Thursday 15 March 2012

Top 10 Pitfalls in Protecting Digital Content: The Reasons for Failure

Introduction

The need to prove the provenance, integrity and authenticity of an electronic document has become an area of increasing interest over the last few years. This includes the ability to prove times and dates of the creation and any modification of the documents. But is all this really necessary? Do businesses need to have this sort of functionality in place? Until recently, electronic records were treated much like their paper counterparts, at least in terms of their admissibility as evidence in a court of law. But this seems to be changing and quickly. In several landmark rulings, electronic business records that earlier would have been routinely admitted into evidence have been excluded because of questions as to their authenticity.
The December 2006 amendments to the Federal Rules of Civil Procedure have caused corporate IT departments to spend huge sums building systems to respond to eDiscovery requests. But if the authenticity of the documents so produced is challenged, that might be money down the drain. As a result, authenticity challenges around electronic records are emerging as a serious problem for attorneys. They can also represent an opportunity, once counsel begins to understand the new litigation tactics that can be used to win cases or drive settlements.

There are a few key areas in which a solution that performs these key authenticity functions is useful. They are:
·         Compliance
·         Copyright
·         Intellectual property protection
·         Protection of your legal position
Even from this short list it appears that there are an abundance of reasons as to why you should invest in a solution which reduces the burden of compliance, and which acts as a proof of ownership and copyright.  But what is the flipside? Are there any reasons not to introduce a solution for this purpose?

We’ve compiled a list of 10 reasons why you shouldn’t digitally fingerprint and protect your documents:

You don’t foresee an event where you will have to prove a document’s integrity.


And why would you? Nobody ever expects things like this to happen to them.
However, you may just be looking at this from the wrong perspective. For example, ask yourself this question: “Why have I got motor insurance?” Most people think that they will never have a car crash.  So why do they insure their cars? Ok we hear you, it’s the law and it could cost you a fortune not to have it in place. Proving a document’s integrity is similar however. You don’t realise you have to have a solution in place until it’s too late. Should a situation arise (e.g. a court case) where you must prove the authenticity and integrity of a particular document having a solution in place could save your organisation a fortune in legal fees, fines and compensation payments for example.

You like going to court.

Everybody likes a day off work and a trip to a courtroom can be quite fun on occasion. Whether you’re the plaintiff or the defendant, your day out of the office will be far less enjoyable if you don’t have the ability to prove the integrity of a document which is being used as evidence. If this document is the smoking gun your case is built on, you’re in serious trouble as it will probably be thrown out of court. Whether or not spoliation has occurred it is your ability to prove the document’s integrity that matters. The risk to you personally as an employee can be quite high especially if this is a document which should have been protected by you or your department (e.g. an employment contract if you are a HR manager, financial reports if you are a CFO). Not only could this potentially cost your organisation millions you are probably going to lose your job. On the bright side, a few more days off work.  But if this is not what you want, you have to ask yourself, “Have I covered all the bases?”

You enjoy falling foul of compliance regulations

It’s almost as good as being a teenager rebelling against your parents again. The only issue is that it’s a little more risky. Failing to comply with regulations such as Sarbanes-Oxley (SOX) or the Federal Rules of Civil Procedure (FRCP) can land a company in hot water leading to penalties including fines and jail time depending on the situation. There are so many different compliance regulations, across virtually every industry, that it has become extremely difficult to make sure you are compliant with them all. By being able to prove the integrity and authenticity of a document you are ensuring you are able to prove your compliance around many regulations concerned with spoliation, falsification of documents, ownership and much more.

You like to risk major financial penalties

“Our company is doing well we can afford legal fees, a few fines and compensation payments.” And maybe you can. But wouldn’t it be better to avoid the situation altogether and invest a comparatively small amount in protecting your legal position with the ability to prove the authenticity of your documents.

You don’t have the cash flow.

Ok fair enough. In the current economic climate businesses need to make savings wherever possible. But you really have to think long and hard about what you can afford not to have and what is essential. Think about our last point. Can you afford a financial penalty down the road from not being able to prove the authenticity and integrity of your document? It’s unlikely, cash is the life blood of business, without it your business could go under and even if it doesn’t your cash flow will not be in a healthy position.

