Admissibility of Digital Evidence at Trial
This CLE explores the Federal Rules of Evidence applicable to digital evidence. Attendees will learn about relevant case law and how to authenticate or challenge the admission of digital evidence at trial. We will explain how to use digital evidence effectively at trial and how to incorporate it into an overarching story or theory of a case. In Section 1, attorneys will be introduced to the topic and the types of evidence that will be covered in the presentation. Section 2 covers the applicable rules of evidence in the Federal system, particularly Rules 901, 801, 803, and 703. Section 3 explores ideas on how to present digital evidence effectively to a judge or jury.
Brian Chase: Hello and welcome. My name is Brian Chase, I am director of digital forensics at Archer Hall. Today we're going to be talking about the admissibility of digital evidence at trial. Before I get into our topic, I want to give you a little background on who we are here at Archer Hall, who I am, and why I'm even qualified to tell you about the admissibility of digital evidence. Archer Hall is a digital forensics company. That means we collect data from digital sources, things like cell phones, computers, tablets, email accounts, social media accounts, electronic medical records. We collect that data, we analyze it, and we testify about it at trial. My personal background, I'm a licensed attorney in the state of Arizona. I practiced law for about 10 years doing plaintiff personal injury work and criminal defense. I've been doing digital forensics work for about eight years.
I have tried cases as an attorney. I have testified about 20 as an expert witness, and I teach at the University of Arizona Law School. I actually teach a trial skills course there at the law school. This topic today of admissibility of digital evidence really combines all aspects of my background, that legal background, that trial background, and the digital forensics experience that I have. We're going to start today by going over the Federal Rules of Evidence that generally apply when we're talking about digital evidence. From there, we're going to talk about some cases where courts have ruled on the admissibility of digital evidence. I'm going to talk about them fact-by-fact, introduce the case, and then we'll go over the court's reason in their ruling. This is based on the Federal Rules of Evidence. If you are practicing in a state court, make sure you check for your state court equivalents, or state court case law. Additionally, almost all of the cases we're going to discuss today are criminal cases. That's just because more criminal cases go up on appeal than civil cases.
That being said, the Rules of Evidence apply equally to criminal cases and civil cases. Just because something is a criminal case, doesn't mean it's not going to impact the admissibility of the digital evidence in your civil case. Let's get started here. We're going to start with Rule 901. Rule 901 is the authentication or identifying evidence. The rule says, "In general, to satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is." What does that mean? Well, we've got a case here. I picked one. There are many cases that explain Rule 901. The case I picked here is United States versus Vidacak, it's 553 F.3d 344. It's a 2009 decision from the 4th circuit.
The court says, "The burden to authenticate under Rule 901 is not high. Only a prima facie showing is required. A district court's role is to serve as gatekeeper in assessing whether the proponent has offered a satisfactory foundation from which the jury could reasonably find that the evidence is authentic." That's the key wording right there. A jury could reasonably find the evidence is authentic. You don't have to prove beyond a reasonable doubt, you don't have to prove by clear and convincing evidence, you don't even have to prove it's more likely than not. You have to offer enough facts that a jury could reasonably conclude that the evidence is authentic.
From Rule 901, we go into Rule 902. Rule 902 is evidence that is self-authenticating. You've probably dealt with rules 902(11) and (12) before, that's our self-authenticating business records or records of a regularly conducted activity. That's where you send out your subpoena, along with a declaration for the custodian to fill out. That custodian from the business signs, saying, "Yeah, I'm the custodian of records. These records are kept in the normal course of business." You give notice to the other side, you disclose that declaration, and now those business records are self-authenticating at trial. You do not need to have live testimony to authenticate it at trial.
There is an equivalent for digital evidence under the Federal Rules. Those are rules 902(13) and (14). Rule 902(13) are certified records generated by an electronic process or system. Very similar to Rule 902(11) and (12). If you have a qualified person write a declaration stating these records were generated by an electronic process or system, then it is self-authenticating at trial. As long as you follow the requirements, the notice requirements of Rule 902(11). Rule 902(14) is where things get a little bit more interesting. This is where most of our work is as digital forensic examiners.
Rule 902(14) is certified data copied from an electronic device, storage medium, or file. Essentially the rule says, "If you have a qualified individual obtain data from a digital medium, like a cell phone, a file server, or computer, they can write a declaration stating that that evidence was acquired in a forensically sound manner." Now you don't need to bring that expert to testify. This rule saves you money. There are so few rules out there that actually save you money in litigation, but this is one of them. If you are having an expert obtain data from a digital medium, make sure they're familiar with this rule so that they can write this declaration, and then you don't have to bring them to testify about authentication. That's not to say you won't need them at all. You still might need them for other things, which we'll get to in a bit, but for authentication, that declaration will suffice.
How we do this, how we prove things are done in a forensically sound manner is through what we call a hash value. I pulled a definition of a hash value from Microsoft. What Microsoft says is, "A hash value is a numeric value of a fixed length that uniquely identifies data." Hash values represent large amounts of data as much smaller numeric values, so they are used with digital signatures. Well they're used in digital forensics to show data has not been altered. What we do is when we acquire data from a digital medium, let's say a hard drive, we take a hash value of that hard drive. Then we take a hash value of our copy of that hard drive. Those hash values should be identical. Meaning our copy is mathematically proven to be exactly the same as the original.
