• Technical Delivery Manager
• NETWORK ADMINISTRATOR
• IT MANAGER
• Senior Application Project Manager
• Senior Account Manager -...

Authentication of electronic evidence

Stephen Mason, Information Age

18/10/2006 20:34:28

A range of evidential issues may arise in relation to the introduction of a document into legal proceedings, including the genuineness, authorship, attestation and other requirements that may affect its validity. In brief, the question of authentication relates to the question whether the document is what it purports to be, and an adjudicator will be required to determine the credibility or reliability of the evidence presented and tested before them. Whether a party is required to prove the authenticity of a document will depend on the rules of procedure. In England and Wales, for instance, a party to civil litigation is deemed to admit the authenticity of a document disclosed to them, unless the party serves a notice that they wish the document to be proved at trial. Should a party require a document to be authenticated, then any presumptions that apply to the formation of a document will also be relevant (such as a presumption of the day a document is executed), and oral evidence will be required to test the validity of the document. Lawyers deal with forged or altered documents almost every day - from attempts by criminals to steal money, to claims that intellectual property really belongs to somebody else, backed up with forged evidence, or evidence that has been altered. John D. Gregory has observed that the integrity of physical documents is 'often protected fairly causally', yet the same could be said of documents held and created in electronic format. One concern is whether the authenticity of electronic documents is subject to a more rigorous mechanism than would normally be associated with a document extant on physical media, although electronic documents also depend on physical media - the issue will be one of the degree of permanence. The two forms cannot be compared in this way, because the criteria by which a document in electronic format must be tested will differ, by its very nature, to that of a physical document. Both forms of document may have similar tests, such as testimony of creation and signature, for instance. However, the nature of the different type of documents will determine the most appropriate tests for authenticity. For instance, the very nature of documents in electronic format mean they have a number of features that present particular challenges that a paper carrier does not in the physical world: • Data in electronic format is dependent on specific hardware and software to obtain access to it. In addition, it is dependent on machines. • The technology changes rapidly, in the operating systems, application software and the hardware. As a result, electronic records may reach a point that they cannot be read, understood or used. Technical obsolescence is a major problem. • Electronic documents are easy to manipulate: they can be copied, altered, updated or deleted with ease. • The metadata can be fundamentally linked to a record in electronic format, or it can be included in the systems used to produce the record. • The media upon which electronic documents are stored is generally considered to be fragile, although the same can be said of certain types of paper, especially if it is not manufactured to last very long - for instance, large quantities of paperback books published in the United Kingdom during the second half of the twentieth century were made with such poor quality paper that many have deteriorated over time. The media is inherently unstable, and unless the media is stored correctly, it can deteriorate quickly and without external signs of deterioration. It is inevitable that a document in electronic format invariably requires different mechanisms to test its authenticity, and to suggest the process may be more rigorous than for a physical document is to misunderstand the difference in complexity between the physical object and the electronic file. Authentication of electronic documents in dispute Where the authenticity of a document is the subject of a challenge in legal proceedings, a range of evidence may be required, covering some or all of the technical attributes associated with the preservation of electronic documents. In preparing and presenting evidence of the authenticity of an electronic document, reference will undoubtedly be made to standards, both national and international.

