What is the most credible timestamp I can create for a digital file?
Just last week I heard of this Proof of Existence service that makes a secure digest of your file and gets it added to the public Bitcoin blockchain.
So henceforth and forevermore (or until Bitcoin is cracked or abandoned), you'll have publicly-certified, publicly-verifiable proof that THAT particular instance of your file existed at that time. Even if the Proof of Existence web service goes away, you could conceivably use a blockchain explorer tool to show the earliest date that your secure digest showed up in the blockchain.
Much like with public key cryptography, where you are relying upon some trusted authority for identity, there are timestamp authorities. An organization can set up one internally or could rely on a trusted third party (or multiple trusted third parties) to sign a document.
If the timestamp authority is trusted, then you can provide reasonable assurance of the time it was stamped (not necessarily created or modified). A timestamp generally relies upon cryptographically signing a hash and cryptographically signing a token for the timestamp. In this way you have some trusted authority validating the time and the document.
Acrobat and other PDF programs allow you to point to a timestamp server which you can then use when signing files (or just timestamp them). There are also ways of doing this manually against a file.
A good place to start is with RFC 3161 + RFC 3628 and this article on "trusted timestamps". Check out a related question on Stack Overflow, and this one on Crypto.
For any specifics on legality and court admissibility, please reach out to specific legal counsel familiar with that particular court's requirements.
Some laws and directives for various regions:
- Directive 1999/93/EC / European Directive on a community framework for Electronic Signatures (Europe)
- The Electronic Signatures in Global and National Commerce Act, 2000 (USA)
There are also a lot of SaaS solutions where you can click to sign, but you rely upon the mechanisms of the service, which may not tie to any standard. I have been asked to sign documents using the DotLoop service, but have not evaluated their tech specs.
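What a manual RFC 3161 request looks like, as an added example that is not part of the answer above: the sketch below builds a DER-encoded TimeStampReq for a constructed sample input, which shows that only the SHA-256 digest of the file goes to the timestamp authority, never the file itself. The function names are hypothetical, and sending the request and validating the signed reply are left out.

```python
import hashlib
import secrets

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag, content):
    """Encode one DER tag-length-value, short or long length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def der_int(value):
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(data, nonce=None, cert_req=True):
    """Build an RFC 3161 TimeStampReq (version 1) over SHA-256(data)."""
    digest = hashlib.sha256(data).digest()
    algorithm = der(0x30, SHA256_OID + der(0x05, b""))   # AlgorithmIdentifier
    imprint = der(0x30, algorithm + der(0x04, digest))   # MessageImprint
    if nonce is None:
        nonce = secrets.randbits(64)   # lets you match the reply to this request
    body = der_int(1) + imprint + der_int(nonce)
    if cert_req:
        body += der(0x01, b"\xff")     # ask the TSA to include its certificate
    return der(0x30, body)

def hashed_message(request):
    """Return the 32-byte digest carried in a request built above.

    Offsets: outer header (2) + version (3) + imprint header (2)
    + AlgorithmIdentifier (15) + OCTET STRING header (2) = 24.
    """
    return request[24:56]

if __name__ == "__main__":
    sample = b"constructed sample document\n"   # constructed input, not real data
    req = build_timestamp_request(sample)
    print(len(req), "bytes:", req.hex())
    print("digest sent to the TSA:", hashed_message(req).hex())
```

Over HTTP, RFC 3161 carries these bytes in a POST with Content-Type `application/timestamp-query`; the reply contains the token signed by the authority over the same digest.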
One possible solution is to make a cryptographic hash, e.g. SHA256, of whatever data you want to use the timestamp with and then publish that hash; maybe on the internet, which includes saving by the Wayback Machine or Google cache, etc., or have it signed by a trusted party.
In many cases, the person whose potential later lawsuit you want to defend against has some relationship with you that may give him an incentive to sign it himself. In many cases, it may even be possible to put the burden entirely on that person simply by keeping a public log (website?) of such published hashes.
Whilst I am no lawyer, I believe even just continuing to consistently carry out such logging will help your case at least somewhat. That is the solution you asked for, providing some proof that you did not backdate the timestamp into the past because you could not know the hash (a one-way function) without having the data you wanted timestamped.