Give you another example. Let's take a Word document, because you can take a hash value of any amount of data. It can be as small as a Word document. We can take that Word document and run it through this hash algorithm. These are freely available online, you can download programs like HashMyFiles that will allow you to do this. Nothing magical about these algorithms. You run this Word document through the hash algorithm and you get a resulting hash, this long string of letters and numbers that represent that file. If we were to go open that Word document, scroll to the end and add a space, then save the document. We've made a slight change, something that you might not even notice as a user, seeing that space at the very end, easily overlooked.
But if you were to run that Word document through that hash algorithm again, you're going to have a completely different resulting hash. It's going to look nothing like the original one. It's going to tell us that that new document, that one with the space in it is different than the original. It does not tell us what changed, only that something changed. Hash values are our way of proving a chain of custody. Proving that a document has been unaltered since it was acquired, through analysis, all the way through production. It proves the document is the same as the original.
Let me give you an example of a case where this happened. This is a 2020 case, pretty recent case from the 6th circuit United States v. Dunnican. Here, agent Snyder, ATF agent Snyder had acquired data from the defendant's cell phone, and he wrote a declaration certifying that he extracted data from the defendant's phone using specialized forensic software. That software generated a hash. That hash indicated the download was successful, complete, and accurate. The government then gave notice to the defense under Rule 902(11) that they did not intend to call agent Snyder at trial. Instead, they were going to rely on his certification to admit the evidence under Rule 902(14). They did that at trial. The defense objects, says agent Snyder needs to testify, to lay that authentication testimony, and they lose that objection. Goes up on appeal and the 6th circuit affirms the trial court and says that agent Snyder did not need to testify. The government complied with rules 902(11) and (14). They provided notice, they provided that declaration, the data is self-authenticating. It does not require a live testimony.
All right, let's move on now to hearsay. Because once you've authenticated the data, chances are, the reason you want to use that data in trial is because there's some statement in it. It's an email that asserts something, a text message, it's a chat message, a Facebook post, a Twitter post. There's some sort of assertion, so then we have to deal with hearsay. Hearsay is Rule 801 and 802. 801 are our definitions of hearsay, "Any out of court statement offered to prove the truth of the matter asserted," that's hearsay. Rule 802 says, "Hearsay is inadmissible, unless there is some statute or rule that says otherwise." Hearsay is generally inadmissible, but there's a few ways that we're able to deal with hearsay. The first, this is often referred to as a hearsay exception, although technically it is not. It is statements by party opponent. This is Rule 801(d)(2). 801(d)(2) is a definition. 801 being our definitions of hearsay. This is not an exception because it's in that definition section. By definition, statements by the party opponent are not hearsay.
Often people say these are admissions by the party opponent. It doesn't have to be an admission. It just has to be a statement offered against the party opponent at trial. If you are trying to introduce statements by the party opponent that were made in emails or text messages, those are not hearsay. One of the common hearsay exceptions that we see in digital evidence is business records, Rule 803(6). Technically this rule is called Records of Regularly Conducted Activity, but commonly people refer to it as the business record exception. For the business record exception to apply, you need to show that the record was made at or near the time of the event by somebody with knowledge. That the record was kept in the regular course of business, and that making this record was a regular practice of that activity. Then finally you need to have that declaration from the custodian of records, or live testimony to assert those three prior elements.
That's a common way we're dealing with digital evidence, is we're often dealing with records that were generated by a business in their normal course of business, emails, memos, product testing, all these kinds of things you'd expect businesses to maintain. But be careful about emails, not every email is a business record. If I were to go email one of my colleagues here at Archer Hall and say, "Hey, you want to go grab drinks after work?" That's not a business record, has nothing to do with the regular practice of Archer Hall. Just because something is an email from one employee to another, doesn't make it a business record. There's a couple of cases on point here. There's United States v. Daneshvar, and I'm not sure I'm pronouncing that correctly. It's a 6th circuit case from 2019, and there's United States v. Cone, a 4th circuit case from 2013.
Both of these cases say that just because it was an email that was made by an employee or part of a business, doesn't make it a business record. It still has to relate to the regular practice of that business. Going back to my example, if I were to email my colleague here at Archer Hall and say, "We have a new phone coming in on this date and time, I need you to handle the chain of custody for that phone." That would be a business record. That's our normal course of business, that is a record we normally maintain. It would go into the file to show how we were handling that evidence. But that email asking about a social event or happy hour, that's not the regular course of business, that's not going to be a business record.
Let me give you another example here. This is a criminal case from the 5th circuit in 2019, it's 917 F.3d 394. In this case, the district court admitted emails that were produced by Google and Yahoo purporting to be from the defendants in this criminal case. The government also obtained certifications from both Google and Yahoo saying they kept these emails in the regular course of business. The court admitted the emails saying the document itself was self-authenticating under rules 902(11) and (12) and 803(6), our hearsay exception. Then the court ruled, the content of the email was admissible under Rule 801(d)(2). They were statements by the opposing party, the defendant, and they were statements in furtherance of a conspiracy, both things that are defined as not hearsay under Rule 801.
