Frequently asked questions
HOW IS THE STORED DATA PROTECTED FROM LOSS OR DAMAGE (E.G. IN CASE OF HARDWARE FAILURE)?
We prevent the loss of material in custody on several levels. We store data in the form of a secure archive mirrored in two geographically separated repositories – Prague and Olomouc. A cyclical consistency check of the files is carried out independently in each of them. In case of any extraordinary event (e.g. failure of storage availability), a precise procedure is defined to correct and restore the entire storage system to its original state.
HOW IS THE SOURCE CODE PROTECTED FROM DISCLOSURE?
Our source code protection uses asymmetric cryptography. The material is encrypted using the public key of the software user. This makes the user the only entity able to decrypt the material. However, the user has access to the encrypted material only after it has been released from escrow. Our source code escrow technology thus fulfills a fundamental principle of security technology – the combination of knowledge of secrets (private key) and ownership (access to the material).
COULD IT BE THAT UP>SAFE ISSUES SOURCE CODES INDEPENDENTLY OR TO SOMEONE ELSE?
The conditions in the escrow agreement for the release of source code must always be objectively measurable and clearly set. The recipient of the source codes is also precisely defined and it is UP>SAFE’s responsibility to identify him. Typical events for the issuance of source codes are:
(i) software manufacturer bankruptcy
(ii) breach of SLA
(iii) termination of product support
HOW DO UP>SAFE SERVICES DIFFER FROM ADVOCATE CARE SERVICES?
At the outset, we can say that law firms, with few exceptions, do not have the technical means or procedural procedures for archiving and long-term management of digital data. At the same time, the activity of archiving digital data is also not an object of the practice of law. It is now quite clear that the storage of, most often, an optical data carrier or flash drive with an often indefinite lifetime is completely outside any data archiving standards. The security standards of physical data access, georedundancy requirements, audit trails of data over time and more are then completely obliterated.
Source code escrow at a law firm is one of the most widely used solutions to ensure the integrity of digital data and its release only if the escrow conditions are met.
Attorney’s custody is a specially regulated institution, but let us look at its legislative framework. Act No. 85/1996 Coll., on advocacy, as amended, regulates attorney’s custody as follows:
§56 (1) An attorney is authorised to administer other people’s property, including the taking of money and documents into custody for the purpose of their delivery to other persons and the performance of the functions of an insolvency administrator under a special legal regulation. ..
§ 56a (1) Money, securities or other property received by an advocate for administration shall be deposited by the advocate in a special account with a bank or other person authorised under special legal regulations to receive deposits or to administer securities or other property. ..
The Advocacy Act does not even mention the possibility of taking digital data or a data carrier as a custodial item. Only by a very extensive interpretation could we claim that a physical data carrier is merely an attachment to a document (e.g. a transfer protocol).
An equally important source of regulation are the regulations of the Czech Bar Association, namely “Resolution of the Board of Directors of the Czech Bar Association No. 7/2004, on the custody of money, securities or other client property by an attorney”.
Safekeeping of securities and other assets
(1) Securities or other property taken into custody by the lawyer shall be deposited by the lawyer in a safe deposit box leased in his name from a bank (hereinafter referred to as the “safe deposit box”). If an advocate practises in an association (Section 14 of the Act), the safe deposit box may be leased in the name of one of the advocates who is a participant in the association. If the law so permits, securities or other property taken into custody may also be deposited in the lawyer’s safe deposit box, provided that sufficient protection is provided in this way. ..
Here it is evident that the state regulations do not actually allow the use of modern (common) tools for data archiving.
Last but not least, law firms do not have sufficient technological know-how. Therefore, they cannot verify in any way that the stored data is indeed source and usable code. In contrast, we offer two levels of verification of the stored material, thanks to which we can verify that the stored e.g. source codes really belong to the application that the customer has installed in live operation.
IS IT POSSIBLE TO USE THE REPOSITORY FOR OTHER TYPES OF DIGITAL MATERIAL THAN SOURCE CODE?
Our escrow services can be used by anyone to store various types of digital materials. The important thing is that he has agreed with his counterparty what is the subject of the escrow and under what conditions these escrowed contents will be released. In addition to the escrow of source codes, our escrow services are therefore well suited for the escrow of, for example, the implementation documentation of various construction and engineering projects, which carry certain intellectual property of the contractor and are not handed over to the customer. Similarly, it can be a variety of production plans, design documents, technical documentation, which after some time make it much easier to modify the final product. Another suitable use is the custody of original photographs and source documents that lead to the creation of, for example, various marketing materials. Here again, the customer receives from the professional photographer usually only the final product, which is various flyers, templates, billboards… if after some time he requires only minor adjustments, he is forced to ask for the photographer to edit. Escrow services find their justification in such producer-customer relationships where the producer is forced to protect his know-how and the associated risks for the customer exceed an acceptable level. Anything can happen to the contractor without anyone wishing it.
BY DECOMPILING THE BINARIES IT IS POSSIBLE TO GET THE SOURCE CODE. SO WHY SHOULD WE KEEP THEM?
In principle, this is indeed possible. Unfortunately, decompiling machine code produces source code that is not easily readable (e.g. the programmer’s comments are not preserved). Moreover, source code alone is far from sufficient. Other program elements such as build scripts, build guides, development tool configurations, technical documentation, third-party tools are important… In practice, the software decompilation procedure could be successful only for small, non-complex software programs.