Stange Law Firm P.C.
By Kirk C. Stange *
* Special thanks to Samantha Orlowski, Anthony Kramer and Aaron Clite for helping prepare these materials.
Collecting Text Message Evidence: What Information to Look For
What to Look for and Where to Find it: Smartphone/Tablet
Simply put, what to look for depends on what type of case you have and what types of allegations you are seeking to prove or disprove. Knowledge of what you need to prove your point is crucial because of the volumes of potential ESI (Electronically Stored Information) out there. Not only will a broad meandering search waste a lot of your client’s money, but also such attempts are likely to be characterized as an impermissible fishing expedition by the court.
Let traditional sources inform your use of new electronic sources. If you would typically subpoena bank records and credit card statements you might consider examining a computer’s spreadsheets for financial information. Or, perhaps you would consider looking for emails to or from known business associates. If you are looking to prove some sort of conduct between the parties, you might start with emails and text messages. Communications might provide for abundant examples of verbal abuse or promises broken. If allegations of substance abuse or adultery have been leveled, you might consider mining for geolocation data that can show husband or wife was at the bar instead of the soccer game.
The most common application for cell phones in a divorce matter is to subpoena the carrier for itemized billing, but that is changing. Text messages or Short Message Service (SMS) messages may be worth tracking down because a lot may be said in the 224 characters that some phones now allow. SMS messages may also transmit photos, sounds, and videos. As many people now communicate far more frequently through text message than phone calls, these may provide an excellent source of information when it comes to proving the behavior of the opposing party. Outside of intercepting telephone conversations or voicemails, smart phone data and tablets are akin to a computer.
In the last quarter of 2010, for the first time, mobile phones outsold personal computers. This is important because by the end of 2005 cell phone providers were tasked with making calls “location capable” for 911 services. This meant that cell phone usage needed to be traceable to within 300 meters. While in prior years, location data was pulled from cell phone towers, today nearly every phone is equipped with a GPS device accurate within a few meters. Also, today’s phones are Wi-Fi capable, which means they also store data about the networks they are using.
All of these: cell tower data, GPS, and Wi-Fi serve to create geolocation data. They create a record of where you were and when. The previously discussed sources of information: emails, text messages, and social media, all provided subjective information about your location (i.e. Tom said he was at the cafeteria late last night). The data provided by cell phones and GPS enabled apps provides objective evidence that Tom was not at the cafeteria late last night. Moreover, most GPS enabled camera phones also embed the longitude and latitude data of photos when they were taken (many apps exist for converting latitude and longitude into a street address). This data known as Exchangeable Image File Format (Exif) metadata is typically not stripped when the image is emailed or uploaded. This allows for the verification of photos and videos without even having access to the device that captured the image.
This also means that even a stationary computer can be important in terms of geolocation data. The computer itself reveals its location and the user’s during use, but also it contains a litany of files that may contain geolocation data. Moreover, many tablets or smart phones can be synced with the computer as a sort of back up drive. This means that all of the geolocation data stored on the phone or tablet may also be found on the home computer. This can be particularly important if the spouse has a right of access to one device, but not another.
Whose Smartphone/Tablet is Discoverable?
In the realm of cell phones and tablets lurk two significant federal statutes: Title III of the Omnibus Crime Control Act 1968-2522 and Electronic Communications Privacy Act of 1986. Together, they prohibit interception of oral and electronic communication without consent of at least one party to the communication. These apply to traditional telephones, wireless phones, and cell phones. As a practical note, secretly recorded oral communications are almost always excluded at trial, whereas electronic communications are almost never automatically excluded. For example, in Conner v. Tate, a woman had a cause of action against her lover’s wife who was intercepting phone conversations and recording voicemail messages.
Also, be aware that a few states will allow a Guardian ad Litem to listen to recorded conversations caught in violation of the Federal or state Wiretapping statutes. Although the recordings cannot be admitted into evidence, they may prove influential.
Ultimately, clients often recognize that their spouse’s behavior is under the microscope in a dissolution proceeding, but frequently fail to realize that same microscope is looking at them as well. A general rule of thumb is: if you do not have an ownership interest in the device, you do not have access to it, although, there are exceptions. More often than not, the best method of acquiring ESI from computers, tablets, and smart phones is through formal discovery. At a preliminary hearing ask for an injunction with regard to the deletion of various ESI sources and be prepared to subpoena potential sources of ESI.