The court is saying here, the document itself was a business record, but the contents of the document had nothing to do with the regular activity of Google or Yahoo, those were statements by the defendant and therefore those statements were not hearsay. What the court did not address here is what foundation is required to show that it was the defendants that authored the document. We're going to come back to that when we go through some more cases later in this CLE. But keep that in mind, how do you prove the emails came from the defendant?
Let's first move on to the expert witness rules. Rules 701, 702, 703. Rule 701 says, "Lay witnesses can provide opinions based on their perception. They cannot provide testimony based on scientific, technical, or other specialized knowledge. That requires expert testimony." How does this relate to digital evidence? Well, many courts have ruled that GPS data, things like Google Timeline or Apple Maps data does not require expert testimony. They found that juries understand this data. They use Google Maps, they use Apple Maps. It doesn't require an expert to explain how those work. Therefore, a lay witness can testify about those things.
Take text messages, juries understand text messages. A lay witness could testify that they made or received text messages. They could probably provide the foundation required for those text messages. But a lay witness would not be able to testify about the databases that store text messages, and how they work, and how deleted text messages are recovered. That's technical knowledge that would require expert testimony. Where that line is between lay witness testimony and expert testimony, well, that's still up for debate a bit when it comes to certain types of digital evidence. Be sure to check local case law on this. Different states have ruled differently when it comes to these aspects of digital evidence. Check your local case law, see if there's anything on point. But those examples I gave you, those tend to be the areas where courts are going right now.
Rule 702 is testimony by experts. If you are trying to introduce how text messages work, how deleted messages are recovered, that's going to require expert testimony under Rule 702. Experts can testify about scientific, technical, or other specialized knowledge, so long as that testimony is based on sufficient facts and data. That the testimony is a product of reliable principles and methods, and the expert has reliably applied those principles and methods to the facts of this case. That's essentially our Daubert standard. If the expert meets those requirements, then they can testify about their opinions regarding their scientific, technical, or other specialized knowledge. Rule 703 allows the expert to base their opinions on inadmissible data. An expert is not confined by simply what would be admissible at trial.
Additionally, if the expert does base their opinion on otherwise inadmissible facts or data, the court could allow the expert to testify about that inadmissible facts and data, if the court finds that the probative value of those facts substantially outweighs any prejudicial effect. This is the reverse of Rule 403. Rule 403 being evidence that is substantially more prejudicial than probative is not admissible. Under Rule 703, the evidence has to be substantially more probative than it is prejudicial. It's the reverse of Rule 403. Let me give you an example. Let's say I am hired to download a witness's cell phone in a case. I go out to meet with that witness to download that cell and the witness says, "I'm really sorry, last night I dropped my phone in the toilet and it won't turn on anymore." My opinion could be that I will never be able to recover data from that phone due to the damage the phone obtained during that fall, the water damage, and the encryption on the phone.
So I'm basing it on several things. The witness statement about how she dropped the phone in the toilet, along with my technical knowledge about what happens when a phone has water damage. The court would allow me to give my opinion that I'm not going to be able to obtain data from that phone, even though my opinion is partially based on hearsay. Additionally, the court could allow me to testify that the witness told me that she dropped the phone in the toilet. As long as the court deems that those facts are substantially more probative than prejudicial in helping the jury assess my opinion. In that situation, it's pretty unlikely that a court would find that those statements are prejudicial. So the court would likely allow me to tell the jury that the witness told me the phone was dropped in the toilet, and that's how I know there's water damage.
All right, the last set of rules we're going to go over here before we switch to covering some cases is the best evidence rules, Rules 1001, 1002 and 1003. These rules are not commonly used. There's very little case law out there on these rules, especially when it comes to using these rules for digital evidence. Rule 1001 is our definitions of best evidence. Rule 1002 is the requirement for an original. Meaning, if you want to produce a photograph, a document, text messages, you need the original. Rule 1003 says, "Well, you can also use a duplicate." It says, "A duplicate is admissible, to the same extent as the original, unless a genuine question is raised about the original's authenticity or the circumstances make it unfair to admit the duplicate."
This comes up a lot when we deal with screenshots of evidence. A screenshot of an email, or a screenshot of a text message, or a printout of an email, those are not the original, they are duplicates and they are duplicates that are easily modified and faked. So there could be genuine questions about the duplicate. It doesn't contain the metadata that helps us authenticate it and prove that it is real. It can be altered with programs like Photoshop. This comes up all the time, and yet there's very little case law on it. Anytime you're not dealing with an original, or you're not dealing with a duplicate made by a forensic examiner under Rule 902(14), you want to be thinking about best evidence. Is there a genuine question about the authenticity of this duplicate, of this screenshot, or printout, or PDF version? If so, you want to be raising best evidence challenges.
