Many organisations collect sensitive data that cannot be freely shared. Hospitals store brain magnetic resonance imaging (MRI) scans on internal servers; banks keep transaction records behind strict firewalls; agricultural services retain crop images in isolated repositories. Federated learning (FL) allows models to be trained without centralising raw data, yet most existing systems address a single domain and offer limited insight into model behaviour and provenance over time. BlockFedX is a cross-domain federated learning system designed to address three simultaneous tasks: credit card fraud detection on tabular data, brain tumour detection on MRI images, and plant disease recognition on leaf images. These three domains were deliberately selected because they represent the principal data modalities in real-world privacy-sensitive deployments-structured tabular records, greyscale medical images, and colour natural images-and because public benchmark datasets exist for all three, enabling reproducible evaluation. The system uses a shared backbone that is updated only where model layers have compatible tensor shapes, while domain-specific output layers remain local at each client. Explanations are computed at the clients using SHAP feature-attribution for tabular data and Grad-CAM visual heatmaps for images; the server receives only compact statistical summaries. The server also applies a distance-based anomaly test on client updates and records model hashes, explanation summaries, and anomaly flags in a hash-chained ledger. Experiments on three public datasets under non-identical client data distributions show that BlockFedX achieves an average fraud-detection F1-score of 0.92, 74.32% mean validation accuracy on BrainMRI, and 77% test accuracy on PlantVillage, while keeping all raw data local. These results are below strong centralised baselines, as expected under compact models and non-IID splits, but the system simultaneously provides three properties rarely combined in prior work: cross-domain federated training via a shape-safe backbone, client-side explanations integrated into the learning loop, and a lightweight tamper-evident record of model evolution across rounds.
There has been a regulatory movement toward the required use of tamper-evident containers for fresh blue crab meat. North Carolina passed tamper-evident regulations in 1993. Blue crab processors had little information on possible changes in head-space gases, microbial growth, chemical decomposition, sensory quality, or shelf life caused by the new containers. Chemical, microbiological, physical, and sensory changes in fresh crab meat were monitored during 18 days of storage in ice and 13 days of storage refrigerated at 4 degrees C. "Special" blue crab meat, chosen for the study, is the least expensive commercial form of white crab meat. The crab meat was packaged in four retail containers: copolymer polyethylene cups with polyethylene snap-on lids, copolymer polyethylene cups with snap-on polyethylene lids fastened to the cup with heat-shrink low-density polypropylene seals, copolymer polyethylene cans with aluminum easy-open ends, and copolymer polypropylene cups with a tamper-evident pull-tab on the lid. Control samples packaged in industry standard copolymer polyethylene cups maintained higher oxygen levels than meat stored in tamper-evident containers. No consistent differences in quality or shelf life were detected among the containers. Market shelf life was limited to 6 days for meat held at 4 degrees C and 15 days for meat held at 0 degrees C. Sensory quality deteriorated 6 days earlier for crab meat held at 4 degrees C than meat held at 0 degrees C. Collateral work showed that toxin production by Clostridium botulinum neither occurred following 18 days of storage at 4 degrees C nor after 15 days of storage at 10 degrees C. Definite spoilage occurred before any toxin production. The study suggests that blue crab processors can safely use the new tamper-evident packaging, which has little or no effect on product quality or shelf life. Processors may choose appropriate packaging options using price, packaging quality, market appearance, and ease of production as the deciding criteria.
The Food and Drug Administration (FDA) is amending its regulations on tamper-resistant packaging to require that all over-the-counter (OTC) human drug products marketed in two-piece, hard gelatin capsules be sealed using a tamper-evident technology; to change the term "tamper-resistant" in the labeling of all OTC drug products to "tamper-evident;" and to specify that the required OTC drug product labeling statement must refer to all packaging features used to comply with the tamper-evident packaging requirements, including those on the secondary package, the immediate container or closure, and any capsule sealing technologies used. FDA is taking this action as a result of its continuing review of the potential public health threat posed by product tampering and to improve consumer protection by addressing specific vulnerabilities in the OTC drug market.
