CC BY
44
УДК 004.75+004.9
ДОВЕРИЕ К ДАННЫМ И АРХИВАМ В ОБЛАКЕ: НОВЫЙ ЭТАП ПРОЕКТА INTERPARES
TRUST IN RECORDS AND ARCHIVES IN THE CLOUD:
A NEW PHASE OF THE INTERPARES PROJECT
© Лучиана Дуранти
Luciana Duranti университет Британской Колумбии, Ванкувер, Канада. The University of British Columbia,Vancouver, Canada.
В статье рассмотрен новый этап международного междисциплинарного научно-исследовательского проекта InterPARES, целью которого является разработка мер по долгосрочному сохранению электронных данных. Проект финансируется до 2019 г. Исследовательским советом социальных и гуманитарных наук Канады и многими другими учреждениями и организациями по всему миру и является четвертым этапом исследовательского проекта InterPARES, начатого в 1998 г.
Ключевые слова: электронные документы, цифровые архивы, достоверность, надёжность, облачные вычисления.
In April 2013, a new international multidisciplinary project involving universities, governments, businesses, and cultural heritage institutions in six continents and thirty countries began its research activities, which are funded until 2019 by the Social Sciences and Humanities Research Council of Canada and by all participating partners. This is the fourth phase of a research project initiated in 1998, called International research on Permanent Authentic Records in Electronic Systems (InterPARES) [1], and addresses the issue of trust in records and archives created, used, maintained and/or permanently preserved online, thereby taking the name of InterPARES Trust.
Because records and archives entrusted to the Internet must satisfy the requirements of reliability, authenticity (i.e. identity and integrity), accuracy, usability, accessibility, and preservability, so that transparency and accountability (legal, administrative, and historical) are ensured, and documentary evidence is protected together with the documentary sources for history, the collaboration of all disciplines concerned with these qualities
И luciana.duranti@ubc.ca
This paper presents the goal, objectives, research questions, and methodologies of a new international interdisciplinary research project called InterPARES Trust, whose purpose is to develop a universal framework for the online creation, use, management and long term preservation of reliable, accurate and authentic records and archives, to ensure that they can be trusted by all those who need to use them now and in the future. In the process, the paper shows how digital forensics can support such goal, particularly the security and protection aspects of it, if used prospectively rather than only retrospectively, and how the integration of the theory of records and archives in its body ofknowledge can further develop digital forensics as a discipline and help it in accomplishing its purposes.
Key words: digital records, digital archives, digital preservation, authenticity, trustworthiness, trust, transparency, digital forensics theory, cloud computing.
of records and archives is necessary to the success of InterPARES Trust, and among them digital forensics has a special role in determining the outcome of this research project.
In contemporary practice individuals and organizations are increasingly saving and accessing records in the highly networked, easily hacked environment of the Internet, where current policies, practices and infrastructure prohibit us from being able to assess our trust in records as evidence and in archives as sources by relying on the paradigms of the past, that is, on four types of information about their custodian: reputation, which results from an evaluation of the trustee’s past actions and conduct; performance, which is the relationship between the trustee’s present actions and the conduct required to fulfill his or her current responsibilities as specified by the trustor; competence, which consists of having the knowledge, skills, talents, and traits required to be able to perform a task to any given standard; and confidence, which is an assurance of expectation of action and conduct the trustor has in the trustee [2]. How
can we make decisions related to trust in this new environment? Are there grounds for trusting the institutions and/or professionals who hold digital records about us to make the right decisions about keeping them safe and accessible only to those who have a right to see them, using them for good and in a transparent way, disposing of them when required, and selecting reliable Internet providers for storing and managing them? If yes, what are those grounds? Who has established them, and in the context of what values and purpose?
The interconnectedness of the Internet is forcing us into one community without the benefit of gradually getting to know one another. As the United States developed the Internet, its social, political, economic views are reflected in its management, thereby rankling other countries. What does that mean in terms of policies and practices regarding the handling of digital records residing with Internet services and social media providers? Even when such policies exist and are sound, there is a big issue with technology outpacing society. For example, the United States Telecommunications Act of 1996 formally ushered in deregulation of the telecommunications market, mandating that existing carriers make their infrastructure, including networks, space and equipment, available to their competitors—the motivation being economies of scale. However, at that time, no one considered that with aggregation they were creating single points of failure in the telecommunications infrastructure— potential vulnerabilities that could put entire regions at economic risk [3].