All right, let's talk about some cases. We're going to go through these cases, almost all of them are federal court cases. There's a couple state court cases from Arizona where I am. But Arizona does follow the Federal Rules of Evidence, so while they're state court cases, I do think they're helpful in analyzing Federal Rules. Let's get to our first case. This is a case involving Facebook and YouTube pages. In this case, the government introduced screenshots of the defendant's Facebook and YouTube page. The Facebook screenshots show the defendant's biographical information with listings of their interests. Things like where they went to school, their friends, their family, sports teams they follow, things like that that you see on Facebook. Those interests match the defendant's true interest and true biographic information.
The Facebook page had links to the YouTube page that the government was claiming also belonged to the defendant. Finally... or I shouldn't say finally, not yet. The certification from the custodian of records from Facebook or Google verified that the pages had been maintained in the regular course of business. There was a certification, Facebook said, "Yeah, we kept this page in the normal course of business." Google said, "Yes, we kept this YouTube page in the normal course of business." Now we get to the finally part. Finally, tying the accounts to the defendant's IP address. There was information that tied the defendants to the IP... or the defendant's IP address to both accounts. The ruling in this case, admissible. The court said, "There was no abuse of discretion in admitting the Facebook pages and YouTube pages." It's U.S. v. Hassan, 742 F.3d 104.
I think the critical fact in this case was that IP address information. Let me tell you a little bit about IP addresses and why they are important. An IP address is like your street address on the internet. When you plug in your cable modem or your DSL modem in your home, you plug in that box to your phone line or your cable connection, that box reaches out to your internet service provider, companies like Comcast, Verizon, Cox, CenturyLink. It says, "Hey, I'm here. Please give me an IP address." Your internet service provider assigns your home a public IP address, meaning a public facing, like your street address.
How that works, let's say you're sitting at your computer and you go to cnn.com in your browser. So you type in cnn.com. What your computer does in the background is it looks up CNN's public IP address, its address on the internet. Then it sends a request like a letter to CNN, it's actually called a packet. It addresses that packet, just like it would address an envelope, to CNN's address. In this case, their IP address. Then in that packet, it says, "Hey, I would like a copy of your website. I want to view the front page." Sends that off in the internet. That packet gets routed just like the mail. It goes from server to server, or from post office to post office, until it gets to CNN. CNN then gets that packet. They see up in the top corner of like that envelope, your return address, your return IP address, your public IP address is in that packet.
Technically, it's a series of packets, it's not just one, but that doesn't really matter for our purposes today. CNN gets that packet, they open it up and say, "Oh, this IP address would like our website." They package up their website, they shove it back in that packet, and then they return it. They send it to your public IP address, to your return address. Then it gets routed back through the internet, back through the mail system, until it arrives back at your home, and then your computer displays cnn.com. Of course, all of that happens nearly instantaneously. That's how the IP addresses work. In this case, there was data from Facebook and from YouTube that had the same IP address. Meaning the same person was logging into these accounts.
Let me give you a caveat though. Not necessarily the same person under that IP address. Everyone in your home is using the same IP address. Every device that's connected to that modem is using the same public IP address. What happened in this prior case is they had IP addresses from Facebook, from YouTube. They see the same IP address logged into both accounts, logged into that Facebook account, logged into that YouTube account. Then what they do is they trace the IP address. They say, "Okay, who owns this?" Let's say Verizon owns that IP address. They go to Verizon, they send Verizon a subpoena or a warrant. They say, "Verizon, tell us which customer you gave this IP address to on this date and time." The date and time that the YouTube video was uploaded, or the Facebook page was logged into. Verizon says, "Oh yeah, we assigned that to our customer, Joe Smith at 123 Main Street."
Now the government's taken this kind of anonymized data, this anonymized Facebook data or YouTube data, they've taken that IP address and they've translated it back into a street address. If the defendant lives at that home, that's a pretty good indication that the defendant's the one responsible. It's not proof, could be the defendant's roommate, could be their family members or friends that were over at the home. But remember, Rule 901 doesn't require that you prove it came from the defendant. You have to provide sufficient facts from which a jury could reasonably conclude that the data is authentic. Certainly in this case, you've got the defendant's name associated with these accounts, the defendant's true biographical information on that Facebook account, and then an IP address that traces back to the defendant's home. A jury certainly could reasonably conclude the defendant is the one responsible for that Facebook and YouTube page. Therefore, that data was admissible.
All right, let's talk now about website printouts. In this case, it's a printout of a website. The witness who is on the stand has not previously seen the printout or the website, but the printout is from the American Board of Emergency Medicine. The witness agrees that the American Board of Emergency Medicine is an authoritative and trusted organization. You might be thinking along the lines of a learned treatise under the hearsay exceptions. In fact, this website is only used on cross. The learned treatise exception only applies to cross. You can confront a witness with a learned treatise and you can read portions of it into the record. You think, "Okay, maybe here, the attorney's going to be able to read in portions of this printout from the American Board of Emergency Medicine." Yet the ruling in this case is not admissible.