To assess whether HL7 FHIR Consent, as currently specified and deployed, is sufficient to support verifiable, regulation-aligned consent governance in distributed and cross-organisational health data sharing. We conducted a qualitative critical analysis of FHIR Consent informed by (i) peer-reviewed implementation literature, (ii) national-scale consent exchange initiatives, and (iii) accountability requirements under GDPR and the European Health Data Space (EHDS). The analysis is organized into four dimensions: semantic interpretability, consent lifecycle management, runtime enforcement, and cross-organisational trust/auditability. FHIR Consent provides an interoperable representation of authorisation intent, but large-scale deployments remain limited by (1) non-canonical semantics across implementations, (2) lack of standardized lifecycle versioning and cross-organisational revocation propagation, (3) heterogeneous translation of declarative consent into enforceable access control, and (4) limited capability for independent verification of consent provenance and historical integrity across institutional boundaries. We derive an architecture pattern that separates (a) standards-based consent representation (FHIR Consent), (b) local policy interpretation/enforcement, and (c) cross-organisational integrity verification. Cryptographic integrity anchoring is discussed as a complementary mechanism for tamper-evident verification of off-chain consent artifacts and lifecycle events, without externalizing consent semantics or personal data.
As counterfeit components become increasingly prevalent, encoded surfaces, particularly physically unclonable functions (PUFs), have emerged as powerful tools for secure part authentication and reliable traceability. However, significant challenges remain in fabricating unclonable surface structures in a high-throughput, scalable, and cost-effective manner while also ensuring robust encryption and secure authentication. This work aims to address the existence gaps by introducing an innovative approach to PUF manufacturing utilizing the cold spray (CS) particle deposition technique, complemented by algorithmic feature extraction and cryptographic surface encoding. In our approach, a mixture of metal and fluorescent microparticles is deposited onto an aluminum (Al 5052) substrate by leveraging the process-specific two-phase (gas-solid) turbulent flow characteristic of the CS process. The inherent stochasticity of the CS flow leads to a random distribution of fluorescent particles, generating unique, physically unclonable luminescent patterns on the target surface. The spatial distribution of the optical fluorescent particles is then captured under UV light (365 nm) exposure and subsequently processed through image binarization. Features are extracted from this distribution by using Voronoi analysis. The extracted features are then encrypted using the SHA-256 cryptographic algorithm to generate a secure "certification key" for part authentication. Experimental results demonstrate the effectiveness of the proposed manufacturing approach for high-throughput, scalable PUF production, confirming its suitability for robust part authentication and its reliability under environmental stressors (e.g., thermal cycling, chemical exposure). The developed method shows strong potential for enabling tamper-evident part authentication solutions to address the growing threat of counterfeiting in critical sectors, such as aerospace, defense, and advanced manufacturing.
Industrial IoT (IIoT) environments face growing cyber threats due to device heterogeneity and cyber-physical integration. This study proposes a Zero Trust-enhanced intrusion detection framework integrating deep learning anomaly detection, differential privacy, lightweight blockchain-inspired hash-chained ledger and Digital Twin-based situational awareness and visualization of device trust states, designed for low-latency inference suitable for near-real-time IIoT monitoring .A unified dataset was constructed by merging NSL-KDD, CICIDS-2017, and IoT-23 (2,513,419 raw samples unified to 143 features, balanced to 100,000 samples across Normal, DoS, Probe, R2L, U2R classes using SMOTE). Mutual information-based feature selection reduced features to 25. Optimized Multilayer Perceptron (MLP) and CNN–BiLSTM models achieved 89–91% accuracy and 0.89–0.91 macro F1-score, with near-perfect rare-attack detection (F1 ≈ 1.00 for R2L/U2R). Differential privacy (Laplace, ε = 25) reduced accuracy to ~ 78%, quantifying the privacy-utility trade-off. The decoupled Zero-Trust Manager dynamically updates trust scores based on prediction confidence, with tamper-evident SHA-256 hash-chained logging adding negligible latency (~ 1.04–1.06 s for 500 samples). This lightweight, centralized design offers strong cross-domain generalization and deployability for resource-constrained IIoT.
