Thus, the Federal Rules have, despite their nod to the best
evidence rule, made way for a lively courtroom use of electronic
evidence in all its many forms. Questions of admissibility turn
not on whether the data before a court is on a hard drive, a duplicate
floppy disk, or a printout of either one. Instead, courts must
ask whether the original data is authentic and whether any copies
offered are accurate.
Table of Contents Main Federal Guidelines
C. AUTHENTICATING ELECTRONIC DOCUMENTS
Of course, every time trial lawyers offer any piece of evidence,
they must be ready to show that, as the authentication rule, Fed.
R. Evid. 901(a), states, "the matter in question is what
its proponent claims." Clearly, there are many ways to do
this, including the ten illustrations offered by Fed. R. Evid.
901(b).
Table of Contents - Main Federal Guidelines
1. "Distinctive" Evidence
One of the most common methods for authenticating evidence
is to show the item's identity through some distinctive characteristic
or quality. Indeed, the authentication requirement of Fed. R.
Evid. 901(a) is satisfied if an item is "distinctive"
in its "appearance, contents, substance, internal patterns,
or other distinctive characteristics, taken in conjunction with
circumstances." Fed. R. Evid. 901(b)(4). In fact, it is
standard practice to use this method to authenticate some kinds
of evidence which may now be digitally created, stored, and reproduced.
For example, attorneys offering photographs into evidence invariably
just ask a "witness with knowledge" (under Fed. R. Evid.
901(b)(1)) whether a particular photo is "a fair and accurate
representation" of something or someone. But should the
process of authenticating photographs recognize that, with the
advent of digital photography, it is now possible to alter an
electronic image without leaving a trace? Consider the following
example.
Agents and prosecutors were shown a photograph of a body--twisted
on the floor, a gaping wound in the chest. Across the room, on
the floor, was a large pistol. On the white wall above the victim's
body, scrawled in the victim's own blood, were the words, "I'll
kill again. You'll never catch me."
Unlike conventional photographs, however, this picture was
not created with film, but with a digital camera. The entire
picture was made up of binary digits, ones and zeros, which could
be altered without detection. So two law enforcement agents,
using commercially available software, started rearranging the
digits. They "cleaned" the wall, removing the bloody
words. They closed the chest wound, choosing instead to have
blood trickling from the victim's temple. Last, they moved the
gun into the victim's hand. The case was now solved: the report
would claim, and the photograph would "prove," the victim
committed suicide.
This was, of course, only a demonstration, which took place
in the summer of 1991 at a meeting of the Federal Computer Investigations
Committee. The Committee had been established by a handful of
federal and state law enforcement personnel who were among the
first to appreciate how emerging technologies were both providing
new opportunities for criminals and creating new challenges for
law enforcement officials. For this group, the point of this
demonstration was apparent: not only could ordinary photographs
not be trusted in the same old way to be reliable, but an ordinary
agent might be duped if he or she were not technologically astute
enough to realize the potential for sophisticated digital alteration.
The key, of course, is that there is no negative, and the alteration
leaves no tracks.
Nor will these authenticity problems be limited to photographs.
For example, some package delivery services now allow recipients
to sign for their packages on a hand-held device which creates
a digital copy of the recipient's signature. Although this makes
it easy to transfer the information to a computer, it also enables
the computer to recreate the signature. If the hand-held device
measures and records the pressure applied by the signer and if
the computer reprints that signature with an ink-based printer,
the computer-generated copy will look absolutely authentic--even
to the author.
Despite these examples, there will be many times when electronic
evidence--whether photographs or documents--will indeed be identifiable
based on distinctive characteristics alone. An eyewitness can
just as easily identify a digital photograph of a person as he
could a conventional photo. The question for both judge and jury
will be the witness's ability and veracity in observing and recalling
the original person, photo, scene, or document with which he compares
the in-court version. The fact that it is possible to alter a
photo--for example, to extend the skid marks at an accident scene--is
far less significant if the authenticating witness is independently
sure from observing the site that the skid marks were, in fact,
ten feet long. Similarly, the recipient of a discarded electronic
ransom note may recall the content of the original note well enough
to authenticate a printout from the accused's computer.
But to the extent that in-court photos or documents support
incomplete or fading witness memories--or even substitute for
witness memory altogether--lawyers must realize that "distinctive
characteristics" in electronic evidence may be easy to alter,
and may not, depending on the circumstances, satisfy a court.
What witness can independently verify the distinctive accuracy
of long lists of names or numbers? Can he say that a digital
photo is "a fair and accurate representation of a crime scene"
in all details--no matter how minor they may have seemed at the
time? While he will probably be able to remember whether there
was a knife sticking out of a body, will he be able to verify
the precise location of a shoe across the room? An eyewitness
who picked out the defendant at a line-up should be able to look
at a photograph of the array and find the defendant again. But
can she say for sure, when testifying at a hearing on defendant's
motion to suppress an allegedly suggestive line-up, that all the
other people in the picture are exactly as she saw them? Has
there been no mustache added in this picture, no height or weight
changed in any way? And although the recipient of a ransom note
may well be able to recall the exact words of the note, will he
recall the type face?