This case is O'Connor versus Newport Hospital, it is a Rhode Island Supreme Court case from 2015. Here, what they said is that, "We don't get to the question of hearsay, because we can't lay that authentication testimony. The witness has never seen this printout. The witness doesn't know if this printout is accurate, or if it's been modified. There's no information here for this to be authenticated. We don't get to the issue of hearsay until we deal with authentication." Now clearly, this was an important website for this case. This issue was preserved for appeal. This attorney printed this out, presumably himself, or maybe a staff member. Thought, "I'm going to use this on cross. I'm going to get this expert." Then it failed. This obviously was important if this issue went up on appeal. Don't be this lawyer. Make sure you're thinking about admissibility of digital evidence when you are gathering it.
He did not have a witness that could introduce this document, that could lay the proper authentication for it. The question is, what authentication is needed to introduce a website? Well, there's a treatise out there by Christopher Mueller. It's in the 5th version of Federal... Or sorry, 4th edition of Federal Evidence. It has three possible elements for introducing a printout of a website. Now this is just a treatise, it's not case law, but it's a good guide. What the author suggests is that the printout accurately reflects the computer image of the page as of a specified date, essentially the same foundation you would introduce for a photograph. A witness saying, "Yes, this picture accurately reflects what I saw on this date and time." The same thing here, a witness saying, "Yes, this printout accurately reflects what I saw on that website on January 5th, 2020."
Next element, the website where the posting appears is owned or controlled by a particular person or entity. In our prior case, that that website was actually owned or controlled by the American Board of Emergency Medicine. The final element, the authorship of the web posting is reasonably attributable to that person or entity. How do we know that that document was actually written by the American Board of Emergency Medicine? Was it a guest post or a blog written by somebody else? Was it an opinion piece submitted by some physician that's not actually supported in the industry? You need to know who the author is.
There are many websites out there, Medium being one of the biggest, medium.com, where people can write their own articles and publish them to the website. You might say, "This document came from Medium," but that doesn't mean anything because Medium has hundreds or thousands or tens of thousands of authors. You still have to figure out who the author is. If you have the author, and the website, and a witness to say that this website accurately reflects what was on the computer screen on that date and time, then you have enough to authenticate. But you still have hearsay to deal with, only talking about authentication here.
Let me give you another example. Here, in this case, we have a printout of a website after a terrorist attack. The printout or the website was relied on by an expert to say an individual acted on behalf of the organization. The printout of this website, really the website was saying it was from the organization claiming credit for the actions of the individual. The individual who carried out this terrorist attack said nothing. They didn't say who they were acting on behalf of, but the organization said, "Yeah, that guy over there who committed this heinous act, he was acting on our behalf."
But the expert testifies that scholars, journalists, and law enforcement all rely on this website. The ruling here about this printout was that it was admissible. Here there was that authentication testimony. The expert could say, "I printed this. I found it. Yes, this is what the website looked like. Yes, it came from this organization." But then we get to hearsay. Well, how do we know there's any truth here? How can we trust this document? It's a hearsay statement from this organization. Well, keep in mind who's testifying, it's an expert witness. Rule 703 allows experts to base their conclusion on inadmissible data, on hearsay. Additionally, that data that they base their opinion on can be admitted if it is substantially more probative than it is prejudicial. The court in this case found that that data was substantially more probative than it was prejudicial in helping the jury assess the expert's opinions. Therefore, this printout was admissible. It was authenticated, and then it came in under Rule 703, despite the fact that it might have been hearsay.
All right, let's talk now about the emails. Emails are probably one of the most common types of digital evidence that we see; they're all over the place. In this case, defendants were involved in a business, with the business name of MTE. There were emails sent from [email protected]. The sender name of that email account was Hayward Borders. Hayward was a board member of MTE. At trial, no one could say they saw Hayward author the emails. But the contents of the emails were consistent with Hayward's and with MTE's actions. Meaning the emails were describing actions they were taking in the physical world. The emails contained facts known by Hayward and known by the defendant's MTE.
The ruling in this case, admissible. The court says, "Authentication can be established in a variety of ways under Rule 901. It can be done by distinctive characteristics, such as appearance, contents, substance, internal patterns taken in conjunction with the circumstances." In this case, the contents of the email had facts known by the defendants. They described actions that matched the circumstances of the case. The actions described in the emails were the actions MTE was taking.
That's enough that a jury could reasonably conclude that these emails came from Hayward, came from MTE. Despite the fact that that's a really generic business address, [email protected]. I mean, that is not a very professional looking address. Certainly somebody could go on to Hotmail right now and create something similar, maybe [email protected]. How do you know this really came from Hayward? Well, you can look at the contents of the emails and the circumstances of the case. You don't have to prove that Hayward or MTE were the true authors. You have to provide sufficient facts and data such that the jury could conclude, MTE was the author here. There were sufficient facts and data.
Now emails are really problematic. It is really, really easy to fake emails. There are services online that allow you to generate fake emails. Or you can send an email to yourself, you go into your sent mailbox, you then edit that email to send it to somebody else to make it look like it was sent to somebody else. You edit the contents of the email to change it. If that email is then printed and disclosed, there's going to be no way to detect those alterations. We want to keep it in its original digital form so that we can detect those alterations.
