Digital Witness Statement Evidential Authenticity Standards




Version: 2.1
Publication Date: 26/06/2014
Description: The standards and associated tools required to create, transport and store a Digital Witness Statement (DWS) with sufficient evidential authenticity and integrity.
Author: Paul Filby

For more information regarding this standard, please contact: openstandards@homeoffice.gsi.gov.uk

Crown copyright 2014. This information is licensed under the Open Government Licence v2.0. To view this licence, visit www.nationalarchives.gov.uk/doc/open-government-licence/version/2 or write to the Information Policy Team, The National Archives, Kew, Richmond, Surrey, TW9 4DU.

DWS Evidential Authenticity Standards v2.1 Page 1 of 10

Change control

| Version | Date | Record of change | Author |
|---|---|---|---|
| 0.1 | 19/11/2013 | Initial Draft | Paul Filby |
| 0.2 | 19/02/2014 | Amendments following peer review | Paul Filby / Mark Osborne / John Hughes |
| 0.3 | 25/02/2014 | Amendments following peer review | Paul Filby / Mark Osborne / John Hughes |
| 1.0 | 02/04/2014 | Signed off Version | Paul Filby |
| 2.0 | 21/05/2014 | Final Version | Paul Filby |
| 2.1 | 23/06/2014 | Released under the Open Government Licence | Mark Osborne / Peter Barden |

Controlling documents

| Description | Revision |
|---|---|
| Digital Witness Statement Business Process | V 1.1 |
| Legal Guidance on digital working across Criminal Justice System | October 2012 |

Document Set

This document forms part of a set of documents defining the requirements for an EWS application. The documents must be used and implemented as one. They are:

| Description | Revision |
|---|---|
| Digital Witness Statement Business Process | V 1.1 |

Summary

The standards and associated tools required to create, transport and store a Digital Witness Statement (DWS) with sufficient evidential authenticity and integrity are well established and feasible to implement and use.

To prove the chain of authenticity of a DWS requires a secure hash to be created for the entire witness statement. This will provide the capability for ensuring integrity of the statement. Additionally, a signing process is the preferred method of providing authenticity to the witness statement. By providing these it will be possible to verify that the witness statement has not been tampered with and has originated from a recognised source.

It is both feasible and practical to apply the technical solution for integrity and authenticity in a standalone solution using free and open-source tools that implement industry standards, with content versioning presenting the most likely area for bespoke development. These technical features could provide an affordable and compliant solution for evidential weight and legal admissibility.

Terms Used

In this section there are four commonly used terms. They are must, recommended, should and could. For clarity in the rest of this document these mean:

Must / Required
  o This is used when the process or functionality is mandatory and its absence will mean non-compliance with the standard.

Recommended or Should
  o This is used when the process or functionality is highly desirable and, although not mandated, its exclusion would be the exception and cause for justification.

Could
  o This is used where the process or functionality is suggested and would enhance the application.

Key Requirements

1: that the industry standard secure hash algorithm SHA-256 must be used for the purposes of witness statement integrity.
2: the witness must be fully aware of the implications of signing.
3: the mechanism for proving a document must be agreed by the National Prosecution Team.
4: where vector representations of signatures are used, these shall use open standards and must also include a simple image of the signature.

Note: SHA-256 is a cryptographic hash function used to determine whether data has been accidentally or intentionally altered. Designed by the U.S. National Security Agency.

Current position

These technical standards for DWS have been developed following feedback from EWS users, other Police forces and the CPS. They specifically detail:

1. Platform agnostic technical standards and/or solutions required to support the creation, transport and storage of witness statements;
2. Methods for proving the chain of authenticity of witness statements for evidential use.

The standards provided within this document will support the creation of an information management policy required to demonstrate compliance with the code of practice for legal admissibility and evidential weight of information transferred and stored electronically.

The following assertions are made on the current paper based wet-signature process and their part in establishing integrity and authenticity.

1. Paper based statements are entered into a computer system (by scanning handwritten statements or typed directly). This electronic version is not the master statement and wet-signatures are replaced with typed text. These electronic copies are typically those used in court and their authenticity is never challenged as the signed paper version is regarded as the authentic master copy.
2. Each page of the paper statement has a witness signature and, possibly, a witnessed-by signature. The requirement to record the witnessed-by signature is determined by local policy.
3. The signature at the bottom of each page is there for the purpose of authenticity where a statement may span pages.
4. A witness signature, and possibly an Appropriate Adult signature, is required for witness consent purposes.
5. The signature captured is used to evidence the witness acceptance that the entire statement is accurate (authentic) and duplicating the signature after the last word of the statement provides integrity.

This document contains the following sections:

1. Proving the chain of authenticity of a witness statement
2. Versioning
3. Transfer and Storage
4. Location and Mobility

1. Proving the chain of authenticity of a witness statement

There are a number of criteria to sufficiently protect a digital document throughout its life. These are access, authorisation, accountability, integrity, authenticity and non-repudiation. This document focuses on integrity (how do you know if the statement has been changed), authenticity (how do you know where the document came from) and non-repudiation (can the witness deny signing the document).

Integrity

To maintain the integrity of a digital document a secure hash, essentially a fingerprint for a file, must be created. The SHA-256 algorithm [1] must be used. This is an official standard with an open specification and publicly available test suites. This is consistent with the integrity solution being applied to digital interview recordings.

With a hash integrated into the original digital document, a recipient can determine if the message was altered by recalculating the hash and comparing the result to the attached hash. The value generated is one-way (you cannot determine what the text is from the code), and it is significantly different even for minor changes to text, as illustrated below. The hash values created will be collision resistant/unique.

| Test case | SHA-256 hash value |
|---|---|
| This is the original text that we need to ensure is versioned. | ae0039cf404404b5aa541c99107044d1df554138720381bf145009b134f6847d |
| This is the updated text that we need to ensure is versioned. | 5b000af7f8ceff3588c68f2ec51fd5b81d1a716683692e4b4c6e57fa986a1ff4 |

Digital document integrity is not technically complex and is achievable in short timeframes. SHA-256 is a FIPS 180-4 approved hash algorithm. SHA-256 is generally recommended for high-security applications and is required here for consistency with the technical approach of the file integrity standard for digital interviewing. Typically MD5 or SHA1 would be used for file integrity and authenticity purposes. These algorithms must not be used for digital witness statements.

The digital interview process takes the approach that, at the conclusion of the interview, the hash-value is displayed and made available to the interviewee to assure authenticity. This process mirrors the existing procedure which makes a copy of the tape available. It is not recommended that witness statements follow the same model. Statements can be taken anywhere, without access to printers, and handwritten (or SMS or email messages) are not considered to significantly add to the authenticity of the statement.

Requirement 1: that the industry standard secure hash algorithm SHA-256 must be used for the purposes of witness statement integrity.

[1] SHA-256 is a cryptographic hash function used to determine whether data has been accidentally or intentionally altered. Designed by the U.S. National Security Agency. The SHA-2 family of algorithms is patented in US 6829355. The United States has released the patent under a royalty-free license.

Authenticity

To prove the authenticity of an electronic document the source of the document needs to be proven. Ideally that source would be linked to an identifiable individual via a smartcard, but could also be achieved by authenticating the device used to send the data and relying on that device to authenticate the individual. In either case, it is recommended that the system should integrate with a police force authentication regime (i.e. Active Directory) when identifying who the individual taking the statement is. The authentication technique must be active at the point of capture of the statement.

Signatures

To achieve authentication to an identifiable individual entity (be that a person or a device), it is a requirement that a process for incorporating or associating a signature is used.

The signature capture process and resulting product are of equal importance and should reflect the sequence of events leading to the document being signed. Prior to signing the witness should be instructed how to independently review the document, with any requested changes being made immediately. On presenting the device for signature capture the witness should be informed that:

- The entry made will be incorporated into or logically associated with this statement.
- By making an entry here you are agreeing to the following declaration which is also within the statement:
  o This statement (consisting of x page(s) each signed by me) is true to the best of my knowledge and belief and I make it knowing that if it is tendered in evidence I shall be liable to prosecution if I have wilfully stated in it anything which I know to be false, or do not believe to be true.
- Be warned that after an entry is made no alterations can be made and amendments will require a further statement.

Should digital signatures be used as part of the implementation, then as with the hash-value created for integrity purposes, the resulting digital signature should be stored alongside the original file.

The above should be considered the minimum standard to be applied and more advanced methods of signature capture should be encouraged.

Requirement 2: Witness will be made fully aware during the signing procedure of how, why, where the signature is used and the overall importance of the signature. Once a signature has been obtained the document is sealed and no amendments will be made.

NOTE: Should digital signatures be used as part of the implementation then personal certificates can be held on smartcards, or on the device.

Requirement 3: Where vector representations of signatures are used, these shall use open standards and must also include a simple image of the signature.

2. Versioning

When completing a statement, as in any other part of an investigation, the Criminal Procedures and Investigation Act 1996 must be considered in respect of the pre-trial disclosure to the defence. The issue of disclosure is an integral part of Student Officer training and is emphasised in a number of areas and reinforced during the module on statement taking.

The use of a DWS does not change or remove the need to use notes as part of the statement taking process. They must be retained and disclosed as unused material as per CPIA and the local process. This is a formal part of Student Officer training nationally.

It is the responsibility of the officer taking the statement to disclose to the CPS any items of inconsistency which occur during the investigation. Should inconsistencies be identified by an officer during the taking of a statement they will inform the CPS.

During the recording of the statement the content should be considered an incomplete document capable of being added to, changed and deleted. At the point of signing, where the opportunity to correct, alter or add has taken place and the content of the declaration has been viewed, versioning should take place and the document is then referred to as a record. This record is now the Original or Master statement.

3. Transfer and Storage

Consideration could be given to the implementation of the BS 10008 Evidential Weight and Legal Admissibility of Digital Evidence; however this does not guarantee legal admissibility of digital documents. The Legal Guidance of October 2012 clearly states:

Any doubts as to the provenance, authenticity or integrity of a digital document containing a digital signature would need to be tested in the same way that they would be tested in respect of a traditional wet signature on paper by the calling of relevant evidence.

Creation

All witness statements, irrespective of their format, must have a SHA-256 secure hash value associated with them at the point of completion and submission. Any compound data in the witness statement, such as an image of the hand-written witness signature, must be treated as a separate object and a hash-value associated with it. Hash-values of image signatures must also form part of the calculation of the overall hash-value of the witness statement.

Transport

The basis for compliance is met by implementing the integrity and authenticity advice provided in section 1. Data transfer should be controlled by application software and incorporate a file integrity check mechanism. Transfer should also incorporate a mechanism to ensure files are from authorised sources.

To ensure the authenticity of the date and time of the transfer and receipt, the data must be obtained and applied by the system and not entered by the officer. To ensure accuracy the device used to record the statement must have been sufficiently synchronised with a trusted time source.

Sender and recipient authentication requirements can be met by appropriate articulation that the sender (officer) and recipient (Force staff, courts) are trusted entities.

Storage

The authenticity of the witness statements should be established when importing them into an information/records management system. This is achieved by a hash-value or digital signature of the document, made when it was created, being provided along with the statement.

Storage of digital witness statements must be accompanied by associated metadata. This must include agreed document format, time and date stamps, sender and recipient details, checksums and hash-value or digital signatures.

Files that can be self-modifying, such as those containing macros, must be avoided as it will be difficult to assess the evidential weight if changes to the file are saved. Macros and/or code would be acceptable providing dynamic content is not generated, for example, date changes when the document is opened for reading.

4. Location and Mobility

An important aspect to consider when deciding on the appropriate solution is where the witness statement could be taken. Some locations or areas of the United Kingdom do not have appropriate mobile connectivity; therefore all solutions should be capable of operating in a standalone configuration.

Standalone options tend not to be web-based applications due to the restrictions on saving data to the client. While it would be possible to have a standalone web-based application, they are likely to introduce platform specific aspects. When the HTML5 standard is fully supported by modern browsers a standalone and platform agnostic web-based application for witness statements may be possible and should be a consideration for the future.

For standalone systems the management of stored data that is at rest on the client capture device becomes a key requirement. All devices must download any unsubmitted signed witness statements as soon as connectivity is achieved. Once synchronised the stored data will be deleted from the device. Data at rest on the capture device and other aspects of mobile security should follow general best practice on the use of mobile devices and local policies and procedures applied by the Information Security Officer.
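
Added example, not part of the original standard, covering the Integrity rules in section 1 and the Creation and Storage rules in section 3: it seals a statement with SHA-256, hashes the signature image as a separate object, includes that hash in the overall value, and recalculates both on import. The way the two are combined (a length prefix, the UTF-8 text, then the image digest), the record field names and the sample data are assumptions, since the standard does not fix them.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data: the two test-case sentences from section 1 and
# placeholder bytes standing in for a signature image.
ORIGINAL = "This is the original text that we need to ensure is versioned."
UPDATED = "This is the updated text that we need to ensure is versioned."
SIGNATURE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed signature image bytes"


def statement_hashes(text, signature_image):
    """Return (signature_image_sha256, statement_sha256) as hex strings.

    Assumed construction: SHA-256 over an 8-byte length prefix, the UTF-8
    statement text and the raw digest of the signature image, so the image
    hash forms part of the overall value.
    """
    body = text.encode("utf-8")
    image_digest = hashlib.sha256(signature_image).digest()
    overall = hashlib.sha256()
    overall.update(len(body).to_bytes(8, "big"))
    overall.update(body)
    overall.update(image_digest)
    return image_digest.hex(), overall.hexdigest()


def seal(text, signature_image, sender, recipient):
    """Build the stored metadata at the point of signing.

    The timestamp is read from the system clock, never from user input.
    """
    image_hash, overall = statement_hashes(text, signature_image)
    return {
        "format": "text/plain; charset=utf-8",
        "hash_algorithm": "SHA-256",
        "signature_image_sha256": image_hash,
        "statement_sha256": overall,
        "sealed_at": datetime.now(timezone.utc).isoformat(),
        "sender": sender,
        "recipient": recipient,
    }


def verify_on_import(record, text, signature_image):
    """Recalculate both hashes; return a list of problems (empty = intact)."""
    problems = []
    if record.get("hash_algorithm") != "SHA-256":
        problems.append("hash algorithm is not SHA-256")
    image_hash, overall = statement_hashes(text, signature_image)
    if not hmac.compare_digest(image_hash, record.get("signature_image_sha256", "")):
        problems.append("signature image hash mismatch")
    if not hmac.compare_digest(overall, record.get("statement_sha256", "")):
        problems.append("statement hash mismatch")
    return problems


if __name__ == "__main__":
    record = seal(ORIGINAL, SIGNATURE_IMAGE, "officer (constructed)", "force records (constructed)")
    print(record["statement_sha256"])
    print("unchanged:", verify_on_import(record, ORIGINAL, SIGNATURE_IMAGE))
    print("text edited:", verify_on_import(record, UPDATED, SIGNATURE_IMAGE))
    print("image swapped:", verify_on_import(record, ORIGINAL, SIGNATURE_IMAGE + b"x"))
```

Because the image digest feeds the overall hash, replacing the signature image is reported against both values, while editing only the text leaves the image hash intact.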