10

I need to receive some important documents from another person. It may be important to be able to prove (in justice) which files exactly I received from that person at a specific moment.

My first guess was to ask the person to send me the files via email. By this I would be able to prove which files I had received, when, by this specific person.

The problem with emails is that it doesn't work for larger files. e.g. 200MB.

It would be nice if the method is easy. (e.g. no additional software, services, working on Windows, Mac, Linux, easy to understand on how to proceed for the sender).

  • 1
    Very important information you have forgotten to give: Do you have physical access to this person, or only online? Because a mobile drive would definitely be the easiest way if you can physically meet the person. Commented Jul 18, 2024 at 5:59
  • 4
    @security_paranoid How would handing over a USB-stick in person provide any proof that the transfer happened at some specific time or contained a specific list of files? Commented Jul 18, 2024 at 11:35
  • 1
    Is this not good enough? They send you an email (well-verified) of which files they are sending and their hashes, then afterward you reply with an email (well-verified) confirming receipt of those files with those hashes. Commented Jul 18, 2024 at 17:14
  • 2
    In both cybersecurity and law, this is known as non-repudiation Commented Jul 19, 2024 at 0:46
  • 2
    IMHO, for most people the way to go would be to use one of the many services offered by companies that do this as their job (things like DocuSign etc). The companies have all the certifications and legal knowledge to handle cases in which the other party tries to repudiate the documents signed. Sure, you can DIY this but it means a high chance of bugs, and even if there are no bugs you need to make a third party review what you did to ensure that everything was really how you describe. If you use a third party well-known service it should be way easier to work in a court of law. Commented Jul 20, 2024 at 8:09

4 Answers

33

If it's actually important that you can provide legal evidence, then you should discuss this with a (specialized) lawyer. While we can come up with all kinds of technical approaches, that doesn't mean any of them will hold up in court. We're not legal experts.

From a purely technical standpoint, you could ask the other person to upload the documents to a public file sharing service like Dropbox (encrypted if necessary) and then send you an e-mail with the link and a cryptographic hash (e.g., using a SHA-2 or SHA-3 algorithm) of the file content. Ideally, the sender should obtain an S/MIME certificate from a trusted Certificate Authority (CA) and sign their mail. This demonstrates the other person sent you the link to a particular file (identified through the hash). The hash ensures that the file content cannot secretly be changed afterwards.

You can also use the Time-Stamp Protocol (TSP) to obtain a cryptographically verifiable timestamp for a particular piece of data. The idea is that you send a cryptographic hash of the data to a Time Stamping Authority (TSA). In response, you get a TSA-signed timestamp token which contains the data hash and the timestamp determined by the TSA. Many commercial certificate authorities also act as TSAs and run TSP servers. You don't have to install any special software. Of course you'll have to decide which information you want timestamped, e.g., a hash of the file content and a public link.

But again, this is just the technical perspective. If you need to convince a judge, then other approaches might be more suitable (e.g., a written contract where both parties agree on exchanging certain documents at certain points in time).

  • 1
    This is basically making a message authentication code, transmitted via a different channel (email). And the same considerations for choice of hash apply -- using for example a CRC32 would not suffice. Commented Jul 19, 2024 at 18:18
  • I've changed “hash” to “cryptographic hash” to make this clear. Commented Jul 20, 2024 at 2:09
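The two technical steps in the answer above, hashing the file and asking a Time Stamping Authority for an RFC 3161 token over that hash, as an added worked example (not code from the answer's author). It streams the SHA-256 digest of a file, hand-encodes the DER `TimeStampReq` exactly as the RFC defines it (version, message imprint, nonce, `certReq`), decodes it back as a sanity check, and shows the HTTP POST a TSA expects. The TSA endpoint `https://tsa.example/tsr` is a placeholder, and the sample document bytes are constructed, so the only part that needs a network is the commented-out submission.

```python
"""Build and decode an RFC 3161 TimeStampReq for a file's SHA-256 digest."""
import hashlib
import secrets
import urllib.request

# DER encoding of OID 2.16.840.1.101.3.4.2.1 (id-sha256), without tag and length.
SHA256_OID = bytes.fromhex("608648016503040201")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 only when the high bit is set)."""
    if value < 0:
        raise ValueError("negative integers are not needed here")
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def sha256_file(path: str) -> bytes:
    """Stream the file so a 200 MB document does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.digest()


def build_tsq(digest: bytes, nonce=None, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce OPTIONAL, certReq DEFAULT FALSE }."""
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the client match the response to this request
    # AlgorithmIdentifier with an explicit NULL parameter, as `openssl ts -query` emits it.
    alg_id = _der(0x30, _der(0x06, SHA256_OID) + b"\x05\x00")
    imprint = _der(0x30, alg_id + _der(0x04, digest))
    body = der_int(1) + imprint + der_int(nonce)
    if cert_req:  # DER: a DEFAULT value must be omitted, so only TRUE is ever emitted
        body += _der(0x01, b"\xff")
    return _der(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_tsq(tsq: bytes) -> dict:
    """Decode a request back into its fields, the same check a TSA performs before signing."""
    tag, body, end = _read_tlv(tsq, 0)
    if tag != 0x30 or end != len(tsq):
        raise ValueError("not a single DER SEQUENCE")
    _, version, pos = _read_tlv(body, 0)
    _, imprint, pos = _read_tlv(body, pos)
    _, alg_id, p = _read_tlv(imprint, 0)
    _, oid, _ = _read_tlv(alg_id, 0)
    _, digest, _ = _read_tlv(imprint, p)
    out = {"version": int.from_bytes(version, "big"), "oid": oid,
           "digest": digest, "nonce": None, "cert_req": False}
    while pos < len(body):  # remaining optional fields
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0x02:
            out["nonce"] = int.from_bytes(content, "big")
        elif tag == 0x01:
            out["cert_req"] = content == b"\xff"
    return out


def submit_tsq(tsq: bytes, tsa_url: str) -> bytes:
    """POST the request as RFC 3161 section 3.4 describes; returns the DER TimeStampResp."""
    req = urllib.request.Request(tsa_url, data=tsq, method="POST",
                                 headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:  # constructed stand-in for the document
        tmp.write(b"constructed sample document\n")
    digest = sha256_file(tmp.name)
    tsq = build_tsq(digest)
    print("SHA-256:", digest.hex())
    print("TimeStampReq:", tsq.hex())
    print("decoded:", parse_tsq(tsq))
    # submit_tsq(tsq, "https://tsa.example/tsr")  # placeholder URL: put the real TSA endpoint here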
26

The more complicated you make it technically, even if perfectly correct and tamper-proof, the more you have the problem that a judge will need to listen to one side's "technical expert" and then the other side's "technical expert" and will have to believe one of them because it goes way over their head. Whether that is your expert in the end has very little to do with whether your process was correct.

You should consult a lawyer for the jurisdiction you think you would need to present your case in.

My guess would be that the proven way is to meet with a notary, bring the documents, have the notary make a physical copy they keep safe and then part ways. This way the notary can attest that those were the documents exchanged, who was present and when it happened.

  • 1
    The service of "digital", "remote" or "online" notarization seems to exist (I have no personal experience with it though), but it may make it possible to get most of the benefits of official notarization while avoiding the need to physically meet (see e.g. en.wikipedia.org/wiki/ENotary) Commented Jul 19, 2024 at 20:57
2

(I'm not addressing here the issues of the "specific person"; I believe it is addressed well enough by other answers, whether electronically or in the real world)

You are here dealing with notarization. You need a "legally trusted" 3rd party, that is a 3rd party whose statement will be accepted by a court in the jurisdiction(s) you are interested in.

When you say "at a specific moment", it's a bit of a tricky question. Like Ja1024 said, using a 3rd party service like Dropbox might do the job for you; you would need to talk to a lawyer.

Now I'm wondering if your question is properly asked.

You could want to prove that you got a file "before a specific moment". That's the easy one. A lot of notarization services could do the job (typically with hashes). Or you can go for the "all out" solution: in some jurisdictions, you could leave a copy of the files to a legal officer who will keep your files in a safe and give you a certified document they were deposited at such date. In others, leaving the document with your lawyer might be enough. Using the hash solutions, I know jurisdictions where you could write the hash of the file (and size) on a paper, and just get a doctor to sign that you presented them the paper at a specific date.

If you want to prove that you got the file at a specific time, meaning "not before, not after", that's the above, plus proving you DIDN'T get the files BEFORE a specific moment, or in other words you got them "after a given moment", and this is virtually impossible. That would mean having someone certify that at no point did you get those files before, which basically implies monitoring your every interaction prior to that moment...

  • In order to prove that the document you are receiving did not exist before, the sender can include something that wasn't there (and they couldn't have guessed). Qubes Canaries follows this approach, where they include the headings of multiple newspapers as well as the state of the bitcoin chain. So that specific file couldn't have been given to you. OTOH, they could always have provided the contents separately without using your system at all, and you cannot prove that. Commented Jul 20, 2024 at 2:39
1

This problem is actually in 3 parts:

  • Audit trail with privacy, integrity and authorisation for each step.
  • Full transmission and receiving of files over a (inter-)network
  • Independent verifiable evidence of the result.

The first part is simple: use TLS 1.3 on each connection, together with an encryption-at-rest system to store the data in (such as AWS S3 or minio could provide).

The second part requires that you make (multiple) hashes of the data, even before the first transmission, and verify at each step that the hashes still check out (you need the hashes in your audit trail too).

The last part is the hardest, and best done through the use of the Time-Stamp protocol and a Time-Stamp authority to stamp both the data itself and one of the audit hashes. This will ensure you can then later still provide evidence of what data was received in a tamper-resistant way.

Be advised, this is one of the hardest solutions in IT, so:

  • don’t roll your own solution unless you must (as in use as many audited libraries as you can)
  • Have your code audited by at least 2 independent parties.
  • re audit this code regularly.
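The hash bookkeeping that this answer's second part and the earlier comment ("send an email of which files they are sending and their hashes, then confirm receipt of those hashes") both describe, as an added worked example that is not code from either author. The sender runs `build_manifest` over the directory being handed over and mails the resulting text; the receiver runs `verify_manifest` against what actually arrived and gets back an explicit list of missing, altered or extra files. The manifest line format (`<sha256>  <size>  <relative path>`) and the sample "documents" written by `make_demo_dir` are constructed for this example.

```python
"""Sender-side hash manifest and receiver-side verification for a set of files."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large documents are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> str:
    """One line per file, '<sha256>  <size>  <relative path>', sorted so the manifest is reproducible."""
    lines = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lines.append(f"{sha256_file(full)}  {os.path.getsize(full)}  {rel}")
    return "\n".join(sorted(lines, key=lambda line: line.split("  ", 2)[2])) + "\n"


def parse_manifest(text: str) -> dict:
    """Map relative path -> (hex digest, size); reject lines that do not fit the format."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            digest, size, rel = line.split("  ", 2)
            entries[rel] = (digest, int(size))
        except ValueError:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
    return entries


def verify_manifest(root: str, text: str) -> list:
    """Return discrepancies between the manifest and the directory; [] means an exact match."""
    expected = parse_manifest(text)
    found = parse_manifest(build_manifest(root))
    issues = []
    for rel, (digest, size) in expected.items():
        if rel not in found:
            issues.append(f"missing: {rel}")
        elif found[rel] != (digest, size):
            issues.append(f"mismatch: {rel} (expected {digest[:12]}.../{size} bytes, "
                          f"got {found[rel][0][:12]}.../{found[rel][1]} bytes)")
    for rel in found:
        if rel not in expected:
            issues.append(f"unexpected extra file: {rel}")
    return issues


def make_demo_dir() -> str:
    """Constructed sample 'documents' so the example runs offline; returns the directory path."""
    root = tempfile.mkdtemp(prefix="manifest_demo_")
    os.makedirs(os.path.join(root, "annexes"))
    with open(os.path.join(root, "contract.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample contract\n")
    with open(os.path.join(root, "annexes", "schedule.xlsx"), "wb") as f:
        f.write(b"constructed sample spreadsheet bytes\n")
    return root


if __name__ == "__main__":
    sender_dir = make_demo_dir()
    manifest = build_manifest(sender_dir)   # this text is what the sender puts in the email
    print(manifest)
    print("receiver check:", verify_manifest(sender_dir, manifest) or "all files match")
    with open(os.path.join(sender_dir, "contract.pdf"), "ab") as f:
        f.write(b"altered after the manifest was sent")
    print("after tampering:", verify_manifest(sender_dir, manifest))
```

Because the manifest is sorted and contains only digests, sizes and paths, two parties can independently regenerate it and compare it byte for byte; it is also the natural input to hash and timestamp rather than each file separately.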
