Collecting and authenticating online evidence
Now more than ever, proving chain of custody matters
By James Careless
Vancouver’s Stanley Cup riots offered a dramatic recent example of the power of online media for identifying lawbreakers. But the riots were far from unique in this respect: every day, people are posting their guilty activities on Facebook, Myspace and Twitter.
Despite the legal implications of such postings, “People are sharing the most embarrassing and incriminating evidence of their actions publicly,” says Ken Clark, a partner at Toronto’s Aird & Berlis LLP. Marvelling at the candid Facebook admissions of vandals, insurance fraudsters and divorce contestants, he adds, “For litigators, this is a gold mine.”
This said, a Facebook picture/video by itself is not enough to win your case. “If you cannot prove the context in which the photo or video was shot, this online evidence is legally hearsay,” says Peter E. J. Wells, a partner at McMillan LLP in Toronto. “You need to show what happened before or after the evidence was created, to establish that it means what you say it means.”
Context is just one of the problems associated with online evidence, and it is not even the largest concern. Instead, the two issues that really challenge the use of online evidence are obtaining it, and then authenticating the evidence in court. “Being digital in nature, online evidence is vulnerable to tampering – be it altering a blog entry, changing an e-mail, or Photoshopping a picture or video,” Clark says. “This is why you must be able to document the evidence’s provenance to everyone’s satisfaction.”
Techniques for collecting online evidence
- Obtain information and online web locations from clients.
- Use Google to search for offending data; a search in Google News can also reveal leads.
- Check Facebook and Twitter, via Google.
- Contact the website and ISP that hosted the offending material; subpoena if necessary.
- Hire a third-party firm to find and safely record the online evidence on your client’s behalf.
Identifying and finding online evidence
Online evidence is an extremely broad term. “It is bigger than just Facebook,” Clark notes. “Really, online evidence is any information that is accessible on the Internet, plus electronic communications outside the Web, such as e-mail.”
Lawyers’ clients are often sources for online evidence. They may be taking legal action in response to defamatory comments posted on a website, Facebook photos showing a supposedly disabled insurance claimant skydiving, or YouTube videos showing a divorced custodial parent partying and doing drugs. In other instances, companies or the lawyers they retain may actively search for such materials, and act upon them once they have been found online.
Copying online evidence to ensure provenance
Once online evidence has been found, the next step is to copy it properly. Just printing a screen capture isn’t enough to stand up in court: smart litigators know that the provenance or “chain of custody” trail starts now.
Unless your law firm has personnel trained in proper online evidence copying, it may be wise to hire a third-party expert to do it on your behalf. Digital Evidence International Inc. (www.dei.ca) is one such expert. DEI was established by president/CEO Steve Rogers, a 24-year RCMP veteran who completed his career heading up the Mounties’ “O” Division Technological Crime Unit.
“On behalf of our clients, we archive large volumes of online communications such as forums, IRC chat and newsgroups as well as web pages into our Integrated Case Management Database (ICM),” Rogers says. “All archived content that is secured in the database passes through an industry standard MD5 hash value that can be used to validate the integrity of the original content. This provides us with a pristine source of online evidence whose provenance can be documented in court.”
Any ICM evidence that is provided to clients is either accessed through a web-accessible portal or copied from the database by authorized DEI personnel, who document their efforts. Copied information is never returned to the ICM, thus ensuring that the original evidence’s authenticity is unquestionable.
Global Colleague of Washington D.C. (www.globalcolleague.com) is another third-party firm that obtains and preserves online evidence to ensure its authenticity. “Once we download the evidence, we store it in a ‘digital envelope,’” says Paul Easton, one of Global Colleague’s managing directors. “We seal the contents using Surety’s AbsoluteProof Service, a patented, cryptographical timestamping methodology that digitally ‘seals’ electronic records and files, enabling customers to protect the integrity – and independently and irrefutably prove the authenticity – of their original electronic records throughout their chain of custody.”
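As an added illustration (not code from DEI, Global Colleague or this article), the Python sketch below records a captured item's digests in a hash-chained custody log and later checks both the content and the log. The function names, log fields and sample page bytes are assumptions constructed for this example; SHA-256 is recorded alongside the MD5 value mentioned above because MD5 collisions are practical to construct.

```python
import hashlib, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed starting value for the first entry's chain link

def digests(data: bytes) -> dict:
    # MD5 as named in the article; SHA-256 added as the collision-resistant digest.
    return {"md5": hashlib.md5(data, usedforsecurity=False).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def seal(body: dict, prev_seal: str) -> str:
    # Each seal covers the entry and the previous seal, chaining the log.
    canon = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_seal.encode() + canon).hexdigest()

def record(log: list, action: str, actor: str, data: bytes, utc: str = "") -> dict:
    # Append one custody event (acquisition, copy, review) for the item.
    body = {"action": action, "actor": actor, "digests": digests(data),
            "utc": utc or datetime.now(timezone.utc).isoformat()}
    entry = dict(body, seal=seal(body, log[-1]["seal"] if log else GENESIS))
    log.append(entry)
    return entry

def verify(log: list, data: bytes) -> list:
    # Return a list of problems; an empty list means log and content check out.
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "seal"}
        if seal(body, prev) != entry["seal"]:
            problems.append(f"entry {i}: seal mismatch")
        prev = entry["seal"]
    if log and digests(data) != log[0]["digests"]:
        problems.append("content differs from acquisition digests")
    return problems

# Constructed sample: bytes of a captured page (not real evidence).
PAGE = b"<html><body>Constructed sample post for this example</body></html>"

if __name__ == "__main__":
    log = []
    record(log, "acquired", "examiner-a", PAGE)
    record(log, "copied-for-counsel", "examiner-b", PAGE)
    print(verify(log, PAGE))            # untouched content and log
    print(verify(log, PAGE + b" "))     # content altered after acquisition
```

The chain only shows that the log is internally consistent. An independent timestamp on the latest seal, the role the sealing service described above plays, is what prevents the holder from rebuilding the whole log.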
Finding the authors
In the case of the Vancouver riots, it was the perpetrators themselves who proudly posted proof of their actions on Facebook. This made identification relatively easy.
As for identifying the authors of online anonymous threats and defamatory statements? It is possible to file a motion of discovery with the website or ISP that originally hosted the online evidence to get their names. “Sometimes it is as easy as finding the e-mail or IP address that is associated with the evidence’s posting,” says Clark. “However, time is always an issue with online evidence, so it can make more sense to start your own investigation immediately to find the culprit, rather than wait for a discovery to go through.”
For litigators, the good news is that most people consider the Internet to be anonymous. In truth, it is anything but, thanks to the various online identity trails and IP addresses that people leave behind as they surf the Web. “Even in cases where people have tried to hide their identities through anonymous accounts and other tactics, you may be able to track them down by following publicly available information like domain name registrations,” Rogers says.
The bad news: “Just finding out the apparent identity of a malicious poster may not be enough to convict,” says Simon Borys. A former police officer who has handled online investigations, Borys is currently training to be a criminal lawyer at Queen’s University in Kingston, Ont. “The person who wrote the post may have stolen someone else’s online identity, or made one up that is hard to trace. You may need to do more digging before you have something that will stand up in court.”
Meanwhile, the amount of effort required to track down an Internet user truly adept at hiding himself may not be worth the cost. “It’s a question of balance between the difficulty and money required to obtain such information, and the amount of money at stake,” says Wells. “The effort you make has to be proportionate to the reward you seek.”
What if the online evidence has been removed?
In instances where online evidence has been removed, the website or ISP where it was first posted may have captured it during their regular data archiving. And in those cases where this has not happened, the data may still be found through the Web’s “Wayback Machine”.
Located at www.archive.org, the Wayback Machine is an automated application that has been surfing and storing web pages since 1996. Currently it has over 150 billion pages on file. Simply enter the offending website into its search engine, and the Wayback Machine will provide you with captures of that site’s data over time. (For instance, the Wayback Machine has visited and stored web pages from www.cba.org 209 times since May 30, 1997.)
Of course, this kind of archiving saves libel just as effectively as it archives truth. “We once spent a year and a half on behalf of one of our clients, trying to eliminate libelous material from being available on search engines,” says Wells. “Well, the Wayback Machine is located in California, and when we threatened them with legal action, they said ‘go get stuffed; we’re in the U.S.’ We then told our client how much it would cost to sue the Wayback Machine – about $1-2 million – and the client choked.”
The bottom line: standard evidence rules apply
Despite the novelty and challenges of online evidence, litigators need to stay focused on standard rules of provenance and authentication when dealing with it. By dotting your i’s and crossing your t’s, the online evidence you gather can be as legally decisive as you want it to be. But be sloppy, and your online evidence could be dismissed as contaminated hearsay, leading to a judicial outcome that neither you nor your client will welcome.
Removing offending content from the Web
It is possible to have offending content removed from the Web by contacting the websites and ISPs that have posted it and approaching them on a legal basis. Similarly, Google offers advice on removing such material from its searches: googlewebmastercentral.blogspot.com/2010/03/url-removal-explained-part-i-urls.html.
A plain English explanation has been posted by Simon Fodden on Slaw.ca: www.slaw.ca/2010/03/31/removing-content-from-google/
This said, the existence of the Wayback Machine and other web operators who delight in preserving posted material can undo all the efforts you make to remove offensive material. As Fodden comments on Slaw.ca, the person who posted the material can “undo the removal” and put the offensive material back online until the next lawyer’s letter arrives.