, or a table)
7. Stable Content
- An entity has stable content if the data and the message it conveys are unchanged and unchangeable, meaning that data cannot be overwritten, altered, deleted or added to
- Bounded Variability: when changes to the documentary presentation of a determined stable content are limited and controlled by fixed rules, so that the same query or interaction always generates the same result, and we have different views of different subsets of content, due to the intention of the author or to different operating systems or applications
8. Archival Fonds and Archives
Archival Fonds:
- All the records of one creator (human or juridical person: individual or organization)
- All the records of a legitimate succession of creators exercising the same functions
Archival Fonds are acquired by the archival institution, unit or program responsible by mandate or mission for their permanent preservation as documentary heritage of a society
9. Archives in the Cloud
Archival institutions and units or programs of a variety of organizations consider storing records selected for permanent preservation in the Cloud because:
- Many of the records they are mandated to preserve already exist in the Cloud
- Access would be possible from any location to anyone who can use a browser
- A trusted digital repository satisfying ISO standards as well as basic archival preservation requirements is not affordable
- The knowledge to deal with records produced by complex technologies is not commonly available among archival professionals
- Strong protection measures are often confused with preservation measures
But, to many, “Archives in the Cloud” is an oxymoron
10. Archives as a Place
- Justinian Code (534 A.D.): “an archives is locus publicus in quo instrumenta deponuntur (the public place where records are deposited), quatenus incorrupta maneant (so that they remain uncorrupted), fidem faciant (provide trustworthy evidence), and perpetua rei memoria sit (and be perpetual memory of facts)”
- Ahasver Fritsch (1664 A.D.): Archives receive trustworthiness from the fact that 1) the place of storage belongs to a public sovereign authority, 2) the officer forwarding them to such a place is a public officer, 3) the records are placed both physically (i.e., by location) and intellectually (i.e., by description) among authentic records, and 4) this association is not meant to be broken.
11. The Archival Right
- The right to keep a place capable of conferring archives trustworthiness, and therefore authority, was acquired by the bodies to whom sovereignty was delegated by the supreme secular and religious powers--cities and churches.
- Corporations, including universities, deposited their records in the camera actorum of the municipality having jurisdiction over them or in the archives of ecclesiastical institutions before acquiring the right to “keep archives.”
- By the French revolution decree of July 25, 1794, the records of defunct institutions and organizations were to be preserved by the state and made accessible to the people as its documentary heritage.
- Archival principles: Natalis de Wailly (1841), principle of respect des fonds; Max Lehmann (1882), principle of provenance (i.e. original order); Hilary Jenkinson, unbroken chain of legitimate custody
12. Trusted Postcustodialism?
- The concepts of place, jurisdiction, legitimate custody, and stability are embedded in the concept of archives, documentary heritage, and trusted historical memory, and are the condition of archival trustworthiness.
- The primary justification for these concepts is historical accountability: the people have a right to access the “authentic” documentary evidence of how they were governed.
- For this to happen, the records must be under the unbroken physical and intellectual control of a trusted third party ensuring that their interrelationships as well as those with their creator are stable.
- If archives were to exist in the Cloud, where responsibility for legal custody and intellectual control ensuring stability would be left with the legitimate preserver, but physical custody and technological access provisions would rest with the Cloud provider, could they be considered trustworthy?
- Can society entrust the Cloud with its memory?
13. What is Trust?
- In business, trust involves confidence of one party in another, based on alignment of value systems with respect to specific benefits
- In legal theory, trust is defined as a relationship of voluntary vulnerability, dependence and reliance, based on risk assessment
- In everyday life, trust involves acting without the knowledge needed to act. It consists of substituting the information that one does not have with other information
- Trust is also a matter of perception and it is often rooted in old mechanisms which may lead us to trust untrustworthy entities
- On the Internet, the standard of trustworthiness is that of the ordinary marketplace, caveat emptor, or buyer beware
- This is because there is no standard for a trustworthy trustee on the Internet
14. Trustworthy Trustees
Trustworthy trustees traditionally present the characteristics of:
- reputation, which results from an evaluation of the trustee’s past actions and conduct;
- good performance, which is the relationship between the trustee’s present actions and the conduct required to fulfill his or her current responsibilities as specified by the truster;
- inspiring confidence, which is an assurance of expectation of action and conduct the truster has in the trustee; and
- competence, which consists of having the knowledge, skills, talents, and traits required to be able to perform a task to any given standard
But we do not always have this information, and this creates blind trust
15. Parameters of Trust
- In the digital environment, technologically-mediated trust cannot rely any longer on the four characteristics used in the past.