You are not worried who tampers with your digital content

Do you even have a reason to worry? You probably don’t think you do. The problem with digital documents is the ease which they can be changed and the fact that these changes are often undetectable. There’s little that you can do to stop a document being altered once somebody else is in control of it. However, if you know it has been changed, as well as what has been changed and when it has been changed, it can allow you to take the appropriate action to rectify the situation. The only way to do this is introduce a solution which digitally fingerprints, time stamps, verifies and authenticates the document’s integrity highlighting when a change has occurred to your document. Whether it’s your web site content, your blog, your images or critical data your organisation and 3rd parties like customers or regulators make decisions on you want to know its valid content.

You like other people taking credit for your work

Some people are just modest in nature. If you produce any piece of work such as website content, reports, articles, music and photos to name but a few, the last thing you want is another person to pass it off as their own original work.  You can’t stop this happening but with digital fingerprint technology you can make sure you can prove ownership and copyright of your work and get the credit and financial rewards you are entitled to or simply prevent the person or organisation for using your work without permission.

You don’t want to make financial gains from your intellectual property

There could be many people in the world like you who just are not interested in making money. But if you are sitting on a gold mine and really want to make the most of your idea or invention you need to be able to prove the copyright of your intellectual property. Although you own the copyright as soon as the idea is recorded if you cannot prove when and in what form the idea was recorded, you are leaving yourself open to the risk of somebody stealing it and using it themselves. Ever heard of Antonio Meucci? Most people haven’t. He is the man who invented the telephone. However, he was unable to pay the patent caveat for the telephone (it was $10 at the time) and a worker in the patent office decided that this telephone wasn’t such a bad idea. Of course we all know who is credited with being the “inventor” of the telephone, Alexander Graham Bell. For years, the two fought out legal battles (including some on their behalf posthumously) about who had invented the telephone, a situation that could have been avoided had the technology of digitally fingerprinting documents been around back in them days. Had this been the case Antonio Meucci and Alexander Graham Bell would have been able to comprehensively prove who had invented the telephone first.

You are not worried whether others trust you or your content

Maybe your digital content has no value in your eyes and is not intended to inform, advise, protect or cause action. But if it is, then you want the users of the content to be confident in and trust the integrity of you digital content. As digital content is so easily manipulated, often in an undetectable way, you also need to have confidence in the content you produce, knowing that you can reliably prove its provenance, authenticity and integrity.

You don’t rate your competition

If you are an SDK developer you want to have every possible advantage over your competitors. If your product is in a sphere where being able to prove the integrity, authenticity and provenance could be important, adding a function that digitally fingerprints your electronic documents could give you the competitive advantage you need. However, if you don’t rate your competitors you probably don’t have to worry, unless of course they add the function to their SDK.

Cases

Amex v. Vinhnee, December 2005

In this case, American Express claimed that Mr.Vinhnee had not paid his credit card bills, and took legal action in order to recuperate the money. However, the judge decided that American Express had failed to authenticate the electronic records being used as evidence, and that therefore Amex’s business records were inadmissible as evidence.
American Express tried to have the records admitted as evidence a second time and they were yet again told the records were inadmissible on the grounds that they failed to sufficiently establish a foundation of authenticity for the records offered into evidence. Finally, American Express appealed this judgement and lost a third time. Interestingly, the defendant didn’t show up for the court date, and wasn’t even represented by counsel.
This decision is considered significant because it said, in effect, that electronic records are not automatically presumed to be admissible (in court) unless you can prove that the electronic document submitted is identical to the original record. The decision also meant that courts and counsel would require parties submitting digital documents as evidence to show some way of testing and proving the authenticity of those electronic documents.
In this case, the judges made it clear that the digital records presented by Amex were “too vague” to be admissible as evidence, in essence, asking the court to accept so-called “inferred authenticity” which was judged to be insufficient.
The judge pointed out that, “... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record … so as to assure that the document being proffered is the same as the document that originally was created…. Ultimately, however, it all boils down to the same question of assurance that the record is what it purports to be.”

