171 research outputs found

    Friends, Gangbangers, Custody Disputants, Lend me your Passwords

    Whenever parties seek to introduce out-of-court statements, evidentiary issues of hearsay and authentication will arise. As methods of communication expand, the Rules of Evidence must necessarily keep pace. The rules remain essentially the same, but their application varies with new modes of communication. Evidence law has been very adaptable in some ways, and notoriously conservative, even stodgy, in others. Although statements on Facebook and other social media raise some interesting questions concerning the hearsay rule and its exceptions, there has been little concern about applying the hearsay doctrine to such forms of communication. By contrast, such new media have triggered what could be characterized as a judicial freak-out concerning how to authenticate statements made via social media. Part II defines and explains the function of social media and Part III discusses where evidence from social media currently appears in modern trials. (The short answer is everywhere). Part IV discusses hearsay questions raised by statements on Facebook and Twitter, arguing that with some small exceptions, the rules are perfectly well-suited to deal with such new media and that courts face few problems in doing so. Part V documents the divergent approaches courts have taken to authenticating evidence from social media. Although some argue that the capacity for false authorship and fraud is so great that new rules are necessary, the majority of scholars and practitioners believe that the current rules of authentication are adequate, though there is much disagreement about their application. After setting out the evidence standard for authentication and the various approaches of recent cases, Part IV criticizes the overly cautious and stingy approach of some courts. Part VI advocates for the more open approach to authenticating social media adopted by some courts. 
It goes further, arguing for a rebuttable presumption of authenticity barring credible evidence of appropriation or hacking. As with other types of technology when first introduced — photographs, telephone calls, x-rays — an inevitable transition period exists as courts gradually become familiar with the new mode of transmitting information and less fearful of undetectable fraud. In the meantime, it is satisfying to reflect how the Rules of Evidence, properly applied, continue to be an excellent source for accommodating new and sometimes challenging forms of out-of-court communication.

    Anonymity and trust in the electronic world

    Privacy has never been an explicit goal of authorization mechanisms. The traditional approach to authorisation relies on strong authentication of a stable identity using long term credentials. Audit is then linked to authorization via the same identity. Such an approach compels users to enter into a trust relationship with large parts of the system infrastructure, including entities in remote domains. In this dissertation we advance the view that this type of compulsive trust relationship is unnecessary and can have undesirable consequences. We examine in some detail the consequences which such undesirable trust relationships can have on individual privacy, and investigate the extent to which taking a unified approach to trust and anonymity can actually provide useful leverage to address threats to privacy without compromising the principal goals of authentication and audit. We conclude that many applications would benefit from mechanisms which enabled them to make authorization decisions without using long-term credentials. We next propose specific mechanisms to achieve this, introducing a novel notion of a short-lived electronic identity, which we call a surrogate. This approach allows a localisation of trust and entities are not compelled to transitively trust other entities in remote domains. In particular, resolution of stable identities needs only ever to be done locally to the entity named. Our surrogates allow delegation, enable role-based access control policies to be enforced across multiple domains, and permit the use of non-anonymous payment mechanisms, all without compromising the privacy of a user. 
The localisation of trust resulting from the approach proposed in this dissertation also has the potential to allow clients to control the risks to which they are exposed by bearing the cost of relevant countermeasures themselves, rather than forcing clients to trust the system infrastructure to protect them and to bear an equal share of the cost of all countermeasures whether or not effective for them. This consideration means that our surrogate-based approach and mechanisms are of interest even in Kerberos-like scenarios where anonymity is not a requirement, but the remote authentication mechanism is untrustworthy.

    Managing Identity Management Systems

    Although many identity management systems have been proposed, intended to improve the security and usability of user authentication, major adoption problems remain. In this thesis we propose a range of novel schemes to address issues acting as barriers to adoption, namely the lack of interoperation between systems, simple adoption strategies, and user security within such systems. To enable interoperation, a client-based model is proposed supporting interworking between identity management systems. Information Card systems (e.g. CardSpace) are enhanced to enable a user to obtain a security token from an identity provider not supporting Information Cards; such a token, after encapsulation at the client, can be processed by an Information Card-enabled relying party. The approach involves supporting interoperation at the client, while maximising transparency to identity providers, relying parties and identity selectors. Four specific schemes conforming to the model are described, each of which has been prototyped. These schemes enable interoperation between an Information Card-enabled relying party and an identity provider supporting one of Liberty, Shibboleth, OpenID, or OAuth. To facilitate adoption, novel schemes are proposed that enable Information Card systems to support password management and single sign on. The schemes do not require any changes to websites, and provide a simple, intuitive user experience through use of the identity selector interface. They familiarise users with Information Card systems, thereby potentially facilitating their future adoption. To improve user security, an enhancement to Information Card system user authentication is proposed. During user authentication, a one-time password is sent to the user's mobile device which is then entered into the computer by the user. Finally, a universal identity management tool is proposed, designed to support a wide range of systems using a single user interface. 
It provides a consistent user experience, addresses a range of security issues (e.g. phishing), and provides greater user control during authentication. EThOS - Electronic Theses Online Service, GB, United Kingdom