Retrieval Options for Deleted Messages
If you know that you have deleted relevant data, or you suspect the opposing party has done so, you have several options. First, if you own the device or account in question, you may be able to personally contact the provider without the need for a subpoena. It is important to do this quickly before the service provider deletes the information from its servers. The same goes if you suspect the opposing party has deleted information, although in this case you will likely need a subpoena, but you can attempt to gain consent from the opposing party.
Additionally, and likely your best bet is to hire a computer forensic expert. As discussed above, they may be able to uncover data believed to have been deleted long ago, or they may uncover data that was merely hidden from the common user. They may also be able to provide insight as to the meaning of metadata discovered on various files.
Finally, do not underestimate the ability to locate information elsewhere. People often sync any number of devices to each other. For this reason, a home computer/tablet may be a better source of information than you might initially suspect. Also, beyond other devices consider other people. In the process of jubilant celebration or angry venting, people often write, forward, or post about their recent endeavors. You might discover that the photos you forwarded to a friend are still on their device or that text messages to a mistress deleted from the husband’s phone are still located on the mistress’ devices. In today’s day and age, it is rare that a piece of ESI is truly gone forever. Just be prepared for any additional authentication issues you may have when locating data from an alternative source.
Other courts have found that the ephemeral ESI is too fleeting to be reasonable to preserve. In Healthcare Advocates v. Harding, Early, Follmer,& Frailey, the plaintiffs alleged that defendants were liable for not preserving information that was stored in cache files. The court disagreed, because the plaintiffs made no active efforts to destroy or rid of any evidence.
How to Subpoena Mobile Phone Carriers for Records
The most common application for cell phones in a divorce matter is to subpoena the carrier for itemized billing. This is because most carriers routinely delete text messages within a day or two. However, forensic experts can often pull deleted text messages sent or received long ago from the device itself. With further regard to the discovery of emails on smartphones; subpoenaing internet service providers will typically only generate the sender and recipient of a message. ISP’s like cell phone providers often delete this information quickly. Outside of intercepting telephone conversations or voicemails smart phone data and tablets akin to a computer.
Typically, subpoenaing cell phone records through providers is simple, cell phone providers, at least more likely than not, do business in your state. Therefore, you simply serve a subpoena on a registered agent if they have one within the state. If they do not have a registered agent, physically serve the subpoena on a company store. Like any subpoena it must be calculated to produce relevant evidence, and remember, if you decide to subpoena the provider, you are unlikely to receive the content of any text message conversations. If text messages are what you seek, you are better off trying to get them from the opposing party.
How to Retrieve Texts from messaging Apps
Once you have decided that social media communication will be or could be important to your case, you have several initial options. First, you can obtain the consent of the other party to produce the requested data. Second, you can attempt to subpoena the provider. Finally, you can attempt to compel the opposing party to produce the data.
Your best two options are typically to acquire consent or to subpoena the opposing party. If you subpoena the opposing party, you may be forced to explain to the judge why such materials are relevant, and you may have difficulty with access and the formatting of information. Users are only able to provide the information in screenshots and may not even have access to all of their historical data. Even still, user consent or a subpoena to the user may be your best option, because often social media providers are not particularly cooperative, and even if they are helpful, they are still expensive. For example, Facebook, at one time, charged a non-refundable $500 processing fee in addition to a $100 notarized declaration of the records authenticity. Additionally, in the case of Facebook, you need either a valid California or federal subpoena.
Even if you are successful in subpoenaing Facebook, you may receive limited information. The company has over 30,000 servers located in several data centers across the United States. If the company responds, it may provide a “Neoprint,” which it describes as an expanded view of a given user profile. This may include the user’s physical address, e-mail address, phone number, and IP address. Facebook also may provide a “Photoprint,” which is a “compilation of all photos uploaded by the user that have not been deleted, along with all photos uploaded by any user which have the requested user tagged in them. “Some speculate that in the wake of Crispin and the SCA that it appears unlikely that MySpace and Facebook would divulge private content, subject to a civil subpoena, without the user’s consent. In fact, Facebook’s own policy seems to answer this question: “Federal law prohibits Facebook from disclosing user content (such as messages, Wall (timeline) posts, photos, etc.) in response to a civil subpoena.” “Specifically, the Stored Communications Act, 18 U.S.C. §2701 et seq., prohibits Facebook from disclosing the contents of an account to any non-governmental entity pursuant to a subpoena or court order.” Now, an individual’s entire Facebook profile is downloadable by the user, thus mitigating the need to subpoena the provider.