Regardless, people in general trust all kinds of organizations (e.g. banks, phone companies, hospitals) to keep and maintain their data/records/ archives on their behalf. In effect they have shifted their trust from the central records repository in their home or office to distributed archives online, the stewardship for which is entrusted to others. Where their records actually reside, how well they are being managed, how long they will be available to them... they have no idea! Many organizations are recognizing this shift and becoming concerned about a liability they may not have thought they were assuming (especially as more and more clients abandon their own recordkeeping and place greater reliance and trust on the recordkeeping abilities of the organizations with which they interact). Furthermore, organizations like Bell, Rogers, or Amazon are amassing huge volumes of data that they use to provide a host of services, many of which focus on marketing and securing competitive advantage. This is the evolving world of big data’, the exploitation of seemingly innocuous records (e.g. call center records, purchase orders, etc.) to produce data that can be re-manipulated to serve a host of purposes, also called ‘data mining.’ Big
data are introducing a view of records that flips our traditional view on its head: certain records can grow in value if it is recognized that their accumulation through time will enable the production of data that themselves will grow in value as their potential to support organizational priorities (especially strategic priorities) is realized. However, big data also fosters a range of democratic objectives, from promoting government transparency to supporting research to contributing to public-private sector goals and priorities and in this sense their accumulation and use should be encouraged.
The issues for data and records coincide. Can the data be trusted? Can the records from which the data are derived be trusted? Are they complete? Are they authentic? How were they generated, by whom and under what conditions? Is there sufficient contextual information to enable them to be understood? These are questions faced by quite a number of organizations that are beginning to act on the realization that their data holdings (and the records from which those data are generated) are digital assets that need to be managed effectively if they are to be trusted by those making decisions and by clients, customers, citizens, etc. One of the catch words in this arena is ‘traceability’, that is, the ability of an organization to trace back from the data it is using for decision-making, service delivery, etc. to the source records from which the data are derived. The issue of traceability of data to trusted records is becoming huge and constitutes the foundation of trust in data.
The goal of InterPARES Trust is to generate the theoretical and methodological frameworks that will support the development of integrated and consistent local, national and international networks of policies, procedures, regulations, standards and legislation concerning digital records entrusted to the Internet, to ensure public trust grounded on evidence of good governance, a strong digital economy, and a persistent digital memory.
The objectives of this research are:
- to discover how current policies and practices regarding the handling of digital records by institutions and professionals affect the public’s trust in them, in light of the exponential growth of and reliance on Internet services;
- to anticipate problems in maintaining any trust in digital records under the control of entities suffering a waning level of confidence from the public (including legal, law enforcement, financial, medical, broadcasting, “hacktivist,” and governmental organizations and professionals);
- to establish what significance national/ cultural contexts have with regard to the level of trust digital records on the Internet enjoy;
- to articulate model policies, procedures, and practices for creating, managing, accessing,
and/or storing records on the Internet, especially in social media and cloud computing environments and through mobile technologies, and test them in a variety of contexts so that, from them, international standards, guidelines and best practices can be developed, and
- to formulate proposals and models for law reform, and functional requirements for the systems in which Internet providers store and manage digital records.
Although the focus will be on the relationship between organizations (both not-for-profit and for-profit) and particular client groups (citizens, customers, readers, students, etc.), with client groups becoming concerned about the degree of ‘trust’ they can place on records generated and/or stored and accessed on the Internet and organizations becoming concerned about establishing and maintaining that trust, the same themes will also be addressed within the context of organization to organization and client group to client group relationships. We will also consider the relationship between an organization and its own employees and the extent to which issues of trust are growing here as well, that is, how much employees can trust their own records or the records produced by others in their same organization, especially considering 1) the increasing popularity of “bring your own device” policies, according to which organizations would not provide employees with information technologies but ask them to use their own androids, laptops, etc. for business purposes; 2) the expansion of mobile computing within organizations, and 3) the proliferation of “apps,” which are substantially changing employees’ use of software while menacing corporate control of Information and Communication Technologies (ICT) and the records they produce [4].
