Record - Academic Conferences Limited

Documentary Heritage in the Cloud 

Simply a Security Matter or an Oxymoron? 

Luciana Duranti 

The University of British Columbia 

International Conference on Cloud Security 

Management ICCSM 2013 

Seattle, WA 17-18 October 2013 


Principal Investigator

Diplomatics 

The trustworthiness of records of unknown or uncertain origin need to be 

assessed using scientific 

methods. 

Diplomatics (1681), Dom Jean Mabillon 

Trustworthiness based on the process of formation of 

documents, and on their formal characteristics, structure, 

and transmission through time and space. 

The Bella Diplomatica (judicial disputes based on 

diplomatic rules and on the belief that “documents are 

much better than navy yards, much more efficacious than 

munitions factories, as it is finer to win by reason rather 

than by violence, by right than by wrong” gave origin to the 

Law of Evidence 

By mid 18 th century all faculties of law in Europe taught 

archival science and diplomatics as “forensic” disciplines 



Archival Diplomatics of Digital Records 

Dr. Luciana Duranti 

The University of British Columbia 

The Concept of Record 

Archival Diplomatics 

The integration of archival and diplomatic theory about the genesis, inner 

constitution, and transmission of documents; and about their 

relationship with the facts represented in them, and with other documents 

produced in the course of the same function and activities, 

and with their creators. 

Retrospectiv 

e Use 

Prospective 

Use 

Reliability 

The Concept of 

Trustworthiness 

The trustworthiness of a record 

as a statement of fact. It exists 

when a record can stand for the 

fact it is about. 

Accuracy 

Digital Record Characteristics 

Formal Elements 

Attributes 

Digital Components 

On the face 

Of the 

Record 

Lifecycle of Digital Records 

Phase 1: Records of the creator 

Phase 2: Authentic copies of the 

records of the creator 


Email: 

luciana@interchange.ubc.ca 

www.interpares.org 

Genesis of the Digital Records 

Workflow: actio et conscriptio 

Initiative 

Inquiry 

Consultation 

Deliberation 

Deliberation 

Control 

Execution 

Application: Research Projects 

UBC Project (1994 - 1997) 

InterPARES 1 (1999 - 2001) 

InterPARES 2 (2002 – 2006) 

InterPARES 3 (in application) 

Functions of Records 

Probative/Dispositive 

Supporting/Narrative 

Instructive/Enabling 

Dynamic and Interactive 

Records 

Stable Content 

Fixed Documentary Form 

Bounded Variability 

Categories of Records 

•Manifested: 

•Stored: 

Form, Content, and 

Composition Data 

Status of Transmission 

Draft 

Original 

Authenticated original 

Copy (e.g., authentic copy) 

Authenticity 

• identity 

• integrity 

The trustworthiness 

of a record as a 

record; i.e., the 

quality of a record 

that is what it 

purports to be and 

that is free from 

tampering or 

corruption. 

Metadata 

Identity Metadata 

Integrity Metadata 


Principal Investigator 

The degree to which 

data, information, 

documents or records 

are precise, correct, 

truthful, free of error 

or distortion, or 

pertinent to the 

matter. 

Digital Signature 

As a Means of 

Authentication 

Authentication: 

A means of declaring the 

authenticity of a record at one 

particular moment in time

The Concept of Record 

• Record: any document made or received by a physical or 

juridical person in the course of activity as an instrument 

and by-product of it, and kept for action or reference 

• Document: recorded information (i.e., information 

affixed to a medium in an objectified and syntactic form) 

• Information: “intelligence given,” or a message 

intended for communication across time and space 

• Data: the smallest meaningful piece of information 



Digital Record Components 

• Act: an action in which the records participates or which the 

record supports 

• Persons Concurring to Its Creation: author, writer, originator, 

addressee, and creator (human or juridical person accumulating 

the records made or received and kept in the course of activity 

and as by-product of it) 

• Archival Bond: explicit linkages to other records inside or 

outside the system 

• Identifiable Contexts: juridical-administrative, provenancial 

(creator), procedural, documentary, technological 

• Medium: necessary part of the technological context, not of the 

record 

• Fixed Form and Stable Content 



Fixed Form 

• An entity has fixed form if its binary content is stored so that the 

message it conveys can be rendered with the same 

documentary presentation it had on the screen when first 

saved (different digital presentation: Word to .pdf) 

• An entity has fixed form also if the same content can be 

presented on the screen in several different ways in a limited 

series of possibilities: we have a different documentary 

presentation of the same stored record having stable content and 

fixed form (e.g. statistical data viewed as a pie chart, a bar chart, 

or a table) 