Other social media websites, such as MySpace, pose even greater difficulties as they require additional information, such as user id, password, and birth date. Even once you have gathered such information, you are likely to run into issues with what information contained in the profiles is discoverable.
In What Form Can Texts Be Admitted into Evidence?
Similar to a computer printout of a software application or website, a print out of a text message will typically be sufficient. Some phones will allow you to transfer text files onto a computer and this can be accomplished with relative ease. Many individuals will also have an automatic back-up system located on their computer or in a cloud. In other cases, you can always take a photograph of the text message. Many phones such as the iPhone, will simply let you snap a screen shot, which can then be uploaded and printed. Of course, the device itself can also be used, but this results in the loss of its use while it is being used as evidence. Sometimes, depending on the make and model of the phone, the messages may be stored on the SIM card and the card may simply be removed and preserved with a new one inserted for use.
It is important to know what form to submit this evidence. Again, the proponent must show that the proffered evidence of the alleged communication is an accurate representation of what was posted. The 1981 ALR suggested foundation should include:
- the reliability of the computer equipment used to keep the records and produce the printout;
- the manner in which the basic data was initially entered into the computerized record-keeping system;
- the entrance of data in a regular course of business;
- the entrance of data within a reasonable amount of time after the events recorded by persons having personal knowledge of the events;
- the measures taken to insure the accuracy of the data as entered;
- the method of storing the data and taking precautions take to prevent its loss while in storage;
- the reliability of the computer programs used to process the data;
- the measures taken to verify the accuracy of the programs; and
- the time and mode of preparation of the printout. Lessons from Court Rulings
Recently, courts have not had great difficulty in accepting the fact that a printout or a screen shot is an accurate representation of various online communications. In United States v. Catraban, the defendant contended that the computer printouts used against him were inaccurate, and he was able to show the inaccuracies in the data. Despite this, the court concluded the discrepancies merely went to the weight of the evidence as opposed to the issue of authentication. One court has even stated that the computer printouts “have a prima facie aura of reliability.” Increasingly, the only bar to admission of ESI is finding the applicable hearsay exceptions.
In Firehouse Restaurant Group, Inc. v. Scurmont, LLC, the plaintiff asserted that the printouts from various websites could not be properly authenticated. The defendant in this case argued that most of the printouts contained web addresses on them, and “courts may consider ‘circumstantial indicia of authenticity’ such as the presence of the date and identifying web address for purposes of authentication.” The court concluded that these distinctive characteristics were sufficient to make a prima facie showing of authenticity.
The fact that users have the ability to create a screen name can prove a little tougher for the courts and attorneys to authenticate evidence. In LaLonde v. LaLonde, the wife argued in a custody case that the photographs could not be authenticated, “because Facebook allows anyone to post pictures and then ‘tag’ or identify the people in the pictures.” However, the court reasoned that, “there is nothing within the law that requires her permission when someone takes a picture and posts it on a Facebook Page.” Also, no permission was required to be tagged in a photo. The wife’s testimony that she was the person in the photographs and that the photographs accurately reflected her drinking alcohol was sufficient to meet the standard of authentication.
It is important to note that the courts always have in mind, as you’ll notice throughout this entire presentation, that all forms of evidence are subject to the possibility of alteration. Some courts tackle this differently than others as we will discover.
Preservation and Spoliation Considerations
The use of a deposition under Rule 27(a)(3) of the Federal Rules of Civil Procedure prior to filing the suit to determine the extent and nature of the data that may fall within the scope of potential discovery, and lay the groundwork for its timely preservation.
An agreement on the outset of litigation that states that both parties will retain any data relevant to the matter can also provide attorneys with the sought after evidence they need. Additionally, a special data conference prior to commencing litigation under Fed. R. Civ. P. 16(a) could prove beneficial for attorneys. This would help to avoid spoliation sanctions for both parties, and could help prevent the loss of data from the outside. The overall effect of this is that it would reduce the costs and time significantly invested into the process if there was an issue to arise over ESI.
