Legal Issues Involving Digital Evidence

There are special rules for collecting and handling digital evidence. However, the process for obtaining the electronic devices and the evidence on them in the first place must follow established legal principles. The law asks two basic questions about evidence:

  • Did the person or organization that collected the evidence have the legal authority to do so?
  • Is the evidence admissible in court?

Legal principles and statutes are used to address the first question. These laws focus on the situations where a private entity or the government can collect information about a person.

Court rules and case law are used to address the second question. Both the federal government and state governments have trial court rules for civil and criminal proceedings. In addition to these rules, federal and state courts have evidentiary rules that govern how parties introduce evidence at trials. This chapter uses the Federal Rules of Evidence (FRE) to illustrate admissibility requirements. Many states have their own evidence rules that are based on the FRE.

One thing to keep in mind as you review this section is that there are differences between how law enforcement and private entities conduct investigations. Law enforcement agencies have very specific rules that they must follow when they collect evidence because a law enforcement agency is acting on behalf of a government. They are agents of either the federal or a state government. In the United States, a government cannot take some actions against its citizens without proper authority. This is part of our “checks and balances” system of government. For example, unless special circumstances exist, law enforcement must get permission from a court to monitor a person’s telephone conversations.

The rules are different for private entities. Private entities are individuals and organizations that are not related to a governmental agency. As long as a private entity is acting within the rule of law, it may take certain actions to protect its own interests. This is why an employer may monitor an employee’s telephone conversations when the employee is using the employer’s telephone equipment. A private entity generally has the right under the law to monitor and collect data about its own IT resources in order to protect them.

Authority to Collect Evidence

There are many laws that define and limit the government’s ability to monitor and collect data about individuals. The basic protections afforded to U.S. citizens stem from the Constitution. The Fourth Amendment protects citizens from an intrusive government.

Other laws further define how the government can collect and monitor data. These laws affect the activities of computer forensic examiners. The Electronic Communications Privacy Act,20 the Wiretap Act,21 and the Pen Register and Trap and Trace Statute22 are discussed in this section.

The Fourth Amendment and Search Warrants

The Fourth Amendment protects people from unreasonable government search and seizure. A search happens when a person’s reasonable expectation of privacy in a place or thing is compromised. A seizure happens when the government interferes with a person’s property. Interference includes taking the property or using it in such a way that the person who owns it cannot use it.

The Silver Platter Doctrine

The difference between the government’s ability to collect evidence of a crime and a private entity’s ability to collect evidence about that same activity is an interesting area of study. It is also a complicated area of study. The resolution of many court cases depends on these differences. Sometimes laws create special rules for law enforcement and private entities.

For example, the Electronic Communications Privacy Act (ECPA)19 sets out the rules for access, use, disclosure, and interception of stored electronic communications. Electronic communications include telephone, cell phones, computers, email, faxes, and texting. Under the ECPA, no one may access the contents of these communications unless it is allowed somewhere else in the ECPA. The law has different rules for the government and for private entities.

The ECPA has strict rules for the government. For example, the government cannot access any stored electronic communications without a search warrant. To get a search warrant, the government must prove to a court that it has probable cause to believe that criminal activity is taking place. The stored communications must hold evidence of the criminal activity. If the government cannot prove probable cause, then it cannot access these communications.

The ECPA has different rules for private entities. Private entities may access stored communications within their ordinary course of business. To use this exception, the private entity must have a legitimate business interest for accessing these communications. They also must show that the access occurred on equipment provided by a communications service provider. The ECPA also allows private entities to access employee communications if the employee gives consent. The private entity must be able to prove that it provided notice of access to its employees and that the employees consented to it. Most courts interpret these exceptions very narrowly.

Sometimes private entities find evidence of criminal activity. The ECPA allows most types of private entities to lawfully disclose this evidence to law enforcement agencies. This evidence often is very useful to a criminal investigation. Sometimes a prosecutor will want to use this evidence at a criminal trial. The evidence rule known as the silver platter doctrine applies in these cases. This rule is called the silver platter doctrine because the private entity gives admissible evidence to law enforcement “on a silver platter.” Law enforcement did not need a search warrant to access the evidence because it did not collect it or direct its collection.