The research theoretical framework is adapted from archival and diplomatics theory, in particular the ideas that are foundational to trusting records [5]. However, it also relies on theories adopted by the information systems management field to understand better the issues and address them. From an organizational point of view, success in the use of the online environment is based on three categories of benefits: strategic, economic, and technological. In business, trust generally refers to one party in the relationship having confidence in the other party, based on alignment of value systems with respect to those benefits [6]. The business view stresses the fact that choices like that of keeping an organization’s records on the Internet must be based on capabilities that go well beyond physical and human assets to include leadership, business-systems thinking, relationship building, architecture planning, contract facilitation and monitoring, etc. [7]. Thus, the project uses resource-based theory, which focuses on the importance of
technical, managerial, and relational capabilities for leveraging resources to maximize competitive advantage [8]. Resource-based theory shows performance differences among organizations in the way they leverage these resources and can help to identify and capitalize on the resources unique to cultures, societies, and types of organizations to articulate models that can work internationally.
Another framework relied upon by the information systems management field, among many other fields, is that of risk management, an area of study that complements that of trust and in a way represents its counterpart in the context of making decisions in an uncertain environment. Several models of trust exist but few have explored the relationship between risk and trust [9]. Research and practice in the field of risk management offer both an operational and a social perspective on trust. Operationally, risk managers reference the ISo 31000 Risk Management - Principles and Guidelines on Implementation framework, and, like record managers, seek to build best practices into business processes in order to support good governance and accountability processes in organizations. Over the last decade, archivists and records managers have leveraged risk management expertise to expand their understanding of risk beyond the loss of records through disaster or problems due to the environment to include other threats, vulnerabilities, and mitigations [10]. Of particular importance to the archival profession is the threat of technological obsolescence, investigated in prior InterPARES projects, while records managers have focused on such issues as data loss and data protection. Socially, factors that contribute to the establishment and erosion of trust are of interest to risk management scholars. From climate change to sustainable development to environmental technology, the public is asked to trust governments and organizations, while watching large-scale oil spills, corrupt regimes, and food scandals devolve in the news.
Finally, as one of the InterPARES Trust objectives is to design model policies that can be adapted within cultures, societies, and organizations that are fundamentally different but need to interact through their digital records, the project draws upon design theory. This is necessary because the proposed policies will need to address challenges arising from future technological interactions that we can’t yet imagine. Design theorists are adept at taking principled action in situations with many unknowns [11]. Design theorists Rittel and Webber argue that the best way of dealing with this sort of “wicked problem” is to adopt an “argumentative process in the course of which an image of the problem and of the solution emerges gradually among the participants, as a product of incessant
judgment, subjected to critical argument” [12]. Thus, we plan to start a conversation taking into account design perspectives, not just in terms of utilizing design theory, but through direct engagement with the designers of digital information technologies.
This research necessitates multi-faceted, diversified, and dynamic approaches: multifaceted in order to deal with the polymorphism of digital records produced by fix and mobile devices; diversified in order to accommodate varying requirements in different social, cultural, and organizational contexts; and dynamic to respond to continuing changes in ICT and its uses and in future user expectations and needs [13].
Records, as evidence of actions and thoughts, are the account of and raw material for observation. We believe that evidence provided by records allows us to communicate across space and time. This stance is firmly rooted in empiricism. Thus, we approach our research in the same manner we approach records. In the process of investigating trust in digital records residing on the Internet we employ a research methodology based on empirical observation (case studies), drawing on records of research observation generated through an ethnographic approach, and on surveys and interviews. We observe cases where trust manifests itself or not, and in so doing document the changes in evidentiary value of digital records. We gather, analyze and interpret data from a wide cross-section of organizations and institutions worldwide in order to explore the nature of trust relationships on the Internet, and the risks, weaknesses, and fault-lines inherent in record management and storage in rapidly changing technologies where authorship, ownership, and jurisdiction may be questioned. At the conclusion of each study the results will be represented using activity and entity modeling, an analytic tool that enables understanding of the situational realities and work processes before and after modifications have been introduced to address problems. Activity and entity modeling will be accompanied by diplomatic and archival analysis, textual analysis, and visual analytics.
While conducting case studies, each of the Teams constituting the International Alliance (North America, Latin America, Europe, Asia, Africa, Australasia and Multinational Institutions) will do studies that will help them to contextualize the case studies. These studies will identify relevant legislation, policy and other existing regulatory documents within each jurisdiction and analyse them; seek relevant bibliographic resources outside the immediate purview of the disciplines involved in the research; survey existing practices; reconcile terminology across domains, cultures and languages; research cultural issues that may affect solutions to problems or articulation of policies; look at
economic, ethical, and other factors that may impact the International Alliance decisions, and, in general, investigate issues that the International Alliance will consider important to support its work.