I'll give you another example. You can create what looks like an email in Microsoft Word. I've done this before in a case where there was a criminal prosecution against a defendant for violating a restraining order by emailing the victim. The only disclosure was a printout of that email. I was being called to challenge the authenticity of that email. So I created an email from the judge to the prosecutor in Microsoft Word. I then printed that email and brought it with me to court. Well, gave it to my client who can disclose it, but we brought it to court. That email was to show the judge, "Look how easy it is to fake something. This looks perfectly legitimate. It looks like a real email, and yet it was created in Microsoft Word."
We want to keep those emails in their original digital format so that we can establish the authenticity of them. We can look for signs of editing. We can look to establish who it was from, who it was to, and confirm it really was an email. How do we get that data? Well, we can retrieve it from the computer that sent the email. We go to a forensic exam of that computer, that Outlook account, and we look to see if we can get it there. Or maybe we don't need to go to that level. Maybe you just have a witness who saw the email being authored. You could put that witness on the stand and they could say, "Oh yeah, I saw Joe Smith author that email." That's certainly sufficient to authenticate it. A jury could easily reasonably conclude that Joe Smith was the author if a witness says, "Yeah, I saw Joe Smith write that email."
Maybe it was an email that was sent via something like Gmail. So you could go to Google with your warrant or with a subpoena complying with the Stored Communications Act subpoena. That would mean a subpoena plus a signed authorization from the account holder. Then Google can produce that email. Say, "Yeah, here's the email." Then Google could also produce the IP address of the person who sent that email. Then you could do what we talked about before, trace that IP address back. Find out who owns it, maybe it's AT&T. You send your subpoena to AT&T and say, "Hey, AT&T, which customer had this IP address on this date and time?" Now you've taken that otherwise kind of anonymous Gmail email, and you've traced it back to a physical location. Keep those things in mind when you're dealing with emails. They are incredibly easy to fake. You really want to keep them in digital format. The Federal Rules of Civil Procedure suggest that they be kept in their original native format. You don't want to rely on printouts because they are so easy to manipulate.
Let's move on now to text messages. We're going to talk about a few cases here involving text messages. Text messages are interesting, they have the same issue when you're dealing with screenshots, as emails. You can create fake text message screenshots online easily. Go to a website like ifaketextmessage.com, and it will allow you to generate fake text message screenshots. You could also even take a real screenshot and then edit it in tools like Photoshop to change the contents, change the date and time, change the sender of those text messages. They are really easy to manipulate, screenshots.
Let's talk about our first text message case. Here, we have pictures of text messages from an informant's cell phone. It's not a screenshot, these are pictures. These pictures of the phone of the text messages were taken by a police officer. The officer testifies, he was with the informant when she was texting. The officer testifies that he saw her send and receive text messages from a contact in her phone named Joseph Davis. However, there was no evidence presented that Joseph Davis' contact was in fact the same phone number as Joseph Davis, the defendant. Meaning that witness, that informant could have told her friend, "Hey, I got to go fool this cop in a little bit. I'm going to change your name in my phone to Joseph Davis. I need you to pretend to be Joseph when I text you later today."
Then the cop would be seeing these messages coming in and out with that name, Joseph Davis, but in fact, it's the informant's friend. We need that information to tie Joseph Davis, the real Joseph Davis' phone number to the contact in the informant's phone. Now, there's more information in this case. That text message exchange between the informant and the contact labeled Joseph Davis described a location where they're going to meet up, and then Joseph Davis showed up there. The ruling here, admissible. Because there is sufficient data from which a jury could reasonably conclude that Joseph Davis was on the other end of the text messages, he showed up at the location where the informant told him to show up.
That's really good evidence that Joseph Davis was on the other end of these text messages, despite the fact that we don't have the phone number information tying him to the text messages. That is sufficient for a jury to reasonably conclude that Joseph Davis was on the other end of these messages. Therefore, these messages were admissible. They're not hearsay, because Joseph Davis is the defendant. So it's statements by party opponent under Rule 801(d)(2). Now, could there be a question about best evidence rule? Maybe, that was not raised in this case. But we don't really have a genuine question here, the officer took the pictures. The officer could testify nothing was modified, and we have Joseph Davis showing up at that meetup location. Our next case... Oh, I should give you the citation for that one. That was U.S. v. Davis; it's a 4th circuit case from 2019.
All right. Our next case. This case is United States v. Barnes, 5th circuit, 2015. This is printouts of Facebook and text messages. We already discussed the problems with printouts, they're easily manipulated and a whole bunch of tools. We've got printouts of Facebook messages and text messages, alleged to be from the defendant. The defendant, Mr. Barnes, is a quadriplegic. But a witness testifies that the defendant can operate a phone using his mouth and limited movement of the right arm, so he is able to operate electronic devices. The witness testifies that Facebook messages matched the defendant's manner and style of communicating. His mannerisms in those messages were the same. The witness further testified that she had spoken to the defendant on the phone, and that the phone number she had used to talk to the defendant matched the phone number of those text messages. She said that she had seen the defendant use that Facebook account.
