legal issues

Legal IssuesLegal Issues

Computer ForensicsComputer ForensicsCOEN 252COEN 252

Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.

Issues of EvidenceIssues of Evidence

An information is admissible in court if it is• Relevant• Its probative value outweighs its prejudicial

effect.

Issues of EvidenceIssues of Evidence

• Best Evidence RuleThe legal doctrine that an original piece of evidence, particularly a document, is superior to a copy. If the original is available, a copy will not be allowed as evidence in a trial.

Issues of EvidenceIssues of Evidence• Foundation

– Context for Information• Hearsay

– Not admissible with exceptions• Chain of Custody

– Establishes trustworthiness of evidence by preventing tampering

Stipulation: Agreement between parties or concession by one party in a judicial proceeding.

HearsayHearsay

• Second-hand evidence in which the witness is not telling what he/she knows personally, but what others have said to him/her.

Exceptions to HearsayExceptions to Hearsay

• Admission against interest: – out-of-court statements contrary to penal or pecuniary

interest, including those found on a computer.• Business Records

– Made in the normal course of business.– Relied on by the business.– Made at or near the occurrence of the act the record

purports to record.– Offered through a competent witness, either the

custodian of the record or another who can testify to those issues.


• Official government records– Must be properly kept.

• Writing about an event close to its occurrence used to refresh a witnesses memory.

• “Learned treatise”• Judgments in other cases• Spontaneous excited utterance


• Contemporaneous statement which explains the a person’s state of mind at the time of an event.

• A statement which explains a person’s future intentions if that state of mind is in question.

• Prior testimony• A declaration of the opposing party which was

contrary to their best interest if the parity is not available at trial.

• Dying declaration by a person who believes (s) is dying.

http://dictionary.law.com/


• A statement made about one’s mental set, feeling, pain, or health if the person is not available

• A statement about one’s own will when the person is not available

• Other exception at the judge’s discretion based on the reliability of the testimony.

http://dictionary.law.com/

Computer-Generated RecordsComputer-Generated Records

• Computer generated records often fall under the business record exemption.

• Courts might also start to make a distinction between computer-generated records and computer-stored records.

Computer-Generated RecordsComputer-Generated Records

• Not a question of hear-say (is there better evidence available)

• But a question of Authenticity.Is the generating program reliable?

Proper Care of EvidenceProper Care of Evidence

• Evidence collected by the state needs to be protected from fraud.

• This lays a burden on the state to provably preserve the evidence.– Chain of custody.

Breach of Chain of CustodyBreach of Chain of Custody

• Not every breach makes the item inadmissible. • Not necessary to have the best security against

tampering.• Government agents are assumed to be

trustworthy.• But

Chain of CustodyChain of Custody

• Seized device is put in an Evidence Locker.– Typically a closet safeguarded against

intrusion.• Records allow reconstruction of who had

physical control over the device.

Chain of CustodyChain of Custody

• Working on the original. A forensic examination that is done directly on the original disk drive will make it difficult to argue that the evidence could not have been tampered with. Much better to make a “true copy” and examine the true copy.

• Proof that it is a true copy.

Best Evidence RuleBest Evidence Rule

• Copies are worse than originals, therefore they are not admissible unless the original has been destroyed.

• Does not apply to various computer outputs.

Best Evidence RuleBest Evidence Rule

Except as otherwise provided by statute, no evidence other than the original of a writing is admissible to prove the content of a writing. This section shall be known and may be cited as the best evidence rule.

California Rules of Evidence 1500.

Best Evidence RuleBest Evidence Rule Exceptions:• Printed representations fo computer information and

computer programs.• Printed representations of images stored on video or

digital media.• Secondary evidence of writings that have been lost or

destroyed without fraudulent intent of the proponent of the evidence.

• Secondary evidence of unavailable writings.• Secondary evidence of writings an opponent has, but

fails to produce as requested.• Secondary evidence of collateral writings that would be

inexpedient to produce.

Best Evidence RuleBest Evidence Rule Exceptions:• Secondary evidence of writings recorded in public records, if the

record or an attested or certified copy is made evidence of the writing by statue.

• Secondary evidence of voluminous writings.• Copies of writings that were produced at the hearing and made

available to the other side.• Certain official records and certified copies of writings in official

custody.• Photographic copies made as business records.• Photographic copies of documents lost or destroyed, if properly

certified.• Copies of business records produced in compliance with Sections

1560-1561.

FutureFuture

• The law argues by analogy.• Justice takes (eventually) account of technology.

– Digital storage has qualitative properties that make it fundamentally different from writings.