Background Clinical randomization requires more than approximate 1:1 allocation. It also requires sequence generation that is difficult to subvert, allocation concealment during enrollment, and an audit trail that can withstand retrospective review. Objective The primary objective of this proof-of-concept technical and methodological evaluation was to assess the inspectability and audit-oriented design of a lightweight Python-based two-arm allocation prototype. Secondary objectives were to characterize its short-run demonstration behavior and compare its transparency, traceability, and operational limitations with common clinical randomization workflows. Methods We performed a static review of the supplied Python source file and a retrospective review of the supplied allocation log. Log analysis included descriptive arm counts, exact binomial testing for 1:1 balance, an exploratory runs test, and lag-1 autocorrelation. The implementation was interpreted in light of the clinical-trial randomization and pseudorandom-number-generator literature. Results The current source code implements a lightweight two-arm allocation randomization prototype with features intended to support auditability and tamper-evident traceability. Each allocation advances a xorshift-inspired 64-bit generator, maps the resulting integer to arm 1 or 2, and records the underlying output and assignment arithmetic in a human-readable log. An example test log was run and contained 2,000 allocations, with 502 versus 498 assignments in the first 1,000 events and 1008 versus 992 assignments overall. The current source code also implements session seed capture and a chained SHA-256 digest intended to strengthen sequential traceability and show evidence of tampering. Conclusions The prototype's principal improvement over many ad hoc local workflows is operational transparency rather than proven statistical superiority. Its strongest contribution is a short, inspectable code path and an audit-oriented logging structure. Additional hardening would be required before use in concealment-sensitive or regulated trial settings.
Electronic Medical Records (EMRs) are crucial to modern healthcare. However, traditional relational databases fail to fulfill increased expectations for integrity, auditability, and compliance in regulated environments. This paper proposes a Hybrid Blockchain Migration Framework that integrates a conventional MySQL-based EMR system (OpenMRS) with a permissioned blockchain network (Hyperledger Fabric). Sensitive data fields are selectively mirrored to the blockchain, ensuring tamper-evident logging while retaining the high performance of SQL for routine operations. A middleware layer, implemented using Java Spring Boot, monitors changes in the EMR and commits cryptographic hashes and metadata to the blockchain in near real-time. We evaluate the hybrid system against both standalone MySQL and full-blockchain implementations using controlled benchmarks, analyzing latency, throughput, resource utilization, and auditability. Results show that the hybrid architecture sustains near-native responsiveness (median 2.1 ms versus 1.6 ms for pure MySQL and 60.5 ms for Fabric) and delivers 480 Transaction Per Second (TPS), while incurring only modest overhead (47% of i7-9750H CPU, 1.15 GB RAM) and enhancing data integrity and compliance with regulations such as Oman's Personal Data Protection Law (PDPL). The framework is extensible to multi-institutional deployments and supports regulatory alignment, making it a viable pathway for blockchain adoption in clinical settings.
Intrusion Detection Systems (IDS) are considered critical security tools in ensuring network infrastructure security. However, recent studies on machine learning-based IDS systems are often constrained by their heavy dependence on a single dataset, lack of reproducibility, and lack of transparency in evaluating their performance. In addressing these challenges, a unified and transparent framework for evaluating IDS systems is proposed, which focuses on integrating feature harmonization, multi-model benchmarking, and statistical validation. In achieving this objective, a preprocessing pipeline is designed to harmonize features of both legacy and contemporary network intrusion datasets, i.e., NSL-KDD and CICIDS2017, respectively. This framework will assess various learning models, including supervised, unsupervised, deep learning, and ensemble-based models, through cross-validation and statistical tests such as Wilcoxon signed-rank, McNemar's, and DeLong tests. Experimental results demonstrate that the Random Forest model performs best in terms of performance metrics, i.e., 98.0% accuracy and 97.0% F1-score on the harmonized data set. Moreover, feature harmonization is found to be the most important factor in improving performance using ablation analysis. Besides, a novel approach of using a cryptographic logging mechanism using SHA-256 hash chaining is proposed for tamper-evident traceability and reproducibility of results in experiments, though it is not as effective as using a blockchain-based approach. Although effective in its application, it is based on manual feature alignment and hence might not be effective in highly heterogeneous data sets.This work provides a unified, reproducible, and statistically grounded framework for evaluating IDS systems, focusing on generalization and transparency in cybersecurity research.
The EHDS Regulation establishes patient opt-out rights for data use, yet current implementations face fragmented registries and limited tamper-proof mechanisms. In this context, opt-out refers to a patient's proactive right to object to the reuse of their health data for purposes beyond direct clinical care. We propose a distributed ledger technology (DLT)-based architecture to enhance opt-out management. Using design research and regulatory analysis of EHDS and TEHDAS, we developed a proof-of-concept leveraging permissioned DLT, smart contracts, and decentralised identifiers for an immutable registry. This architecture aligns with EHDS requirements for tamper-evident audit trails and cross-border verification. This work bridges regulatory mandates with patient-centric governance across the EU.