It is important to remember that the traditional process
of authenticating an item through its uniqueness often carries
an unspoken assumption that the thing--the murder weapon, the
photo, or the letter, for example--is a package deal. It either
is or is not the thing the witness remembers. Thus, if the witness
can identify particular aspects of the item with certainty (such
as the content of the ransom note), the other aspects (such as
the type face) usually follow along without much debate. Of course,
there are times, even with conventional photography, when an
authenticating witness will be asked about internal details:
"When you saw the crime scene at 5:30, were the shoes both
on the right side of the room?" In those circumstances,
attorneys and judges naturally tend to be more exacting in establishing
that the witness can authenticate not only part of the package,
but all the parts that matter.
But with digital photography, this rather minor problem of
authentication takes on a new life. Depending on the way electronic
evidence has been produced, stored, and reproduced, the collection
of ones and zeros that constitutes the "package" of
the photograph is infinitely and independently variable--not by
moving shoes at the crime scene, but by changing any digits at
any time before the exhibit photo is printed. Perhaps judges
will find themselves admitting digital photographs and documents
based on "distinctive characteristics" if a witness
with knowledge can identify and authenticate the item in all relevant
detail. But that, of course, requires a judge to know in advance
which details will be relevant to the case and which are insignificant.
If the characteristic that makes the item distinctive is not
the same one that makes it relevant, judges might and should be
wary about admitting digital evidence in this way. Even if judges
are satisfied, attorneys who cross examine an authenticating witness
on minute details of digital photographs may affect the witness's
credibility with the jury, especially if the attorney shows how
easily the evidence could be altered.
One of the potential solutions to this problem which arises
from the nature of electronic evidence may actually be electronic:
digital signatures. The Digital Signature Standard, proposed
by the National Institute of Standards and Technology (NIST) in
the Department of Commerce, would allow authors to encrypt their
documents with a key known only to them. Assuming the author
has not disclosed his password to others, this identifying key
could serve as a sort of electronic evidence seal. In that event,
the signature would be just the kind of distinctive characteristic
the rules already recognize.
For the time being, however, most computer evidence can still
be altered electronically--in dramatic ways or in imperceptible
detail--without any sign of erasure. But this does not mean that
electronic evidence, having become less distinctive, has become
any less admissible. It simply may require us to authenticate
it in other ways.
Table of Contents - Main Federal Guidelines
2. Chain of Custody
When prosecutors present evidence to a court, they must be
ready to show that the thing they offer is the same thing the
agents seized. When that evidence is not distinctive but fungible
(whether little bags of cocaine, bullet shell casings, or electronic
data), the "process or system" (to use the language
of Fed. R. Evid. 901(b)(9)) which authenticates the item is a
hand-to-hand chain of accountability.
Although courts generally have allowed any witness with knowledge
to authenticate a photograph without requiring the photographer
to testify, that may not suffice for digital photos. Indeed,
judges may now demand that the proponent of a digital picture
be ready to establish a complete chain of custody--from the photographer
to the person who produced the printout for trial. Even so, the
printout itself may be a distinctive item when it bears the authenticator's
initials, or some other recognizable mark. If the photographer
takes a picture, and then immediately prints and initials the
image that becomes an exhibit, the chain of custody is just that
simple. But if the exhibit was made by another person or at a
later time, the proponent should be ready to show where the data
has been stored and how it was protected from alteration.
Table of Contents - Main Federal Guidelines
3. Electronic Processing of Evidence
When data goes into computers, there are many methods and
forms for getting it out. To the extent that computers simply
store information for later retrieval, a data printout may qualify
as an original document under Fed. R. Evid. 1001(3). Where the
computer has merely acted as a technological file cabinet, advocates
must be ready to authenticate the in-court version of the document
as genuine, but the evidentiary issues (at least those connected
to the computer) do not pertain to the substance or content of
the document.
But in many cases, attorneys want to introduce evidence that
the computer has not only stored, but has also processed in some
fashion. If the computer, its operating system, and its applications
software have reorganized the relevant information--by comparing,
calculating, evaluating, re-grouping, or selectively retrieving--this
processing has altered at least the form of the information, and
probably the substance as well.
The fact that the computer has changed, selected, or evaluated
data naturally does not make the resulting product inadmissible,
but it does require another analytical step. The computer processing
itself often creates a new meaning, adds new information--which
is really the equivalent of an implicit statement. If an advocate
wishes to introduce this processed product, he usually offers
it for the truth of the conclusion it asserts. For example, when
the telephone company compiles raw data into a phone bill for
a subscriber, the bill is literally a statement: "The following
long distance calls (and no others) were placed from your phone
to these numbers on these days and times."
If the computer has created a hearsay statement by turning
raw evidence into processed evidence, its proponent should be
ready to show that the process is reliable. Computers process
data in many different ways by running programs, which can be
commercially or privately written. Any of these programs can
contain logical errors, called "bugs," which could significantly
affect the accuracy of the computer process. And even if there
is no error in the code, a technician may run the program in a
way that creates a false result. For example, a particular computer
search program may be "case sensitive," which means
that the upper- and lower-case versions of any given letter are
not interchangeable. If an author working in WordPerfect (a popular
word-processing program), searches a document for the word "Evidence,"
the computer will not find the word "evidence," because
the letter "e" was not capitalized. What does it mean,
then, when the computer reports that the word was "not found"?
