Legal Issues
Drama in Soviet Court.
Post-Stalin (1955). Painted
by Solodovnikov. Oil on
Canvas, 110 x 130 cm.
Computer Forensics
COEN 252
Issues of Evidence
An information is admissible in court if it is
• Relevant
• Its probative value outweighs its prejudicial
effect.
Issues of Evidence
• Best Evidence Rule
The legal doctrine that an original piece of
evidence, particularly a document, is
superior to a copy. If the original is
available, a copy will not be allowed as
evidence in a trial.
Issues of Evidence
• Foundation
– Context for Information
• Hearsay
– Not admissible with exceptions
• Chain of Custody
– Establishes trustworthiness of evidence by
preventing tampering
Stipulation: Agreement between parties or concession
by one party in a judicial proceeding.
Hearsay
• Second-hand evidence in which the
witness is not telling what he/she knows
personally, but what others have said to
him/her.
Exceptions to Hearsay
• Admission against interest:
– out-of-court statements contrary to penal or pecuniary
interest, including those found on a computer.
• Business Records
– Made in the normal course of business.
– Relied on by the business.
– Made at or near the occurrence of the act the record
purports to record.
– Offered through a competent witness, either the
custodian of the record or another who can testify to
those issues.
Exceptions to Hearsay
• Official government records
– Must be properly kept.
• Writing about an event close to its
occurrence used to refresh a witnesses
memory.
• “Learned treatise”
• Judgments in other cases
• Spontaneous excited utterance
Exceptions to Hearsay
• Contemporaneous statement which explains the
a person’s state of mind at the time of an event.
• A statement which explains a person’s future
intentions if that state of mind is in question.
• Prior testimony
• A declaration of the opposing party which was
contrary to their best interest if the parity is not
available at trial.
• Dying declaration by a person who believes (s)
is dying.
http://dictionary.law.com/
Exceptions to Hearsay
• A statement made about one’s mental set,
feeling, pain, or health if the person is not
available
• A statement about one’s own will when the
person is not available
• Other exception at the judge’s discretion
based on the reliability of the testimony.
http://dictionary.law.com/
Computer-Generated Records
• Computer generated records often fall
under the business record exemption.
• Courts might also start to make a
distinction between computer-generated
records and computer-stored records.
Computer-Generated Records
• Not a question of hear-say (is there better
evidence available)
• But a question of Authenticity.
Is the generating program reliable?
Proper Care of Evidence
• Evidence collected by the state needs to
be protected from fraud.
• This lays a burden on the state to provably
preserve the evidence.
– Chain of custody.
Breach of Chain of Custody
• Not every breach makes the item inadmissible.
• Not necessary to have the best security against
tampering.
• Government agents are assumed to be
trustworthy.
• But
Chain of Custody
• Seized device is put in an Evidence
Locker.
– Typically a closet safeguarded against
intrusion.
• Records allow reconstruction of who had
physical control over the device.
Chain of Custody
• Working on the original. A forensic
examination that is done directly on the
original disk drive will make it difficult to
argue that the evidence could not have
been tampered with. Much better to make
a “true copy” and examine the true copy.
• Proof that it is a true copy.
Best Evidence Rule
• Copies are worse than originals, therefore
they are not admissible unless the original
has been destroyed.
• Does not apply to various computer
outputs.
Best Evidence Rule
Except as otherwise provided by statute,
no evidence other than the original of a
writing is admissible to prove the content
of a writing. This section shall be known
and may be cited as the best evidence
rule.
California Rules of Evidence 1500.
Best Evidence Rule
•
•
•
•
•
•
Exceptions:
Printed representations of computer information and
computer programs.
Printed representations of images stored on video or
digital media.
Secondary evidence of writings that have been lost or
destroyed without fraudulent intent of the proponent of
the evidence.
Secondary evidence of unavailable writings.
Secondary evidence of writings an opponent has, but
fails to produce as requested.
Secondary evidence of collateral writings that would be
inexpedient to produce.
