At the Society of American Archivists (SAA) Annual Meeting, one of the discussions focused on electronic discovery and the context of electronic records in the workplace.
The panel included:
Chairperson, Luciana Duranti, the University of British Columbia / Archival Studies
Panelist, Corinne Rogers, the University of British Columbia
Panelist, Donald C. Force, the University of British Columbia
Corinne Rogers presented “Trust Me! I’m a Digital Record,” a slide deck on the three-year Digital Records Forensics Project, a collaboration among the University of British Columbia's School of Library, Archival and Information Studies (SLAIS), the UBC Faculty of Law, and the Computer Forensics Division of the Vancouver Police Department.
The project embraced the challenge of bringing together records management, archives and the police:
- to integrate the knowledge of archival diplomatics, computer forensics and evidence law;
- to identify “records” among all the digital objects created in and by a complex system; and,
- to establish their authenticity, particularly in cases where they have been removed from the originating system.
The final point is significant because records managers, lawyers and judges understand authenticity differently. It is evident from the literature in the domains of law and digital forensics that there is a lack of consensus on definitions, even as the amount of digital material referenced in the professional literature and in the laws governing documentary evidence increases.
The research objectives (from the website):
- to develop concepts and methods that will allow the records management, archival, legal, judicial, and law enforcement professions to recognize records among all kinds of digital objects produced by digital technologies once they have been removed from the original system;
- to develop concepts and methods for determining the authenticity of records no longer in the original system and/or in the original format;
- to develop methods for maintaining records acquired from crime scenes or created by police to pursue crime over the long term so that their authenticity will not be questioned; and
- to develop the theoretical and methodological content of a new discipline, called “Digital Records Forensics,” resulting from an integration of Archival Diplomatics, Computer Forensics and the Law of Evidence with the project’s newly developed knowledge.
Besides a literature review, a series of interviews was held. Admittedly, the sample size was small (twenty interviews): records professionals in law enforcement or judicial systems, digital forensics professionals, judges, and lawyers -- all selected by reference or because of their interest in or knowledge of digital evidence issues. Each questionnaire was tailored to the four disciplines and intended to reveal how law enforcement and legal professionals are coping with digital evidence.
- What do you consider to be a digital record?
- When do you consider digital records to be authentic?
- What are the characteristics of authentic digital records?
- Do you see challenges to maintaining authenticity of digital records over time?
- Lack of consensus or consistency on the definition of digital records in the legal environment, and
- Lack of consensus on the meaning of digital records’ authenticity.
The Project’s Theoretical Framework
- Archival Diplomatics;
- Definitions of records and authenticity (identity on one end of the scale and authenticity on the other); and
- InterPARES: Benchmark research supporting the presumption of authenticity; baseline research supporting the production of authentic copies of electronic records (See InterPARES 2 Project Ontology C: trustworthiness of a record).
- Variables: role
  - What is the professional role of the respondent?
    - Records professional
    - Digital forensics
- Variable: recordDef
  - What is the respondent’s definition of a digital record?
    - Response: basically anything stored in digital media
- Variable: authenticityWhen
  - When does the respondent consider a digital record to be authentic?
- Variable: authenticityArchival
  - Does the respondent have an “archival” view of authentic?
- Variables: authenticityChallengesWith, authenticityConcernLongTerm
  - Does the respondent see challenges to maintaining authenticity over time?
- Variables: digitalChallengesWith; digitalChallengePreservation
- Variable: digitalChallengesKnowledge
Analysis of Survey Responses
What is a digital record? 55% think a record is anything on digital media. 83% of records managers responding said “purpose specific” or archival.
When is digital material authentic? By a 2-1 margin, records professionals said a record is always authentic. Those working with lawyers in the courts said they don’t have to consider authenticity points. Judges were concerned that records are authentic, but they didn’t care about the abstract.
Identified characteristics of authentic digital records: what do you consider to be the main characteristic? Authentication was equated with authenticity. Records professionals identified specific points of authenticity (for example, dates created).
What are the challenges with maintaining authenticity over the long term? For each respondent type, they acknowledged anything in general, but several denied there are challenges in maintaining over time.
Are there challenges with digital environments/preservation? Yes. Everyone thought there were challenges with digital evidence, but judges, lawyers and forensics professionals said they didn’t care -- the issues weren’t their concern.
Note: all agreed that special knowledge is required, but they were split as to what percentage of technical understanding versus records-related knowledge was best.
The definition of a record is context-specific within each domain. Authenticity is often presumed, and if/when it’s discussed, it’s in terms of the specific system producing the record.
A more detailed survey with a larger sample size is needed. This study could support educational programs and curriculum development for records professionals.
Donald Force continued the session with What ‘Best Evidence’? Archival Discourse and Judicial Decisions.
Courts are overcome by the sheer volume of documentation. We’re seeing electronic records move so quickly and move so fast and the law grows at a snail’s pace, he said. Then Force outlined Article 10 of the Federal Rules of Evidence (Rules 1001—1008). The courts do acknowledge that we’re only human. If you lose records by accident, these things happen. But if you purposefully destroy when you know you should be retaining, you’re in hot water -- which is basically what Rule 1004 is about.
For example, see USA v. Diaz-Lopez. This is a good example of how electronic records are multiplying in such high volumes that the courts can’t keep up. Judges are responding off the cuff. Lawyers aren’t technically savvy people, either. The Best Evidence rule is designed for the admissibility of evidence, and Best Evidence is being applied in the discovery phase of litigation. When organizations are disclosing relevant documentation to each other, discovery is wide open as to what’s relevant.
In truth, Force said, metadata is the big controversy. Judge Grimm of the District Courts in Maryland (Lorraine v. Markel) agrees. Disclose the not-best evidence in the beginning -- at the top of the process. Just because you disclose doesn’t mean it will be admitted. Force restated FRC 26(b)(1) and defined metadata. Then, he offered the following:
- Williams v. Sprint/United Management Co.: evidence should be produced with metadata intact -- but unfortunately not all courts have subscribed to this approach.
- Ky. Speedway, LLC v. NASCAR: the court says “in most cases and for most documents, metadata does not provide relevant information.” Not all courts are convinced. Incidentally, the basis for the decision was pulled from Principle 12 of The Sedona Principles 2nd Edition.
- Wyeth v. Impax Laboratories, Inc.: “Therefore, the producing party must preserve the integrity of the electronic documents it produces.” Courts say you could justify not paying attention to the integrity of evidence, but on the other hand, be aware how it is rendered and accessed.
- Lake v. City of Phoenix: Lake sought police notes plus their metadata. Lake asked if metadata fit within the definition of public record according to the state of Arizona. Its Supreme Court said yes.
- Although Judge Scheindlin has withdrawn her decision on National Day Laborer Organization Network v. U.S. Immigration and Customs Enforcement Agency, and therefore it has no precedential value whatsoever, for the first time the courts attempted to define the most appropriate metadata to accompany evidence:
  - File name
  - Source device
  - Source path
  - Production path
  - Modified date
  - Modified time
  - Time offset value
  - Date sent
  - Time sent
  - Date received
  - Time received
“No two organizations are the same,” Judge Scheindlin said. “But you have to justify why you are different.”
Force said the Best Evidence rule continues to evolve. Not all electronic records are equal. Unfortunately, the courts still lack understanding of the role of metadata and its relationship to electronic records.
Luciana Duranti commented:
“What does all this mean? Why should we care? Records managers and increasingly archivists must care. Many e-Discovery issues affect archives. Archivists made records inadmissible by changing original order (in Arizona). The biggest issue is integrity. When archivists speak about integrity, they mean leaving a message intact. But forensics professionals are more specific: they understand data integrity, system integrity, duplication integrity and system integrity -- even bit-wise integrity which must be maintained in exact order. A hash digest maintains order and volume -- documents to digest, but not vice versa.
On the obsolescence of the digest, they must be migrated continuously. Forensics rely on versions, especially when redactions are made and privacy is protected. Metadata must also be kept and preserved. Even so, everyone has said in the forensics environment it’s impossible to maintain integrity…instead there must be an inference made from integrity of the system in which the record resides. The integrity of the system is also based on some technical gates, such as user permissions, passwords, access, transaction, audit logs, etc., but ultimately even those can be easily bypassed by those who know how.
Ultimately the most important kind of integrity that must be protected is the record system by proving it functions as it is supposed to according to written procedures. Process integrity is most important, which forensics is not familiar with. That’s where our knowledge comes in, why records integrity can be supported partly by tech means and partly by the application of Diplomatics concepts. Integrity of the system can be ensured in addition to technical means coupled with our understanding of records management. Duplication integrity is especially important because we can’t preserve digital records when we duplicate them. We change the integrity of records when we duplicate.
An interdisciplinary approach requires forensics, records management and archives knowledge. We conclude we can integrate all three knowledges in one new integrated discipline and we’re doing just that at the University. We’re teaching digital records forensics this year for the first time at the University of British Columbia. We will see a stream within the curriculum changes. We’re even partnering with the University of Washington in Seattle where the forensics students take the archival / records management courses and our students take their forensics. The entire project was meant to understand what knowledge is needed.”
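The digest properties raised in Duranti's comments (sensitive to bit order, one-way, and needing migration as algorithms age) can be seen in a short sketch. This is an added example, not code from the session or the Digital Records Forensics Project; the sample record, the dates, the SHA-1 to SHA-256 choice and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample record, and a copy holding the same bytes in a different order.
RECORD = b"2011-08-26T10:15Z|unit=records|note=Exhibit 7 received from scene"
REORDERED = RECORD[20:] + RECORD[:20]  # same volume, same bytes, different order


def digest(data: bytes, algorithm: str) -> str:
    """Hex digest of data; one-way, so the record cannot be rebuilt from it."""
    return hashlib.new(algorithm, data).hexdigest()


def verify(data: bytes, entry: dict) -> bool:
    """True if data still matches a recorded digest entry."""
    return hmac.compare_digest(digest(data, entry["algorithm"]), entry["digest"])


def migrate_digest(data: bytes, chain: list, new_algorithm: str, when: str) -> list:
    """Append a digest under new_algorithm, but only after the data has been
    verified against the newest existing entry, so each newer digest is
    linked back to the older one it replaces."""
    if chain and not verify(data, chain[-1]):
        raise ValueError("data does not match its recorded digest; not migrating")
    entry = {
        "algorithm": new_algorithm,
        "digest": digest(data, new_algorithm),
        "recorded": when,  # constructed date string
        "verified_against": chain[-1]["algorithm"] if chain else None,
    }
    return chain + [entry]


def duplication_intact(copy: bytes, chain: list) -> bool:
    """A duplicate is bit-wise intact if it verifies against the newest digest."""
    return bool(chain) and verify(copy, chain[-1])


if __name__ == "__main__":
    chain = migrate_digest(RECORD, [], "sha1", "2011-08-26")       # digest at acquisition
    chain = migrate_digest(RECORD, chain, "sha256", "2024-01-15")  # later migration
    print(duplication_intact(bytes(RECORD), chain))  # exact duplicate
    print(duplication_intact(REORDERED, chain))      # same bytes, wrong order
```
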
To learn more about the 2011 program for the Society of American Archivists Annual Conference, visit SAA’s website here.