Stable Content 

• An entity has stable content if the data and the 

message it conveys are unchanged and 

unchangeable, meaning that data cannot be 

overwritten, altered, deleted or added to 

• Bounded Variability: when changes to the 

documentary presentation of a determined stable 

content are limited and controlled by fixed rules, so 

that the same query or interaction always generates 

the same result, and we have different views of 

different subsets of content, due to the intention of the 

author or to different operating systems or 

applications 



Archival Fonds and Archives 

• Archival Fonds: All the records of one creator 

(human or juridical person: individual or 

organization) 

• All the records of a legitimate succession of 

creators exercising the same functions 

• Archival Fonds are acquired by the archival 

institution, unit or program responsible by 

mandate or mission for their permanent 

preservation as documentary heritage of a society 



Archives in the Cloud 

Archival institutions and units or programs of a variety of organizations 

consider storing records selected for permanent preservation in the Cloud 

because: 

•Many of the records they are mandated to preserve already exist in the Cloud 

•Access would be possible from any location to anyone who can use a browser 

•A trusted digital repository satisfying ISO standards as well as basic archival 

preservation requirements is not affordable 

•The knowledge to deal with records produced by complex technologies is not 

commonly available among archival professionals 

•Strong protection measures are often confused with preservation measures 

But, to many, “Archives in the Cloud” is an oxymoron 



Archives as a Place 

Justinian Code (534 A.D.) 

“an archives is locus publicus in quo instrumenta deponuntur (the public 

place where records are deposited), quatenus incorrupta maneant (so that 

they remain uncorrupted), fidem faciant (provide trustworthy evidence), 

and perpetua rei memoria sit (and be perpetual memory of facts)” 

Ahasver Fritsch (1664 A.D.) 

Archives receive trustworthiness from the fact that 1) the place of storage 

belongs to a public sovereign authority, 2) the officer forwarding them to 

such a place is a public officer, 3) the records are placed both physically 

(i.e., by location) and intellectually (i.e., by description) among authentic 

records, and 4) this association is not meant to be broken. 



The Archival Right 

• The right to keep a place capable of conferring archives trustworthiness, and 

therefore authority, was acquired by the bodies to whom sovereignty was 

delegated by the supreme secular and religious powers--cities and churches. 

• Corporations, including universities, deposited their records in the camera 

actorum of the municipality having jurisdiction over them or in the archives of 

ecclesiastical institutions before acquiring the right to “keep archives.” 

• By the French revolution decree of July 25, 1794, the records of defunct 

institutions and organizations were to be preserved by the state and made 

accessible to the people as its documentary heritage. 

• Archival principles: Natalis de Wailly (1841), principle of respect des fonds; 

Max Lehmann (1882), principle of provenance (i.e. original order); Hilary 

Jenkinson, unbroken chain of legitimate custody 



Trusted Postcustodialism? 

The concepts of place, jurisdiction, legitimate custody, and stability are 

embedded in the concept of archives, documentary heritage, and trusted historical 

memory, and are the condition of archival trustworthiness. 

The primary justification for these concepts is historical accountability: the 

people have a right to access the “authentic” documentary evidence of how they 

were governed. For this to happen, the records must be under the unbroken 

physical and intellectual control of a trusted third party ensuring that their 

interrelationships as well as those with their creator are stable. 

If archives were to exist in the Cloud, where responsibility for legal custody and 

intellectual control ensuring stability would be left with the legitimate preserver, 

but physical custody and technological access provisions would be of the Cloud 

provider, could they be considered trustworthy? Can society entrust the Cloud 

with its memory? 



What is Trust? 

• In business, trust involves confidence of one party in another, based on 

alignment of value systems with respect to specific benefits 

• In legal theory, trust is defined as a relationship of voluntary 

vulnerability, dependence and reliance, based on risk assessment 

• In everyday life, trust involves acting without the knowledge needed to 

act. It consists of substituting the information that one does not 

have with other information 

• Trust is also a matter of perception and it is often rooted in old 

mechanisms which may lead us to trust untrustworthy entities 

• On the Internet, the standard of trustworthiness is that of the 

ordinary marketplace, caveat emptor, or buyer beware 

• This is because there is no standard for a trustworthy trustee on the 

Internet 



Trustworthy Trustees 

Trustworthy trustees traditionally present the characteristics of: 

• reputation, which results from an evaluation of the trustee’s past actions and 

conduct; 

• good performance, which is the relationship between the trustee’s present actions 

and the conduct required to fulfill his or her current responsibilities as specified by 

the truster; 

• inspiring confidence, which is an assur-ance of expectation of action and conduct the 

truster has in the trustee; and 

• compe-tence, which consists of having the knowledge, skills, talents, and traits 

required to be able to perform a task to any given standard 

• But not always we have this information and this creates blind trust 



Parameters of Trust 

In the digital environment, technologically-mediated trust cannot rely 

any longer on the four characteristics used in the past. 