Best Evidence Rule
•
•
•
•
•
•
•
Exceptions:
Secondary evidence of writings recorded in public records, if the
record or an attested or certified copy is made evidence of the
writing by statue.
Secondary evidence of voluminous writings.
Copies of writings that were produced at the hearing and made
available to the other side.
Certain official records and certified copies of writings in official
custody.
Photographic copies made as business records.
Photographic copies of documents lost or destroyed, if properly
certified.
Copies of business records produced in compliance with Sections
1560-1561.
Future
• The law argues by analogy.
• Justice takes (eventually) account of technology.
– Digital storage has qualitative properties that make it
fundamentally different from writings.
• Ease of alteration.
• Possibility of completely accurate copy & transmission.
• Current law is still based on the case of manual
copy.
• If the problems are big enough, either precedent
will change or statutes will make the proper
exceptions.
Acquisition of Evidence
• Distinction between government agents
and private citizens.
• Illegal actions by private citizens can yield
admissible evidence and lead to their
punishment.
• If a sworn law officer violates an
amendment, the gained evidence is
usually suppressed, but the officer is
protected by sovereign immunity.
Sovereign Immunity
• A sovereign or a government cannot
commit a legal wrong and is immune from
civil suit or criminal prosecution.
Prosecutorial Immunity
• Judges, legislators, prosecutors enjoy
qualified or unqualified immunity.
• Property of the role, not the person.
– I.e. a prosecutor’s immunity depends on
whether they are acting in a prosecutorial
role, an investigative role, etc.
Prosecutorial Immunity
• Jean v. Collins
– police officers have absolute immunity for failure to
turn over exculpatory material over to a criminal
defendant, because they are performing a
prosecutorial task.
– They have qualified immunity for not turning over the
exculpatory material over to the prosecutor.
• Law enforcement officers do not enjoy sovereign
immunity for willfully violating civil rights.
Electronic Communications Privacy
Act ("ECPA"), Title III
• Extends protection against wiretapping to
communications between computers
• Know the exceptions
• Know the consequences of violating the
title
Electronic Communications Privacy
Act ("ECPA"), Title III
• A person acting under the color of law
can intercept electronic communication
where such a person is party to the
communication or one of the parties of
the communication have given prior
consent to such interception.
Electronic Communications Privacy
Act ("ECPA"), Title III
"A person not acting under color of law" is
also allowed to intercept an "electronic
communication" where "such person is a
party to the communication, or one of the
parties to the communication has given
prior consent to such interception."
The consent can be implicit, e.g. by using a
computer protected with login banners.
ECPA Title III Concerns
Title III also permits providers of a
communication service, including an
electronic communication service, the right
to intercept communications as a
"necessary incident to the rendition of his
service" or to protect "the rights or
property of the provider of that service."
ECPA Title III Concerns
Two exceptions to the last rule:
• If there is no actual damage, then the right
to monitor does not exist.
• The government is not allow to do the
monitoring, but they can profit from
monitoring.
Fourth Amendment
The right of people to be secure in their
persons, houses, papers, and effects,
against unreasonable searches and
seizures, shall not be violated, and no
warrants shall issue, but upon probable
cause, supported by oath or affirmation,
and particularly describing the place to be
searched, and the persons or things to be
seized.
Fourth Amendment
• Computer Storage = Closed Container
such as a briefcase
• With Warrant:
– Limits to warrant because of privilege or
additional protection.
• Without Warrant
– Expectation of Privacy
Fourth Amendment
• No expectation of privacy
– Public display
– Material in some else’s hands
– Consent by co-owner or authorized person
• Exigent circumstances
• Plain view exception
• Lawful arrest
Very difficult and interesting case law.
Fourth Amendment
• Fundamental question:
– Does the individual enjoy a reasonable
expectation of privacy in electronic
information stored within a storage device.
• Courts equate storage devices to “closed
container”
Fourth Amendment
• Reasonable Expectation of Privacy and
Third Party Possession
– Difference between data in transit (usually
need warrant) and data received by third
party.