Lorraine v. Markel, May 2007

In this case, a couple took their insurance company to court in a dispute over the cause and amount of damage to their yacht which had been struck by lightning. Both parties petitioned the court for summary judgment, and Judge Paul Grimm dismissed both of these motions, because the digital documents at the center of the case could not be authenticate and therefore were inadmissible as evidence.
In his opinion, Judge Grimm wrote, “The primary authenticity issue in the context of business records is on what has, or may have, happened to the record in the interval between when it was placed in the files and the time of trial. In other words, the record being proffered must be shown to continue to be an accurate representation of the record that originally was created.”
There has been a major rise in the amount of federal judges that are concerned that electronic documents have been manipulated or altered before being produced for use in litigation or that the programs and procedures used to create and maintain these digital documents cannot be relied upon to protect these documents from manipulation by corporate insiders.
This ruling makes it clear that while some courts will continue to view electronic business records much as paper documents (which are rarely challenged on grounds of authenticity), attorneys should be prepared to face more frequent challenges to e-records in the coming years. Judge Grimm wrote, “Unless counsel knows what level of scrutiny will be required, it would be prudent to analyze electronic business records that are essential to his or her case by the most demanding standard. The cases further suggest that during pre-trial discovery counsel should determine whether opposing counsel will object to admissibility of critical documents.”
“The logical questions extend beyond the identification of the particular computer equipment and programs used,” the judge wrote. “The entity’s policies and procedures for the use of the equipment, database, and programs are important… how changes in the database are logged or recorded, as well as the structure and implementation of backup systems and audit procedures for assuring the continuing integrity of the database, are pertinent to the question of whether records have been changed since their creation.”
He concluded, “Further, although ‘it may be better to be lucky than good,’ as the saying goes, counsel would be wise not to test their luck unnecessarily. If it is critical to the success of your case to admit into evidence computer stored records, it would be prudent to plan to authenticate the record by the most rigorous standard that may be applied.”

About Digiprove

How it works?
Digiprove is a service that supplies independent time-stamped proof of digital content (without the need to send or store the content with us thus maintaining full confidentiality). Think of it as a Digital Notary. It automatically takes the digital fingerprint of all content submitted to it and provides certification of its existence.
It does this by encoding and time-stamping the relevant digital content and issuing a digitally signed certificate referencing this content. The service is based on a patented process and the proof is indisputable.
Auto-Protect uses the proven core technology of Digiprove and is designed to be deployed within organisations as a background process that just runs automatically without manual intervention. All you need to do is record your digital data according to the folder structure you have chosen (you are probably already doing this).
Note that although the Digiprove service itself is SaaS (Software as a Service), it co-exists with your existing office automation and business software and hardware – you do not have to discard your existing investment in software and hardware in fact you can point autoprotect to your current application data and it will also be automatically protected
The beauty about the way this has been set up is that there is the absolute minimum amount of dependence on you or your staff to run backups or do housekeeping tasks. The main task that requires manual intervention is the process of indexing all newly created or amended documents (incoming and outgoing). To make all this work, you will need to adopt a standardised folder structure and file naming conventions.
Independent Expert Opinion
The Digiprove service has been independently examined and tested by Georgia Tech who are one of the foremost world experts in digital security, and they had this to say:
“… the process described in the patent does indeed provide a tamper-proof way to show that digital data has not changed since its timestamp. The process also provides a provision to validate any alteration made after it has been time stamped… the software does faithfully implement the patented 'Digiprove' process providing an authenticated method for establishing proof of existence and possession of digital content of any kind.”
For more information
Email info@digiprove.com

Monday 5 March 2012

Irish Internet Copyright Order Signed Into Law

An Irish ministerial order that allows copyright holders to seek legal injunctions against some Internet service providers was signed into law last week. The law allows plaintiffs seek legal injunctions against Internet service providers that allow access to websites that contain copyrighted material.

The Irish Minister for Research and Innovation, Sean Sherlock, said upon signing the amendment, “I believe that in Ireland we must build on our very substantial achievements in the creative and digital media industry, and become a model of international best practice for innovation in the area.”

Online copyright concerns
The law comes after concern over Internet copyright boomed in 2011. With online media a major growth point, music industry and entertainment industry officials have been pushing for more stringent controls over the use of media online.