This study examines physicians' perceptions of privacy and data protection in Turkey's national personal health record system, e-Nabız. While e-Nabız enhances continuity of care through centralized access to prescriptions, laboratory results, imaging, and clinical records, its centralized governance model raises concerns regarding unauthorized access, accountability, and alignment with professional privacy norms. To empirically investigate these concerns, we conducted a survey with 309 healthcare professionals. The results reveal a pronounced usage-trust paradox: although system usage is high (87%), only 56% of respondents consider existing data-protection mechanisms adequate, and a substantial proportion express concerns about potential misuse or leakage of health data. Importantly, physicians' concerns are not primarily directed at the absence of role-based access control (RBAC), but at the lack of verifiable enforcement, transparent oversight, and tamper-evident auditability of access decisions. This indicates a perceived misalignment between expected information flows grounded in the physician-patient confidentiality context and the opaque governance of access practices within the system. Based on these findings, the study derives a governance-oriented design implication: a supplementary layer in which RBAC decisions and access events are recorded through blockchain-supported immutable logs and smart contracts to enhance accountability and auditability. The proposed approach does not store medical data on the blockchain; rather, it aims to make authorization and access histories verifiable and resistant to manipulation. The study contributes a physician-centered empirical assessment of privacy governance in a nationwide digital health system and highlights the importance of transparent, enforceable access governance for sustaining professional trust.
Artificial Intelligence (AI) is increasingly being implemented in pharmaceutical sciences and has the potential to improve efficiency across the value chain, from drug candidate discovery to manufacturing, quality monitoring, and regulatory process support. Nonetheless, the integration of AI within the pharmaceutical sector encounters persistent obstacles, such as data interoperability and fragmentation, the necessity for model validation and governance to satisfy compliance standards, the potential for bias and accountability concerns, and deficiencies in workforce skills. This review consolidates significant advancements in AI applications, such as generative AI, laboratory automation, and the digital twin concept, highlighting that effective implementation relies on workflow integration, data quality and integrity, and sufficient human-in-the-loop mechanisms. We propose strategic recommendations centred on human resource readiness, governance structures, and technology maturity assessment to assist readers in differentiating feasible solutions from aspirational frameworks. Moving forward, research and adoption will likely highlight precision medicine and regulatory-industry collaboration mechanisms for AI evaluation. The integration of AI with supporting technologies such as tamper-evident provenance/audit layers (such as blockchain) remains exploratory and generally limited to pilots.
Electronic health records are distributed across different hospitals that work on powerful AI models but cannot be shared due to HIPAA and GDPR regulations. Federated learning (FL) avoids raw data sharing, yet lacks tamper-evident consent governance, adversarial robustness, and verifiable differential privacy (DP) accounting leaving regulatory compliance undemonstrated. To develop and externally validate BlockFedMed, a blockchain-orchestrated FL framework providing cryptographically verifiable consent, model-update integrity, and on-chain DP audits for multi-site ICU mortality prediction, and to quantify its operational clinical impact beyond algorithmic performance. BlockFedMed integrates Hyperledger Fabric v2.5 with a federated bidirectional LSTM and Gaussian DP (ε=3.2, δ=10-5). Three smart contracts govern consent (CMC), integrity (Mic), and incentive (Idc). The Byzantine fault-tolerant aggregator FedMed-Bft accepts only Mic-verified updates. Design-phase training used MIMIC-IV (n=52,167 ICU admissions). External validation used the entirely independent eICU Collaborative Research Database (n=200,859; 208 hospitals), unseen during model development. On external eICU validation, BlockFedMed achieved an AUROC of 0.841 (95% CI: 0.828-0.854) for in-hospital mortality, which was 7.4 points above Local-Only (p<0.001) and within 3.1% of the regulatory-prohibited centralised upper bound. Simulated consent-management latency fell 71% (from 28.3 min to 8.2 min per cohort) under controlled workflow conditions; prospective clinical measurement remains as future work. The Fabric network sustained 1240 TPS at 1.83 s latency. FedMed-Bft maintained AUROC ≥0.836 under six simultaneous Byzantine participants, all correctly flagged on-chain. BlockFedMed delivers externally validated ICU mortality prediction with cryptographically auditable privacy and consent governance, demonstrating that blockchain-FL provides strong promise for meeting both clinical performance and regulatory compliance requirements simultaneously, pending prospective multi-centre deployment validation.