– Received by third party: Can owner
reasonably expect privacy:
• Bank account information that account holders
divulge to the bank.
Fourth Amendment
• Fourth Amendment does not apply to
private searches.
– Private party cannot act as government
agents:
• Repairman discovers many file names indicating
child pornography, opens those, discovers child
pornography, and informs LE.
– LE can repeat the original private search, but
not exceed it.
Fourth Amendment
• Searches using innovative technology
applied to ordinary devices might need a
warrant:
– Kyllo v. United States
• Supreme Court held that the warrantless use of a
thermal imager to reveal the relative amount of
heat released from the various rooms of a
suspect's home was a search that violated the
Fourth Amendment.
Fourth Amendment
• Exceptions to the Warrant Requirement
– Consent
• Government carries burden of proof that the
consent was voluntary.
– Scope of consent depends on the facts of
each case.
• E.g.: does consent to search premises includes
consent of storage devices found there.
Fourth Amendment
• Exceptions to the Warrant Requirement
– Exigent Circumstances
• “would cause a reasonable person to believe that
entry . . . was necessary to prevent physical harm
to the officers or other persons, the destruction of
relevant evidence, the escape of the suspect, or
some other consequence improperly frustrating
legitimate law enforcement efforts.”
• Arises in computer cases because some electronic
evidence is volatile.
• Reasons for exigent circumstances limit the scope
of the search.
Fourth Amendment
• Exceptions to the Warrant Requirement
– Plain View
• Agent must in lawful position to observe and access the
evidence and its incriminating character must be immediately
apparent.
• E.g.: LE agent makes search of hard drive, comes upon
evidence of an unrelated crime while conducting the search.
– Search Incident to a Lawful Arrest
• Search incident to arrest must be reasonable
– Strip searches are usually not reasonable.
– Inventory searches are reasonable.
• But that should not support a search through seized
computer files.
Fourth Amendment
• Exceptions to the Warrant Requirement
– Border Searches
• “Routine searches” do not require a warrant:
United States Customs Agents learned that William Roberts, a suspect believed to
be carrying computerized images of child pornography, was scheduled to fly from
Houston, Texas to Paris, France on a particular day. On the day of the flight, the
agents set up an inspection area in the jetway at the Houston airport with the sole
purpose of searching Roberts. Roberts arrived at the inspection area and was told
by the agents that they were searching for "currency" and "high technology or other
data" that could not be exported legally. Id. at 681. After the agents searched
Roberts' property and found a laptop computer and six Zip diskettes, Roberts agreed
to sign a consent form permitting the agents to search his property. A subsequent
search revealed several thousand images of child pornography.
Fourth Amendment
• Workplace Searches
– O'Connor Supreme Court Decision:
• the legality of warrantless workplace searches
depends on often-subtle factual distinctions such
as whether the workplace is public sector or
private sector, whether employment policies exist
that authorize a search, and whether the search is
work-related.
Fourth Amendment
• Workplace Searches
– Typical:
• A fellow employee who has equal control over a
computer can consent to its search.
• Employers and supervisors who have authority
over a computer can consent to its search.
• HELPFUL: An employment policy stating that the
employer retains authority over its computers and
networks.
Fourth Amendment
• Multiple warrants might be needed in
network searches.
• No-knock warrants:
– As a general matter, agents must announce
their presence and authority prior to executing
a search warrant.