The move has encountered a lot of opposition, however, and has been dubbed the “Irish Sopa” in reference to the US Stop Online Piracy act, which was defeated after a robust campaign from major websites and activists. Those who were opposed to the “Irish Sopa” say that it’s a bad move because it doesn’t solve the legal problem of uncertainty that this law is suggested to solve.

Minister Sherlock went on to say that “Ireland is home to some of the world’s most innovative Internet companies, and we are determined to grow our reputation as a location where smart people and smart companies can innovate in this fast-moving area”.

An answer to the Internet copyright issue
There is a large amount of concern over Internet copyright law. Particularly for those who post content online like blogs, articles, white papers and video, there is not much by way of protection or comeback when these kinds of content are stolen, reproduced or plagiarized. Government policy remains murky.

There is now an answer to the online copyright question for organizations. Companies can take advantage of Digiprove’s Autoprotect technology to create a unique digital fingerprint & timestamp and legitimize online content in order to prove its origins, without the need to upload the content (It remains confidential to the owner/author).

www.digiprove.com


Embed Trust, Compliance & Protection in Software & Data

Introduction

Your software whether COTS or Bespoke brings to your client’s or your own organisation the benefits of automation and the flexibility of digital processes & content, these benefits are indirect when you consider the primary drivers are likely to be Improve Financial Performance, Customer or Citizen Service, or carry out tasks that would not be practical to carry out manually.

Software Applications or Information systems are central to the creation and flow of Information in every aspect of business life today, they support every function in the organisation and decision making at every level from the front line or shop floor up to the board room and for external parties.

Your business/organisation is providing these software products and IT solutions to your client’s/end user’s and they are central to their business processes, legal and regulatory compliance. So why is there so much emphasis on printing and signed paper records? The answer is “Trust”. Digital data & content can be easily manipulated accidentally or maliciously even with what would be perceived as good IT security. A professional malicious hacker can circumnavigate most standard security and the use of elaborate security solutions can be very costly and make usability an issue.

How do you bring trust to the digital content your application creates, handles or uses, in a simple cost effective manner? If your software ticks all the boxes below, then you have a compelling proposition, if you don’t tick all the boxes then don’t worry by doing a quick free integration of Digiprove technology or alternatively installing Autoprotect from Digiprove you can secure the trust of any user or 3rd party in the information your solution provides:

þ Provenance of any digital content can be established (Origin)
þ Digital content can be verified as it is used or at any time on and off line (Tamper evidence)
þ Tamperproof & Auditable logs of content history (Life cycle events)
þ Content does not leave its operating environment (Remains Confidential)
þ Meets Legal and evidential requirements for eDiscovery, Spoilation identification and preservation.
þ Meets business and regulatory requirements for digital signatures, digital records, and Integrity.
þ Creates unique digital fingerprint and certification for any type of digital content.

What Value will the integration of Digiprove into our solution bring?

·         It enables your software solution stand out from the competition by ticking all the boxes above.
·         It enables trust and confidence for all stakeholders in the digital content integrity, its provenance is assured and any tampering identified.
·         It secures the evidential value of digital content for business decisions and for any 3rd party investigation (which may include eDiscovery)
·         It will enable compliance with 3rd Party requirements, such as regulators, government & auditors.
·         It will allow you operate without any paper in your process
·         It will differentiate your software solution.

How does Digiprove achieve this? And what is Digiprove’s evidence?

Digiprove is a unique patented technology process that without the need to transmit your digital content to Digiprove, creates a unique digital fingerprint of your digital file(s), it securely registers the fingerprint with the metadata such as owner, Date, Time, Location and creates an audit trail so that should the digital content be altered in anyway it will be evident on verification. Verification can be completed on or off line or can be fully automated using a component from the Digiprove Software Developers Kit.

Our evidence is that we already have over 5000 users and specifically using our SDK it has been integrated into software/solutions with applications in compliance such as Financial Services, Human Resource Management, Financial and legal. In addition The Georgia Technology Institute, the world’s leading authority on Digital Security has tested and verified Digiprove’s technology and here is what they say:

“… the process described in the patent does indeed provide a tamper-proof way to show that digital data has not changed since its timestamp. The process also provides a provision to validate any alteration made after it has been time stamped… the software does faithfully implement the patented 'Digiprove' process providing an authenticated method for establishing proof of existence and possession of digital content of any kind.”