Sanctions for spoliation of evidence is governed by Fed. R. Civ. P. 37. A duty to preserve must have been attached prior to the destruction of evidence; the accused party must have acted with the culpable state of mind; and the other party must have been prejudiced by the destruction of evidence. There is an exception for failure to provide evidence under Fed. R. Civ. P. 37(e). “Absent additional circumstances, a court may not impose sanctions on a party failing to provide electronically stored information as a result of the routine good-faith operation of an electronic information system.” Questions about what steps the party took the preserve the data, and did the party act affirmatively in destroying or altering data should be raised and answered in order to impose sanctions under this rule.
Another potential tool to combat the elusiveness of data is the litigation hold. This triggers the duty to preserve the information in light of litigation. Holds can be used to establish the first element discussed under Fed. R. Civ. P. 37 that we mentioned earlier (the duty to preserve must have been attached prior to the destruction of evidence). Once an attorney sends out a litigation hold, that duty is attached to the party. More generally, the duty to preserve is triggered when litigation is reasonably anticipated.
It is important to recognize how the courts look at evidence, and whether they determine data as inaccessible or accessible. Within the context of ESI, there are four types that the court in Zubulake v. UBS Warburg LLC, determined as inaccessible and accessible in discovery. In Zubulake, the defendant estimated that the cost of producing evidence in this case would be $175,000, not including attorney fees, and that given the volume of producing such information would produce a high likelihood of inadvertent disclosure. In determining whether the data was inaccessible or accessible and who would bear the costs for production, the court identified four major types of ESI data. The first is active, online data. This type of data is generally accessible, and there will be minimal effort in restoring or accessing this information. For active and online data, it is generally stored on a magnetic disk, and the information on it is usually in the early stages of storage. The early stages of storage refer to the time when data, documents, or any other evidence is being created, received, or processed. An example of this type of data would be a hard drive. Because of its accessibility, there is never really a need for any court to engage in a cost-shifting analysis for the purposes of discovery.
The second type data is near-line data. These types of data generally consist of a “robotic storage device that houses removable media.” The types of devices that are usually used to store and retrieve information and data are usually reading and writing devices. A prime example of near-line data would be an optical disc. This type of data is also generally and widely identifiable as accessible within the context of discovery.
The third type of data is offline storage/archives. This is generally a removable optical disk or magnetic tape media. This requires manual intervention to access the information. The main difference between the near-line and offline storage is that the offline data is essentially just a bunch of disks with data on them, such where as near-line data is controlled by an intelligent disk subsystem. The type of data is also generally identified as accessible in discovery.
The last type of ESI noted in Zubulake is fragmented or damaged data. Essentially, when files are created, there are applied to the storage media in clusters. When they are erased, the clusters are made available as free space. Some newer files become larger than the remaining free space, and are subsequently broken up throughout the disk. These types of files can only be recovered after significant processed, and is also generally identified as inaccessible for discovery purposes. Some courts will implement a cost-shifting analysis to determine whether the proponent should bear the cost of production. Most data, if it falls within the first two or three categories we just outlined, are considered accessible and there is no need to proceed to a cost-shifting analysis. In present day, you can store a massive amount of data and information, at a relatively inexpensive rate. This is something to keep in mind when conducting the discovery process.
How to Authenticate Text Evidence
A common objection to ESI evidence is found under Fed. R. Evid. 901 that the material is not authentic. The attorney should then proceed to various authentication techniques. These techniques include asking the owner or creator of the social media profile if the added the questioned content under Fed. R. Evid. 901(b)(1); formulating requests for admission with printout of the desired posts attached; third, you can bring in an expert to testify under 901(b)(3) or maybe even 901(b)(0); fourth, you can use distinctive characteristics under 901(b)(4); and finally, you could potentially use conditional relevancy under Fed. R. Evid. 104(a) and (b). Until there is a commonly accepted method of authenticating social media evidence, the practitioner should be prepared to meet the most exacting standards.
An uncommon method of authentication for ESI is judicial notice under Fed. R. Evid. 201(b). The use of judicial notice can alleviate the expenditure of resources in the authentication process. Under 201(b) a court may take judicial notice of a fat if it is not subject to reasonable dispute. In United States v. Brooks , the defendant challenged the admissibility of GPS data that was presented at trial. The court took judicial notice of the reliability and accuracy of the GPS technology, stating that, “[c]ourts routinely rely on GPS technology to supervise individuals on probation […] and, in assessing the Fourth Amendment constraints associated with GPS tracking, courts have general assumed the technology’s accuracy.”
