A recent decision of the Bankruptcy Appeals Panel of the 9th Circuit (VEE VINHNEE v. AMEX: Dec 16, 2005) seems to suggest that adequate controls to protect audit logs must be in place in order to prove the authenticity of digital information.
I have heard some conclude that this leads directly towards cryptographic protections, but it seems plausable to me that proper access controls and strong identity management might also be argued to be sufficient, if not compensatory.
The testimony by AMEX employees who routinely accessed the data was non-expert, and it suggests that they could only assume controls were in place but did not know/verify. This appears to have opened up the possibility that the data could not be proven to be authentic.
The decision explores the issue of authenticity and has some interesting citations such as “George L. Paul, The “Authenticity Crisisâ€? in Real Evidence, 15 PRAC. LITIGATOR No. 6, at 45-49 (2004). It also calls out a specific “scientific” methodology to help examine the “validity of the theory underlying computers and of their general reliability”:
Professor Imwinkelried perceives electronic records as a form of scientific evidence and discerns an eleven-step foundation for computer records:
1. The business uses a computer.
2. The computer is reliable.
3. The business has developed a procedure for inserting data into the computer.
4. The procedure has built-in safeguards to ensure accuracy and identify errors.
5. The business keeps the computer in a good state of repair.
6. The witness had the computer readout certain data.
7. The witness used the proper procedures to obtain the readout.
8. The computer was in working order at the time the witness obtained the readout.
9. The witness recognizes the exhibit as the readout.
10. The witness explains how he or she recognizes the readout.
11. If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.
The decision then suggests that step four is of particular importance, given the lack of proof that controls existed to ensure the accuracy of data:
The testimony of the records custodian at trial regardingthe computer equipment used by American Express was vague, conclusory, and, in light of the assertion that “[t]here’s no way that the computer changes numbers,� unpersuasive.
If you read the testimony yourself, you can see the issue the decision is referring to…
I couldn’t testify to exactly what – what the model is or anything like that. It’s – you know, our computer system that we’ve used for, you know, quite some time to produce the documents, to gather the information, to store the information and then, you know, produce the statements to the card members. And we – you know, it’s highly accurate. It’s based on the fees that go in. There’s no way that the computer changes numbers or so.
I can imagine a million ways to be more convincing/prepared with regard to the controls used to protect the data in question. But the real question, I guess, is whether cryptographic controls should now be considered a minimum requirement?