DIGITAL DATA AUDITS

Before we discuss the concept of digital audits we should first look at the definition of an audit. In plain terms, an audit provides the means for ascertaining in the physical world that an event or transaction took place, and may include the process components or elements, which comprise that transaction. It is also characteristic that an audit process necessitates a human element of supervision or recordation in order to validate, or witness, that process. The most relied upon type of audit is of course an independent audit, a validation process in which the supervisory or recordation activities are undertaken by a disinterested party in whom trust is implied because of its very nature as a third party. As a direct result of the interposition of a trusted third party, the data contained in such independent audits by convention is relied upon by other third parties who make sensitive decisions (both financially and otherwise) based upon such audited data.

An independent auditor conducts its audit at unique scheduled points in time, and such times are easily verified and validated. However, the notion of time as it relates to audit functions or processes is usually accorded scant attention, except to the extent that the time to conduct any such audit may be governed by law, industry practice or by mandate internal to an organization. Any audit not conducted within a prescribed timeframe may be deemed invalid, ultimately because it fails to reflect the status or condition of the audited entity as prescribed by legal, accounting or industry convention.

There is however, a core component to the conduct of a real world independent audit, which is so fundamental that it is taken for granted and therefore never challenged. That component involves the linear (or sequential) and unique nature of real world time. In the real world, once a moment in time passes, it can never happen, or be created, again. Nor can time be started or stopped. In the real world, therefore, an audit might take place on Friday, April 13, 2001; but once that date passes, that audit can never again be taken again on Friday April 13, 2001. In the physical world, any challenge to this assumption would inevitably lead to suggestions of early and extended sabbaticals. No human factor can exert control over the element of time, or its inseparable attributes of uniqueness and linearity, and as such, time in the real world is inherently trustworthy, and trusted.

In the digital world, however, just the opposite is true. Time is inherently untrusted, and inherently untrustworthy. This is because in any digital data-generating environment, the owner of the data-generating device has the power to control time. Much like Chronos, the god of time in Greek Mythology, the owner may start, stop turn back or go forward in time in accordance with his or her whim. In the real world, if time (and therefore an audit) could be recreated, it would be impossible to assert as a non-repudiable fact that the data gathered in that audit was the only data which could have been collected at that time, because it would require proving the negative assertion. That negative assertion is that no person or entity at any time thereafter could have recreated time. Although credible testimony could be taken in support of such assertions, a credibility or appearance of propriety attack could be made because it is undeniable that such data could have been changed. This inherent control over time in the digital world robs any data created within such an environment of uniqueness and linearity, and therefore renders such data inherently untrusted, and untrustworthy.

The digital world turns all such conventions on their heads. In the digital universe, therefore, the formerly inseparable attributes of uniqueness and linearity are stripped from time because time can be set and reset by an owner having control of a data-generating device. If the attributes of linearity and uniqueness are missing, the distinguishing characteristics of "then" and "now" have no meaning, because data can be created nunc pro tunc, or "now for then." If time can be recreated in the digital universe, there is therefore no way to ascribe attributes of linearity and uniqueness to that data. An inescapable consequence of this is that any digital data generated by a user on any data-generating device is neither trusted nor trustworthy because its uniqueness as a function of time is missing. Any such data thus generated will always be open to credibility challenges as to time and content.

Mountains of paper data have been and continued to be converted to digital media (as zeroes and ones) each day. In addition, huge amounts of new digital data are also being generated daily. Since current data generating devices employ user-resettable clocks to generate such data, that data will be open to content challenge in court, because that data could have been changed since creation/revisions, etc. There will therefore always be a scintilla of a possibility that such a change was made. First, because the data could have been changed (even if by insiders), it is not non-repudiable or immune from content challenge as a prima facie matter. Because the data is subject to repudiation and challenge, a factual issue is created, and it will be up to a jury in most cases to decide the issue. The dangers inherent in this scenario are obvious. Second, a jury could find that the data was altered after the fact, and therefore impose liability and damages (including potential punitive damages). Third, a jury could find that the data was altered after the fact (even if it wasn't) and award compensatory and punitive damages because it favored the plaintiff, or disliked the defendant. Finally, and at a minimum, such a Court contest will necessarily entail costly litigation and legal expenses.

A simple and cost effective solution to the problems presented in making digital data auditable, and thereby reliable in a legal sense can be found in local secure trusted timestamping technology. This technology can immunize digital data from hearsay exclusions, content challenges, and provide at least the imputation of institutional authorship. A local secure trusted timestamping deployment is a single purpose and self contained PKI, and, in many instances, it is possible that this technology can be used as a low cost (and low maintenance) alternative to a PKI deployment.