• Ease of alteration.• Possibility of completely accurate copy & transmission.

• Current law is still based on the case of manual copy.

• If the problems are big enough, either precedent will change or statutes will make the proper exceptions.

Acquisition of EvidenceAcquisition of Evidence• Distinction between government agents

and private citizens.• Illegal actions by private citizens can yield

admissible evidence and lead to their punishment.

• If a sworn law officer violates an amendment, the gained evidence is usually suppressed, but the officer is protected by sovereign immunity.

Sovereign ImmunitySovereign Immunity

• A sovereign or a government cannot commit a legal wrong and is immune from civil suit or criminal prosecution.

Prosecutorial ImmunityProsecutorial Immunity

• Judges, legislators, prosecutors enjoy qualified or unqualified immunity.

• Property of the role, not the person.– I.e. a prosecutor’s immunity depends on

whether they are acting in a prosecutorial role, an investigative role, etc.

Prosecutorial ImmunityProsecutorial Immunity

• Jean v. Collins – police officers have absolute immunity for failure to

turn over exculpatory material over to a criminal defendant, because they are performing a prosecutorial task.

– They have qualified immunity for not turning over the exculpatory material over to the prosecutor.

• Law enforcement officers do not enjoy sovereign immunity for willfully violating civil rights.

Electronic Communications Privacy Electronic Communications Privacy Act ("ECPA"), Title IIIAct ("ECPA"), Title III

• Extends protection against wiretapping to communications between computers

• Know the exceptions• Know the consequences of violating the

title


• A person acting under the color of law can intercept electronic communication where such a person is party to the communication or one of the parties of the communication have given prior consent to such interception.


"A person not acting under color of law" is also allowed to intercept an "electronic communication" where "such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception."

The consent can be implicit, e.g. by using a computer protected with login banners.

ECPA Title III ConcernsECPA Title III Concerns

Title III also permits providers of a communication service, including an electronic communication service, the right to intercept communications as a "necessary incident to the rendition of his service" or to protect "the rights or property of the provider of that service."

ECPA Title III ConcernsECPA Title III Concerns

Two exceptions to the last rule:• If there is no actual damage, then the right

to monitor does not exist. • The government is not allow to do the

monitoring, but they can profit from monitoring.

Fourth AmendmentFourth Amendment

The right of people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.


• Computer Storage = Closed Container such as a briefcase

• With Warrant: – Limits to warrant because of privilege or

additional protection. • Without Warrant

– Expectation of Privacy


• No expectation of privacy– Public display– Material in some else’s hands– Consent by co-owner or authorized person

• Exigent circumstances• Plain view exception• Lawful arrest

Very difficult and interesting case law.


• Fundamental question:– Does the individual enjoy a reasonable

expectation of privacy in electronic information stored within a storage device.

• Courts equate storage devices to “closed container”


• Reasonable Expectation of Privacy and Third Party Possession– Difference between data in transit (usually

need warrant) and data received by third party.

– Received by third party: Can owner reasonably expect privacy:

• Bank account information that account holders divulge to the bank.


• Fourth Amendment does not apply to private searches.– Private party cannot act as government

agents:• Repairman discovers many file names indicating

child pornography, opens those, discovers child pornography, and informs LE.

– LE can repeat the original private search, but not exceed it.


• Searches using innovative technology applied to ordinary devices might need a warrant:– Kyllo v. United States

• Supreme Court held that the warrantless use of a thermal imager to reveal the relative amount of heat released from the various rooms of a suspect's home was a search that violated the Fourth Amendment.


• Exceptions to the Warrant Requirement– Consent

• Government carries burden of proof that the consent was voluntary.

– Scope of consent depends on the facts of each case.

• E.g.: does consent to search premises includes consent of storage devices found there.


• Exceptions to the Warrant Requirement– Exigent Circumstances

• “would cause a reasonable person to believe that entry . . . was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement efforts.”

• Arises in computer cases because some electronic evidence is volatile.

• Reasons for exigent circumstances limit the scope of the search.


• Exceptions to the Warrant Requirement– Plain View

• Agent must in lawful position to observe and access the evidence and its incriminating character must be immediately apparent.

• E.g.: LE agent makes search of hard drive, comes upon evidence of an unrelated crime while conducting the search.

– Search Incident to a Lawful Arrest• Search incident to arrest must be reasonable

– Strip searches are usually not reasonable.– Inventory searches are reasonable.

• But that should not support a search through seized computer files.