- Different systems for the assessment of trust are required for different contexts – government, business, personal, etc.
- The parameters of trust in one cultural context may be very different from those in another context.
- Even within the restricted confines of the Western world, the very limited portion of a cultural context which is represented by the legal system is broken down into common law and civil law, and each has a different approach to trust: in common law it is based on observation of action, and in civil law on its documentary residue.
16. Balance of Trust
- If we decide to entrust our historical documentary memory to the Cloud, we must establish a balance between trust and trustworthiness that is valid across jurisdictions, primarily because of the location independence which characterizes the Cloud.
- The trustworthiness we should focus on is then not of the trustees but of the historical records that are entrusted to them, keeping in mind that historical records, a society's documentary memory, always start their life as current records and their trustworthiness should be protected from creation.
- Protecting the trustworthiness of the documentary heritage of society goes well beyond security.
17. Records Trustworthiness
Reliability: The trustworthiness of a record as a statement of fact, based on:
- the competence of its author
- the controls on its creation
Accuracy: The correctness and precision of a record’s content, based on:
- the competence of its author
- the controls on content recording and transmission
Authenticity: The trustworthiness of a record that is what it purports to be, untampered with and uncorrupted, based on:
- identity
- integrity
- reliability of the system containing it
18. Authenticity: Identity
The whole of the attributes of a record that characterize it as unique, and that distinguish it from other records.
Identity metadata:
- names of the persons concurring in its creation
- date(s) and time(s) of issuing, creation and transmission
- the matter or action in which it participates
- the expression of its documentary relationships
- documentary form
- digital presentation
- the indication of any attachment(s)
- digital signature
- name of the person handling the business matter
19. Authenticity: Integrity
A record has integrity if the message it is meant to communicate in order to achieve its purpose is unaltered.
Integrity metadata:
- name(s) of persons handling the matter over time
- name of person(s) responsible for keeping the record over time
- indication of annotations made to the record
- indication of technical changes
- indication of presence or removal of digital signature
- time of planned removal from the system
- time of transfer to the designated preserver or destruction
- time of access to the public
- existence and location of duplicates outside the system
20. Metadata in the Cloud
- How does metadata follow or trace records in the cloud from the creator to the preserver?
- How is this metadata migrated as a preservation activity over time?
- Who owns the metadata created by the service providers related to their management of the records (integrity metadata)?
- Is metadata intellectual property? Whose?
- How can this metadata be accessed by the public and what are the responsibilities of the provider towards archival users?
21. Transparency, Stability, Permanence
- An unbroken chain of legitimate custody from the creator to the preserver is not possible or demonstrable
- Records reliability cannot be inferred from known processes
- Records authenticity cannot be inferred from their documentary context and from a known preservation process
- Archives require that each record’s context be defined and immutable, with all its relationships intact. Such stability is difficult to demonstrate in the dynamically provisioned environment of the Cloud.
- What happens when hardware/software become obsolete? Is there a known migration plan?
- Termination of contract: how is records portability and continuity ensured?
- Termination of provider: how is records sustainability ensured?
22. Back to Custody
- A fundamental issue with keeping archives in the Cloud remains the distinction between the entity responsible for their permanent preservation and accessibility and the entity storing them, and the possibility that the jurisdiction under which each exists is different from that in which the individual components of each archival fonds (all the records of the same body) exist.
- Example: Europe is approving a right to be forgotten legislation which will affect all European archives. That is… exactly what? The archives under the legal control of a European archival institution? Those stored by a European Cloud provider? Those that happen to be at any given time in servers located in Europe?
- Remember “archives as a place”. Remember the “chain of legitimate uninterrupted custody.”
- The “moral defence of archives” requires transparency, stability and permanence. Whose responsibility?
23. Models to Consider
- Maritime rules of shipping centered on the recognition of the authority of the port state, the flag state and the coastal state
- Early international maritime agreements established that the nationality of the transport vessel (the flag state) would establish jurisdiction, and by extension, the laws that would be in effect
- Following the abuse of such rule, the port state was given greater control to inspect vessels coming within its territorial waters by the Law of the Sea Convention in 1982
- Similarly, coastal states through whose waters the flagged vessels transit have authority over the safety and competency of the ship and its crews and are also allowed inspection and enforcement while the vessel is in the coastal state’s waters regardless of the flag of either the vessel (flag state) or its destination (port state)
24. Making an Analogy
- A Canadian university could place its archives into the care of an American CSP which in turn maintains its data centers in Brazil.
