7.2 Authenticity and Reliability

7.2 Authenticity and Reliability

The process of determining whether evidence is worthy is called authentication.

Authentication means satisfying the court that (a) the contents of the record have remained unchanged, (b) that the information in the record does in fact originate from its purported source, whether human or machine, and (c) that extraneous information such as the apparent date of the record is accurate. As with paper records, the necessary degree of authentication may be proved through oral and circumstantial evidence, if available, or via technological features in the system or the record. (Reed 1990–91)

Authentication is actually a two-step process, with an initial examination of the evidence to determine that it is what its proponent claims and, later, a closer analysis to determine its probative value. In the initial stage, it may be sufficient for an individual who is familiar with the digital evidence to testify to its authenticity. For instance, the individual who collected the evidence can confirm that the evidence presented in court is the same as when it was collected. Alternately, a system administrator can testify that log files presented in court originated from her/his system.

In some cases, the defense will cast doubt on more malleable forms of digital evidence, such as logs of online chat sessions.

CASE EXAMPLE (MICHIGAN v. MILLER 2002):

In 2000, e-mail and AOL Instant Messages provided the compelling evidence to convict Sharee Miller of conspiring to kill her husband and abetting the suicide of the admitted killer (Jerry Cassaday) she had seduced with the assistance of the Internet. Miller carefully controlled the killer's perception of her husband, going so far as to masquerade as her husband to send the killer offensive messages. In this case, the authenticity of the AOL Instant Messages was questioned in light of the possibility that such an online conversation could be staged (Bean 2003).

CASE EXAMPLE (UNITED STATES v. TANK):

In United States v. Tank, a case related to the Orchid/Wonderland Club investigation, the defendant argued that the authenticity and relevance of Internet chat logs was not adequately established. One of the points the defense argued was that the chat logs could be easily modified. The prosecution used a number of witnesses to establish that the logs were authentic. The court held that "printouts of computer-generated logs of 'chat room' discussions may be established by evidence showing how they were prepared, their accuracy in representing the conversations, and their connection to the defendant."

This case is significant because it is one of the first to deal with the authentication of chat logs. However, some feel that there are still questions about the authenticity and reliability of Internet chat logs that have not been addressed. On IRC, for example, in addition to the chat channel window, there may be important information in other areas of an IRC client such as the status window and in private chat or fserve windows. Since it is not possible for one investigator simultaneously to view every window, we must rely heavily on the logs for an account of what occurred. In some instances, investigators have been able to compensate for a lack of documentation by testifying that the evidence being presented is authentic and reliable. Of course, it is best to have solid documentation.

To authenticate digital evidence, it may also be necessary to demonstrate that a computer system or process that generated digital evidence was working properly during the relevant time period. For instance, the section in the Federal Rules of Evidence 901(b)(9) titled "Requirement of Authentication or Identification" includes "evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result." In the United Kingdom, under Section 69 of the PACE, there is a formal requirement for a positive assertion that the computer systems involved were working properly.

CASE EXAMPLE (R. v. COCHRANE 1993, UNITED KINGDOM):

The accused was convicted of theft by fraudulent use of his cash card, withdrawing sums that his building society inadvertently credited to his account. The issue before the court was whether the trial judge should have admitted evidence in the form of computer printouts or till rolls. The evidence before the court was that two computers were involved in the relevant process. The person using the cash-point machine provided certain information which was relayed to the branch computer, which retained a back-up in its memory before transmitting it to the central mainframe computer. The court found that none of the prosecution witnesses had any knowledge of the actual working of the mainframe computer in that part of its operation, and none of them was able to supply affirmative information that the mainframe computer was operating correctly at the relevant time. As such the prosecution had failed to adduce adequate evidence to enable the court to properly rule that the till rolls were admissible evidence; in the absence of the till rolls the prosecution's case could not be proved.

The increasing variety and complexity of computer systems makes this type of evaluation increasingly difficult leading the UK Law Commission to recommend the repeal of Section 69 of PACE (Law Commission 1997). Requiring programmers and system designers to establish that computer systems are reliable at the lowest level is untenable, "overburdening already crowded courts with hordes of technical witnesses" (People v. Lugashi 1998). Therefore, US and UK courts have accepted the testimony of individuals who are familiar with the operation of computer systems. For instance, in R. v. Shephard (1993), The House of Lords held that Section 69(1) can be satisfied by the oral evidence of a person familiar with the operation of the computer who can give evidence of its reliability and the person need not be a computer expert. In United States v. Miller, telephone company records were admitted after a telephone-billing supervisor authenticated them. In a sexual assault case, the manager of the Southwestern Bell's security office testified that their telephone billing records were reliable as noted in the following quote.

Figlio's testimony was sufficient to confirm the reliability of the telephone records. She explained that entries in the record were made instantaneously with the making of the calls and that AT&T would send Southwestern Bell the billing tapes, which established when the call took place, the originating number and the terminating number. She explained that the source of the information was a computer, which monitored Southwestern Bell's switching operations. The circuit court was correct in concluding that these records were uniquely reliable in that they were computer-generated rather than the result of human entries. (Missouri v Dunn 1999)

Once digital evidence is admitted, its reliability is assessed to determine its probative value. For instance, if there is concern that the evidence was tampered with prior to collection, these doubts may reduce the weight assigned to the evidence. In several cases, attorneys have argued that digital evidence was untrustworthy simply because there was a theoretical possibility that it could have been altered or fabricated. However, as judges become more familiar with digital evidence, they are requiring evidence to support claims of untrustworthiness. As noted in the US Department of Justice Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations:

Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record. See Whitaker, 127 F.3d at 602 (declining to disturb trial judge's ruling that computer records were admissible because allegation of tampering was "almost wild-eyed speculation ... [without] evidence to support such a scenario"); United States v. Bonallo, 858 F.2d 1427, 1436 (9th Cir. 1988) ("The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness."); United States v. Glasser, 773 F.2d 1553, 1559 (11th Cir. 1985) ("The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer-generated records; the party opposing admission would have to show only that a better security system was feasible.") ... the government may need to disclose "what operations the computer had been instructed to perform [as well as] the precise instruction that had been given" if the opposing party requests. United States v. Dioguardi, 428 F.2d 1033, 1038 (C.A.N.Y. 1970). Notably, once a minimum standard of trustworthiness has been established, questions as to the accuracy of computer records "resulting from ... the operation of the computer program" affect only the weight of the evidence, not its admissibility. United States v. Catabran, 836 F.2d 453, 458 (9th Cir. 1988). (USDOJ 2002)

Even when there is a reasonable doubt regarding the reliability of digital evidence, this does not necessarily make it inadmissible, but will reduce the amount of weight it is given by the court.