Authentication Persuasive Use of On-line Communications
DCBA 2002
By Craig J. Chval and Keith G. Chval
After months or even years of investigation, preparation and perhaps
even a little anguish, it all comes down to this. It's that single statement
that will make the difference between conviction and acquittal for a murder
defendant; or cement a finding of liability in a million-dollar medical
malpractice case; or sway a custody determination in a dissolution of
marriage trial.
All you must do is convince the judge to receive the statement
into evidence. The only trouble is that you're dealing with a statement
recovered from a computer. The statement is not spoken, not heard, and
not in the declarant's own hand.
Earlier in your case-in-chief, a civilian witness testified that
the content of the written version of the statement is identical to the
content of the e-mail message she received on her computer. You tie it
all up during the direct examination of your computer expert, when you
elicit testimony that the printed version of the statement truly and accurately
depicts the electronic version of the statement he recovered from the
witness' hard drive. All that's left before you rest your case is the
cross-examination of your computer expert.
What could possibly go wrong now? You can almost feel the back-slapping
sure to occur when you return to your office in triumph after a lightning-quick
verdict in your client's favor. But you have barely settled back into
your seat at counsel table when giddiness turns to panic. Opposing counsel
queries:
Q: Sir, it's common knowledge in the technical community that an e-mail can be "spoofed" where a person can alter an email message to make it appear as if it's coming from another individual, isn't it?
A: Yes, of course.
Q: And you have no proof that this email wasn't spoofed by someone
with a grudge against my client so as to make it appear that this e-mail
was from my client when it really wasn't, do you?
A: It sounds as if you're asking me whether I can prove the existence
of a negative. But to answer your question, no I don't.
Opposing counsel continues:
Q: Sir, aren't there frequent reports in the media of third parties
gaining access to individual's e-mail accounts either because they have
access to another's physical computer or, through one of any number of
means, obtain another's password information?
A: Yes, those kinds of reports are common.
Q: You have no proof that one of my client's co-workers, or perhaps his estranged wife herself, didn't access his e-mail account and send this e-mail themselves, do you?
A: That's very unlikely.
Opposing counsel is just getting warmed up:
Q: Sir, you agree that unsophisticated computer users can create very genuine looking, but phony, documents such as bank checks and driver's licenses?
A: Yes, I agree.
Q: Can you prove that the e-mail you found on Ms. Clump's computer, but
not on my client's computer, was not in fact created by Ms. Clump?
A: No.
And finally:
Q: Sir, you're familiar with "Trojan horses" and other such programs
whereby an individual surreptitiously installs a program on another's computer
allowing a person, without the knowledge of the true owner of the computer,
to remotely access and use the computer, including sending emails, as if
the remote user was sitting at the keyboard himself, aren't you?
A: Yes, of course.
Q: Sir, can you prove that, without my client's knowledge, someone did not utilize a "Trojan horse" program and remotely access my client's computer?
A: As a matter of fact, I did run hash sets of 25 different known
Trojan horse programs (which the witness proceeds to name) against the
files on the defendant's computer, and ruled that out as a possibility.
Q: Sir, I noticed among the 25 Trojan horse programs that you named
that you did not mention the "MyClient IsInnocent.exe"
program, so you really can't say with complete certainty that a
Trojan horse program was not on my client's computer, can you?
A: Well, um . . .
The moral of this sad story is not the dangers of utilizing experts
of dubious expertise. Even well-qualified experts could find themselves
in such a scenario, particularly while many lawyers and judges are still
early on the high-tech learning curve. The constantly changing nature
of the Internet and related functions such as e-mail lead to an unpleasant
yet inescapable truth: there is no ironclad way to conclusively rule out
every possibility of tampering with email and other Internet communications.
Hiring a well-qualified expert is critical to cases involving computer
evidence. But when it comes to authenticating computer evidence, nothing
is more important than building a circumstantial case for its reliability.
Corroborating authorship of the communication can be accomplished through "hi-tech" as
well as "low-tech" means.
There are several well-established doctrines that can be used in
creating the requisite inference of reliability for the admission of on-line
communications. See U.S. v. Siddiqui, 235 F.3d 1318 (11th Cir. 2000) cert.
denied, 2001 U.S. Lexis 4878 (U.S. June 25, 2001); Handbook of Illinois
Evidence, Sec. 901.10 (7th ed. 2000); Weinstein's Federal Evidence, sec.
901.01[3] (2001). However, it is important to remember that admissibility
is just the threshold objective; the ultimate goal is to bolster the communications
in ways that maximize their probative value. Thus, utilizing as many theories
of admissibility as possible for a single on-line statement is of paramount
importance.
The reply letter doctrine is a longstanding and generally accepted doctrine that can be applied to authenticate on-line communications. Graham, Steigmann, Brandt, Imwinkelried, Illinois Evidentiary Foundations, chap. 1, sec. L, sub sec. 1. (2d ed. 1997). The essence of this doctrine is a presumption that the United States Postal Service is a reliable form of communication. Accordingly, if (1) an individual properly addresses, stamps and places a letter in the mail, and (2) subsequently receives a return correspondence in due course, referencing or responding to the original mailed letter and bearing the name of the intended recipient of the original letter, then (3) the return correspondence is presumed to be from the intended recipient of the original letter. If those foundational elements are present, courts have generally held that the identity of the author has been established sufficiently to authenticate the letter for admission. Id.
The application of this doctrine to email communications is relatively
straightforward. Based upon our wide reliance upon e-mail in all aspects
of everyday life and work, on-line communication has been accepted as
reliable by courts. See Siddiqui, 235 F.3d at 1318; Handbook of Illinois
Evidence, Sec. 901.10. This acceptance follows the same logic, under the
reply letter doctrine, applicable to the regular mail system. While the
author might not physically sign an email letter that he sends, his return
e-mail address typically bears his name through one or more common electronic
methods: it might be automatically generated in the "From" line in the e-mail
header information; he might type it at the end of the body of the e-mail; it might
be automatically included at the end of the body of the e-mail; or it may be
attached to the e-mail as an electronic signature or business card. See Siddiqui, 235
F.3d at 1322.
A final consideration, in applying the reply letter doctrine to
on-line communication, is what constitutes "due course." With
regular mail, perhaps a week or two reasonably might be considered due
course. However, with the near instantaneous reply capability of e-mail,
practitioners should be prepared to argue that a shorter period should
constitute due course when it comes to e-mail correspondence. Illinois
Evidentiary Foundations at 99. With these minor adaptations, the reply
letter doctrine should be an effective means of authenticating return
e-mail.
Another situation that falls under the reply letter doctrine is
where the communication at issue is a response to a previous e-mail and
contains the original email in its body. Cf., Siddiqui, 235 F.3d at 1322.
This occurs when a user has his email program set to include the message
from the sender in the reply e-mail. Provided that you have a witness
who can testify that she sent the original e-mail to a valid address for
the purported author of the response email, the presence of the original
witness' e-mail in the reply should raise an inference that the author
of the reply is the person to whom the original was sent.
Content of an on-line communication can often provide the necessary
foundation to authenticate the document. See, e.g., Siddiqui, 235 F.3d
at 1323; Illinois Evidentiary Foundations, at 99. Frequently, such communications
include information that only the purported author would know. Siddiqui,
235 F.3d at 1322. For example, the author shares the fact that her hard
drive is quickly running out of storage space. Through investigation or
discovery, you are able to prove that the purported author had a hard
drive on her computer that was nearing capacity. A reasonable inference
is that only the true author would possess that information.
Another content authentication circumstance involves an author
revealing personal or business information that only the author would
be expected to know. Such information might include details about a person's
work assignments or appointments, or perhaps information about the author's
health or family. On occasion, the content of an on-line communication
will contain information from more than one facet of an individual's life.
The improbability of one person knowing information about multiple facets
of another individual's life further strengthens your claim as to authorship.
The identity of the author of an online communication can also be established
by tracing the communication back to the sender based upon Internet Protocol
(IP) information that may be contained in the header of the e-mail. Typically,
only the "From," "To" and "Subject" information is visible
in an e-mail header. However, the header can be expanded to reveal additional
information, such as the IP address from where the e-mail was sent. At any
given point in time, every computer or terminal attached to the Internet has
a unique IP address assigned to it. Through the use of on-line databases and
subscriber information obtained from Internet Service Providers, it may be
possible to identify who was assigned to the particular IP address in an e-mail
header at the time the message in question was sent.
However, as is frequently the case with telephones, the issue of
shared access can be an additional hurdle to admissibility and probative
value. Commonplace shared access to computers and associated IP addresses
requires additional evidence to establish that a purported author actually
composed and sent the message. A further note of caution: people seeking
to hide their identity may utilize more than one service provider, or
use other methods to try to make it difficult to trace back their address.
Tracing a message back to the sender may require obtaining information
from several service providers and in some instances may be virtually
impossible to accomplish.
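The header tracing described above, sketched as an added example that is not part of the original article: it reads the "Received" lines of a constructed message and separates the address recorded by the recipient's own mail servers from the origin address claimed further down the chain, which is the part that needs service-provider records to corroborate. The hostnames, addresses and the TRUSTED set are assumptions made for the illustration.

```python
import email
import ipaddress
import re

# Constructed sample message (not from any real case). Hostnames are
# hypothetical and the addresses come from documentation-only ranges.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby mailstore.recipient.example with ESMTP id A1; Tue, 5 Mar 2002 10:15:09 -0600
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTP id B2; Tue, 5 Mar 2002 10:15:07 -0600
Received: from desktop (dialup-42.isp.example [198.51.100.77])
\tby smtp.isp.example with SMTP id C3; Tue, 5 Mar 2002 10:15:02 -0600
From: "J. Sender" <jsender@isp.example>
To: witness@recipient.example
Subject: constructed sample

body
"""

# Assumption: servers operated by the recipient, whose log lines can be vouched for.
TRUSTED = {"mailstore.recipient.example", "mx.recipient.example"}
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Return hops oldest-first as (claimed_name, peer_ip, recording_server)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # each server prepends its line
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)))
    return hops

def trace(raw, trusted):
    """Split the chain into what trusted servers recorded and what is only claimed."""
    hops = received_hops(raw)
    verified = None
    for _name, ip, recorder in reversed(hops):  # walk newest to oldest
        if recorder not in trusted:
            break  # lines below this point were written outside the recipient's control
        verified = ip  # peer address as observed by a trusted server
    claimed = hops[0][1] if hops else None  # oldest line: the purported origin
    return {"verified_boundary_ip": verified, "claimed_origin_ip": claimed,
            "needs_provider_records": claimed != verified}

if __name__ == "__main__":
    print(trace(RAW, TRUSTED))
```
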
Another familiar authentication strategy is establishing that the
purported author of an on-line communication took action consistent with
the content of the communication. Siddiqui, 235 F.3d at 1322-23. For instance,
an author who indicates that her hard drive is running out of capacity
may also indicate that she is going to have to swap it out and install
a new hard drive. If investigation uncovers a hard drive out on her desk
and subsequent analysis of the drive and the computer's internal hard
drive establishes that the loose drive was near capacity and the drive in
the computer was virtually empty, the sum of the parts is fairly compelling
evidence that the person with access to the computer is the person who
authored the on-line communication. Additional corroborative authentication
evidence may include proof that the author had sufficient knowledge to
execute the hard drive swap.
Although the foregoing methods are certainly not the only means for authenticating on-line communications, they are the most common and illustrate how traditional theories of authenticating various forms of more conventional communications can be adapted to today's cyber world.
So, what of our poor witness who was subjected to a barrage of
near-impossible questions on cross-examination? First, those questions
are grounded in legitimate technical theory - the hypothetical situations
posited can and do happen. Second, provided enough time and expertise,
a sharp computer examiner could negate all of those theories. Third, even
the best examiners lack the time and resources necessary to refute every
possible theoretical challenge to the integrity of on-line statements.
Finally, the questions above represent the tip of the iceberg of technical
issues that could sink your case faster than you can say "Titanic." The
lesson to be learned about authentication and utilization of on-line communication
evidence is the use of multiple indicia of reliability in attempting to
authenticate on-line communications.
Keith Chval is Chief of the High Tech Crimes Bureau, Office of Illinois Attorney General Jim Ryan. Mr. Chval was an Assistant State's Attorney for the DuPage County State's Attorney's Office. He received his J.D. at IIT/ Chicago-Kent College of Law in 1992 and his B.S. at Indiana University in 1985.
Craig Chval is Special Counsel to Illinois
Attorney General Jim Ryan. Mr. Chval was an Assistant State's
Attorney and Chief of the Gang Prosecutions Unit for the DuPage
County State's Attorney's Office. He received his J.D. at IIT/
Chicago-Kent College of Law in 1984 and his B.B.A. at the University
of Notre Dame in 1981.