The silver platter doctrine allows the admission of evidence lawfully collected by a private entity. However, the evidence collected by the private entity must be collected and documented properly. To take advantage of the silver platter doctrine, the government must show that the private entity is not affiliated with law enforcement or a government (state or federal). The private entity must not be collecting the evidence under the direction of law enforcement or a government. The private entity also cannot be an internet service provider (ISP). There are special rules under the ECPA for ISPs.

The Fourth Amendment states that the government may not search or seize areas and things in which a person has a reasonable expectation of privacy. If a person has a reasonable expectation of privacy in a place or item, then the government must get a search warrant before searching it or taking it. Under the Fourth Amendment, the “government” includes law enforcement. This section uses the terms government and law enforcement interchangeably.

Several court cases have held that people have a reasonable expectation of privacy in their personal computers and mobile devices. The U.S. Court of Appeals for the Ninth Circuit has found that a person has a reasonable expectation of privacy in a personal computer. That case is called United States v. Heckenkamp.23 Other courts have held that people have a reasonable expectation of privacy in data stored on personal pagers.24 The U.S. Supreme Court has held that a warrant is required before searching a cell phone, even when the cell phone is seized when its owner is arrested.25 It has also held that a person has a reasonable expectation of privacy in the location information collected by his or her smartphone and stored by his or her cell phone service provider.26 To search any of these devices, law enforcement must get a search warrant.

FYI

The Fourth Amendment applies to federal government actions only. However, most state governments have state constitutional protections that are similar to the Fourth Amendment. The Fourth Amendment does not apply to private individuals or entities that conduct searches or seizures. The private individual or entity must act alone and without government direction. The Fourth Amendment may apply when a private individual or entity follows government directions in conducting a search.

To get a search warrant, law enforcement must clearly specify the criminal activity that is being investigated. It must describe where the search will take place and also list the items that will be searched. Finally, law enforcement must state the evidence that they expect to find. They also must state how that evidence relates to the criminal activity that is being investigated.

If law enforcement conducts a search without a valid warrant, then any evidence that it finds is not admissible in court. This means that a judge will not allow the government to use that evidence to prove its case. Although the rule is strict, there are some limited exceptions. Court-recognized exceptions to the Fourth Amendment’s search warrant requirements include:

  • Consent—Law enforcement can search places and items if the person in control of them freely consents to the search. For example, a person can allow law enforcement to search his or her home, car, or computer. A person’s consent must be free and voluntary. If law enforcement finds evidence of criminal activity during a voluntary search, it is admissible in court. Cases reviewing this exception often focus on whether a person’s consent really was free and voluntary.
  • Plain view doctrine—Law enforcement does not need a warrant to search and seize evidence that is in an officer’s “plain view.” The officer must be able to see the evidence from a place where the officer has a right to be. This exception is often used to seize drugs or other contraband. For example, a police officer can seize drug paraphernalia that he or she sees in a car if the officer can plainly see the items in the car’s back seat while standing on a public street.
  • Exigent circumstances—Law enforcement is allowed to make a warrantless search and seizure in emergency circumstances. This exception applies if public safety would be harmed or evidence would be destroyed if law enforcement took the time to go to court to get a warrant. This exception also is called the “emergency” exception. Law enforcement often seizes drugs and weapons using this exception. Court cases reviewing this exception focus on whether a true emergency existed at the time the search or seizure took place.
  • Search incident to a lawful arrest—Law enforcement does not need a warrant to search for weapons or contraband on the body of an arrested person. In some cases, law enforcement may make a brief visual inspection of the area where a person is arrested to make sure that no accomplices are hiding nearby. Law enforcement officers are allowed to make these warrantless searches in order to protect their own safety. They also can use this exception to make sure that critical evidence is not destroyed during the arrest process. Courts strictly construe this exception to make sure that it is not abused. This exception is also called the protective sweep exception.
  • Inventory search—Law enforcement may conduct inventory searches without a warrant when they arrest a suspect. These searches are allowed when they are made for a non-investigative purpose. For example, if a suspect has a laptop computer when he or she is arrested, law enforcement may seize the computer for safekeeping while the suspect is in custody. This helps protect law enforcement from claims that they lost or stole a suspect’s property. For the exception to apply, the law enforcement agency must have standard policies and procedures for conducting inventory searches. They also must document the search. Court cases reviewing this exception focus on whether law enforcement was following a documented policy for inventory searches. They review whether the inventory search was a ploy to hide a more thorough search for evidence.