Courts have been willing to admit government websites and any data included therein because they recognize that reports and information from such sources cannot be reasonably disputed among the parties. This is a recognized legitimacy that courts will not hesitate to authenticate and admit. However, courts have also recognized a request for judicial notice for private web pages in certain scenarios. These requests have not been recognized to the same degree of frequency and ease as the government websites and information though for obvious ownership and manipulation reasons. But there are certain cases where it happens.
In O’Toole v. Northrop Grumman Corporation, the court took judicial notice of a retirement fund’s earning history from the respondent’s website because the company failed to explain why the information from their website was unreliable.
In Campbell v. State, the court upheld the admission and authentication of Facebook messages in a domestic assault case. The court asserted that Facebook presents an authentication concern that is twofold. First, because anyone can establish a fictitious profile under any name, the person viewing the profile has no way of knowing whether the profile is legitimate. The second concern is that any person may gain access to another person’s account by obtaining the user’s name and password. The person viewing the profile cannot be certain that the author is in fact the profile owner. However, the most appropriate method for authenticating electronic evidence, as with any kind of evidence, will often depend on the nature of the evidence and the circumstances of the particular case. The appellate court held that the contents of the Facebook messages provide circumstantial evidence supporting the trial court’s ruling.
In United States v. Lanzon, the court upheld the admission of instant messaging transcripts with the defendant and an undercover agent. The defendant argued that copying the instant messaging conversations into a word document altered the conversation such that they could not be authenticated. The court rejected this argument under Fed. R. Evid. 901(b)(1) stating that the proponent need only to present enough evidence to make out a prima facie case that the proffered evidence is what it purports to be.
In State of Hawaii v. Espiritu, the court considered text messages to be a ‘writing’ under Fed. R. Evid. 1002. The court found that the original messages were lost or destroyed. Nevertheless, the court concluded that the text messages were admissible via the complainant’s testimony under the state equivalent of Fed. R. Evid. 1004, finding that 1004 is ‘particularly suited for electronic evidence’ because of the many ways it can be deleted or lost. Fed. R. Evid. 1004 states that an original is not necessary and “other evidence of the content of a writing, recording, or photograph is admissible if all the originals are lost or destroyed, and not by the proponent acting in bad faith.”
There are many people and courts that have very different opinions about how the courts and the legislature should approach a uniformity of rules for ESI. There are widespread inconsistent determinations of threshold authenticity for ESI. There are three main proposed remedies for the problems which include: (1) higher standards of authentication; (2) procedural modifications; and (3) maintain the current rules. But should there be different standards for ESI and physical replications of such ESI evidence?
The approach that addresses changes the threshold follows two main trains of though. The first one is setting a higher standard for authentication of social media and other ESI. The second one is to use the standard threshold requirement, and defer competing accounts of reliability to the fact finder. The idea for the approach that focuses on the threshold is that any inconsistencies will eventually work themselves out via case law. The rules currently, if being applied correctly, should result in courts admitting clearly authentic evidence, rejecting clearly inauthentic evidence, and having the trier of fact determine the authenticity of everything in between.
Given the unpredictability and the wide variety of results in judicial decisions concerning authenticating ESI, there have been new rules proposed that would supplement the archaic rules. Proposed rule 902 (13) addresses some of the concerns that many have about the current rules and how they address modern day evidence such as ESI. Proposed Rule 902 (13) addresses Certified Records Generated by an Electronic Process or System. The specific language of the rule would state that:
I. The original or a copy of a record if the record was generated by an electronic process or system that produces an accurate result, as shown by a certification by a qualified person that complies with the certification requirements of 902(11), 902(12), a federal statute, or rule proscribed by the Supreme Court; and
II. The proponent must give an adverse party reasonable notice of the intent to offer the record, and must make the record and certification available for inspection so that the party has a fair opportunity to challenge them.
There are many comments and considerations for proposed rule 902 (13). One is that this provides an alternative to authentication for electronic evidence other than having to use a foundational witness. Additionally, under this rule, a proponent must present certification that would be sufficient to establish authenticity were that information provided by a witness at trial.