So we've got this witness tying the defendant to the phone number and the text messages, and tying the defendant to the Facebook account. The ruling here, well, it's admissible. That is enough that a jury could reasonably conclude that those messages came from the defendant. Don't have to prove beyond a reasonable doubt, don't have to prove by clear and convincing evidence, or preponderance of the evidence, just sufficient facts from which a jury could reasonably conclude that the messages were authentic. When we get to hearsay, well, they're statements by the party opponent. These were offered by the government against the defendant, it's Rule 801(d)(2), statements by a party opponent. We don't have hearsay to deal with here.
All right, our next case. This is an Arizona case, State v. Fell. It's from the Arizona Court of Appeals in 2017, it's 242 Arizona 134. These are text messages between a defendant and the alleged victim, transcribed by the probation officer. The probation officer who saw these text messages could not recall how he viewed them. Didn't recall a program he used to view the text messages. So the probation officer's there saying, "I viewed these. I can't tell you how, but I did, and then I typed them up. That's how we have a record of them." The phone is sent off for a forensic examination. In that forensic examination, these text messages were not found anywhere. They weren't there on the phone, they weren't there in deleted status on the phone, they weren't found.
The phone itself was registered to the defendant's mother. The probation officer says the defendant admitted the text messages were between him and the victim. The defendant says, "No, I didn't. Never said that. Never admitted to these." In a jail call, the defendant mentioned the victim's phone number. So we do know the defendant knows the victim's phone number. But now we've got kind of a he-said-she-said type situation, defendant saying, "I never texted the victim. I never admitted this." The probation officer is saying, "Well, he admitted it to me, and I don't know how I viewed these text messages, but I did. I typed them up, and of course my transcription is accurate. Just trust me."
What do you think the court's going to do here? Well, the trial court actually suppressed the evidence, but was reversed on appeal. The trial court does not need to determine whether the evidence is truly authentic, but only whether evidence exists from which a jury could reasonably conclude that it is authentic. The Court of Appeals says, "A flexible approach is appropriate. Allowing the trial court to consider the unique facts and circumstances in each case, and the purpose for which the evidence is being offered in deciding whether the evidence has been properly authenticated." Here, the Court of Appeals said, "Look, the probation officer's testimony was enough."
The defense is still free to contradict it, to bring their own witnesses, to bring their own testimony, to contradict that of the probation officer, they can cross examine, but this evidence gets to the jury. The jury could conclude it's authentic. They don't have to conclude that, they could. They get the final say. What was not raised in this case was best evidence rule. The defense is saying, "Hey, we have a genuine question here about that transcription." But they didn't raise that under Rule 1003, that would have been very interesting to see what the trial court and the appellate court would've done with that kind of best evidence rule, but it wasn't preserved.
All right, we're going to talk about our last case. This is again, another Arizona case State v. Griffith. It's a Court of Appeals decision from 2019 in Arizona. It's 247 Arizona 361. In this case, it is a sale of stolen iPads. Law enforcement obtains Facebook messages between allegedly the defendant and a third party. In those messages, there are pictures of the stolen iPads with matching serial numbers. So you can see the serial number of the iPads in these Facebook messages, and that serial number does in fact match the serial number of the stolen iPads. The state, at trial, attempts to admit these records, these Facebook messages, under Rule 803(6), our business record hearsay exception, and rules 902(11) and (12). That's our self-authenticating business record rules there.
The problem, the state didn't have a certification from Facebook to comply with rules 902(11) and (12), or 803(6). Nor did they have live testimony from somebody from Facebook. They didn't have a custodian here and they were trying to admit these as business records. Those rules require a custodian, either by declaration or by live testimony, but you got to have it. They didn't have that. So you're probably thinking, "Well, then that's not admissible." Well, you're wrong. Court of Appeals said this was admissible. They kind of forgave the state's error here. They said, "Look, these aren't business records. This isn't the normal course of business, these are statements by the defendant. Therefore, we don't need to deal with hearsay under Rule 803(6)." If they're authored by the defendant, then they're non-hearsay, they're Rule 801(d)(2).
I want to pull out a few statements here that the court made, because it's pretty interesting. What the court says, "The state claimed the message was sent by the defendant Griffith himself and the state was required to provide some indicia of authorship to satisfy its authentication obligation before the message could be admitted into evidence." Fully agree, makes sense. If you're saying, "It came from the defendant." You got to provide something to say, "It came from the defendant." You've got to provide enough information so that the jury could reasonably conclude that it's authentic. If you don't do that, then we don't have authentication and we have a hearsay issue, because we don't have any information to say, "These came from the defendant and therefore they are out of court statements being offered to prove the truth of the matter asserted," they're hearsay.
The court goes on to say, "A Facebook records custodian could not provide such indicia beyond attesting that the message came to or from a particular account." Makes absolute sense. Facebook doesn't know who's using the account. They're going to say, "Hey, these came to and from this account, this account labeled John Doe, but we don't know if John Doe is the owner of this account. We can give you an IP address. You can go figure it out." But Facebook doesn't know who's using the account, so they can't provide data enough to satisfy that it was the defendant using this account, it was the defendant sending these messages.