One important thing to keep in mind is that the Fourth Amendment search warrant exceptions allow for the seizure of the media containing the digital evidence. Law enforcement can seize the physical media only. If they want to conduct a forensic examination of that media, they must get a warrant to do so. Therefore, the search warrant must authorize the forensic examination. Unless emergency circumstances exist, the secondary search warrant ensures that any digital evidence collected from the media will be admissible in court. Computer forensic examiners must make sure there is a valid search warrant for any electronic devices that they collect. They also must make sure that the warrant allows them to search the data on the device.

Federal Laws Regarding Electronic Data Collection

Three main federal laws govern the collection of electronic communications data. These laws cover many different communications, including email, radio and electronic communications, data transmissions, and telephone calls. Computer forensic examiners often study these communications when they investigate cases or events. An examiner must make sure that his or her actions follow the law.

These laws forbid the use of eavesdropping technologies. This means that the government, individuals, and private entities cannot use certain technologies to snoop on electronic communications. The only time use of these technologies is allowed is when the law says it is allowed. Usually this is when the law allows an exception or if an entity has a court order. The three laws are:

  • The Electronic Communications Privacy Act
  • The Wiretap Act
  • The Pen Register and Trap and Trace Statute

NOTE

Keep in mind that states also might have laws governing the collection of electronic communications evidence. You must always review both federal and state laws when considering a legal issue.

The Electronic Communications Privacy Act. The ECPA, first passed in 1986, governs the use, disclosure, and interception of stored electronic communications. Congress has amended it several times. The ECPA governs access to the contents of stored communications, as well as access to transmission data about the communications. Transmission data includes header and log data. The ECPA does not apply to real-time collection of electronic communications.

The ECPA is a complicated statute. Under the ECPA, no one may access the contents of these communications unless it is allowed somewhere else in the ECPA. There are different rules for the government and for private entities. For example, the government cannot access any stored electronic communications without a search warrant. If it accesses them without a warrant, any evidence that it discovers will not be admissible. There are several exceptions to the ECPA for private entities. Some of these exceptions were part of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (U.S.A. PATRIOT Act).27 Congress passed the PATRIOT Act, which modified parts of the ECPA, in 2001. Under the ECPA, a private entity may voluntarily disclose the contents of stored communications to law enforcement. Law enforcement does not need a search warrant if the private entity discloses the information voluntarily. (This is the application of the silver platter doctrine.) As long as the evidence was collected and documented properly, it will likely be admissible.

Private entity voluntary disclosure is permitted under the ECPA as long as the private entity is not an ISP. If it is an ISP, then additional conditions must be met. These conditions prevent ISPs from having to monitor all communications across their networks. They also prevent ISPs from snooping on their subscribers and help ISPs maintain their safe harbor protections under U.S. IP laws.

If an ISP wishes to disclose the contents of a communication to law enforcement, the disclosure must fall under a permitted ECPA exception. If the disclosure does not fall under one, then it may not be admissible in court. The permitted exceptions that allow disclosure are:

  • The disclosure is made with the consent of the sender or receiver of the communication.
  • The disclosure is related to the ISP’s services or is made to protect the ISP’s rights.
  • The ISP inadvertently received the contents of the communication and the contents appear to be related to criminal activity.
  • The ISP reasonably believes that disclosure is required to prevent an emergency involving immediate danger of death or serious bodily injury.
  • U.S. child protection laws require the disclosure.
  • The disclosure is made in response to a court order.28

The Wiretap Act. The ECPA applies to access to and disclosure of stored communications only. The federal Wiretap Act governs real-time interception of the contents of an electronic communication. The Act does not apply to transmission information, but does apply to anyone who intentionally intercepts or tries to intercept any wire, oral, or electronic communication. The Act forbids the real-time interception of these communications. Communications covered by the Act include email, radio communications, data transmissions, and telephone calls.