There is also a proposed Rule 902 (14) that should be considered. Proposed Rule 902 (14) discusses Certified Copies of Electronic Devices, Storage Media, or Files. The specific language of the proposed rule states that:
Data Copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or 902(12). The proponent also must meet the notice requirements of Rule 902(11).
This amendment would allow copies of electronic data to be certified through the authentication of a ‘hash value.’ A hash value is a unique alpha-numeric sequence of 30 characters. Copies of files have identical hash values, and therefore can be determined to be exact duplicates and authentic through the analysis of the metadata.
Without a doubt, the addition of these two rules would allow for a more uniformed approach to authenticating electronic evidence. There is concern that there is too much overlap with existing rules. Specifically, that the proposed rules 902(13) and 902 (14) would create major problems with other provisions of 902, 901, 104 (a) and 104 (b). There is also a very legitimate fear that the proposed rules, if enacted, would soon be outmoded by future technological advances. Essentially, the concerns culminate into one major theme – the proposed rules do not represent the all encompassing, test-of-time mentality that the Fed. R. Evid. were designed with.
When there has been an objection to admissibility of a text message, the proponent of the evidence must explain the purpose for which the text message is being offered and provide sufficient direct or circumstantial corroborating evidence of authorship in order to authenticate the text message as a condition precedent to its admission; thus, authenticating a text message or e-mail may be done is much the same way as authenticating a telephone call. In order to authenticate evidence derived from a social networking website, the trial judge must determine that there is proof from which a reasonable juror could find that the evidence is what the proponent claims it to be. An e-mail may be authenticated by circumstantial evidence that allows the finder of fact to determine that the e-mail is what the proponent claims it to be.
The easiest way to authenticate the data is under FRE 901(b)(1), which allows a witness with personal knowledge to authenticate that the data is what it is claimed to be. One simple way to comply with this standard is to introduce the electronic document or evidence during a deposition and have the creator or recipient of the ESI confirm that it is genuine. This will be the strongest and simplest way to prove that your ESI evidence was not manipulated.
Specifically, electronic communications can be authenticated by an admission secured by the author or the sender of the communication that they drafted or sent the communication. It will be given more weight to authenticity if a recipient or non-recipient of the communication had knowledge of it. Additionally, a witness with the knowledge of how the communication carrier sends and receives the information could help authenticate it, as well as information about how it might be stored.
Text communications or transcripts may be authenticated if the proponent demonstrates that, (1) the alleged sender had access to the appropriate computer; (2) the communication was conducted at the same time as the person in question admitted to communicate; (3) the communication was being conducted using a screen name created by the person in question; and (4) the content of the communication was similar to what the person in question admitted to.
The possibility of alternation does not and cannot be the basis for excluding ESI as unidentified or unauthenticated as a matter of course, any more that it can be the rationale for excluding paper documents (and copies of those documents). We live in an age of technology where communication through various platforms is now is a normal and frequent fact for the majority of this nation’s population, and is of particular importance in the professional world. The defendant is free to raise this issue with the jury and put on evidence that electronic communications are capable of being altered before they are passed on. In United States v. Safavian, the court found that absent specific evidence showing alteration, however, the Court will not exclude any embedded e-mails because of the mere possibility that it can be done. The take away from Safavian is that the court in most cases will recognize that manipulation is possible, but there is still the evidence that is required to show that it was. And even then, if it is not overtly convincing, courts have said that information goes to the weight of the evidence, to be considered by the trier of fact.
Establishing the Chain of Custody
Chain of custody issues with electronic evidence like text messages have proven to be much more challenging and contentious than chain of custody matters pertaining to traditional paper evidence. When paper was the most common type of evidence, custodial issues were clear as the material in question was tangible: something that could be physically touched and stored. Now that ESI is rapidly taking over as the primary type of evidence, custodianship is becoming increasingly vague. Courts across the nation have generally held that when evidence is not readily identifiable and is susceptible to alteration by tampering, decay, or contamination, (i.e.: ESI) the authentication must show both (a) what the evidence was when gathered, and (b) that it has remained unchanged since then. ESI can be very easily manipulated or accidentally corrupted, and thusly it is potentially open to numerous chain of custody challenges. The best way to establish and preserve a defensible chain of custody is to ensure that each person who comes into custody of the ESI testifies about:
As with all evidentiary material, when working with ESI like text-messages as evidence, it should be handled with care to ensure the chain of custody remains demonstrable. For example, when a hard drive is to be removed for imaging, a photograph of the drive in its original place may be taken, and the person from whom the drive is obtained can certify the serial number of the drive being removed. At all stages of processing the drive, the persons taking custody of the drive should sign a form acknowledging receipt of the specific drive after verifying its serial number. When the drive is returned, the person from whom the drive was obtained can verify that the serial number matches their record of the removed drive and be willing to attest that the specific drive removed has been returned.