Different systems for the assessment of trust are required for different 

contexts – government, business, personal, etc. The parameters of trust 

in one cultural context may be very different from those in another 

context. 

Even within the restricted confines of the Western world, the very limited 

portion of a cultural context which is represented by the legal system is 

broken down in common law and civil law, and each has a different 

approach to trust: in common law it is based on observation of action, 

and in civil law on its documentary residue. 



Balance of Trust 

If we decide to entrust our historical documentary memory to the Cloud, 

we must establish a balance between trust and trustworthiness that is 

valid across jurisdictions, primarily because of the location independence 

which characterizes the Cloud. 

The trustworthiness we should focus on is then not of the trustees but of 

the historical records that are entrusted to them, keeping in mind that 

historical records, a society documentary memory, always start their life 

as current records and their trustworthiness should be protected from 

creation. 

Protecting the trustworthiness of the documentary heritage of society goes 

well beyond security. 



Records Trustworthiness 

Reliability 

The trustworthiness 

of a record as a 

statement of fact, 

based on: 

• the competence of 

its author 

• the controls on its 

creation 

Accuracy 

The correctness and 

precision of a 

record’s content 

based on: 

• the competence of 

its author 

• the controls on 

content recording 

and transmission 

Authenticity 

The trustworthiness of 

a record that is what it 

purports to be, 

untampered with and 

uncorrupted 

based on: 

• identity 

• integrity 

• reliability of the 

system containing it 



Authenticity: Identity 

The whole of the attributes of a record that characterize it as 

unique, and that distinguish it from other records. 

Identity metadata: 

•names of the persons concurring in its creation 

•date(s) and time(s) of issuing, creation and transmission 

•the matter or action in which it participates 

•the expression of its documentary relationships 

•documentary form 

•digital presentation 

•the indication of any attachment(s) 

•digital signature 

•name of the person handling the business matter 



Authenticity: Integrity 

A record has integrity if the message it is meant to 

communicate in order to achieve its purpose is unaltered. 

Integrity metadata: 

• name(s) of persons handling the matter over time 

• name of person(s) responsible for keeping the record over time 

• indication of annotations made to the record 

• indication of technical changes 

• indication of presence or removal of digital signature 

• time of planned removal from the system 

• time of transfer to a the designated preserver or destruction 

• time of access to the public 

• existence and location of duplicates outside the system 



Metadata in the Cloud 

how does metadata follow or trace records in the cloud from the creator 

to the preserver? 

how is this metadata migrated as a preservation activity over time? 

who owns the metadata created by the service providers related to their 

management of the records (integrity metadata)? 

Is metadata intellectual property? Whose? 

How can this metadata be accessed by the public and what are the 

responsibilities of the provider towards archival users? 



Transparency, Stability, Permanence 

An unbroken chain of legitimate custody from the creator to the 

preserver is not possible or demonstrable 

Records reliability cannot be inferred from known processes 

Records authenticity cannot be inferred from their documentary 

context and from a known preservation process 

Archives requires that each record’s context be defined and immutable, 

with all its relationships intact. Such stability is difficult to 

demonstrate in the dynamically provisioned environment of the Cloud. 

What happens when hardware/software become obsolete? Is there a 

known migration plan? 

Termination of contract: how is records portability and continuity 

ensured? 

Termination of provider: how is records sustainability ensured? 



Back to Custody 

A fundamental issue with keeping archives in the Cloud remains the distinction 

between the entity responsible for their permanent preservation and 

accessibility and the entity storing them, and the possibility that the jurisdiction 

under which each exists is different from that in which the individual components 

of each archival fonds (all the records of the same body) exist. 

Example: Europe is approving a right to be forgotten legislation which will affect 

all European archives. That is… exactly what? The archives under the legal 

control of a European archival institution? Those stored by a European Cloud 

provider? Those that happen to be at any given time in servers located in Europe? 

Remember “archives as a place”. Remember the “chain of legitimate 

uninterrupted custody.” The “moral defence of archives” requires transparency, 

stability and permanence. Whose responsibility? 



Models to Consider 

Maritime rules of shipping centered on the recognition of the authority of the 

port state, the flag state and the coastal state 

Early international maritime agreements established that the nationality of the 

transport vessel (the flag state) would establish jurisdiction, and by extension, the 

laws that would be in effect 

Following the abuse of such rule, the port state was given greater control to 

inspect vessels coming within its territorial waters by the Law of the Sea 

Convention in 1982 

Similarly, coastal states through whose waters the flagged vessels transit, have 

authority over the safety and competency of the ship and its crews and are also 

allowed inspection and enforcement while the vessel is in the coastal state’s 

waters regardless of the flag of either the vessel (flag state) or its destination (port 

state) 



Making an Analogy 

A Canadian university could place its archives into the care of an American CSP 

which in turn maintains its data centers in Brazil. Following the maritime 

example then, the American company would be the ‘flag state’ that would be 

‘moving the goods’ to their ultimate destination in the ‘port state’ of Brazil. 