Once the researchers will have identified solutions, they will draft model policies, procedures, and processes, and ask the test bed partners to test them. This five-year process is iterative in character and will continue until the partnership will be satisfied with each of the results. During the last year, the partnership will draw its conclusions and write proposals for law reform and other infrastructural reform, model policies, procedures, and practices for creating, managing, accessing, and/or storing records on the Internet, and functional requirements for the systems in which Internet providers store and manage digital records.
Certainly, reading through the description of InterPARES Trust many have noticed a glaring absence, that of digital forensics. But more than an absentee, digital forensics is a stone guest. The ancient expression “stone guest” refers to a looming but invisible presence, silent and therefore disturbing and unpredictable, of which everyone is aware but which no one mentions. While it is clear that digital forensics practices and procedures would be useful in carrying out this research project— especially the component regarding security and protection, it is difficult when outlining a theoretical and methodological approach to research to refer to specific activities or processes rather than to the body of knowledge of a discipline. And digital forensics is hardly perceived as an autonomous discipline. There is a vast literature on the concept of discipline that proposes very different definitions and interpretations. Liles et al. build upon the analysis of the existing definitions and suggest that a discipline must have “six basic characteristics: (1) a focus of study, (2) a world view or paradigm, (3) a set of reference disciplines used to establish the discipline, (4) principles and practices associated with the discipline, (5) an active research or theory development agenda, and (6) the deployment of education and promotion of professionalism” [italics in the original text]1. Digital forensics has some of these characteristics but what separates it from a full-fledged discipline is its reactive approach, its retrospective outlook, which, very much like diplomatics in the 17th century, confines it to the examination of what exists.
Diplomatics developed as a practice for establishing the authenticity of documents of unknown origin used to prove the existence of patrimonial rights. The exercise of such practice resulted in the accumulation of a large
1 Liles, D.H., Johnson, M. E., Meade, L. M., and Ryan, D.: Underdown. Enterprise Engineering: A Discipline? (1995), http://webs.twsu.edu/enteng/ENTENG1.html.
body of knowledge which began to be taught in faculties of law in the 18th century in Germany and France and eventually became the foundation of the law of evidence as we know it today. However, diplomatics was considered only an auxiliary method of other disciplines, like history and law, a reference discipline, till such time when it abandoned its retrospective outlook and began to use its body of knowledge in a prospective way, that is, prescribing what should exist rather than simply describing what exists. Thus, the knowledge acquired about what makes a record reliable and authentic came to be used to design record forms, records procedures, and records systems, to define the roles of all persons involved with the records, and types of acts and functions, to identify and distinguish relevant contexts, to establish methods of authentication, and to determine functional requirements. The parallel with Digital Forensics is clear [14].
A couple of decades after its recognition as an established practice, Digital Forensics has accumulated a large body of knowledge that can allow it to identify recurring concepts, ideas, and principles capable of guiding the design of systems for data, records and archives created and/or kept on the Internet, systems that do not have to trade transparency for safety, or control for economy.
In addition, several of those concepts are likely shared with diplomatics, to which digital forensics is complementary. In an effort to demonstrate this complementarity, this author initiated in 2008 a research project called Digital Records Forensics, which also attempted to move Digital Forensics into a prospective mode by designing a procedure integrating it with diplomatics and archival science [15]. This initiative was picked up by Barbara Endicott-Popovsky in relation to
Библиографический
1. International Research on Permanent Authentic Records in Electronic Systems, Available at: http:// www.interpares.org .
2. Borland J.: Trusting Archivists. Archivi and Computer, XIX(1), 94-106 (2009).
3. Endicott-Popovsky B., Frincke D., and Taylor C.:
A theoretical framework for organizational network forensic readiness. The Journal of Computers, 2(3), 1-11 (2007).
4. Greenfield A.: Everyware: the Dawning Age of Ubiquitous Computing, New Riders, Berkeley (2006)
5. Duranti L. and Preston R., eds. InterPARES 2: Interactive, Dynamic and Experiential Records. ANAI: Padova (2008).
6. Grover V., Chen M.J., Teng J.T.C.: The effect of service quality and partnership on the outsourcing of information systems. Journal of Management of Information Systems, 12, 4:89-116 (1996).