While the above example utilizes hard drives as its subject, it would apply just as well to the handling of text messages extracted from a cell phone. For instance, you could use a cell-phone’s serial number, SIM card information, phone-number, etc. to verify the chain of custody of text messages found on that phone. Indeed, the court in Lorraine v. Markel American Ins. Co. suggests that the chain of custody for text-messages could be established and defended by using the testimony of witnesses with personal knowledge of the ESI’s nature and authenticity; and/or by introducing circumstantial evidence of the ESI’s distinctive characteristics (like a serial number).
Witness or Expert Testimony
The advantages of hiring an outside investigator can be numerous. To begin, if well selected, the individual will be a professional at their trade, making them adept at finding certain kinds of data within your ESI for verification purposes most people would not know about. In terms of e-discovery, this means that the expert may be able to find all sorts of deleted data from financial records to stored electronic communications. Sometimes this information has not truly been deleted, it merely requires someone with the right know-how to uncover it. Additionally, a good expert-witness will likely best know how to authenticate any deleted ESI he recovers as genuine. Also, there are instances in which hiring a professional forensic computer analyst to examine a phone or tablet is the only way important evidence can be found. Useful information may come from unexpected sources such as “meta data,” which is essentially data about data that can provide your case with the proverbial “smoking gun.”
Other advantages are that professionals can access and often mirror a computer or device without damaging any of the files or hardware. This is something even an experienced attorney cannot always be certain of. Also, the process is usually pretty quick. A forensic image of a hard drive often only takes four to six hours and a comprehensive report from a forensic examiner usually takes between two to four weeks.
Clearly, expert witnesses can be extremely useful for the purposes of authenticating your ESI. But by the same token, an expert witness working with your opponent can pose a serious threat to your case. This is why it is so important that your legal team carefully handles any ESI at every single point it is being processed. For example, in U.S. v. Jackson, an federal agent, posing as a 14-year old girl, engaged in numerous online conversations with the defendant, and the government tried to use these conversations to prove the defendant persuade, induce, and entice a minor to engage in sexual activity. The agent would, at the end of every conversation, copy-and-paste the chat-log onto a Microsoft Word Document. However, this bit of evidence was ultimately defeated by the testimony of the defense’s expert witness, a computer forensics expert. The expert witness testified that there were numerous possible ways that the agent could have captured the chat-log, and that simply copying-and-pasting them to a Word document was the least effective method the agent could have used. The court accepted this testimony, and took it into account when ruling that the cut-and-paste chat-logs were not admissible evidence.
This case not only demonstrates the importance of using the utmost care when handling ESI, but also it showcases the potential usefulness of expert witness testimony as a way to poke holes in your opponent’s handling of ESI. Attorneys should strongly consider hiring or consulting with an computer expert of some kind when processing ESI to ensure the evidence is handled defensibly.
Zittler, Jay M. Authentication of Electronically Stored Evidence, Including Text Messages and E-mail. 34 A.L.R.6th 253, § 3.5. (Originally published in 2008)(see Donati v. State, 84 A.3d 156 (Md. Ct. Spec. App. 2014).
See Deborah L. Meyer, Melendez-Diaz v. Massachusetts: What the Expanded Confrontation Clause Ruling Means for Computer Forensics and Electronic Discovery, 28 Temp. J. Sci. Tech. & Envtl. L. 243, 271-72 (2009)
Deborah L. Meyer, Melendez-Diaz v. Massachusetts: What the Expanded Confrontation Clause Ruling Means for Computer Forensics and Electronic Discovery, 28 Temp. J. Sci. Tech. & Envtl. L. 243, 272 (2009).
A Project of The Sedona Conference Working Group on Electronic Document & Retention & Production (WG1), The Sedona Conference Commentary on Esi Evidence & Admissibility, 9 Sedona Conf. J. 217, 231-32 (2008)