NOTE

The Wiretap Act also is known as “Title III.” This is because it was first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968.

Under the Wiretap Act, no one is allowed to install wiretaps on telephones to intercept telephonic communications. The Act also forbids using network sniffers to intercept internet traffic or other computer-based communications. There are exceptions to the Wiretap Act, however. For example, law enforcement can install telephone wiretaps or network sniffers if it has a court order (warrant) to do so.

There are three main exceptions to the federal Wiretap Act for private entities. Private entities can use these exceptions to monitor content on their own communications systems. These exceptions are:

  • The Consent Exception
  • The Provider Exception
  • The Trespasser Exception

A private entity may monitor content on its own communications systems when one of the parties to the communication consents to the monitoring. This is the consent exception. One way that entities gather consent is by using network banners. A network banner is a warning banner that provides notice of legal rights to the users of computer networks. These banners are displayed when a computer user logs on to a network or visits an entity’s home page.

These banners have many purposes. They are used to show consent to monitoring under the Wiretap Act or consent to access under the ECPA. They are also used to eliminate a user’s Fourth Amendment reasonable expectation of privacy in a computer network. They also may be used to inform a user of the terms of use for the computer network. Typically, these banners inform the user that use of the network (after viewing the banner) is proof that the user consents to network monitoring and the terms of use.

A private entity can monitor its communications systems to protect its “rights or property.” This is called the provider exception. Monitoring under this exception must be reasonable and done in the ordinary course of business. This exception belongs only to the private entity, who may disclose evidence of business-related wrongdoing on its systems to law enforcement. This exception is not a general exception. The law does not allow a private entity to gather evidence of crime unrelated to it and turn that evidence over to law enforcement.

NOTE

Under the Wiretap Act, a computer trespasser is a person who uses a computer system without permission. A computer trespasser has no relationship at all with the private entity.

Court cases about the provider exception have upheld it in several situations. For example, an entity’s system administrators can use this exception to monitor a hacker’s communications within its network. They may do this to prevent damage to the entity’s network.29 The entity can give any evidence collected from the monitoring to law enforcement. This is because hacking into a computer network is illegal.

The trespasser exception was created in 2001 as part of the PATRIOT Act. This exception recognizes that there might be times when private entities do not have the expertise needed to track or monitor system intruders. Because they do not have the skills to track system intruders, the provider exception is not helpful to them. The trespasser exception allows the entity to ask the government to help in these situations. The government can assist the entity in intercepting the communications of a computer trespasser.

The following conditions must be met in order to use this exception:

  • Law enforcement must get the consent of the private entity.
  • The interception must be legal.
  • The interception must be part of a legitimate investigation.
  • The interception must not monitor the communications of anyone other than the trespasser.30

If these conditions are met, then law enforcement may help a private entity monitor a computer trespasser. Law enforcement does not need a court order to take advantage of this exception.

The Pen Register and Trap and Trace Statute. The Wiretap Act governs real-time interception of the contents of a communication. It does not apply to transmission information. The Pen Register and Trap and Trace Statute governs real-time monitoring of this type of data. Transmission information includes headers, logs, network routing, and other transmission data. This law does not apply to communications content.

Under the Pen Register and Trap and Trace Statute, no one is allowed to use pen register or trap and trace devices to intercept electronic communications transmission data. Similar to the Wiretap Act, however, some exceptions allow the use of these devices. For example, the law allows law enforcement to install pen register or trap and trace devices if they have a court order to do so.

NOTE

Pen register devices monitor outgoing transmission data. They record dialing, routing, signaling, or address information. Trap and trace devices monitor the communications of incoming transmission data. They capture incoming electronic signals that identify the origin of a communication.