Information Assurance [16] and by Fred Cohen in relation to the development of a digital forensic theory and consistent terminology [17]. Much has still to be done to ensure that Digital Forensics knowledge can be used to prevent rather than to detect cybercrime, but the key is active collaboration with allied disciplines in the context of multidisciplinary projects like InterPARES Trust. Digital Forensics experts could study concepts, laws and models from the other fields involved with the research project to foster useful transfers to their own field, to encourage the development of a digital forensic theory in emerging areas of endeavor and investigation, to eliminate the duplication of theoretical efforts in different fields, and to promote consistency of scientific knowledge.
However, in order to develop the knowledge of digital forensics, when experts bring those extraneous concepts, laws and models into their body of knowledge, they have to make them consistent with all of its parts (i.e., confront them with forensics concepts, principles, practice and scholarship), subject them to a feedback process, and insert them into the fundamental structure of their knowledge system. Only in this way will they be able to build up digital forensics as a discipline, maintaining its integrity and continuity while at the same time fostering its enrichment and growth. This paper is an invitation to start this process of growth and change and to do it by helping records professionals to ensure that records and archives on the Cloud can be protected without renouncing transparency, accountability, and accessibility.in a word, democracy.
Материалы поступили в редакцию 03.09.2013 г. список (References)
7. Garrison G., Kim S., Wakefield R. L.: Success Factors for De-ploying Cloud Computing. Communications of the ACM, vol. 55, no. 9: 62-68 (2012).
8. Ireland R., Camp S., Sexton D., eds., Creating a New Mindset: Integrating Strategy and Entrepreneurship Perspectives. John Wiley and Sons Inc.: New York (2002).
9. J0sang A., Lo Presti S.: Analysing the Relationship between Risk and Trust. Lecture Notes in Computer Science, V. 2995, Trust Management: 135-145 (2004).
10. Lemieux V. L. and Krumwied E.: Managing Records Risks in Global Financial Institutions, in: Coleman, L., Lemieux, V., Stone, R. and Yeo, G. Eds. Managing Records in Global Financial Mar-kets: Ensuring Compliance and Mitigating Risk. Facet Publishing: London (2011).
11. Nathan L. and Shaffer E.: Preserving Social Media: Opening a multi-disciplinary dialogue. In: Duranti L. and Shaffer E. eds. Pro-ceedings of ‘The Memory of the World in the Digital Age: Digitization and Digital Preservation’: 410-418. UNESCO: Paris (2013).
12. Rittel H., and Webber M.: Dilemmas in a General Theory of Planning, in: Policy Sciences, 4, Elsevier Scientific Publishing Company, Inc., Amsterdam:
162:155-169.
13. Thibodeau K.: Wrestling with Shape-Shifters: Perspectives on Preserving Memory in the Digital Age. In: Duranti L. and Shaf-fer E. eds. Proceedings
of ‘The Memory of the World in the Digital Age: Digitization and Digital Preservation’: 15-23. UNESCO: Paris (2013).
14. Duranti L.: From Digital Diplomatics to Digital Records Fo-rensics, Archivaria 68: 39-66 (2009).
15. Digital Records Forensics, Available at: http:// www.digitalrecordsforensics.ca.
16. Duranti L. and Endicott-Popovsky B.: Digital Records Foren-sics: A New Science and Academic Program for Forensic Readi-ness. Journal of Digital Forensics, Security and Law, 5, 2: 45-63 (2010).
17. Cohen F.: Digital Forensic Evidence Examination”, ASP Press: Livermore CA, 4th ed, (2012).
Саратовский государственный социально-экономический университет предлагает обучение в аспирантуре лицам, имеющим образование не ниже высшего (специалитет или магистратура)
Подготовка в аспирантуре засчитывается в стаж научно-педагогической и научной работы. Обучение осуществляется на бюджетной основе или с оплатой стоимости обучения физическими и юридическими лицами.
Подготовка ведётся по 10 научным отраслям и 16 востребованным научным специальностям:
- экология;
- вычислительные машины, комплексы и компьютерные сети;
- отечественная история;
- экономическая теория;
- экономика и управление народным хозяйством;
- финансы, денежное обращение и кредит;
- бухгалтерский учет, статистика;
- математические и инструментальные методы экономики;
- теория языка;
- финансовое право, налоговое право, бюджетное право;
- административное право, административный процесс;
- теория и методика профессионального образования;
- психология труда, инженерная психология, эргономика;
- экономическая социология и демография;
- социология управления;
- политические институты, процессы и технологии.
Поступление в аспирантуру - реальный шанс реализовать потенциал научных знаний и практических навыков, добиться признания научным сообществом и присуждения учёной степени.
Тел.: (8452) 211-757