Passive Wi-Fi localization for critical-infrastructure security operations centers (SOCs) faces three interconnected limitations. First, many existing methods produce single-point coordinate estimates without calibrated uncertainty, making them unsuitable for automated SOC response. Second, localization pipelines often lack an evidentiary chain of custody, limiting reliable post-incident auditability. Third, SOC automation cannot safely rely on uncalibrated confidence values because erroneous high-impact actions and missed escalations carry asymmetric operational costs. This study presents a Blockchain-Enabled Uncertainty-Aware Passive Wi-Fi Localization framework for heterogeneous sensor networks composed of stationary sensors, mobile receivers, and UAV-assisted collection nodes. Instead of producing a single coordinate estimate, the method derives a posterior spatial distribution with calibrated uncertainty from monitor-mode observations, including RSSI aggregates, management/control frame features, channel occupancy indicators, and receiver logs. The framework combines three tightly coupled components: (i) Bayesian coordinate estimation with robust loss functions and range-dependent error modeling; (ii) uncertainty calibration that converts posterior confidence into operational SOC response modes (AUTO, VERIFY, and OBSERVE) via empirical coverage metrics and reliability diagrams; and (iii) a permissioned evidentiary logging layer that anchors integrity-relevant metadata and policy labels on-chain while keeping raw telemetry off-chain for tamper-evident auditability and scalability. The coupling between layers is explicit: calibrated confidence scores govern smart-contract gating conditions, and smart-contract policy thresholds feed back into the calibration stage. Field validation shows that localization performance degrades markedly beyond approximately 40 m, indicating a practical boundary for confident automated action. The proposed framework integrates passive sensing, uncertainty-aware localization, and blockchain-based evidentiary trust for secure critical-infrastructure sensor networks. Its key contributions are: (1) a posterior-distribution-based passive localization pipeline; (2) empirical coverage metrics for calibrating SOC response thresholds; (3) a hybrid on-chain/off-chain architecture linking localization outputs to a permissioned ledger; and (4) field validation establishing the 40 m operational validity boundary.
Aircraft engine blade maintenance relies on inspection records shared across manufacturers, airlines, maintenance organizations, and regulators. Yet current systems are fragmented, difficult to audit, and vulnerable to tampering. This paper presents BladeChain, a blockchain-based system providing immutable traceability for blade inspections throughout the component life cycle. BladeChain is the first system to integrate multi-stakeholder endorsement, automated inspection scheduling, AI model provenance, and cryptographic evidence binding, delivering auditable maintenance traceability for aerospace deployments. Built on a four-stakeholder Hyperledger Fabric network (OEM, Airline, MRO, Regulator), BladeChain captures every life cycle event in a tamper-evident ledger. A chaincode-enforced state machine governs blade status transitions and automatically triggers inspections when configurable flight hour, cycle, or calendar thresholds are exceeded, eliminating manual scheduling errors. Inspection artifacts are stored off-chain in IPFS and linked to on-chain records via SHA-256 hashes, with each inspection record capturing the AI model name and version used for defect detection. This enables regulators to audit both what defects were found and how they were found. The detection module is pluggable, allowing organizations to adopt or upgrade inspection models without modifying the ledger or workflows. We built a prototype and evaluated it on workloads of up to 100 blades, demonstrating 100% life cycle completion with consistent throughput of 26 operations per minute. A centralized SQL baseline quantifies the consensus overhead and highlights the security trade-off. Security validation confirms tamper detection within 17 ms through hash verification.
