Sean Erenstoft Lectures on Authenticating Web Evidence

Sean Erenstoft: Internet evidence is an inherently difficult matter to deal with as a jurist. The inherent problem is that websites are not typically monitored for accuracy and nothing contained on the web is under oath or even subject to independent verification.

Simply put, “hackers can adulterate the content on any web-site from any location at any time.” (St. Clair v. Johnny’s Oyster & Shrimp, Inc., 76 F. Supp. 2d 773, 774-75 (S.D. Tex. 1999)).

Just a few years ago, California courts struggled with the foundational concerns voiced in the St. Clair holding when lawyers observed that even a digital photograph “can be changed to produce false images” without “skill, experience, or even cognizance” by using computer programs such as Adobe Photoshop. (People v. Beckley, 185 Cal. App. 4th 509, 515 (2010)). The court proceeded to exclude MySpace photographs from evidence.

In Los Angeles, at least one prosecutor has relied upon “To:” and “From:” lines in purported email exchanges to charge the supposed sender with cyber-stalking. As a criminal defense attorney, I challenged the premise of the lawsuit by asking the prosecutor to provide the I.P. addresses (the internet source-code) of the emails to determine their origin.  When it was discovered that the prosecutor was unable (or likely unwilling) to inquire about the I.P. information, she was forced to withdraw the lawsuit.

Distrust of new technology is nothing new and courts are searching for a less-formalistic method to allow for the admission of electronic data. Indeed, courts seem to be settling on the following formula:  “As long as the evidence would support a finding of authenticity;” and any “conflicting inferences [go to] … the document’s weight as evidence, not its admissibility.” (People v. Valdez, 201 Cal. App. 4th 1429, 1435 (2011)).

Many California courts have embraced this progressive mentality by simply requiring the proponent of the evidence to make “a preliminary showing the writing is what it purports to be.” (People v. Boner (2012) San Francisco, Case No.: SF108698A — not officially reported).

More preferred however, is the view articulated by the majority of judges who require definitive proof that Internet evidence was not “faked” or “manipulated.”

The Three Methods of Authentication:

The first is expert testimony used to show that the evidence is free of contamination or corruption and is what it purports to be. The second method is testimony of a witness responsible for the creation and/or knowledge of the content, such as the person who took the suspect picture or a webmaster who created or formed the website.  And third, the court may rely upon circumstantial evidence of reliability to meet the burden of proof.  In California, the primary methods the courts turn to is set forth in our Evidence Code at § 1410.

The first two methods (experts and percipient witnesses) are usually not available. Indeed, detecting modifications of electronic evidence is a very difficult feat and requires sophisticated forensic methodology; and key-stroke analysis is practically impossible.  The third methodology, circumstantial evidence, is the focus of this article.

Leaving authentication issues to the discretion of the court based on whether an attorney can meet the foundational burden appears to be the direction we are going. Focusing on the content and context of the material, it seems that proponents of evidence must now prove authenticity by providing the court with supporting evidence consisting of “distinctive characteristics,” “external corroborating evidence,” and whether the proponent of the evidence has any better method to prove the material’s source.

For example, if the proponent can exclude the possibility of access by third parties to a website or email via the existence of a password, the source of an email may be sufficiently authenticated. In terms of context, perhaps counsel can offer other, previous, exchanges by and between parties and unique or distinctive characteristics can be presented.  Notably, I.P. addresses and the ability to include or exclude a possible source of material remains the most reliable method of proving the source of electronic data insofar as such material is usually, ultimately, sourced to a single laptop or server.  If that server or computer is in possession of the proponent and was password protected at the time of the missive or posting, a court can find a foundational basis in which to proffer electronic evidence sourced to that computer or server.

Despite growing acceptance and flexibility of California courts to rely on circumstantial evidence to authenticate Internet evidence, the precise level of proof remains subject to the whims of the individual judge. For example, an appellate panel affirmed the exclusion of a Facebook photograph because a witness had no personal knowledge about who took the photo, or the name of the person who posted it.

At present, a plethora of objections remain available to what is effectively “out of court evidence.” Indeed, the hearsay objections and the myriad of exceptions to its admissibility remain.  Of primary concern to me remains the ability of the proponent of electronic evidence to prove the basic foundational basis of evidentiary offerings.  Most troublesome is when a prosecutor relies on such evidence as the basis for filing charges (or seeking an indictment) against a suspect without the evidence having been minimally challenged for authenticity.

Sean Erenstoft can be reached at (310) 613-8887.