This analogy becomes problematic not only because the Canadian University 

owning the archives would have no jurisdiction, but also with regards to the rights 

of the coastal state, in that the ‘pipe’ used to move the records can transit through 

several countries (coastal states) as they are routed along the way. 

Traditionally, ‘coastal states’ have not been granted access to inspecting packets 

of records as they move along the internet. The rules of conduct then become 

very difficult, if not impossible, to enforce by any of the parties involved. 



Alternatives 

The territoriality principle is not applicable because it is not possible to know 

the location of the records at any given time 

The nationality principle is not applicable because nationality is an attribute of 

persons, not records, and the principle cannot be used to connect persons to 

records 

The power of disposal principle, which “connects any data to the person or 

persons that obtain sole or collaborative access and that hold the right to alter, 

delete, suppress or to render unusable as well as the right to exclude others from 

access and any usage whatsoever” can be considered 

By analogy, it could be possible to consider a power of preservation principle 

that identifies the institutions controlling the archives as the trusted custodian and 

the place guaranteeing authenticity, but jurisdiction without responsibility 

defeats its entire purpose, even in a community cloud 



Records In the Cloud (RIC) 

A 4-year collaboration , supported by a Social Sciences and Humanities 

Research Council of Canada, between 

– the University of British Columbia (UBC) School of Library, Archival and 

Information Studies, 

– the UBC Faculty of Law, 

– the UBC Sauder School of Business, 

– the University of Washington School of Information, 

– the University of North Carolina at Chapel Hill School of Information and Library 

Science, 

– the Mid-Sweden University Department of Information Technology and Media, 

– the University of Applied Sciences of Western Switzerland School of Business 

Administration, and 

– the Cloud Security Alliance 



RIC Objectives 

• to identify and examine in depth the theoretical, methodological, management, 

operational, legal, and technical issues surrounding the storage and 

management of records/archives in the Cloud; 

• to determine what policies and procedures a provider should have in place for 

fully implementing the records/archives management regime of the entity 

outsourcing the records/archives storage, for responding promptly to its needs, 

and for detecting, identifying, analyzing and responding to incidents; and 

• to develop guidelines to assist institutions and organizations in assessing the 

risks and benefits of outsourcing records/archives storage and processing to a 

cloud provider, for writing contractual agreements, certifications and 

attestations, and for the integration of outsourcing with the organization's 

records management and information governance programs 

Today you will hear about initial findings of the research project. 



InterPARES Trust (ITrust) 

A 6-year multidisciplinary collaboration among 30 countries in 6 

continents, comprising about 250 researchers. 

The project aims at producing the frameworks that will support the 

development of integrated and consistent local, national and international 

networks of policies, procedures, regulations, standards and legislation 

concerning digital records entrusted to the Internet, to ensure public trust 

grounded on evidence of good governance, and a persistent digital 

memory. 



ITrust studies 

To support solutions to the archival issues raised today, ITrust has initiated 

research on, among other matters, 

•Metadata, to investigate to what degree “the human and machine readable 

assertions about records” existing in the cloud contribute to maintaining and 

assessing the authenticity of those records (Tennis) 

•Authenticity, to find a method for calculating, associating with records, and 

presenting trust parameters and the provenance of those parameters (Cohen) 

•Trust relationships, from the perspective of creators, preservers and users of 

records/archives (Foscarini) 

•Model contractual provisions dealing with technological change; interjurisdictional 

and government regulation; accessibility; intellectual ownership; 

protection of confidentiality and privacy; agreed remedies in the event of breach 

of contract; “privity” of contract and subcontracting, to identify just a few of the 

contentious areas (Sheppard) 



Conclusion 

We need to work towards resolution of issues as they present themselves, with 

the aim of developing solutions framed as a balance of trust. 

To establish a “balance of trust” requires enabling the development of 

trustworthy procedures and contractual conditions, in addition to secure 

technologies. We need to do so by 

•identifying the changes required in our paradigms of trust in 

records/archives and preservation systems, and 

•developing an internationally shared trust framework that both providers 

and users can live by, because the current framework within which the Cloud 

operates and security concerns are addressed is inconsistent within and across 

jurisdictional and disciplinary boundaries. 

Only then we can require and expect stability, transparency, accountability, 

and permanence in addition to security and economy, develop a Trust in the 

Cloud founded on the Trustworthiness of the material it stores, and conclude 

that “documentary heritage in the Cloud” is not an oxymoron. 



www.recordsintheclouds.org 

www.interparestrust.org

Record - Academic Conferences Limited

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?