There are three exceptions to the Pen Register and Trap and Trace Statute for private entities. Private entities can use these exceptions to use pen register or trap and trace devices on their own communications systems. The exceptions are:

  • A private entity may use pen register or trap and trace devices if necessary to operate, maintain, or test its communication services. It also may use these devices to protect its property rights. (This is similar to the provider exception under the Wiretap Act.)
  • A private entity may use pen register or trap and trace devices to protect the entity from fraudulent, unlawful, or abusive use of service. It would use these devices to prove the existence of a fraudulent, unlawful, or abusive electronic communication.
  • A private entity may use pen register or trap and trace devices when the user of the electronic communications service consents.

These three laws, in addition to the provisions of the Fourth Amendment, are the main federal laws that govern the collection of electronic communications evidence. Computer forensic examiners must make sure that their evidence collection activities comply with these laws. Computer forensic examiners must also follow any relevant state laws. The examiner’s credibility is damaged if the examiner does not follow the law. In addition, if the examiner does not follow the law, any evidence that he or she gathered might not be admissible.

Admissibility of Evidence

Even if evidence is lawfully collected, it still must be admissible. At the federal level, the main guidance regarding the submission of evidence at trial is the FRE. The FRE apply to use of evidence at federal trials. Many states also have rules of evidence. Often these rules are based on the federal rules. One thing to keep in mind whenever you are reviewing evidence is that you need to understand whether you must follow state rules or federal rules.

NOTE

In criminal cases, defense attorneys want to present exculpatory evidence to rebut the prosecution’s case. The prosecution is interested in presenting inculpatory evidence to support their case.

Under the FRE, relevant evidence is admissible unless some other rule or law says that it is not. Admissible evidence is evidence that the judge and jury can consider when they deliberate about a case. Evidence can be either inculpatory or exculpatory. Inculpatory evidence supports or confirms a given theory, whereas exculpatory evidence rebuts or contradicts a given theory.

Computer forensic examiners are hired to find digital evidence. There are two basic types of digital evidence:

  • Computer-generated records—These records and logs are the output of computer programs. They are created automatically by a computer program or process, even if a person initiates that program or process.
  • Records created by people and stored electronically—These records are created by people. They just happen to be in a digital form. This kind of evidence includes files, pictures, images, spreadsheets, and other documents created by a person. It also can include internet browsing history.

The Fruit of the Poisonous Tree Doctrine

The fruit of the poisonous tree doctrine is a long-standing legal doctrine, whose name stems from a biblical passage.31 The doctrine has been in place since 1920.32 The U.S. Supreme Court first used the term “fruit of the poisonous tree” in 1939.33 The doctrine prevents the government from using illegally gathered evidence at a criminal trial. It also prevents the government from using any legally gathered evidence that it obtained because of the illegally gathered evidence.

This doctrine is used to keep the government from violating people’s constitutional rights. If the government were allowed to use illegally gathered evidence at trial, the protections granted by the Fourth Amendment would be meaningless.

Under the fruit of the poisonous tree doctrine, the poisonous tree is evidence that is seized illegally. The fruit of the poisonous tree is evidence that is later gathered because of knowledge gained through the first illegal act. Neither the tree, nor its fruit, can be used at a trial.

The rules of evidence apply to digital evidence in the same way that they apply to traditional types of evidence. This section focuses on issues that are important for digital evidence. In order to be admissible, digital evidence must be:

  • Lawfully gathered
  • Relevant
  • Authentic and reliable

Evidence is lawfully gathered if it is collected in accordance with the law. The main laws that govern the collection of electronic evidence were discussed earlier in this section. Evidence that is not gathered lawfully is tainted with illegality. This means that it cannot be used in court. It also means that any subsequent evidence gathered because of the illegally obtained evidence also cannot be used in court. In the law, this is known as the fruit of the poisonous tree doctrine. This doctrine primarily applies to criminal cases.

Evidence is admissible only if it is relevant. Another name for relevant evidence is probative evidence. Probative evidence proves or disproves a legal element in a case. If evidence is not probative, then it can be excluded from a trial. The FRE say that evidence is relevant if it makes “the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.”34 Evidence can be inculpatory or exculpatory.

Relevance can occasionally be a problem for digital evidence. This is because it is sometimes hard for judges and juries to understand very technical information. They might not understand why the evidence is relevant. This is where a good computer forensic examiner can help. The examiner can help explain the technical information in everyday language and help show how the evidence is relevant to the case. The party that wants to introduce digital evidence must show how it is relevant.