The Canadian health care sector contributes 4.6% of national greenhouse gas emissions, with medications accounting for 25% of that amount. Reducing waste from high-cost multidose items such as eye drops and inhalers can lower environmental and health care costs. To evaluate tamper-proofing practices in hospital pharmacy departments in British Columbia and to explore opportunities for standardization to reduce medication waste. Site visits were conducted at 13 hospitals across 3 health authorities in British Columbia-Vancouver Coastal Health, Providence Health Care, and Fraser Health-to gather data on tamper-proofing practices in hospital pharmacy departments. Methods of tamper-proofing varied across departments. Key recommendations for improvement include the implementation of adhesive stickers or other tamper-evident features, standardization of the placement of tamper-evident adhesive stickers, prioritization of patient-specific medications for tamper-proofing, and development of and adherence to policies/procedures for most multidose medications before they leave the pharmacy. Standardizing tamper-proofing practices can reduce medication waste and environmental impact, with potential for broader adoption across hospitals. Le secteur des soins de santé canadien est responsable de 4,6 % des émissions de gaz à effet de serre nationales et les médicaments représentent 25 % de ce chiffre. La réduction du gaspillage des articles multidoses coûteux tels que les gouttes pour les yeux et les inhalateurs peut diminuer les coûts environnementaux et de santé. Évaluer les pratiques en matière d’inviolabilité dans les départements de pharmacie hospitalière en Colombie-Britannique et explorer les possibilités de standardisation pour réduire le gaspillage de médicaments. Des visites des lieux ont été réalisées dans 13 hôpitaux répartis sur 3 autorités sanitaires en Colombie-Britannique – Vancouver Coastal Health, Providence Health Care et Fraser Health – afin de collecter des données sur les pratiques en matière d’inviolabilité dans les départements de pharmacie hospitalière. Les méthodes d’inviolabilité variaient d’un département à l’autre. Les principales recommandations d’amélioration comprennent la mise en place d’autocollants ou d’autres témoins d’intégrité, la standardisation du positionnement de ces témoins d’intégrité, la priorisation des médicaments spécifiques aux patients pour l’inviolabilité, ainsi que l’élaboration et le respect de politiques/procédures pour la plupart des médicaments multidoses avant leur sortie de la pharmacie. La normalisation des pratiques d’inviolabilité peut réduire le gaspillage de médicaments et l’impact environnemental, avec un potentiel d’une adoption plus large dans les hôpitaux.
Artificial intelligence (AI) has shown promise in supporting clinical decision making, yet adoption in healthcare remains limited by concerns regarding transparency, verifiability, and accountability of AI-generated recommendations. In particular, generative and data-driven CDS systems often provide outputs without clearly exposing the evidentiary basis or reasoning process underlying their conclusions. This article presents a conceptual framework for auditable and source-verified AI-based clinical decision support, grounded in principles from evidence-based medicine, data provenance, and trustworthy AI. The proposed architecture integrates a curated medical knowledge base with explicit provenance metadata, a retrieval-augmented reasoning (RAG) engine that links generated recommendations to identifiable clinical guidelines and peer-reviewed sources, and a tamper-evident audit logging mechanism that records system inputs, retrieved evidence, and inference steps for retrospective review. This work does not introduce a new algorithm nor report a prototype implementation; rather, it synthesizes existing technical approaches into a coherent system design intended to improve traceability, clinician trust, and regulatory readiness. Key feasibility challenges are discussed, including knowledge-base governance and updating, citation fidelity in RAG architectures, bias propagation from underlying evidence, latency and usability trade-offs, privacy considerations, and alignment with emerging regulatory frameworks such as FDA Software as a Medical Device guidance and the European Union Artificial Intelligence Act. The article concludes by outlining a staged evaluation roadmap involving simulation studies and clinician-centered user research to guide future implementation and empirical validation.
Artificial intelligence is reshaping breast imaging, yet progress is constrained by data scarcity, privacy restrictions, and uneven representation. This narrative review synthesizes evidence (2020-April 2025) on synthetic data and generative AI-principally GANs and diffusion models-in mammography and related modalities. We examine how synthetic images enable data augmentation, class balancing, external validation, and simulation-based training; summarize reported gains in detection performance; and assess their potential to mitigate or, if misapplied, amplify bias across subgroups (age, density, ethnicity). We analyze threats to validity, including enriched cohorts, distribution shift, and unverifiable realism, and address medico-legal exposure, image provenance, and deepfake risks. Finally, we outline task-specific validation and reporting practices, equity auditing across density and demographics, and governance pathways aligned with EU/US regulatory expectations. Synthetic data and generative AI can enhance performance, training, and data sharing; however, responsible clinical adoption requires rigorous validation, transparency on failure modes, tamper-evident provenance, and shared accountability models.