• Exceptions to the Warrant Requirement– Border Searches

• “Routine searches” do not require a warrant:

United States Customs Agents learned that William Roberts, a suspect believed to be carrying computerized images of child pornography, was scheduled to fly from Houston, Texas to Paris, France on a particular day. On the day of the flight, the agents set up an inspection area in the jetway at the Houston airport with the sole purpose of searching Roberts. Roberts arrived at the inspection area and was told by the agents that they were searching for "currency" and "high technology or other data" that could not be exported legally. Id. at 681. After the agents searched Roberts' property and found a laptop computer and six Zip diskettes, Roberts agreed to sign a consent form permitting the agents to search his property. A subsequent search revealed several thousand images of child pornography.


• Workplace Searches– O'Connor Supreme Court Decision:

• the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.


• Multiple warrants might be needed in network searches.

• No-knock warrants:– As a general matter, agents must announce

their presence and authority prior to executing a search warrant.

• Sneak-and-Peek Warrants – "surreptitious entry warrants"

Privacy Protection ActPrivacy Protection Act

• Protects publishers against government searches of material that is acquired for publication

• Reaction to the Daily Stanfordian case• Internet publishing allows much private

computer material to fall under the PPA protection

Privacy Protection ActPrivacy Protection Act• Subject to certain exceptions, the PPA makes it unlawful

for a government officer "to search for or seize" materials when – (a) the materials are "work product materials" prepared,

produced, authored, or created "in anticipation of communicating such materials to the public," 42 U.S.C. § 2000aa-7(b)(1);

– (b) the materials include "mental impressions, conclusions, or theories" of its creator, 42 U.S.C. § 2000aa-7(b)(3); and

– (c) the materials are possessed for the purpose of communicating the material to the public by a person "reasonably believed to have a purpose to disseminate to the public" some form of "public communication.“

• OR

Privacy Protection ActPrivacy Protection Act• Subject to certain exceptions, the PPA makes it unlawful

for a government officer "to search for or seize" materials when – (a) the materials are "work product materials" prepared,

produced, authored, or created "in anticipation of communicating such materials to the public," 42 U.S.C. § 2000aa-7(b)(1);

– (b) the materials include "mental impressions, conclusions, or theories" of its creator, 42 U.S.C. § 2000aa-7(b)(3); and

– (c) the materials are possessed for the purpose of communicating the material to the public by a person "reasonably believed to have a purpose to disseminate to the public" some form of "public communication.“


• Subject to certain exceptions, the PPA makes it unlawful for a government officer "to search for or seize" materials when – the materials are "documentary materials" that

contain "information," – (b) the materials are possessed by a person

"in connection with a purpose to disseminate to the public" some form of "public communication."

Privacy Protection ActPrivacy Protection Act• Exceptions

– the only materials searched for or seized are contraband, instrumentalities, or fruits of crime

– 2) there is reason to believe that the immediate seizure of such materials is necessary to prevent death or serious bodily injury

– 3) there is probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate (an exception which is itself subject to several exceptions),

– 4) in a search for or seizure of "documentary materials" as defined by § 2000aa-7(a), a subpoena has proven inadequate or there is reason to believe that a subpoena would not result in the production of the materials.


• Was not intended for web journalism that raises questions of who is a journalist and what constitutes publication.

Electronic Communications Privacy Electronic Communications Privacy ActAct

• Protects third party data against law enforcement seizes

• E.g. internet provider.


• Steve Jackson Games, Inc. v. Secret Service

Steve Jackson Games, Inc. ("SJG") was primarily a publisher of role-playing games, but it also operated a network of thirteen computers that provided its customers with e-mail, published information about SJG products, and stored drafts of upcoming publications. Believing that the system administrator of SJG's computers had stored evidence of crimes, the Secret Service obtained a warrant and seized two of the thirteen computers connected to SJG's network, in addition to other materials. The Secret Service did not know that SJG's computers contained publishing materials until the day after the search. However, the Secret Service did not return the computers it seized until months later. At no time did the Secret Service believe that SJG itself was involved in the crime under investigation.


• In Steve Jackson Games, the district court held the Secret Service liable under ECPA after it seized, reviewed, and (in some cases) deleted stored electronic communications seized pursuant to a valid search warrant.

Legally Privileged DocumentsLegally Privileged Documents

• Need to prevent ongoing investigation from using legally privileged documents.

• Medical records.• Attorney-client communications.• Priest-penitent communications.

legal issues

Documents

evidence locker

original piece of evidence

hearsaysecondhand evidence

better evidence availablebut

breach of chain

business record exemption

persons state of mind

hearsaya statement