In addition, authoritative papers, such as those prepared by the National Archives in the United Kingdom (Generic requirements for sustaining electronic information over time), and the National Archives of Australia (Digital Recordkeeping: Guidelines for Creating, Managing and Preserving Digital Records) will also be of help in establishing and testing the authenticity of the document in question. The type of evidence available to a court to determine the authenticity of a document in electronic format will comprise a mix of technical attributes and organizational matters. According to the author of "Admissibility Of Electronically Filed Federal Records As Evidence", in 1990, cross-examination in relation to the integrity of computer stored or generated files include questioning: • the source of the input data or information and the process for transcribing it to machine readable form; • the computer programs that create, edit and update the files; • the computer programs that produce the output or stored files; and • the reliability of the hardware and vendor-supplied 'off-the-shelf' software that systematically manages the internal processes of the computer. In this respect, the lawyer whose duty it is to test the evidence is interested in exposing weaknesses, and if it can be demonstrated that a sufficient number of weaknesses exist, the totality of the cross examination may mean the party submitting the document has failed the evidential burden of convincing the adjudicator to accept the evidence. Issues to be taken into account for the authenticity of electronic documents Of interest is a recent decision in the United States of America. The case of In re Vee Vinhnee, debtor, American Express Travel Related Services Company, Inc. v Vee Vinhnee deals with the evidentiary foundation for introducing electronic business records. In this case, American Express claimed Vinhnee failed to pay credit card debts, and took action to recover the money. After a trial that occurred in the absence of the defendant, the trial judge determined that American Express failed to authenticate certain records in electronic format. American Express appealed the verdict, and the decision of the trial judge was affirmed. In respect of the issues in this particular trial, Klein J, pointed out, at 444 [14] that: " ... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record during the time it is in the file so as to assure that the document being proffered is the same as the document that originally was created." In essence, the learned judge made the pertinent point that the issue is "Ultimately, however, it all boils down to the same question of assurance that the record is what it purports to be." The learned judge continued to explain the issues involved in this process, at 445 [16]: "The logical questions extend beyond the identification of the particular computer equipment and programs used. The entity's policies and procedures for the use of the equipment, database, and programs are important. How access to the pertinent database is controlled and, separately, how access to the specific program is controlled are important questions. How changes in the database are logged or recorded, as well as the structure and implementation of backup systems and audit procedures for assuring the continuing integrity of the database, are pertinent to the question of whether records have been changed since their creation. There is little mystery to this. All of these questions are recognizable as analogous to similar questions that may be asked regarding paper files: policy and procedure for access and for making corrections, as well as the risk of tampering. But the increasing complexity of ever-developing computer technology necessitates more precise focus." Judge Klein reached the conclusion that early attempts at establishing a foundation for electronic evidence were too cursory, whilst also accepting that judicial notice is commonly taken of the validity of the theory underlying the use of computers and the validity of the data generated generally. The learned judge then set out the tests described by Professor Imwinkelried in respect to considering electronic records as a form of scientific evidence: '1. The business uses a computer. 2. The computer is reliable. 3. The business has developed a procedure for inserting data into the computer. 4. The procedure has built-in safeguards to ensure accuracy and identify errors. 5. The business keeps the computer in a good state of repair. 6. The witness had the computer readout certain data. 7. The witness used the proper procedures to obtain the readout. 8. The computer was in working order at the time the witness obtained the readout. 9. The witness recognises the exhibit as the readout. 10. The witness explains how he or she recognises the readout. 11. If the readout contains strange symbols or terms the witness explains the meaning of the symbols or terms for the trier of fact.' The learned judge amplified the fourth step as follows, at 446[16]: "The 'built-in safeguards to ensure accuracy and identify errors' in the fourth step subsume details regarding computer policy and system control procedures, including control of access to the database, control of access to the program, recording and logging of changes, backup practices, and audit procedures to assure the continuing integrity of the records." The members of the court then proceeded to evaluate the exhibits submitted by American Express using the tests set out by Professor Imwinkelried. It was made clear that the evidence of the custodian of the records at American Express was far too vague to be accepted. The following problems were identified: • Generally, the evidence was vague and unpersuasive. • The custodian did not have the requisite knowledge to provide the evidence. • The person providing evidence on behalf of American Express merely asserted that he was an employee of American Express and was personally familiar with the systems, both hardware and software. He failed to inform the court of his job title or of his relevant experience and training that would provide an element of authority to his evidence. • American Express failed to provide information about its computer policy and system control procedures, control of access to the relevant databases, control of access to the applicable programs, how changes to the data were recorded or logged, what backup practices were in place, and whether there were any audit procedures used to provide assurance of the continuing integrity of the records. Although it will not be relevant or necessary to provide such an in-depth analysis of electronic records in every case brought before a court, nevertheless the comments made by Klein J help to illustrate the nature of the evidence that should be gathered, if it is necessary to adduce such evidence. Evidential foundations in proving a digital document The tests proffered by Professor Imwinkelried offer a useful starting point for the introduction of evidence in electronic format, particularly in circumstances where a party is required to lay the evidential foundations of the evidence. As the Vinhnee case illustrates, a number of steps may be required if the authenticity of a document in electronic format is in question. 1. A decision may be required whether an expert witness is required. Such witnesses are more frequently required in giving evidence in criminal trials, but it may be necessary to seek the professional services of an expert witness if the party put to strict proof of a document in electronic format does not have the in-house capability to provide a witness with sufficient knowledge to provide the underlying technical foundation. 2. The witness will be required to demonstrate their expertise in the normal way, and to cover such issues as their job title, relevant experience, training and qualifications. 3. Evidence covering the technical and organizational issues outlined above will be required, including any policy and system control procedures, control of access to the relevant databases, control of access to the applicable programs, how changes to the data were recorded or logged, what backup practices were in place, and whether there were any audit procedures used to provide assurance of the continuing integrity of the records. 4. A range of associated issues may have to be covered, including the following: a. The form of the record: whether it is provided to the court in native format (if so, whether the document has been altered); whether it is a scanned paper document (if so, it may be necessary to demonstrate that the process of scanning was such that the scanned document is a true replica of the original document, and there was no possibility of the document having been manipulated or altered between being received as an original document on paper and being added to the database in electronic format); whether it has been re-published in electronic format, such as PDF, and whether the document in question has been migrated between formats (evidentiary foundations will be required to demonstrate the efficacy of the process and what, if any, data was lost in the process). b. The process of authentication may require evidence relating to the machine that was used to retrieve the document (was the machine the original as used 20 years ago, or is it a modern machine, and if a modern machine, was any data associated with the document lost in the process when retrieving the document); the type of operating and application software used when the document was first created, and whether subsequent changes to both the operating and application software have altered the underlying integrity of the document in any way; whether the storage medium, and any migration between storage media has altered the document; whether the method of retrieval has affected the document; whether it is possible to detect alterations to the document. In essence, the characteristics of authentication comprise reliability (there is evidence that records are created and captured as part of the legitimate business process, and they are subject to a corporate management process), integrity (the document is protected from unauthorised alteration) and useability (the document is capable of being retrieved, presented and interpreted correctly). These characteristics, taken together, lay the foundations for the authenticity of a document in electronic format. However, it must be emphasized that the rigour of the process will depend on the nature of the document. Admitting a statement of account as part of a business process may well be an easier exercise than, for instance, a scanned copy of a will.

