What is the most credible timestamp I can create for a digital file?

Question

Is it possible to create a timestamp that is so hard to fake, that it could be used as proof or simply strong evidence in a court of law, that something was not created after a certain point in time?

The file could be anything; a word document, an image, an audio file, a software specific file, ie. PSD.

Some ways I think might work are by uploading it to a reputable cloud or social networking site but what if by some twist of fate the large company goes bust and I can no longer prove it?

What is the most secure, hardest-to-fake, longest lasting (not likely to become invalid anytime soon) way to prove that a digital file was not created after a certain point in time?

It could still be possible to fake, but preferably by some highly advanced means that makes it unlikely.

---

The use case I'm essentially envisioning is:

A simple 'your word against theirs' situation.

Against all sane advice, I create a file on a pay-if-you-like-it basis, with no written contract. They like it and use it, but don't pay.

I want to sue them with very strong evidence that I created the file before them (if they're trying to argue that they made it themselves - like a simple branded word template).

I'm not looking for advice from a legal standpoint, but expertise about timestamps, and how to create one with strong authenticity (I think).

Answer 1

Just last week I heard of this Proof of Existence service that makes a secure digest of your file and gets it added to the public Bitcoin blockchain.

So henceforth and forevermore (or until Bitcoin is cracked or abandoned), you'll have publicly-certified, publicly-verifiable proof that THAT particular instance of your file existed at that time. Even if the Proof of Existence web service goes away, you could conceivably use a blockchain explorer tool to show the earliest date that your secure digest showed up in the blockchain.

Answer 2

Much like with public key crytography, where you are relying upon some trusted authority for identity, there are timestamp authorities. An organization can setup one internally or could rely on a trusted third party (or multiple trusted third parties) to sign a document.

If the timestamp authority is trusted, then you can provide reasonable assurance of the time it was stamped (not necessarily created or modified). A timestmap generally relies upon crytographically signing a hash and crytographically signing of token for the timestamp. In this way you have some trusted authority validating the time and the document.Acrobat and other PDF programs allow you to point to a timestamp server which you can then use when signing files (or just timestamp them). There are also ways of doing this manually against a file.

A good place to start is with RFC 3161 + RFC 3628 and this article on "trusted timestamps". Check out a related question on Stack Overflow, and this one on Crypto.

---

For any specifics on legality and court admissibility, please reach out to specific legal counsel familiar with that particular court's requirements.

Some laws and directives for various regions:

• Directive 1999/93/EC / European Directive on a community framework for Electronic Signatures (Europe)
• The Electronic Signatures in Global and National Commerce Act, 2000 (USA)

---

There are also a lot of SaaS solutions where you can click to sign, but you rely upon the mechanisms of the service, which may not tie to any standard. I have been asked to sign documents using the DotLoop service, but have not evaluated their tech specs.

Answer 3

One possible solution is to make a cryptographic hash, e.g. SHA256, of whatever data you want to use the timestamp with and then publish that hash; maybe on the internet which includes saving by the wayback machine or google cache, etc., or have it signed by a trusted party.

In many cases, the person whose potential later lawsuit you want to defend against has some relationship with you that may give him an incentive to sign it himself. In many cases, it may even be possible to put the burden entirely on that person simply by keeping a public log (website?) of such published hashes.

Whilst I am no lawyer, I believe even just continuing to consistently carry out such logging will help your case at least somewhat. That is the solution you asked for, providing some proof that you did not backdate the timestamp into the past because you could not know the hash (a one-way function) without having the data you wanted timestamped.

Answer 4

There are two ways I currently like the most:

• Submit online in: http://www.originstamp.org not only they submit to the Bitcoin blockchain (you can pay $1 to make the publishing faster, or it will be submitted at servers midnight to the blockchain), but also publishes the SHA256 hash of the file at Twitter adding additional proof that the file did exist at least at that time.

• Use a free program called XolidoSign Desktop available at: http://www.en.xolido.com/lang/productosxolidosign/ where you can sign with your private key with or without the secure timeStamp (so you can proof it is yours, use the TimeStamping if it is important to proof the time of existence), or just sign it with a TimeStamp from a trusted third party (if you don't have a private key to sign or you don't want to use it, but just need to proof that the file did exist at some point in time... unless the file itself contain your personal information it may be difficult to proof it was yours, but you may not want to proof it was yours but only that existed at some point in time).

For this XolidoSign Desktop program I have set a few trusted third partys... remember that a court may not accept the certificate authority as valid if the local law specified what are the company's/ government services that can be used for that purpose, consult the local law or a lawyer to make sure you make it correctly. I have set all to use SHA256 (go to the sign or timestamp and from there go to the options > configuration). Some timestamp servers are available but I can't post here because of the limit to new users like me. Nothing forbids you from using more that one, but you will need to spend time to manually (or with some additional program) or sending to some different folder in order to separate the signature files.

Answer 5

If it doesn't rely on a reputable external sources for validation, I do not think it's possible. As long as the data (timestamp) is stored in local, the data will be stored in some part of the hard disk. And any part of the hard disk data can be easily overwritten with special tools like hex editor as long as you have physical access to the hard disk. And in this case I believe the lawyer or professional expertise will question the integrity of the data (reputation and possibly of tampering and etc).

Unless it's a Read only drive, if not there's no way to prevent the data to be "fake" or overwritten in this case. However a read only memory here is impossible as you need to write the timestamp into the data.

Or unless there's some new special memory technology that would allow permanently writing data only once and can't be altered after writing once, if not there is no way you can do it.

Answer 6

Essentially, no.

Caveat H@x0r: I.A.N.A.L. *

Timestamps are essentially numbers. A number that represents how many seconds after an arbitrary time&date the event (which the time stamp refers to) occurred. This "arbitrary" time is known as an epoch: https://en.wikipedia.org/wiki/Epoch_(reference_date)

A timestamp is simply a number. Data. A value. And values can change, or be changed. So no, creating a "time stamp" itself that is indisputable in a court of law is not really possible.

A court of law (civil or criminal) is not really about the absolute truth, but what the rules, the system, the precedents, and the lawyers arguments and positions can achieve.

As for a timestamp that does not require external validation or sources but is trusted by everyone? Not humanly possible. You would have to get all external parties (i.e. EVERYONE and EVERYTHING else) to agree on your system and methodology. Sorry. You are asking borderline philosophical questions in the Legal and Security realms here; there are no easy answers.

* I Am Not A Lawyer

* EDITs to my answer after edits to the question *

The best you are probably going to be able to do is going to require external sources. You will want to do some hashing, of the file and attributes as well as a message from an external source. That external message will be the "key" that you have no control over, and use to validate the integrity of your file and timestamp attribute.

The key/external message needs to come from a source that you have no influence over, and can rely on to provide that key again, including its origin metadata (when it was used, etc.) in the future if subpoenaed.

I'm thinking something like the secure NTP time sync from an official (i.e. government) source. I don't know enough about NTP or the heirarchy, but believe you can get digitally signed/secured updates from some sources; if so, that is probably the path you need to explore.

The next problem is putting that hash somewhere that can be validated and viewed by others, so you cant change things over time without being noticed. You are basically painting yourself into a corner...

Note: THIS IS NOT A COMPLETE ANSWER. I have a good grounding in crypto concepts, but I'm not a math guy nor a crypto-geek. These are basic, journeyman concepts. You have a lot of research to do.