Under what circumstances should a computer's conclusion be admissible
in court?
Consider a failure-to-file tax case. If a prosecutor asks
the IRS to search its databanks to see whether a taxpayer filed
a return in a particular year, the IRS may give her two very different
products. If the taxpayer filed electronically, the IRS can produce
either an original document from its computers (a printout of
the filing) or an admissible duplicate in the form of an electronic
copy. In that case, the IRS computers simply acted as storage
cabinets to hold and reproduce the information that was entered
by the taxpayer. Tax return in; tax return out.
But if, on the other hand, the IRS searches its databanks
and finds nothing, the IRS's negative report is clearly a hearsay
statement which results from a computer process--the electronic
search for the taxpayer's tax return. The hearsay rule (Fed.
R. Evid. 803(10)) allows the absence of a public record to be
shown by testimony "that diligent search failed to disclose
the record. . . ." But testimony in what form? Will the
negative computer report suffice, or should the technician who
ran the search testify? Must the technician explain not only
what keystrokes he entered to conduct the search, but also establish
the error-free logic of the program he used? Must he know not
only that the program searches for both lower-and upper-case versions
of the taxpayer's name, but also exactly how it accomplishes that
task? While the absence of a record is often admitted in evidence,
prosecutors can expect that as attorneys become more computer-literate,
defense counsel will raise new challenges in this area. Indeed,
the accuracy or inaccuracy of the IRS's negative report rests
on many different components, including the reliability (both
human and technical) of the computer process.
Certainly, the mathematical validity of any program is a
question of fact--a question which the opponent of a piece of
processed evidence should have an opportunity at some point to
explore and to contest. Similarly, the methods and safeguards
involved in executing the program must also be fair ground for
analysis and challenge. While it would clearly be both unnecessary
and burdensome to prove every step of a computer process in every
case, courts must also be ready to look behind these processes
when the facts warrant. As lawyers and judges learn more about
all the variables involved in creating evidence through computer
processing, this area may become a new battleground for technical
experts.
Table of Contents - Main Federal Guidelines
D. THE HEARSAY RULE
Most agents and prosecutors are familiar with the business
records exception to the hearsay rule. Fed. R. Evid. 803(6).
Generally speaking, any "memorandum, report, record, or
data compilation" (1) made at or near the time of the event,
(2) by, or from information transmitted by, a person with knowledge,
is admissible if the record was kept in the course of a regularly
conducted business activity, and it was the regular practice of
that business activity to make the record.
A business computer's processing and re-arranging of digital
information is often part of a company's overall practice of recording
its regularly conducted activity. Information from telephone
calls, bank transactions, and employee time sheets is regularly
processed, as a fundamental part of the business, into customer
phone bills, bank account statements, and payroll checks. Logic
argues that if the business relies on the accuracy of the computer
process, the court probably can as well.
This is different, however, from using a company's raw data
(collected and stored in the course of business, perhaps) and
electronically processing it in a new or unusual way to create
an exhibit for trial. For example, banks regularly process data
to show each account-holder's transactions for the month, and
most courts would readily accept that monthly statement as a qualifying
business record. But may a court presume a similar regularity
when the same bank runs a special data search for all checks paid
from the account-holder's account over the past year to an account
in Switzerland? In this case, even though the report was not
made at or near the time of the event, the document is probably
admissible as a summary under Fed. R. Evid. 1006. That rule allows
courts to admit a "chart, summary, or calculation" as
a substitute for "voluminous writing, recordings, or photographs."
Nonetheless, other parties still have the right to examine and
copy the unabridged original data, and to challenge the accuracy
of the summary. Of course, this also opens the way to challenges
of any computer process which created the summary.
In most other respects, of course, the hearsay rule operates
with computer evidence exactly as it does with any other sort
of evidence. For instance, statements for purposes of medical
treatment, vital statistics, or statements against interest may
all qualify as exceptions to the hearsay rule, whether they are
oral, written, or electronic. Clearly, an electronic statement
against interest must also be authenticated properly, but it does
not fail as hearsay. Conversely, a correctly authenticated electronic
message may contain all sorts of hearsay statements for which
there are no exceptions.
The key is that computer evidence is no longer limited to
business records, and the cases that carry that assumption are
distinguishable when advocates work with other kinds of electronic
evidence. But even with business records, a trial lawyer well
versed in the technological world who knows how to ask the right
questions may find that the "method or circumstances of preparation
indicate lack of trustworthiness," under Fed. R. Evid. 803(6),
to such a degree that a court will sustain, or at least consider,
a challenge to the admissibility of the evidence. Computers and
their products are not inherently reliable, and it is always wise
to ask, in any particular case, what computers do and how they
do it.
Go to . . .
Table of Contents - Main Federal Guidelines
CCIPS || Justice Home Page
Page updated May 9, 1999
usdoj-jmd/irm/css/imc