© Stephen Mason, 2006

Stephen Mason is Director of the Digital Evidence Research Programme at the British Institute of International and Comparative Law [http://www.biicl.org/digitalevidence], the author of Electronic Signatures in Law (LexisNexis Butterworths, 2003) and E-Mail, Networks and the Internet: A Concise Guide to Compliance with the Law (xpl publishing, 6th edn, 2006) and the general editor of the Digital Evidence Journal, incorporating the e-Signature Law Journal [http://www.digitalevidencejournal.org]. stephenmason@stephenmason.co.uk

Civil Procedure Rules, rule 32.19(1). 2 An example from the United States of America is that of Scholastic, Inc., J. K. Rowling and Time Warner Entertainment Company, L.P. v Stouffer 221 F.Supp.2d 425 (S.D.N.Y. 2002). 3 John D. Gregory, 'Authentication Rules and Electronic Records', The Canadian Bar Review, Volume 81, 2002, p 533. 4IV. Conclusion, (U. S. Department of Justice, October 1990) available in electronic format at http://www.lectlaw.com/files/crf03.htm. 5 336 B.R. 437 (9th Cir. BAP 2005); 2005 WL 3609376; 06 Cal. Daily Op. Serv. 146; 2006 Daily Journal D.A.R. 169 (B.A.P. 9th Cir. Dec 16, 2005). I am grateful to Tom Smedinghoff for bringing this case to my attention. 6At 445 [15]. 7 Edward J. Imwinkelried, Evidentiary Foundations (6th edn, 2005) paragraph 4.09[4][c].