Evidence is admissible if it is authentic.35 This means that the party introducing the evidence must show that the evidence is what it says it is. For example, suppose a party wishes to produce a printout of an electronic document and use it to prove an element in the case. Before being able to use the document, the party must show that the document was stored in a computer system. The party also must show that the document has not been altered, manipulated, or damaged since it was created.

Reliability is closely related to authenticity. It is often questioned in digital evidence issues. The reliability of digital evidence can be suspect if the program used to find the evidence has significant flaws. If the output of a program can change because of these flaws, then it is not reliable. If it is not reliable, then the information that the output represents may not be authentic.

Sometimes reliability is implicated at the forensic examination level. If a computer forensic examiner uses a new tool or program to conduct a forensic examination, the reliability of that tool must be demonstrated. The Daubert test is used to satisfy the court that new forensic tools are reliable. If the tool is reliable, then the court is more likely to admit the digital evidence.

As technology evolves, so too do the questions regarding the use of digital evidence in court. For legal practitioners, the Sedona Principles for Addressing Electronic Document Production is the best-known resource for how to properly use electronic evidence in legal proceedings.36 The 14 Sedona Principles are best practices for how to use digital evidence in legal proceedings.

The Hearsay Rule

There are other rules that may apply when courts consider the admissibility of digital evidence. For example, the hearsay rule37 is often implicated with respect to computer records and digital evidence. The hearsay rule is a very complicated evidentiary rule with numerous exceptions. Sometimes even the most experienced attorneys can be confused by the hearsay rule and its many exceptions.

Hearsay is any out-of-court statement that is made by a person that is offered to prove some issue in a case. Hearsay statements are statements made by people. They are not usually made under oath. Hearsay statements are sometimes offered by parties at trial when there are no direct witnesses available to testify. Gossip is a common example of hearsay. Statements that a news reporter makes when he or she reports on events from an anonymous source are also hearsay. Hearsay is not admissible unless a specific exception applies.

Records recovered from a computer can be hearsay, depending on how they were created originally. Many courts have held that computer-generated records, the logs and output of computer programs, are not hearsay. These records are created without human intervention. Some courts have said that computer-generated information is not a statement of a person and cannot be hearsay.38 If the records are not hearsay, then they are admissible.

Computer records that might be hearsay contain assertions by people. These types of records include documents and files, bookkeeping records, and records of transactions that are entered by people (and not through an electronic process). For these types of documents, a party must show that the document is admissible because of a hearsay exception. The party also must show that the document is authentic.

Some courts allow computer records to be admitted over a hearsay objection if they are created in the ordinary course of business. Records created in the ordinary course of business are often admissible, even if the hearsay objection would otherwise apply.39 The theory is that records created as part of a business process tend to be reliable. This is because the records are created repeatedly.

Trial Court Objections

Trial attorneys often make hearsay objections. That is, they object when opposing attorneys pose questions meant to elicit hearsay from witnesses. An objection is a formal protest made to a judge. An attorney usually makes an objection if the opposing party is asking questions that are inappropriate or violate a court rule.

If the judge agrees with the attorney who made the objection, the court will sustain the objection. This means that the objection is correct. In this case, the attorney who originally asked a question must not ask it or must rephrase it. If the judge does not agree with the attorney who made the objection, the court will overrule it. This means that the original objection was not correct. When a judge overrules an objection, he or she is allowing the original line of questioning to continue.

The Best Evidence Rule

The FRE require that original documents be used at trial to make sure that evidence is reliable and authentic.40 This is called the best evidence rule. This rule can create an interesting problem for digital evidence. In its original form, digital evidence is almost never in a format that a person can read and understand. The original form of digital evidence would be particularly unhelpful at a trial, as it would not be usable. However, any printout that represents digital evidence would not meet the best evidence rule.

The FRE have made an exception for this quirk of digital evidence since 1972. The rule states that an accurate printout of computerized data is an “original” for purposes of the best evidence rule.41 The FRE acknowledge that it is practical to address computerized evidence in this way.42 Any other result would not make sense.
