XML versions of online federal regulations lack signature of authenticity

The Government Printing Office posted information in a format to allow manipulation of the data while it looks for a way to digitally sign the documents to indicate they have not been altered.

The Government Printing Office, which last week posted the code of federal regulations online, still hasn't developed a method to assure users that the documents are authentic, and is not clear when it will find a solution, said the agency's chief information officer.

GPO posted the regulations last month on government Web sites such as Data.gov, the federal portal for government data sets, and its own federal digital system using the Extensible Markup Language format. XML, the more common way to refer to the software language, is a versatile and machine-readable format that allows individuals to manipulate information to find relationships and other insights within the data. That includes creating so-called mashups, which combine data from different sources to produce new applications.

But the format poses a problem for GPO, the official body that disseminates government documents, because the agency must prove the online documents are authentic interactive versions of the law and have not been changed in any way.

A digital signature, like a wax seal, provides proof that an electronic document is the original and has not been altered. PDF versions of the code of federal regulations can be digitally signed because their content is securely locked down and because reader software on the market facilitates the authentication process.

The inability to read a digital signature in an XML file has raised concerns, especially among some law librarians, that legal information online could be changed and the public would not know it.

But John Joergensen, reference librarian and online law publisher at Rutgers University's School of Law, stressed the benefits of posting the regulations in an XML format despite its limitations. "Although it may be difficult to verify the digital signature of XML files, I have real problems with the fact that people are downplaying its importance and reliability when it is the most useful format for enabling creative uses of information," he said.

A shortage of workable readers are on the market to support digital signatures in XML files even though "the technology is available to create a digital signature in an XML format that won't be broken when the document is reformatted," said Thomas Roessler, security activity lead at the World Wide Web Consortium, an international organization that develops web standards.

Michael Wash, CIO at the Government Printing Office, said the agency plans to hold an industry day this year to develop a solution. GPO will issue a request for information and use the feedback to guide it in how they work with industry partners to come up with a system.

"There is the technology. We're not talking rocket science," Wash said. "There isn't a quick and convenient way to get around this issue. And it will be a matter of time to develop this solution."

On Data.gov, a message states, "The current XML data set is not yet an official format of the Federal Register. Only the PDF and text versions have legal status as parts of the official online format of the Federal Register." It directs users who "require a higher level of assurance" to consult the official version of the Federal Register.