The court goes on to say, "Allowing the state to fulfill its authentication obligation, simply by submitting such a certification would amount to holding that social media evidence need not be subjected to a relevance assessment prior to admission under Rule 803(6)." This statement, to me, does not make a lot of sense. Let's pull it apart here. "Allowing the state to fulfill its authentication obligation." Yeah, they've got to fulfill that. "By submitting such a certification would amount to holding that social media evidence need not be subjected to a relevance assessment." Where does relevance come in? Relevance is Rule 401. We haven't been talking about relevance. Clearly these messages are relevant. These messages contain pictures of the stolen iPads, they are absolutely relevant. Whoever took those pictures, whoever sent these messages clearly has facts related to this theft. Why is relevance coming in here? What does relevance have to do with authentication or hearsay? That part makes no sense.
But then they go on to say, "The certification from Facebook doesn't fit under Rule 803(6)." Well, that makes perfect sense. We already talked about that. Facebook can't tell us who these messages came from and they're certainly not business records, they're not Facebook's business records. That's for sure. Facebook maintains them, but the statements contained within the messages aren't going to fall under 803(6), they're not business records. The court goes on to say, "Accordingly, we conclude that social media communications, when offered to prove the truth of what a user said, fall outside the scope of Rule 803(6), and are thus not self-authenticating under Rule 902(11)." That all makes sense. The statements in these messages are absolutely not Facebook's business records. Facebook can maintain the account, can maintain the messages, but the content within the messages are not business records. Therefore, they will not fall under the business record hearsay exception.
If they're offered against a defendant, the state or the government better produce information to show some relation of the defendant to that account. At least enough facts that a jury could reasonably conclude that these messages are authentic. If they're messages between somebody else, that's not the defendant, well, you've got a hearsay problem. You're going to have to figure out, "How are we going to deal with hearsay if we're offering these messages for the truth of the matter?" Well, are they a present sense impression, then existing mental state? You're going to have to go through your 803(6), or 803 hearsay exceptions and find what fits. But when they're offered against the defendant, you need facts to establish the defendant is responsible. That's our last case.
I want to wrap up here by giving you some things to think about in the future. While you're gathering evidence in your case, think about admissibility. How are you going to gather that evidence? You can have an expert do it. You're going to hire someone like Archer Hall to gather that evidence for you. Can you have a private investigator do it? Can you have your paralegal or legal assistant do it? Can you have a witness or a party to the case do it? Be careful about doing it yourself, you don't want to be that lawyer that prints out the screenshot, gets to trial and then realizes, "Uh-oh, I'm the only one that can testify about authentication and clearly I can't do that if I'm the lawyer on the case." Think about that at the stage when you're gathering the evidence. Who's going to provide the testimony you need to make the data admissible?
If the other side is offering digital evidence, decide if you should make pretrial or trial challenges to it. Many criminal defense attorneys might want to wait until trial to challenge evidence, because then if they win and they win the case, well, double jeopardy attaches. Sometimes criminal defense lawyers wait until trial to challenge the data. On the civil side, if you wait until trial to challenge a key piece of evidence, well, a judge might get pretty annoyed with you. Wondering why you didn't file a motion in limine, why you didn't raise this issue earlier. Now, of course, if you raise the issue early, it might give the other side the opportunity to cure it. Maybe it gives them the opportunity to get that certification from the custodian of records to make it admissible under 902(13). Or maybe they go back to their expert under Rule 902(14) to get that declaration. Or maybe it can be admissible under 902(11) and (12) as a record of regularly conducted activity. By raising the issue early, the other side has the opportunity to cure it, so long as the close of disclosure isn't done.
The other thing you should think about is using your pretrial interviews, or discovery and disclosure process, or depositions, for authentication purposes. Maybe you go and gather a bunch of data. Maybe you gather screenshots of the opposing party's Facebook page, but now you want them to admit it's their page. Well, if it's a civil case, you send them a request for admission. "Admit that this Facebook page is yours. Admit that this Facebook post was yours. Admit that you have this phone number, that you sent this text message." Maybe you confront it with them at deposition. You show them the screenshot, "Is this your Facebook page?" If they won't confirm that, maybe you ask them about that biographical information, keeping in mind your low burden under Rule 901, sufficient facts from which a jury could reasonably conclude that the evidence is authentic.
You just are looking to gather those facts. Use your pretrial interviews, or depositions, or disclosure and discovery process to gather all of that. Think about admissibility of your data long before you get to trial. You don't want to be three days before trial and realize your key piece of digital evidence isn't going to be admissible. You don't have the right witnesses or the facts to introduce it. Be prepared, think about this from the very beginning of your case. How will this data be admissible? If you do that, you'll be setting yourself up for success later in the case.
That's all I've got for you today. I hope you found something useful here. Hope you learned something new. Hope you enjoyed this presentation, and you'll be thinking about digital evidence going forward. If you ever have questions about this or want to see if I can help you out on a case, always feel free to reach out to us here at Archer Hall. Again, my name is Brian Chase. I am the director of digital forensics here at Archer Hall. My email address is [email protected]. You can reach us at archerhall.com. You can call us at (855) 839-9084. Thank you all for attending, and I wish you all the best success dealing with your digital evidence in the future. Thank you.