ARRANGEMENT WITHIN THE FIELD OF BIOMEDICINE
BACKGROUND TO THE INVENTION
In the biotechnology industry, photographs are often used as proof of test results. Thus, it is of the greatest importance that such photographs are as authentic as possible. Even the date of testing is important as evidence of who was first with a result. Furthermore, pharmaceutical agencies such as the USA's FDA place strict requirements on the administration of tests. Currently, many biotechnology companies and research institutes use a system that involves the photographs being manually signed by the person who carried out the analysis. These may then be countersigned by another person who certifies that everything has been properly executed. The photographs are then manually pasted into books. This normally takes place after the picture has been touched up in an image editing program, e.g. Photoshop. There are legitimate reasons for such adjustments, e.g. to improve contrasts, remove "noise" and other distracting phenomena from the picture, etc. The picture is then printed out, signed and entered in a logbook. Thus, what is stored in the logbook is the image-edited picture. There are several disadvantages with this methodology. For example, the modified picture may no longer contain elements that the image editor believed to be unimportant, but which another person may have considered important from an overall viewpoint. Unfortunately, small "self-deceptions" are more common than is probably imagined and there is sometimes a hair-fine boundary between touching up a picture to accentuate what it shows and removing information that may contradict the claimed result. In individual cases, there may even be reasons (e.g. obtaining research grants, employees feeling the pressure to show results, etc.) for deliberate "cheating". As the original photograph is normally thrown away after use of image editing software, it is very difficult to discover such lapses or cheating. A further disadvantage of this system is that it is not computerised.
Administration via logbooks impedes both searching for results and exchanging information inside and outside the company.
DESCRIPTION
The present invention proposes a system that solves these problems and makes it difficult to cheat or to unintentionally adjust pictures incorrectly in the photograph stages.
The system is computerised and comprises a digital logbook in which it is possible to study the unedited, original photograph and various adjusted versions. Thus, in cases of uncertainty, it is always possible to access the original picture and have an independent party make any adjustments. A further advantage of the system is that every original photograph that is adjusted can be traced back to the point of time when it was saved. The proposed system additionally entails a simple process for administering digital logbooks.
The invention uses a technique involving time stamps and digital signatures. These are detailed hereinafter.
The invention does not modify the customary testing procedures. Use of the invention begins only when a digital photograph of test results is taken. When taken, the photograph is time stamped and signed using a digital signature. It is then sent directly to the change tracker. Time stamping can advantageously be carried out over the internet by an authorised time stamping company. This involves encrypted time information being linked to the picture. The signature is created by the analyst signing with a unique digital signature that automatically links his/her name to the digital picture. This picture is completely unmodified and provides the basis for the photograph of the test results. The picture is given a first version number (e.g. 1.0) and is a digitally unaltered reproduction of the test results. The authenticity of the picture is safeguarded by the time stamp and the digital signature.
From the change tracker, raw data (version 1.0) can be downloaded and touched up in an image editing program, e.g. Photoshop. Work can be done on this picture over several days and saved locally. When all the desired adjustments have been made (e.g. lines sharpened), the picture can be uploaded to the change tracker. The picture is time stamped, signed digitally and then saved (by the change tracker) under a new version number (1.0xxx). This means that several different variants of the picture can be saved in an unambiguous way. The picture with the raw data remains available throughout and it is possible to identify the various aspects that the image editor has chosen to emphasise in other versions.
Consequently, by studying the versions up until the final picture, it is possible to follow the steps that an image editor has taken to achieve a certain result.
All of this ensures increased security in the laboratory. The risk of unintentional errors and "cheating" is considerably reduced. To cheat, the individual now has to manipulate the test itself. Earlier, it was possible to adjust the picture manually, or in Photoshop, and edit out "inconvenient" details.
As information is stored digitally, comparison with other results is facilitated and pictures can be sent to other people via, for example, e-mail. The change tracking system is also accessible to other authorised people in the company and several individuals can work on the same picture and make the adjustments they require. When an individual is satisfied with the changes he/she has made, a version is uploaded to the change tracker. Digital signing means that it is also possible to see who has produced the various pictures.
Digital signatures can be used to: ensure that electronically transmitted information packages are not altered; verify who has sent information; and prevent the sender later denying the sending of the message. The connection between a digital signature and a definite person can be attested in a certificate. The certificates are issued by a trusted third party, a Certification Authority (CA). A digital signature is a function that guarantees the contents and authenticity of an electronic document. The function is the result of a combination of asymmetric encryption technology and hash function technology. The hash function is used first to create a compressed package (a hash value) of the electronic document; this package is firmly tied to the original message. The asymmetric encryption, with a private (secret) key, ties the originator to the compressed package.
When a file is saved in a file system, the time of saving is also normally saved. Certain applications even save time details inside the file. Document retrieval systems also save different versions and are exact as regards times. However, all these systems suffer from the shortcoming that it is possible (and even easy) to alter the creation and modification dates. For example, the system's clock can be reset. Using PKI technology, a more stringent time stamp can be obtained. According to the IETF, a "global time stamp" involves a checksum (calculated on the data) and time information being signed by a "trusted third party" (TTP).
The time stamp comprises a checksum, time, signature and information (the "certificate") identifying the trusted third party. Using this time stamp (and the information), any future investigator can determine whether information has been changed after the time stamping. It is perhaps worth noting that only the checksum (and not the information) is sent to the TTP.
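The flow described above (hash the picture, send only the checksum to the TTP, receive checksum, time and TTP signature back, have the analyst sign the stamped package, store it as version 1.0 and later edits as 1.0xxx) as an added Go example; this is not code from the patent. It simulates the time stamping company in-process with an Ed25519 key pair standing in for the TTP's certificate, uses the analyst's Ed25519 public key in place of a CA-issued certificate, and reads "1.0xxx" as 1.0001, 1.0002, ...; all of these are assumptions, as is the sample image content.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Key pair of the trusted third party (TTP); simulated in-process, remote on the page.
var ttpPub, ttpPriv, _ = ed25519.GenerateKey(rand.Reader)

// TimeStamp is the page's token: checksum, time and the TTP's signature over both.
type TimeStamp struct {
	Checksum []byte
	Time     int64
	Sig      []byte
}

// Record is one stored version; AnalystPub (the analyst's certificate) names the signer.
type Record struct {
	Version    string
	Image      []byte
	Stamp      TimeStamp
	AnalystSig []byte
	AnalystPub ed25519.PublicKey
}

// Tracker keeps every version ever uploaded; nothing is overwritten.
type Tracker struct{ Records []Record }
// stampedBytes is what the TTP signs: the 32-byte checksum followed by the time.
func stampedBytes(checksum []byte, t int64) []byte {
	return append(append([]byte{}, checksum...), fmt.Sprint(t)...)
}

// signedPkg is what the analyst signs: checksum, time and the TTP's signature.
func signedPkg(st TimeStamp) []byte {
	return append(stampedBytes(st.Checksum, st.Time), st.Sig...)
}

// Stamp plays the TTP: only the checksum, never the picture, reaches it.
func Stamp(checksum []byte, now int64) TimeStamp {
	return TimeStamp{checksum, now, ed25519.Sign(ttpPriv, stampedBytes(checksum, now))}
}

// Upload: hash the picture, time stamp it, have the analyst sign, file it as the next version.
func (tr *Tracker) Upload(img []byte, key ed25519.PrivateKey, now int64) Record {
	sum := sha256.Sum256(img)
	st := Stamp(sum[:], now)
	ver := "1.0" // raw data straight from the camera or scanner
	if n := len(tr.Records); n > 0 {
		ver = fmt.Sprintf("1.%04d", n) // edited versions: 1.0001, 1.0002, ...
	}
	r := Record{ver, img, st, ed25519.Sign(key, signedPkg(st)), key.Public().(ed25519.PublicKey)}
	tr.Records = append(tr.Records, r)
	return r
}

// Verify is what a future investigator runs; any change after stamping fails the hash check.
func Verify(r Record) error {
	if sum := sha256.Sum256(r.Image); !bytes.Equal(sum[:], r.Stamp.Checksum) {
		return errors.New("picture altered after time stamping")
	}
	if !ed25519.Verify(ttpPub, stampedBytes(r.Stamp.Checksum, r.Stamp.Time), r.Stamp.Sig) {
		return errors.New("time stamp signature invalid")
	}
	if !ed25519.Verify(r.AnalystPub, signedPkg(r.Stamp), r.AnalystSig) {
		return errors.New("analyst signature invalid")
	}
	return nil
}

func main() {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	orig := (&Tracker{}).Upload([]byte("constructed sample: raw microplate scan"), key, 1700000000)
	fmt.Println(orig.Version, Verify(orig)) // 1.0 <nil>
}
```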
SHORT DESCRIPTIONS OF THE DRAWINGS
In the following, the present invention will be described with the assistance of five example designs that are explained in 6 figures.
Figure 1 shows a schematic overview of the system.
Figure 2 shows a block diagram of a first possible design of the invention.
Figure 3 shows a block diagram of a second possible design of the invention.
Figure 4 shows a block diagram of a third possible design of the invention.
Figure 5 shows a block diagram of a fourth possible design of the invention.
Figure 6 shows an example of a system design in practice (with an external change tracker, "picture storage provider").
Figure 1 shows a schematic overview of the system. Photographic documentation equipment takes a picture of the laboratory test. This picture is time stamped and signed using a digital signature. It then goes to the change tracking system where a first, unmodified version is stored. Said change tracker comprises a computer that communicates with the time stamping and signature units so that pictures or documents that are uploaded to the system are given a time stamp (corresponding to the time of uploading) and a digital signature. The files, with their attached time stamp and digital signature, are saved digitally on a specially created (for the change tracker) area of a hard disk. The files are given a version number corresponding to the file's "history". In example 1, the original data from the photographic equipment is given version number "1.0". However, other numbering variants can also be used.
Only original data from the photographic equipment is given a first version number (e.g. 1.0).
Below, a number of designs (FIRST to FOURTH) are described using various block arrangements with the image editor also serving as the change tracker. There is also a FIFTH design where the image editor interacts with an external change tracker (picture storage provider) via a communication medium, e.g. the internet or similar.
FIRST DESIGN
Figure 2 shows a block diagram of a first possible design of the invention. In this design, the time stamping unit (201) and the signature unit (203) are built into the reproduction unit. Reproduction unit here means equipment such as cameras and scanners.
One of the photograph documentation components (200) in the reproduction unit scans or photographs the object to be reproduced, e.g. a microplate. How photographing/scanning is carried out is not of importance to the invention. Here, it can be seen that a digital picture is created. This picture is sent directly to time stamping unit 201, where it receives a time stamp. Time stamping unit 201 calculates a unique hash value for the picture. Via communication unit 202, unit 201 makes contact with an authorised time stamping company and sends a checksum. A time stamp comprising a checksum, time, signature and information is returned to the time stamping unit. Contact can be via the internet, the telephone system or other communication equipment. Under these conditions, both the time stamping unit (201) and the communication unit (202) can be software.
Once time stamping unit 201 has stamped the digital picture, the picture is sent to signature unit 203. Signature unit 203's function is to add one or more digital signatures to the digital picture. Via communication unit 202, signature unit 203 requests a code that is necessary for digitally signing the picture. It then signs the picture. This code could be, for example: a personal number combination that is keyed in by the operator; a code based on a fingerprint, DNA or retina scan; or a code on a personal card that is read digitally. Signature unit 203 can also add a reproduction unit unique number to the picture and, to assist the change tracker, a version identification number. Under these conditions, the signature unit (203) can be software.
Via communication unit 202, the time stamped and electronically signed picture is then sent from the reproduction unit to the change tracking system (205). Assigning it a version number, change tracking system 205 saves the time stamped and electronically signed picture. As this picture is based on untreated raw data from photographing/scanning, it is stored as such and cannot be modified without changing the version number. From the change tracking system (205) an image editing program can now download the picture and adjust it as necessary. When worthwhile adjustment has been made, the adjusted picture can be uploaded to change tracker 205 so that a new version of the picture can be stored. To time stamp the new version, change tracker 205 contacts time stamping unit 201 via communication unit 202. The time stamped picture is then sent to signature unit 203 for digital signing. Finally, the picture once again returns (time stamped and electronically signed) to change tracking system 205, where it receives a new version number. Consequently, it is possible to follow the various handling stages through which a picture has gone and see its entire history. The image editing program can thus download both new and old versions as well as create new versions in the way described above.
A SECOND DESIGN
Figure 3 shows a block diagram of a second design. The principal difference between the first and second designs is the introduction of a timer (304) into the reproduction unit. In this design, time stamping unit 301 time stamps the picture using the time it receives from timer 304. Timer 304 is a clock, the time of which cannot be altered.
It is powered by an in-built battery that lasts throughout the timer's service life. To ensure its credibility, communication is encrypted internally using a key that is installed during the production of the timer. Time stamping unit 301 uses the time from timer 304 and enters encrypted time information and a checksum. These make it possible for an independent examiner to determine the point of time at which the information was created. The advantage of this design is that the equipment is not dependent on a continuous connection to an authorised time stamp provider. Time stamping unit 301 can be software.
It would also be possible to update and check the clock after a certain period of use. Such updating/checking could be effected using encrypted communication with an outside party (e.g. over the internet, via the telephone system or other means of communication).
The encryption key can be time limited and replaced using encrypted key updating from an external party. This key transfer can also take place over the internet, the telephone system or other type of communication means. In this way, the timer can receive a time limited certificate that can itself be updated at a later date.
A THIRD DESIGN
Figure 4 shows a block diagram of a third possible design. In the third design, time stamping and signing takes place in a unit that is separate from the reproduction unit. Communication between the reproduction unit and this separate unit is encrypted. Said communication can take place via various communication channels, e.g. serial port, parallel port, ethernet, USB, firewire or other communication means. The encryption of the communication between the reproduction unit and the external unit is analogous to that of the external communication in the previous designs.
The reproduction unit sends an encrypted digital picture to communication unit 401. The picture then goes to time stamping unit 402 to be time stamped. Time stamping unit 402 calculates a unique hash value for the picture and, via communication unit 401, makes contact with an authorised time stamping company and sends a checksum. A time stamp comprising a checksum, time, signature and information is returned to time stamping unit 402. Contact can be via the internet, the telephone system or other communication equipment. Under these conditions, both the time stamping unit (402) and the communication unit (401) can be software.
Once time stamping unit 402 has stamped the digital picture, the picture is sent to signature unit 403. Signature unit 403's function is to add one or more electronic signatures to the digital picture. Via communication unit 404, signature unit 403 requests a code that is necessary for electronically signing the picture. It then signs the picture. Signature unit 403 can also add a reproduction unit unique number to the picture and, to assist the change tracker, a version identification number. Under these conditions, the signature unit (403) can be software.
Via communication unit 404, the time stamped and electronically signed picture is then sent from the reproduction unit to the change tracking system (405). Communication between the change tracking system and the separate unit is as in the first design, with the difference that it passes through communication unit 404. Under these conditions, both the signature unit (403) and the communication unit (404) can be software.
A FOURTH DESIGN
Figure 5 shows a block diagram of a fourth possible design. The principal difference between the third and fourth designs is that the timer (504) has been placed in the separate unit.
In this design, time stamping unit 502 time stamps the picture using the time it receives from timer 504. Timer 504 is a clock, the time of which cannot be altered. It is powered by an in-built battery that lasts throughout the equipment's service life. To ensure its credibility, communication is encrypted internally using a key that is installed during the production of the timer. Time stamping unit 502 uses the time from timer 504 and enters an encrypted time and a checksum. These make it possible for an independent examiner to determine the point of time at which the information was created. The advantage of this design is that the equipment is not dependent on a continuous connection to an authorised time stamp provider. Time stamping unit 502 can be software.
It would also be possible to update and check the clock after a certain period of use. Such updating/checking could be effected using encrypted communication with an outside party (e.g. over the internet, via the telephone system or other means of communication).
The encryption key can be time limited and replaced using encrypted key updating from an external party. This key transfer can also take place over the internet, the telephone system or other type of communication means. In this way, the timer can receive a time limited certificate that can itself be updated at a later date.
A FIFTH DESIGN
Figure 6 shows a diagram of a design with an external change tracker, here called "picture storage provider" or "storage provider". This design integrates into the selected program and technology solutions set out in the designs described above. The description below introduces slightly different terminology such as "operator" (the picture creator), etc. These are made clear in the text. See figure 6.
The main actor is the operator, e.g. a research laboratory or a DNA analysis laboratory that has prepared an object (1) that it wishes to be pictorially documented.
This object (1) is here sketched as being placed on a table with a suitable background, lighting, etc. The operator has an appropriate system (software, chip with microcode, account with a storage provider, etc.). The camera (2) is connected, via an interface (3), to the operator's computer (4). To help in composing the picture, this shows what the camera sees. Via the chosen communication medium, e.g. the internet, the interface (3) can communicate directly with the picture storage provider.
In its turn, the computer (4) is connected, via a secure line (5), to the communication medium (6) - internet, telephone line/broadband modem, fibre cable, etc. - to the picture storage provider (7). The picture storage provider, in its turn, is connected (8) to the medium and, thereby, also to an external time information provider (9) or to its own, secure time delivery system (10). In this sketch, all checking and execution of picture identification/authenticity programs using algorithms, encryption, etc. has been placed with the picture storage provider. The picture storage provider may have access to, and also be connected to, other suppliers (12) of, for example, encryption programs or other programs of interest to the picture storage provider, operator or any customers to which, for the purpose of obtaining copies of pictures, the operator has granted access to the picture storage provider's service. Naturally enough, there is nothing to prevent the operator being connected (11) to the time information provider, even if this does not relate to the authentication creation process.
The operator, who is on-line with the picture storage provider, decides when the object is ready to be photographed. When the picture storage provider receives the go-ahead from the operator, the provider sends a trigger signal to the interface (3) and the operator's computer. The time of the trigger signal is unknown to the operator, but it is within milliseconds of the go-ahead. The trigger signal is processed in the interface. Via a signal to the camera, this commences the picture taking process. The signal may carry encrypted time information that the interface obtained directly from the picture storage provider and which can only be interpreted by the software in the interface. The security of the software can be safeguarded by, for example, microcode in a unique chip (or any other accepted means).
The picture taken at this point is automatically "defined" as the original and is instantaneously sent to the storage provider where it is provided (integrated) with encrypted time information, a picture identification code, information on the connected operator, etc. It is then stored in a register of originals and also in a physically separate service register at the picture storage provider's premises. Before storage, the calculation/attribution of picture authentication codes, etc. takes place partly in the interface and partly within the picture storage provider's facilities. This process cannot be affected by the operator (i.e. the creator of the picture). The picture defined as the original is physically tied to the added picture security information. This latter cannot be removed from the original without the original becoming unusable or it being readily obvious that the picture is not classed as an original and that it has been modified/manipulated.
The picture storage provider holds the authentic original and, at the same time, a copy defined as original. As a "picture service", this can be made available, in accordance with the operator's wishes and own needs, to stipulated "interested parties". The service embraces dispatch and reception of pictures (copies, etc.), each request or event being automatically logged with, amongst other things, time, identity, account, storage, etc. information.
The first copy (in all respects "authenticity safeguarded") is automatically and immediately sent back to the operator. Neither the operator nor anyone else can remove the authenticity information. Similarly, it cannot be called up in any way that makes it understandable and accessible for public purposes. However, the operator can modify/manipulate the picture and instruct the storage provider that the modified picture is to be stored and (with the new picture's authenticity information revealed and available for public purposes) made accessible to others, etc. (as per any agreements on scope, etc.).
When the storage provider, at a time after the taking of the original picture, receives a modified copy, this is given new picture authenticity information, number, time information, etc. It is also provided with information declaring that the picture deviates from the original (but it is not stated how or to what extent). Deviation is calculated/quantified by the picture storage provider and linked to the relevant picture in the storage medium. It is only made available on order and, for example, in different classes (as per agreement with the operator).
The essentials of the above-detailed application of the invention are that:
a) the operator and picture storage provider have separate roles.
b) picture taking is effected in a system that is controlled entirely by the picture storage provider.
c) picture taking occurs after the object, camera, etc. have been correctly adjusted, but otherwise without the operator's participation. It is also automatic through online connection via an unbroken, electronic communication line that itself senses if it is incorrectly connected.
d) an externally involved party acts as the authorised issuer of the definition and the authenticity information of the original picture.
e) each copy receives its own authenticity declaration and sequence number through an external party (the picture storage provider/change tracker) and not through the operator or any other party.
f) there is a visible guarantee of authenticity with the possibility of classing the authenticity of all published pictures. An example of such a class is "for public purposes" - which cannot be manipulated or modified, but which can be traced to, or tested against, the original (or is even indicated as such on the picture supplied by the picture storage provider).
Obviously, it is not possible to eliminate the possibility of subsequent photographic manipulation, e.g. by taking a picture of the electronic picture supplied by the picture storage provider and cutting and pasting said picture. If the picture identification is cut away, the picture has no value as an authenticated picture. Where the picture does have identification, it has putative "authenticated value", which can be checked by connecting up to the picture storage provider. The provider can then supply an original picture or receive the picture to be examined and immediately give a verdict on deviations from the original, etc.
What has above been outlined in respect of picture documentation can be equally applied to all electronically transferable information (documents, etc.) that can have their authenticity safeguarded in a corresponding manner.