- Following the maritime example then, the American company would be the ‘flag state’ that would be ‘moving the goods’ to their ultimate destination in the ‘port state’ of Brazil.
- This analogy becomes problematic not only because the Canadian University owning the archives would have no jurisdiction, but also with regard to the rights of the coastal state, in that the ‘pipe’ used to move the records can transit through several countries (coastal states) as they are routed along the way.
- Traditionally, ‘coastal states’ have not been granted access to inspecting packets of records as they move along the internet.
- The rules of conduct then become very difficult, if not impossible, to enforce by any of the parties involved.
25. Alternatives
- The territoriality principle is not applicable because it is not possible to know the location of the records at any given time
- The nationality principle is not applicable because nationality is an attribute of persons, not records, and the principle cannot be used to connect persons to records
- The power of disposal principle, which “connects any data to the person or persons that obtain sole or collaborative access and that hold the right to alter, delete, suppress or to render unusable as well as the right to exclude others from access and any usage whatsoever”, can be considered
- By analogy, it could be possible to consider a power of preservation principle that identifies the institutions controlling the archives as the trusted custodian and the place guaranteeing authenticity, but jurisdiction without responsibility defeats its entire purpose, even in a community cloud
26. Records In the Cloud (RIC)
A 4-year collaboration, supported by the Social Sciences and Humanities Research Council of Canada, between
- the University of British Columbia (UBC) School of Library, Archival and Information Studies,
- the UBC Faculty of Law,
- the UBC Sauder School of Business,
- the University of Washington School of Information,
- the University of North Carolina at Chapel Hill School of Information and Library Science,
- the Mid-Sweden University Department of Information Technology and Media,
- the University of Applied Sciences of Western Switzerland School of Business Administration, and
- the Cloud Security Alliance
27. RIC Objectives
- to identify and examine in depth the theoretical, methodological, management, operational, legal, and technical issues surrounding the storage and management of records/archives in the Cloud;
- to determine what policies and procedures a provider should have in place for fully implementing the records/archives management regime of the entity outsourcing the records/archives storage, for responding promptly to its needs, and for detecting, identifying, analyzing and responding to incidents; and
- to develop guidelines to assist institutions and organizations in assessing the risks and benefits of outsourcing records/archives storage and processing to a cloud provider, for writing contractual agreements, certifications and attestations, and for the integration of outsourcing with the organization's records management and information governance programs
Today you will hear about initial findings of the research project.
28. InterPARES Trust (ITrust)
- A 6-year multidisciplinary collaboration among 30 countries in 6 continents, comprising about 250 researchers.
- The project aims at producing the frameworks that will support the development of integrated and consistent local, national and international networks of policies, procedures, regulations, standards and legislation concerning digital records entrusted to the Internet, to ensure public trust grounded on evidence of good governance, and a persistent digital memory.
29. ITrust studies
To support solutions to the archival issues raised today, ITrust has initiated research on, among other matters,
- Metadata, to investigate to what degree “the human and machine readable assertions about records” existing in the cloud contribute to maintaining and assessing the authenticity of those records (Tennis)
- Authenticity, to find a method for calculating, associating with records, and presenting trust parameters and the provenance of those parameters (Cohen)
- Trust relationships, from the perspective of creators, preservers and users of records/archives (Foscarini)
- Model contractual provisions dealing with technological change; inter-jurisdictional and government regulation; accessibility; intellectual ownership; protection of confidentiality and privacy; agreed remedies in the event of breach of contract; “privity” of contract and subcontracting, to identify just a few of the contentious areas (Sheppard)
30. Conclusion
- We need to work towards resolution of issues as they present themselves, with the aim of developing solutions framed as a balance of trust.
- To establish a “balance of trust” requires enabling the development of trustworthy procedures and contractual conditions, in addition to secure technologies. We need to do so by
  - identifying the changes required in our paradigms of trust in records/archives and preservation systems, and
  - developing an internationally shared trust framework that both providers and users can live by, because the current framework within which the Cloud operates and security concerns are addressed is inconsistent within and across jurisdictional and disciplinary boundaries.
- Only then can we require and expect stability, transparency, accountability, and permanence in addition to security and economy, develop a Trust in the Cloud founded on the Trustworthiness of the material it stores, and conclude that “documentary heritage in the Cloud” is not an oxymoron.