• Sneak-and-Peek Warrants
– "surreptitious entry warrants"
Privacy Protection Act
• Protects publishers against government
searches of material that is acquired for
publication
• Reaction to the Daily Stanfordian case
• Internet publishing allows much private
computer material to fall under the PPA
protection
Privacy Protection Act
• Subject to certain exceptions, the PPA makes it unlawful
for a government officer "to search for or seize" materials
when
– (a) the materials are "work product materials" prepared,
produced, authored, or created "in anticipation of communicating
such materials to the public," 42 U.S.C. § 2000aa-7(b)(1);
– (b) the materials include "mental impressions, conclusions, or
theories" of its creator, 42 U.S.C. § 2000aa-7(b)(3); and
– (c) the materials are possessed for the purpose of
communicating the material to the public by a person
"reasonably believed to have a purpose to disseminate to the
public" some form of "public communication.“
• OR
Privacy Protection Act
• Subject to certain exceptions, the PPA makes it unlawful
for a government officer "to search for or seize" materials
when
– (a) the materials are "work product materials" prepared,
produced, authored, or created "in anticipation of communicating
such materials to the public," 42 U.S.C. § 2000aa-7(b)(1);
– (b) the materials include "mental impressions, conclusions, or
theories" of its creator, 42 U.S.C. § 2000aa-7(b)(3); and
– (c) the materials are possessed for the purpose of
communicating the material to the public by a person
"reasonably believed to have a purpose to disseminate to the
public" some form of "public communication.“
Privacy Protection Act
• Subject to certain exceptions, the PPA
makes it unlawful for a government officer
"to search for or seize" materials when
– the materials are "documentary materials"
that contain "information,"
– (b) the materials are possessed by a person
"in connection with a purpose to disseminate
to the public" some form of "public
communication."
Privacy Protection Act
• Exceptions
– the only materials searched for or seized are contraband,
instrumentalities, or fruits of crime
– 2) there is reason to believe that the immediate seizure of such
materials is necessary to prevent death or serious bodily injury
– 3) there is probable cause to believe that the person possessing
such materials has committed or is committing the criminal
offense to which the materials relate (an exception which is itself
subject to several exceptions),
– 4) in a search for or seizure of "documentary materials" as
defined by § 2000aa-7(a), a subpoena has proven inadequate or
there is reason to believe that a subpoena would not result in the
production of the materials.
Privacy Protection Act
• Was not intended for web journalism that
raises questions of who is a journalist and
what constitutes publication.
Electronic Communications Privacy
Act
• Protects third party data against law
enforcement seizes
• E.g. internet provider.
Electronic Communications Privacy
Act
• Steve Jackson Games, Inc. v. Secret
Service
Steve Jackson Games, Inc. ("SJG") was primarily a publisher of role-playing games,
but it also operated a network of thirteen computers that provided its customers with
e-mail, published information about SJG products, and stored drafts of upcoming
publications. Believing that the system administrator of SJG's computers had stored
evidence of crimes, the Secret Service obtained a warrant and seized two of the
thirteen computers connected to SJG's network, in addition to other materials. The
Secret Service did not know that SJG's computers contained publishing materials
until the day after the search. However, the Secret Service did not return the
computers it seized until months later. At no time did the Secret Service believe that
SJG itself was involved in the crime under investigation.
Electronic Communications Privacy
Act
• In Steve Jackson Games, the district court
held the Secret Service liable under ECPA
after it seized, reviewed, and (in some
cases) deleted stored electronic
communications seized pursuant to a valid
search warrant.
Pen/Trap Statute (amended 2001)
• Authorizes installation of pen-registers and
trap-and-trace devices.
– Pen register only records dialing, routing, and
address information for electronic outgoing
communications.
– Trap-and-Trace: same for incoming
communications.
– Court order for pen/trap device requires only a
statement by the investigator that the
information is likely to be relevant to a criminal
investigation.
USA Patriot Act (2001)
• Contains “sneak and peek” authority
– Delayed notification of physical searches for
up to 90 days.
• Already norm in wiretap cases.
– Dalia v. U.S. 1979:
• Feds implanted a hidden microphone pursuant to a
search warrant.
• Notification was delayed until surveillance was
ended.
– Allows installation of electronic surveillance
devices authorized for the whole U.S.
• important for working with IP providers.
– Gives immunity to persons providing technical
assistance.
Legally Privileged Documents
• Need to prevent ongoing investigation
from using legally privileged documents.
• Medical records.
• Attorney-client communications.
• Priest-penitent communications.